Setup Adminui on secondary server with shared policy store


Article ID: 74830


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

How do you set up the Admin UI on a secondary server that shares a policy store?

The customer has one primary policy server and Admin UI up and running already.
The customer needs to set up a second Admin UI on a second policy server; however, both policy servers share the same policy store.
Because there is only one siteminder account, a particular user account is limited to a single XPSRegClient connection.
If someone runs XPSRegClient with the same user account again from another server, it can potentially overwrite the existing registration and render the previous Admin UI registration invalid, with the result that the siteminder admin cannot log in.

Environment

12.52
12.6
12.7
Windows and Unix

Resolution

These instructions apply to the use case where two policy servers share the same policy store.
Even if the customer has two policy stores, if they are replicated they are still considered the same store data.

1. Make sure the account "smwamui" is not already an administrator in the Admin UI or in the policy store.

2. Log in to the secondary policy server and run the XPSRegClient utility:
XPSRegClient smwamui:password -adminui -vT
Ensure there is no error in this step.
Running the command in step 2 creates a file called 'siteminder.XPSReg' in the /siteminder/bin directory.
Do not continue if you see a FATAL error.

3. Now create a legacy administrator account "smwamui" from the Admin UI of the first (primary) policy server.
It should automatically be promoted to a super user account within that primary Admin UI (WAMUI).

4. Recycle the second policy server and Admin UI; this step ensures the second server sees the change made in step 3.
Complete registering the policy server connection in the second Admin UI server using smwamui/password/hostname.
The hostname should be the second policy server's hostname.

The end result is:
First (primary) policy server Admin UI login ID: siteminder
Second policy server Admin UI login ID: smwamui
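
The two checks that close step 2 (no FATAL error, and 'siteminder.XPSReg' created) can be enforced as a gate before step 3 is started. The script below is an added example, not part of the original article or the product; the function names are hypothetical, and it assumes the XPSRegClient output was captured to a file by redirection and that a failure shows up as the literal word FATAL.

```shell
#!/bin/sh
# Added example: gate between step 2 and step 3 of the procedure above.
# Assumed usage (capture the utility's output, then check it):
#   XPSRegClient smwamui:password -adminui -vT > xpsreg.out 2>&1
#   check_xpsreg xpsreg.out /siteminder/bin || exit 1
# Returns 0 = continue, 1 = FATAL seen, 2 = registration file missing/empty,
# 3 = bad arguments.
check_xpsreg() {
    out=$1
    bindir=$2
    regfile="$bindir/siteminder.XPSReg"

    if [ ! -r "$out" ] || [ ! -d "$bindir" ]; then
        echo "usage: check_xpsreg <output-file> <bin-dir>" >&2
        return 3
    fi

    # The article says not to continue on a FATAL error, so any line
    # containing that word stops the procedure (matching lines go to stderr).
    if grep -n 'FATAL' "$out" >&2; then
        echo "STOP: FATAL reported; do not create the administrator yet" >&2
        return 1
    fi

    # Step 2 is expected to leave siteminder.XPSReg in the bin directory.
    if [ ! -s "$regfile" ]; then
        echo "STOP: $regfile is missing or empty" >&2
        return 2
    fi

    echo "OK: no FATAL and $regfile present; continue with step 3"
}

# Constructed demo: the log lines are made up, not real XPSRegClient output.
demo_check_xpsreg() {
    tmp=$(mktemp -d) || return 3
    mkdir "$tmp/bin"
    printf '[constructed] registration written\n' > "$tmp/good.log"
    printf '[constructed] FATAL: sample failure\n' > "$tmp/bad.log"
    r_nofile=0; check_xpsreg "$tmp/good.log" "$tmp/bin" >/dev/null 2>&1 || r_nofile=$?
    printf 'placeholder\n' > "$tmp/bin/siteminder.XPSReg"
    r_ok=0; check_xpsreg "$tmp/good.log" "$tmp/bin" >/dev/null 2>&1 || r_ok=$?
    r_fatal=0; check_xpsreg "$tmp/bad.log" "$tmp/bin" >/dev/null 2>&1 || r_fatal=$?
    rm -rf "$tmp"
    echo "$r_nofile $r_ok $r_fatal"
}
```

Because the passphrase is on the command line in step 2, treat the captured output file and shell history on the secondary policy server as sensitive and clean them up once registration is complete.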

 

Additional Information

https://docops.ca.com/ca-single-sign-on/12-7/en/troubleshooting/administrative-ui-troubleshooting