Description:
We have had issues at times where admin changes made via the SiteMinder SDK are not picked up correctly by the other Policy Servers. Example: a customer updated the same rule twice, but it looks like the downstream servers picked up the first change, then missed the second one.
Solution:
IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to create a backup of the registry and ensure that you understand how to restore it if a problem occurs.
For more information about how to back up, restore, and edit the registry, please review the relevant Microsoft Knowledge Base articles on support.microsoft.com.
There are two reasons for this issue:
To fix this issue, SiteMinder has implemented the following changes in SiteMinder 6 SP5 CR27:
Instructions have been documented in the SiteMinder readme file that we ship with 6 SP5 CR27:
<- Begin
80662 The Policy Server command replication can now be made to use sub-second recording and ordering. This means that if multiple server commands are sent to the policy server within the same second, their order of replay is always the same as the order they were sent.
The policy server will now use an improved algorithm to determine which server commands it has already replayed and which ones need to be replayed. This change no longer relies on time frames and provides a more complete replication of the server commands.
This behavior is configurable and can be achieved by using a global registry key. "ServerCmdMsec" has been added:
Location: \\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\ObjectStore
Type: DWORD
Value: 1 or 0
If the registry value is 0 or does not exist, the default existing behavior will be executed.
To deploy this setting, all the policy servers that are using the same policy store must be upgraded to at least CR27. The setting also has to be the same on all of the policy servers. Using policy server releases earlier than CR27 or mixing this setting will cause errors to be generated in the policy server logs and a failure to replicate the server commands.
The following procedure is recommended for enabling this feature.
Restarting servers before all of them have been stopped for the new setting will result in a mixed setup which will fail as mentioned above.
-> End
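
The readme requires the same ServerCmdMsec value on every Policy Server that shares a policy store. The PowerShell check below is an added example, not part of the readme or the product; it assumes PowerShell remoting is enabled, uses placeholder host names, and treats a missing value as 0, as the readme describes.

```powershell
# Added example: confirm ServerCmdMsec is identical on all Policy Servers
# that share one policy store. Host names are placeholders (assumption).
$policyServers = @('ps01.example.internal', 'ps02.example.internal', 'ps03.example.internal')

# Key location and value name as given in the readme excerpt above.
$keyPath   = 'HKLM:\SOFTWARE\Netegrity\Siteminder\CurrentVersion\ObjectStore'
$valueName = 'ServerCmdMsec'

$results = foreach ($server in $policyServers) {
    try {
        # Read the value remotely; emit $null when the value does not exist.
        $raw = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { $null } else { $item.$Name }
        } -ArgumentList $keyPath, $valueName

        [pscustomobject]@{
            Server    = $server
            Raw       = if ($null -eq $raw) { '(absent)' } else { $raw }
            # Absent and 0 both mean the existing (pre-CR27) behavior.
            Effective = if ($null -eq $raw) { 0 } else { [int]$raw }
        }
    }
    catch {
        # An unreachable server leaves the overall state unknown, not "consistent".
        [pscustomobject]@{ Server = $server; Raw = '(unreachable)'; Effective = $null }
    }
}

$results | Format-Table -AutoSize

$unreachable = @($results | Where-Object { $null -eq $_.Effective })
$distinct    = @($results | Where-Object { $null -ne $_.Effective } |
                 Select-Object -ExpandProperty Effective -Unique)

if ($unreachable.Count -gt 0) {
    Write-Warning "Could not read $($unreachable.Count) server(s); consistency is unverified."
    exit 2
}
if ($distinct.Count -gt 1) {
    Write-Warning 'Mixed ServerCmdMsec settings found; the readme states this causes replication failures.'
    exit 1
}
Write-Output "ServerCmdMsec is consistent (effective value $($distinct[0])) on all listed Policy Servers."
```

Running it before any Policy Server is restarted shows whether the fleet is in the mixed state the readme warns about.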