Explanation regarding Web agent and Policy Server interaction/Working.

Article ID: 51435


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



How does the interaction between the Web Agent and the Policy Server take place in the following 3 scenarios:

Scenario 1:

The Policy Server is already running and the Web Agent is then started.

Scenario 2:

The Web Agent and the Policy Server are up and running. The Policy Server is then stopped and restarted after some time.

Scenario 3:

Both the Web Agent and the Policy Server are restarted.


Here is the explanation for the 3 scenarios above:

Scenario 1:

When the Policy Server (PS) is already running and the Web Agent is started, the agent initializes. As part of initialization, the Web Agent reads SmHost.conf to get the Policy Server address and tries to establish a connection with the PS defined in SmHost.conf.

Once the connection with the PS is established, the Web Agent reads the Host Configuration Object (HCO) and fetches the details of the PS configured to serve its requests.

If that is the same server as the one in SmHost.conf, the agent proceeds to request the Agent Configuration Object (ACO). Otherwise, it contacts the PS named in the HCO and reads the ACO from there.

Once the Web Agent has the ACO information from the Policy Server, the connection between the Web Agent and the Policy Server is established. This can be verified in the agent logs, which are updated with the agent configuration parameters. The Policy Server then serves the requests of the Web Agent.

Scenario 2:

The Web Agent is up and running, and the Policy Server is stopped and then restarted later.

In this case, the already running Web Agent continues to poll the Policy Server through the Do-Management background thread.

The agent communicates with the Policy Server over a connection defined in the Connection Manager Object, which is a part of the Agent Object.

All of this communication happens at the lower layer using the Agent API. While the Policy Server is stopped, the Web Agent closes the connection when it gets the Policy Server state as NO CONNECTION.

However, the Web Agent still holds the details of that connection. When the Policy Server comes back up after some time, it gets the status "invalid socket" during the handshake with the Web Agent, and the following error is logged in the Policy Server logs:

[4464/5120][Fri Jan 30 2009 09:20:55][CServer.cpp:1398][ERROR] Bad security handshake attempt. Handshake error: 3152 
[4464/5120][Fri Jan 30 2009 09:20:55][CServer.cpp:1405][ERROR] Handshake error: Failed to receive client hello. Socket error 0 

To resolve this error, the Web Agent needs to be restarted. The reason is as follows:

The Web Agent reads SmHost.conf only at start-up. When the agent is restarted, it makes a new connection with the Policy Server, and the problem is resolved because the agent now has an updated connection object and communication happens over that new connection object.
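
The following added example (not part of the original article or of the product) scans Policy Server log lines for the error pair quoted above, which is the condition this scenario resolves by restarting the Web Agent. The function names are hypothetical, the first bracketed field is treated as an opaque identifier, and every sample line other than the two quoted from the article is constructed.

```python
import re
from datetime import datetime

# Layout of the lines quoted in the article: [ids][timestamp][file:line][LEVEL] message
LINE_RE = re.compile(
    r"^\[(?P<ids>\d+/\d+)\]\[(?P<ts>[^\]]+)\]"
    r"\[(?P<src>[^\]:]+):(?P<lineno>\d+)\]\[(?P<level>[A-Z]+)\]\s*(?P<msg>.*?)\s*$"
)
BAD_HANDSHAKE = re.compile(r"Bad security handshake attempt\. Handshake error: (\d+)")
NO_HELLO = re.compile(r"Failed to receive client hello\. Socket error (-?\d+)")

def parse_line(raw):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(raw.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%a %b %d %Y %H:%M:%S")
    return rec

def stale_agent_handshakes(lines):
    """Pair each bad-handshake ERROR with the client-hello ERROR that shares
    its first field and timestamp; unpaired lines are not reported."""
    pending, incidents = {}, []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["level"] != "ERROR":
            continue
        key = (rec["ids"], rec["ts"])
        bad, hello = BAD_HANDSHAKE.search(rec["msg"]), NO_HELLO.search(rec["msg"])
        if bad:
            pending[key] = int(bad.group(1))
        elif hello and key in pending:
            incidents.append({"ts": rec["ts"], "ids": rec["ids"],
                              "handshake_error": pending.pop(key),
                              "socket_error": int(hello.group(1))})
    return incidents

# First two lines are the ones quoted in the article; the rest are constructed.
SAMPLE_LOG = """\
[4464/5120][Fri Jan 30 2009 09:20:55][CServer.cpp:1398][ERROR] Bad security handshake attempt. Handshake error: 3152
[4464/5120][Fri Jan 30 2009 09:20:55][CServer.cpp:1405][ERROR] Handshake error: Failed to receive client hello. Socket error 0
[4464/5120][Fri Jan 30 2009 09:21:10][Constructed.cpp:10][INFO] constructed informational line
[4464/5200][Fri Jan 30 2009 09:21:25][CServer.cpp:1398][ERROR] Bad security handshake attempt. Handshake error: 3152
this constructed line does not match the layout
"""

if __name__ == "__main__":
    for hit in stale_agent_handshakes(SAMPLE_LOG.splitlines()):
        print(hit["ts"].isoformat(), hit["ids"], hit["handshake_error"], hit["socket_error"])
```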

Scenario 3:

Both the Web Agent and the Policy Server are restarted.

The Web Agent plug-in is initialized again and follows the default flow of communication between the Web Agent and the Policy Server described above. New connection objects are created and the connection is established without error.


Component: SMPLC