Summary:
With the new Agent Discovery feature available in the R12.5x Policy Server, Agent Instance objects created in a multi-master replicated Policy Store environment can overwrite existing objects in the Policy Store because of a race condition, corrupting the previous objects. For this reason CA Support recommends disabling the Agent Discovery feature in multi-master replicated Policy Store environments.
Background:
The Agent Discovery feature was introduced to allow SiteMinder Agents to report data about themselves to the Policy Server, which creates an Agent Instance object in the Policy Store and makes this data available to SiteMinder Administrators via the WamUI's 'Infrastructure>Agent>Agent Instances' tab. The feature was designed to give SiteMinder Administrators a visual representation of the Agent Instances that are active in their environment, so that they can identify obsolete objects that are no longer in use, such as TrustedHosts, Agent Configuration Objects (ACO), and Host Configuration Objects (HCO). By reviewing the 'Status' of an Agent Instance object, a SiteMinder Administrator can see which Agent Instances are no longer communicating with the Policy Servers in the environment and delete the obsolete objects associated with them, which helps improve Policy Server performance in a large SiteMinder environment.
Due to an unforeseen race condition in multi-master replicated Policy Store environments in which Agents can communicate with multiple Policy Servers, it has been seen that an Agent Instance communicating with one Policy Server can create an Agent Instance object via that Policy Server/Policy Store that then, during Policy Store replication, overwrites a Policy Store object created via a WamUI pointed at a different Policy Server/Policy Store instance.
To help prevent Policy Store corruption in these environments, CA Engineering has provided the ability to disable the Agent Discovery feature at the Policy Server via the 'XPSConfig' utility at R12.51 CR-07 and R12.52 SP1 and above.
Environment:
R12.5 and above Single Sign-On/SiteMinder Policy Server
Instructions:
1.) Upgrade the Policy Server to R12.51 CR-07 or higher (except R12.52 Base and R12.52 CR-01).
2.) Open a command window and navigate to siteminder_home\xps\dd.
    siteminder_home: Specifies the Policy Server installation path.
3.) Run the following command:
    XPSDDInstall SmMaster.xdd
    XPSDDInstall: Imports the required data definitions.
4.) Open a command prompt on the Policy Server system.
5.) Enter "XPSConfig".
6.) Enter "SM".
7.) Enter the number that corresponds to "AgentDiscoveryEnabled".
8.) Change the value to "0".
9.) Restart the Policy Servers in the environment to pick up this Global parameter.
There are three states for the Agent Discovery feature: Disabled=0, Auto Discover=1, and Enabled > 1.
A value of "0" disables the feature and Agent Instance objects will not be written to the Policy Store.
A value of "1" disables the feature only if there are currently no Agent Instance objects in the Policy Store, in which case the value will be changed to "0". If there are existing Agent Instance objects in the Policy Store, the value will be changed to "2" and Agent Discovery will continue to create and update Agent Instance objects in the Policy Store.
A value greater than "1" will enable the Agent Discovery feature and Agent Instance objects will be written to the Policy Store.
Additional Information:
https://docops.ca.com/ca-single-sign-on/12-52-sp2/en/configuring/policy-server-configuration/agents-and-agent-groups/agent-discovery