How do I maintain a working Watchdog service if I need to restore an Access Control database from another server in my Single Sign-On farm? This information applies to any customer running SSO 8.1CR20 or SSO 12CR4 Server and later.

Article ID: 52766

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

Description:

In the SSO R8.1CR20 and R12CR4 server releases, a unique SSO Watchdog account is created on each server to prevent authentication collisions in the Policy Server Token Directory. If a broken or corrupted Access Control database can only be restored from another server in an SSO farm, perform the following steps to ensure that the Watchdog process continues to work after the restore is complete. The solution steps can be carried out right after your install or upgrade is complete. Any future upgrade will also require the Watchdog account credentials to be reset again, so that the data stays consistent across all of your AC databases, if you wish to keep a Watchdog account that is accepted on every server in the SSO farm.

Solution:

Disclaimer:
This technical document assumes that the data residing inside the Access Control databases in your SSO server farm has the same values, including passwords for administrative accounts. Please back up your existing Access Control databases before performing the steps in this solution.

To begin, you will notice that the install has created a unique ID in your local machine > Users container. This user has the same rights and privileges as the original pswd-pers account. The account is unique in that the tail of its name is the last octet of your SSO server's IP address. For example:

Machine IP is 192.168.0.157
Watchdog account ID is pswd-157
Do not worry if you plan to change the machine IP address in the future. The Watchdog service will continue to function properly.

  • In order to maintain a database that can be copied from one SSO server to another, we need to create this account inside the Access Control database on the other members of the SSO farm, and vice versa.

  • Also, since the password generated for each Watchdog account is random and encrypted, we need to reset the password of every Watchdog account in every database to the same password. We do not know the generated password, so the Watchdog cannot be expected to log in without an authentication failure if the service password does not match the user ID's password inside the Access Control database. To maintain continuity, please log into each SSO server as the original installer of SSO.

Example Information:
SSOserver 1 = 192.168.0.157 > pswd-157
SSOserver 2 = 192.168.0.158 > pswd-158

  1. From your command prompt run the following on SSOserver 1:

    • selang <enter>

    • eu pswd-158 admin auditor server auth_type(method20) password(typenewpasswordhere) nonative <enter>

    • join(pswd-158) group(_ps-adms) <enter>

    • eu pswd-157 password(typenewpasswordhere) <enter>

    • exit <enter>

    • cd %SSOSERVERINSTALLPATH%/bin <enter>

    • pswd.exe -s pswd-157 typenewpasswordhere <enter>

  2. For Windows machines, open the services control panel with Start > Run > services.msc

    • find the eTrust SSO Server Watchdog service and right-click > Properties

    • click the 'Log On' tab and set the password to the same password that you have been typing in the previous steps. Then click OK

  3. From your command prompt run the following on SSOserver 2:

    • selang <enter>

    • eu pswd-157 admin auditor server auth_type(method20) password(typenewpasswordhere) nonative <enter>

    • join(pswd-157) group(_ps-adms) <enter>

    • eu pswd-158 password(typenewpasswordhere) <enter>

    • exit <enter>

    • cd %SSOSERVERINSTALLPATH%/bin <enter>

    • pswd.exe -s pswd-158 typenewpasswordhere <enter>

  4. For Windows machines, open the services control panel with Start > Run > services.msc

    • find the eTrust SSO Server Watchdog service and right-click > Properties

    • click the 'Log On' tab and set the password to the same password that you have been typing in the previous steps. Then click OK

  5. You may now start the SSO Watchdog service on all machines in your SSO farm

    • NOTE: setting the password of the unique IDs to the same value gives us the ability to copy the Access Control database from one server to another and still have the Watchdog service operate without a login failure. Only the password reset commands need to be repeated after every subsequent server upgrade if you wish to maintain this solution (i.e. the eu ... password(...) command, pswd.exe -s, and the Windows service 'Log On' password).
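The two-server procedure above, generalised to a farm of any size, as an added example that is not from this CA article: run it on each SSO server with that server's own address as -LocalIP, and it creates the peer accounts, resets the local account, runs pswd.exe -s and updates the service logon password in one pass. Assumptions: selang accepts a command file via -f, the service display name is exactly 'eTrust SSO Server Watchdog', %SSOSERVERINSTALLPATH% is set, and the sample farm addresses are constructed from the article's example.

```powershell
# Added example (not CA's code): align the Watchdog accounts across an SSO farm.
param(
    [string[]]$FarmIPs = @('192.168.0.157', '192.168.0.158'),  # constructed sample farm
    [string]$LocalIP   = '192.168.0.157',                       # this server's address
    [switch]$Apply                                              # without -Apply, only print the plan
)

# Watchdog account name = 'pswd-' + last octet of the server's IP address
function Get-WatchdogId([string]$Ip) { 'pswd-' + $Ip.Split('.')[-1] }

$localId = Get-WatchdogId $LocalIP
$peerIds = $FarmIPs | Where-Object { $_ -ne $LocalIP } | ForEach-Object { Get-WatchdogId $_ }

# Read the shared password once instead of typing it into several command lines
$secure   = Read-Host 'Shared Watchdog password' -AsSecureString
$password = [System.Net.NetworkCredential]::new('', $secure).Password

# selang commands: create each peer's account with the article's rights and group
# membership, then reset this server's own account to the shared password
$selang = foreach ($id in $peerIds) {
    "eu $id admin auditor server auth_type(method20) password($password) nonative"
    "join($id) group(_ps-adms)"
}
$selang += "eu $localId password($password)"

if (-not $Apply) {
    # Review mode: show what would run, with the password masked
    $selang -replace [regex]::Escape($password), '********'
    "pswd.exe -s $localId ********"
    return
}

$script = New-TemporaryFile
try {
    Set-Content -Path $script -Value $selang
    & selang -f $script.FullName                                  # assumed: -f reads a command file
    & (Join-Path $env:SSOSERVERINSTALLPATH 'bin\pswd.exe') -s $localId $password

    # Equivalent of the services.msc 'Log On' tab: set the service account password
    $svc = Get-CimInstance Win32_Service -Filter "DisplayName='eTrust SSO Server Watchdog'"
    $svc | Invoke-CimMethod -MethodName Change -Arguments @{ StartPassword = $password } | Out-Null
    Start-Service -Name $svc.Name
}
finally {
    Remove-Item $script -Force   # do not leave the password on disk
}
```

Run without -Apply first on each server and compare the printed plan against the article's step 1 and step 3 before applying.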

As always, if you have any concerns with the solution given in this technical document, do not hesitate to open an issue with CA Support Online.

Environment

Release: SOASA199000-12.1-SOA Security Manager-w/ SOA Agent Addl CPUs