
SPS Admin Login failing


Article ID: 7524




Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


SPS proxyui bug: after successful authentication and authorization (AU/AZ), the proxyui web application makes an additional call, gets its configuration, and uses the value of the ACO parameter defaultagentname instead of the current agentname.



Linux SPS R12.6, Linux Policy Server R12.6


The bug is in the additional call that proxyui makes to GetConfig and its subsequent use of defaultagentname. This will not always cause a failure where customers protect proxyui with defaultagentname.

For proxyui access, it uses defaultagentname; this is not documented.

Proxyui is protected and the user is authenticated and authorized (AU/AZ). However, after the AZ call the proxyui web application makes a call to the policy server (PS) with defaultagentname, which could return "Not Protected".

Expected results: Allow access to proxyui


Actual results: Presented with page "You must protect proxyui"

[29092/140638892373760][Tue Apr 04 2017 15:12:38] agentname=lodbl510vm001-sps1,

[29092/140638892373760][Tue Apr 04 2017 15:12:38] agentname=lodbl510vm001-sps2,

[29092/140638892373760][Tue Apr 04 2017 15:12:38] agentname=lodbl510vm001-proxyui,


[29092/140638892373760][Tue Apr 04 2017 15:12:38] defaultagentname=lodbl510vm001-default




First IsProtected call:

[04/04/2017][15:18:40.334][15:18:40][25551][139956160698112][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s25/r6][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl510vm001-proxyui][** Status: Protected. ]



[04/04/2017][15:18:49.427][15:18:49][25551][139956160698112][SmDsLdapProvider.cpp:2378][CSmDsLdapProvider::Search][(Search) Base: 'dc=ca,dc=com', Filter: '(uid=A20)'. Status: 1 entries.][Ldap Search callout succeeds.]

[04/04/2017][15:18:49.429][15:18:49][25551][139956160698112][Sm_Auth_Message.cpp:4759][CSm_Auth_Message::SendReply][s14/r11][A20][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl509vm022-2000-UID][lodbl510vm001-proxyui][AUTHSCHEME-SPSADMINUI][** Status: Authenticated. ]



[04/04/2017][15:18:49.432][15:18:49][25551][139956202657536][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s14/r12][A20][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl510vm001-proxyui][** Status: Authorized. ]


After successful AU/AZ, the web application makes a second call to get its configuration and then uses defaultagentname to perform IsProtected:

[04/04/2017][15:18:49.598][15:18:49][25551][139956244616960][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s28/r2][** Status: GetConfig. ]

[04/04/2017][15:18:50.712][15:18:50][25551][139956297066240][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r2][** Status: GetConfig. ]

[04/04/2017][15:18:50.717][15:18:50][25551][139956192167680][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r3][lodbl510vm001-default][** Status: Not Protected. ]
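The sequence in the trace above can be found automatically. The following is an added example, not CA's code and not part of the original article: a Python script that scans policy server trace lines for an Authorized reply followed shortly by a Not Protected reply for a different agent name. The function names, the field-position parsing and the 5-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

FIELD = re.compile(r"\[([^\]]*)\]")
STATUS = re.compile(r"\*\* Status: (.+?)\.\s*$")
SESSION_ID = re.compile(r"^s\d+/r\d+$")

# Policy server trace lines copied from the excerpt in this article.
SAMPLE_TRACE = """\
[04/04/2017][15:18:49.432][15:18:49][25551][139956202657536][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s14/r12][A20][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl510vm001-proxyui][** Status: Authorized. ]
[04/04/2017][15:18:50.712][15:18:50][25551][139956297066240][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r2][** Status: GetConfig. ]
[04/04/2017][15:18:50.717][15:18:50][25551][139956192167680][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r3][lodbl510vm001-default][** Status: Not Protected. ]
""".splitlines()


def parse_az_reply(line):
    """Return (timestamp, agent or None, status) for a CSm_Az_Message::SendReply line."""
    fields = FIELD.findall(line)
    if "CSm_Az_Message::SendReply" not in fields:
        return None
    status = STATUS.search(fields[-1])
    if not status:
        return None
    ts = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %H:%M:%S.%f")
    # Assumption drawn from the sample lines: the agent name is the field just
    # before the status, and is absent when that field is the sNN/rN id.
    agent = None if SESSION_ID.match(fields[-2]) else fields[-2]
    return ts, agent, status.group(1)


def find_agent_mismatch(lines, window=timedelta(seconds=5)):
    """Flag 'Not Protected' for another agent within window (assumed 5 s) of 'Authorized'."""
    findings, last_auth = [], None
    for line in lines:
        parsed = parse_az_reply(line)
        if parsed is None:
            continue
        ts, agent, status = parsed
        if status == "Authorized":
            last_auth = (ts, agent)
        elif status == "Not Protected" and last_auth and agent and agent != last_auth[1]:
            if ts - last_auth[0] <= window:
                findings.append((last_auth[1], agent, (ts - last_auth[0]).total_seconds()))
    return findings


if __name__ == "__main__":
    for authorized, checked, gap in find_agent_mismatch(SAMPLE_TRACE):
        print(f"authorized as {authorized}, then IsProtected for {checked} failed {gap:.3f}s later")
```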



ProxyUI log

"2017-Apr-04 15:15:25,818 - INFO - - Agent API Init status= 0 
"2017-Apr-04 15:15:25,818 - DEBUG - - Connectiong to PS for getting agent name and LocalConfig ACO Parameters 
"2017-Apr-04 15:15:25,822 - DEBUG - - getAgentConfig status = 1 
"2017-Apr-04 15:15:25,822 - DEBUG - - getAttribute() count = 75 
"2017-Apr-04 15:15:25,823 - DEBUG - - defaultAgentName = lodbl510vm001-default 
"2017-Apr-04 15:15:25,823 - DEBUG - - AllowLocalConfig in ACO is no 
"2017-Apr-04 15:15:25,824 - INFO - - Verifying if AllowLocalConfig ACO parameter is enabled 
"2017-Apr-04 15:15:25,824 - DEBUG - - agentName = lodbl510vm001-default,contextPath= /proxyui 
"2017-Apr-04 15:15:25,825 - DEBUG - - IsProtected returned retCode = FALSE 


Bug DE285970 has been filed; this will be fixed in a future release of SPS.

Workaround:

Create an agent group: proxyui-group

Add the default agent (spsdefault) and (utlxa550_sps-adminui) to the group

Change the SPS proxyui realm agent to the new agent group (proxyui-group)


Bug info: A bug in the code that parses the ACO for the list of agentnames resulted in defaultagentname always being used. If the defaultagentname is not part of the domain used to protect the SPS, it will fail to allow access, with the message ProxyUI must be protected.