SiteMinder Policy Server is not applying admin changes as expected.

Article ID: 52799

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

At times, admin changes made through the SiteMinder SDK are not picked up correctly by the other Policy Servers. Example: the customer updated the same rule twice, but the downstream servers appear to have picked up the first change and missed the second one.

Solution:

IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, create a backup of the registry and make sure you understand how to restore it if a problem occurs.
For more information about how to back up, restore, and edit the registry, review the relevant Microsoft Knowledge Base articles on support.microsoft.com.

There are two reasons for this issue:

  1. The Policy Server processes the server commands out of order, so changes may not be applied in the required sequence.
  2. The Policy Server saves each server command with a timestamp in whole seconds. If objects are created or updated through the command line tools or the SDK, several server commands can be generated within the same second and their relative order is lost.
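The following PowerShell snippet is an added illustration of the second cause, not code from the article or from CA: it takes three constructed server commands issued within two seconds of each other and records their timestamps first at one-second and then at millisecond precision. At second precision the two updates to the same rule collide on one timestamp, so their replay order can no longer be recovered; at millisecond precision each command keeps its own position. The command records and the `Get-AmbiguousCommands` helper are assumptions made for this example.

```powershell
# Constructed sample: three admin changes issued in quick succession by a script.
# Seq is the true issue order; Issued is the wall-clock time on the issuing Policy Server.
$base = Get-Date '2024-01-01T10:00:00'
$commands = @(
    [pscustomobject]@{ Seq = 1; Action = 'UpdateRule';  Oid = 'rule-A';  Issued = $base.AddMilliseconds(120) },
    [pscustomobject]@{ Seq = 2; Action = 'UpdateRule';  Oid = 'rule-A';  Issued = $base.AddMilliseconds(640) },
    [pscustomobject]@{ Seq = 3; Action = 'UpdateRealm'; Oid = 'realm-B'; Issued = $base.AddMilliseconds(1900) }
)

function Get-AmbiguousCommands {
    # Record each command's timestamp at the given precision (a .NET date format string)
    # and return every group of commands that ends up sharing one recorded timestamp.
    # Commands inside such a group cannot be ordered by timestamp alone.
    param([object[]]$Commands, [string]$Format)
    $Commands |
        Group-Object { $_.Issued.ToString($Format) } |
        Where-Object { $_.Count -gt 1 }
}

# Whole-second recording (the pre-CR27 behaviour): Seq 1 and Seq 2 collide.
$secondCollisions = Get-AmbiguousCommands -Commands $commands -Format 'yyyy-MM-dd HH:mm:ss'
foreach ($g in $secondCollisions) {
    Write-Host "Collision at $($g.Name): Seq $($g.Group.Seq -join ', ') share one timestamp"
}

# Millisecond recording (the CR27 behaviour with ServerCmdMsec=1): no collisions.
$msCollisions = Get-AmbiguousCommands -Commands $commands -Format 'yyyy-MM-dd HH:mm:ss.fff'
if (-not $msCollisions) { Write-Host 'Millisecond timestamps: every command is uniquely ordered' }
```

The collision reported for Seq 1 and Seq 2 is exactly the case in the description above: two updates to the same rule inside one second, where a replaying server can apply them in either order and end up with the first change instead of the second.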

To fix this issue, the following changes were implemented in SiteMinder 6 SP5 CR27:

  1. Server commands are stored with millisecond timestamps and sorted correctly.
  2. An object cache flush implementation.

The instructions are documented in the SiteMinder readme file shipped with 6 SP5 CR27:

<- Begin

80662 The Policy Server command replication can now be made to use sub-second recording and ordering. This means that if multiple server commands are sent to the policy server that occur within the same second, their order of replay is always the same as the order they were sent.

The policy server will now use an improved algorithm to determine which server commands it has already replayed and which ones need to be replayed. This change no longer relies on time frames and provides a more complete replication of the server commands.

This behavior is configurable through a global registry key, "ServerCmdMsec", which has been added:
Location: HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\Siteminder\CurrentVersion\ObjectStore
Type: DWORD
Value: 1 or 0

If the registry value is 0 or does not exist, the default existing behavior will be executed.

To deploy this setting, all the policy servers that are using the same policy store must be upgraded to at least CR27. The setting also has to be the same on all of the policy servers. Using policy server releases earlier than CR27 or mixing this setting will cause errors to be generated in the policy server logs and a failure to replicate the server commands.

The following procedure is recommended for enabling this feature.

  1. Upgrade all the policy servers to CR27.
  2. Add or change the registry key to enable the feature on all the servers.
  3. Stop ALL the servers and then restart all the servers.

Restarting servers before all of them have been stopped for the new setting will result in a mixed setup which will fail as mentioned above.

-> End
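The readme requires that ServerCmdMsec be identical on every Policy Server sharing the policy store before any of them is restarted. The following PowerShell script is an added example, not code from the article or from CA, that audits the value on a list of servers, reports any mixed configuration, and can set the value to 1 where needed. The host names are placeholders; the registry path and value name are the ones given in the readme above. It assumes PowerShell remoting (WinRM) is enabled on the Policy Servers and that the account running it has local administrator rights there.

```powershell
# Added example: audit and set the ServerCmdMsec DWORD on all Policy Servers that share a policy store.
$PolicyServers = @('policyserver01', 'policyserver02', 'policyserver03')     # placeholder host names
$KeyPath   = 'HKLM:\SOFTWARE\Netegrity\Siteminder\CurrentVersion\ObjectStore'  # location from the readme
$ValueName = 'ServerCmdMsec'                                                  # value name from the readme

function Get-ServerCmdMsec {
    # Returns the effective setting on one server: the DWORD if present, 0 if the value is
    # missing (the readme says a missing value means default behaviour), $null if the
    # ObjectStore key itself does not exist (likely not a Policy Server, or a different release).
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name)
        if (-not (Test-Path -Path $Path)) { return $null }
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 0 }
        return [int]$item.$Name
    } -ArgumentList $KeyPath, $ValueName
}

function Set-ServerCmdMsec {
    # Creates or overwrites the DWORD on one server. -Force makes New-ItemProperty
    # replace an existing value instead of failing.
    param([string]$ComputerName, [int]$Value)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        param($Path, $Name, $Data)
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Data -Force | Out-Null
    } -ArgumentList $KeyPath, $ValueName, $Value
}

function Test-ServerCmdMsecConsistent {
    # Reads the setting from every server and returns $true only when all of them agree
    # and none is missing the key. A mixed result is the configuration the readme warns
    # will produce log errors and break server command replication.
    param([string[]]$Servers)
    $results = foreach ($s in $Servers) {
        [pscustomobject]@{ Server = $s; ServerCmdMsec = Get-ServerCmdMsec -ComputerName $s }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host

    $distinct = @($results | ForEach-Object { $_.ServerCmdMsec } | Select-Object -Unique)
    if ($distinct.Count -ne 1 -or $null -in $distinct) {
        Write-Warning 'ServerCmdMsec is not identical on all Policy Servers; do not restart until it is.'
        return $false
    }
    Write-Host "All Policy Servers agree: ServerCmdMsec = $($distinct[0])"
    return $true
}

# 1. Audit before touching anything.
Test-ServerCmdMsecConsistent -Servers $PolicyServers | Out-Null

# 2. Enable the feature everywhere (uncomment once all servers are confirmed on CR27 or later).
# foreach ($s in $PolicyServers) { Set-ServerCmdMsec -ComputerName $s -Value 1 }

# 3. Re-audit; only when this returns $true, stop ALL servers and then start them again.
# Test-ServerCmdMsecConsistent -Servers $PolicyServers
```

The script deliberately does not restart anything: the readme's step 3 requires every server to be stopped before any is started again, so the restart is left as a manual step to be taken only after the audit reports a consistent setting.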

Environment

Component: SMPLC