Setup Adminui on secondary server with shared policy store
Article ID: 74830
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
How to set up adminui on secondary server with shared policy store?
Customer has one primary policy server and admin ui up running already.
Customer needs to set up a second adminui on second policy server, however, both policy servers share same policy store.
Because there is only one siteminder account, that limits to single XPSRegclient connection for a particular user account.
If someone runs XPSRegclient with same user account again from other servers, it potentially will overwrite existing previous registration and render previous adminui registration invalid, resulting siteminder admin can not login.
Customer has one primary policy server and admin ui up running already.
Customer needs to set up a second adminui on second policy server, however, both policy servers share same policy store.
Because there is only one siteminder account, that limits to single XPSRegclient connection for a particular user account.
If someone runs XPSRegclient with same user account again from other servers, it potentially will overwrite existing previous registration and render previous adminui registration invalid, resulting siteminder admin can not login.
Environment
12.52
12.6
12.7
Windows and Unix
12.6
12.7
Windows and Unix
Resolution
This instruction applies to use case where two policy servers share same policy store.
Even customer has two policy stores, but if they are replicated, then they are still considered the same store data.
1. Make sure account "smwamui" is not an administrator already in admin UI screen or in policy store already.
2. Login to the secondary policy server and rung xpsregclient utility
XPSRegClient smwamui:password -adminui -vT
Ensure no error in this step.
When you run the command step 2, it creates a file in the /siteminder/bin directory called 'siteminder.XPSReg'.
Do not continue if seeing FATAL error...
3. Now create a legacy administrator account "smwamui" from first primary policy server admin UI.
It should automatically be promoted to super user account within that primary adminui (WAMUI).
4. Recycle second policy server and admin ui, this step ensures second server sees the change made in step 3.
Complete registering the policy server connection in the second admin UI server using smwamui/password/hostname.
Hostname should be the second policy server hostname.
The end result is:
First primary policy serve admin ui login ID: siteminder
Second policy serve admin ui login ID: smwamui
Even customer has two policy stores, but if they are replicated, then they are still considered the same store data.
1. Make sure account "smwamui" is not an administrator already in admin UI screen or in policy store already.
2. Login to the secondary policy server and rung xpsregclient utility
XPSRegClient smwamui:password -adminui -vT
Ensure no error in this step.
When you run the command step 2, it creates a file in the /siteminder/bin directory called 'siteminder.XPSReg'.
Do not continue if seeing FATAL error...
3. Now create a legacy administrator account "smwamui" from first primary policy server admin UI.
It should automatically be promoted to super user account within that primary adminui (WAMUI).
4. Recycle second policy server and admin ui, this step ensures second server sees the change made in step 3.
Complete registering the policy server connection in the second admin UI server using smwamui/password/hostname.
Hostname should be the second policy server hostname.
The end result is:
First primary policy serve admin ui login ID: siteminder
Second policy serve admin ui login ID: smwamui
Additional Information
https://docops.ca.com/ca-single-sign-on/12-7/en/troubleshooting/administrative-ui-troubleshooting
Feedback
Powered by
