Error : CA Directory Policy Store Class is Undefined when Replication is enabled

Article ID: 77017

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  CA Single Sign-On SITEMINDER

Issue/Introduction

 

After following the CA Directory documentation to set up Policy Store
replication between 2 DSAs, multiple 'Class "xxxxx" is undefined' errors
are seen on the console:

  (ERROR) : [sm-xpsxps-00270] Class 712809123 is undefined. 
  (ERROR) : [sm-xpsxps-00270] Class 712809123 is undefined. 
  (ERROR) : [sm-xpsxps-00270] Class 1397826539 is undefined. 

This issue is observed only when Policy Store replication is enabled
between 2 DSAs.

Multiwrite-DISP Replication has been configured between DSAs as
documented (1).

 

Cause


The "Class is undefined" errors occur because both Policy Store
instances were initialized separately and "multi-write DISP recovery"
was enabled between them only afterwards.

However, according to the documentation, the second store needs to be
an empty one (2).

 

Environment

 

  Policy Server 12.8SP5 on RedHat 6.9;
  Policy Store CA Directory 14.1; 

 

Resolution

 

Follow the steps below to correctly configure Policy Store replication:

  1) Created a new instance of CA Directory (ps1) and followed the
     documentation to configure it as the Policy Store with Policy
     Server1 (3). All default objects were imported into the Policy
     Store and XPSRegClient worked without problems. Policy Server1 was
     then stopped.
     
  2) Created a new instance of CA Directory (ps2) on a different
     machine. Only the changes to the config and initialization files
     were made. None of the steps from the topic "Open the DSA" were
     performed, so this store did not have any data in it.
     
  3) Followed the steps in the document to enable multi-write DISP
     recovery between the two policy stores (ps1 and ps2) (1).

  4) Verified the CA Directory logs and confirmed that the replication
     was successful.

  5) Connected to ps2 using JXplorer and observed that the objects had
     been replicated successfully.

  6) Pointed Policy Server2 to the ps2 instance and observed that the
     Policy Server started successfully.

  7) Executed XPSRegClient on Policy Server2. The command completed
     successfully without any errors.
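
The two checks this procedure relies on (ps2 holds no data before replication is enabled, and no sm-xpsxps-00270 errors appear afterwards) can be scripted. The following is an added example, not part of the original article or of any Broadcom tooling; it assumes you have an LDIF export of ps2 and a capture of the console output, and the function names and sample DNs are hypothetical.

```python
import re
from collections import Counter

# Error format exactly as shown in this article's console output.
UNDEFINED_CLASS = re.compile(r"\[sm-xpsxps-00270\] Class (\d+) is undefined")

def undefined_classes(console_text):
    """Count sm-xpsxps-00270 errors per class ID."""
    return Counter(UNDEFINED_CLASS.findall(console_text))

def ldif_entry_dns(ldif_text):
    """List entry DNs in an LDIF export, unfolding wrapped lines first."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    return [line.split(":", 1)[1].lstrip(": ")
            for line in unfolded.splitlines()
            if line.lower().startswith("dn:")]

def review(ps2_ldif_before, console_after):
    """Return findings: ps2 must be empty before replication is enabled,
    and the console must show no undefined-class errors afterwards."""
    findings = []
    dns = ldif_entry_dns(ps2_ldif_before)
    if dns:
        findings.append(f"ps2 already holds {len(dns)} entries; it must be empty")
    for class_id, count in sorted(undefined_classes(console_after).items()):
        findings.append(f"class {class_id} undefined ({count}x)")
    return findings

# Constructed sample input (hypothetical DNs; error lines copied from the article).
SAMPLE_LDIF = """dn: dc=example,dc=com
objectClass: domain

dn: ou=constructed-policy-data,
 dc=example,dc=com
objectClass: organizationalUnit
"""
SAMPLE_CONSOLE = """(ERROR) : [sm-xpsxps-00270] Class 712809123 is undefined.
(ERROR) : [sm-xpsxps-00270] Class 712809123 is undefined.
(ERROR) : [sm-xpsxps-00270] Class 1397826539 is undefined.
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LDIF, SAMPLE_CONSOLE):
        print(finding)
```

An empty findings list corresponds to the outcome described in steps 2 and 7: ps2 started with no data and XPSRegClient reported no errors.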

 

Additional Information

 

(1)

    Example: Set up Multiwrite-DISP Replication between DSAs

      This example explains how to enable multiwrite replication with
      DISP recovery (MW-DISP) between two DSAs.
      
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/ca-directory-concepts/directory-replication/multiwrite-replication-with-disp-recovery/example-setting-up-multiwrite-disp-replication-between-dsas.html

(2)

    Adding a DSA to a Multiwrite-DISP System
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/directory/14-1/ca-directory-concepts/directory-replication/multiwrite-replication-with-disp-recovery/adding-a-dsa-to-a-multiwrite-disp-system.html

(3)

    Configure a Symantec Directory Policy Store

      This content describes how to configure a single Symantec
      Directory server instance to store policy data and encryption
      keys.
    
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-a-policy-server/configure-ldap-directory-servers-as-policy-session-and-key-stores/configure-an-ldap-directory-server-as-a-policy-store/configure-a-ca-directory-policy-store.html