Setup Adminui on secondary server with shared Policy Store


Article ID: 74830


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER

Issue/Introduction

 

How do you set up an AdminUI on a secondary Policy Server that shares a Policy Store with the primary?

One primary Policy Server and its AdminUI are already up and running.

A second AdminUI needs to be set up on a second Policy Server, and both Policy Servers share the same Policy Store.

There is only one siteminder account, and a particular user account is limited to a single XPSRegClient connection.

If someone runs XPSRegClient with the same user account again from another server, it can overwrite the existing registration and render the previous AdminUI registration invalid, with the result that the siteminder admin cannot log in.

This also impacts login to the API gateway via single sign-on.

 

Environment

 
12.52
12.6
12.7
12.8
Windows and Unix
 

Resolution

 

These instructions apply to the use case where two Policy Servers share the same Policy Store.

Two separate Policy Stores that are replicated are still considered the same store data, so the same instructions apply.

  1. Make sure the account "smwamui" is not already an administrator, either on the AdminUI screen or in the Policy Store.
  2. Log in to the secondary Policy Server and run the XPSRegClient utility:

    XPSRegClient smwamui:password -adminui -vT
    Ensure there is no error in this step.
    Running this command creates a file called 'siteminder.XPSReg' in the /siteminder/bin directory.
    Do not continue if you see "FATAL error..."

  3. Now create a legacy administrator account "smwamui" from the first (primary) Policy Server AdminUI.

    Choose "CA Single Sign-On Database" and provide a password.
    Select "System" for Administrator Privileges, and enable/check all 4 Tasks.
    The account should automatically be promoted to a super user account within that primary AdminUI (WAMUI).
    Verify this from Administrators --> View Administrator : smwamui
  4. Recycle the second Policy Server and AdminUI. This step ensures that the second server sees the change made in step 3.

    Complete registering the Policy Server connection with the second AdminUI server using smwamui/password/hostname.
    The hostname should be the second Policy Server's hostname.

The end result is:

First primary Policy Server AdminUI login ID: siteminder 
Second Policy Server AdminUI login ID: smwamui 

 
