Wednesday, July 25, 2012

Policy Server Limitations 12.0

Here I am going to post about policy server limitations in R12.0.

1) Error Changing Long Password (160 UTF8 octets) When Password Services is Enabled

2) Leading Spaces in User Password May Not Be Accepted

3) Handshake Errors with Shared Secret Rollover Enabled

4) Policy Servers Sharing Policy Store Not Updated Consistently -> Need to change the registry value: under SiteMinder\CurrentVersion\ObjectStore, set the key ServerCommandTimeDelay to 10

5) Certain User Name Characters Cause Authenticating or Authorizing Problems 

Example:
  • use&r1
  • use*r2
  • use\r3
  • use\\r4

6) Policy Server Does Not Support Roll Over of Radius Log

7) The copy option is not available for many objects.

Source: Bookshelf

Thanks !!! 

Monday, July 23, 2012

CA Report Server and Sun one Directory

CA Report Server and Sun one Directory should not be installed on the same box. Please make sure that Sun one Directory and CA Report Server are on different boxes, because neither will work if both are installed on the same box. This is as recommended by CA.

Please add this point as a pre-requisite when installing Sun one Directory or Report Server.

Thanks !!! 

Friday, July 20, 2012

Installation Media Platform Identification

Determine the Siteminder installer executable and extension for a particular OS:

Executable        Extension
aix               .bin
hp                .bin
linux             .bin
sol               .bin
win32 (32 bit)    .exe

Siteminder Password Services Default Redirection URL

Siteminder supports password services. For password services, Siteminder has some default pages which get loaded during policy server installation. If there is a request for a password change, an account lock message, or any other password-related task, Siteminder automatically redirects to the default CGI page.


In the latest version (R12 sp2) the page has been converted from CGI to FCC, so all password service requests are now redirected to the following URL:


CGI-based Password Services is deprecated, so any application still using the CGI-based pages should start migrating to the FCC-based ones.

Thanks !!! 

Thursday, July 19, 2012

Siteminder Administrator Authentication

In 12.0, to log in to the FSS UI / WAM UI for the first time we need to use the credentials given during installation; the default username is "siteminder". Credentials for the Administrator are stored in the Policy Store rather than in an External Store/User Store.

After the first login, the Administrator can configure an External Store/User Store for Admin Authentication.

Authentication with External Store is optional. 

Thanks !!!

Wednesday, July 18, 2012

Import Audit Logs/Access from Text Files to ODBC

When we install Siteminder, it usually takes some time to configure the database. During that period audit/access logs are stored in a text file. Another scenario is when the database is down and we configure a text file for logs.

To import such logs into the database once it is ready, we can use the Siteminder tool called "smauditimport", which is located in /bin of the Policy Server.

Things that need to be verified before running this command: 

  1. Need to verify if port is open from Policy server to database
  2. Create Data Source in policy server and verify connection. 
  3. Make sure that DB user has all the permissions on that schema. 

Options Available for this tool are: (CA Bookshelf)

  • audit_file
    Specifies the path and name of the text file containing the audit data.
    Note: The smauditimport tool requires the full path name of the audit data text file.
  • dsn
    Specifies the Data Source Name (DSN) of the ODBC database.
  • user_name
    Specifies the name of the ODBC database administrator.
  • user_password
    Specifies the password of the ODBC database administrator.
  • -f
    (Optional) When an error occurs while importing audit data, smauditimport logs the row number and continues processing.
    Default: Without the -f option, smauditimport logs the row number, but stops processing when an error occurs.
  • -v
    (Optional) Validates the number of fields in the text file, validates that the values in numeric fields fall within specified ranges, validates the connection to the database, and outputs errors.
    Note: When the smauditimport tool is run in the validation mode, no data is imported into the database.
  • -b bulk_load_size
    (Optional) Specifies the number of rows to read and import into the ODBC database.
    Default: 100
  • -s5 | -s6
    (Optional) Supports an ODBC database configured as an audit store with either 5.x schema or 6.x schema.
    Default: Supports an ODBC database configured as an audit store with 6.x schema
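
A validate-then-import wrapper built on the options above, as an added example (not from CA Bookshelf or the original post). It assumes the positional order audit_file, dsn, user_name, user_password in which the options are listed, Unix-style full paths, and that the tool exits non-zero on failure; the names import_audit_file, SMAUDITIMPORT and SM_AUDIT_DB_PASS are made up for the example.

```bash
#!/usr/bin/env bash
# Added example: run smauditimport in validation mode (-v) first and import
# only if validation passes.
# Assumptions: positional order audit_file dsn user_name user_password as
# listed above; the tool exits non-zero on failure.
SMAUDITIMPORT="${SMAUDITIMPORT:-smauditimport}"   # hypothetical override hook

# import_audit_file AUDIT_FILE DSN DB_USER [yes]
# A 4th argument of "yes" adds -f (log bad rows and keep going).
# The DB password comes from SM_AUDIT_DB_PASS (hypothetical variable name) so
# it stays out of shell history; it is still passed on the tool's command
# line and is visible in the process list while the tool runs.
import_audit_file() {
    local file="$1" dsn="$2" user="$3" keep_going="${4:-no}"
    local pass="${SM_AUDIT_DB_PASS:-}"

    # smauditimport requires the full path name of the audit text file.
    case "$file" in
        /*) ;;
        *) echo "audit file must be a full path: $file" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    [ -n "$pass" ] || { echo "SM_AUDIT_DB_PASS is not set" >&2; return 2; }

    # Pass 1: -v checks field counts, numeric ranges and the database
    # connection; no data is imported.
    if ! "$SMAUDITIMPORT" "$file" "$dsn" "$user" "$pass" -v; then
        echo "validation failed, nothing imported" >&2
        return 1
    fi

    # Pass 2: the real import. Without -f it stops at the first bad row.
    if [ "$keep_going" = "yes" ]; then
        "$SMAUDITIMPORT" "$file" "$dsn" "$user" "$pass" -f
    else
        "$SMAUDITIMPORT" "$file" "$dsn" "$user" "$pass"
    fi
}
```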

Thanks !!! 

Friday, July 13, 2012

DSEE Installation

Following are the basic steps while installing Oracle Directory Server Enterprise Edition: 

  1. Go to the server and run the command prompt as administrator.
  2. Copy the installer to any particular location on the server.
  3. Unzip the installer and navigate to the bin folder inside the installer.
  4. From the command prompt run the command "dsccsetup war-file-create".
  5. This will create the war file under the Var folder inside the installer.
  6. Run the following command in the command prompt: "dsccsetup.exe ads-create", which will create the directory server registry.
  7. While creating the registry it will ask for a password; please enter a password and remember it.
  8. After creating the directory server registry, run "dsccsetup.exe cacao-reg", which will register it in the cacao agent.
  9. If you get a cacao error, try running the command prompt as admin.
  10. Check "dsccsetup.exe status".
  11. Run "cacaoadm.bat status", which gives instance details:

default instance is DISABLED at system startup.
Current retries count : 0/4
Uptime: 0 day(s), 0:7

  12. Create a new instance and enable it.
  13. To create a new instance run "cacaoadm.bat create-instance Ravi_instance".
  14. Keep the password in a text file (password.txt) and enable the instance using the following command.
  15. Run "Cacaoadm.bat enable -i Ravi_instance -f C:\dsee7\password.txt"

Thanks !!!

CGI Error The specified CGI application misbehaved by not returning a complete set of http headers

The following error is caused by a bug:

"CGI Error The specified CGI application misbehaved by not returning a complete set of http headers"

This problem occurs when the programs are running on a computer that has dual processors and that is running Microsoft Windows Server 2003 or Microsoft Windows 2000. A race condition is created when the programs try to access the same resource and one or more of the programs cannot access the resource.

Microsoft has released a patch for this; please apply the patch available at the following link:

Thanks !!!

Friday, July 6, 2012

Basics about Policy Server and Policy Server Interactions

What is the Policy Server and how does it work?

The Policy Server (PS) is the core and central part of Siteminder; it makes connections with the different Siteminder components. The Policy Server directly interacts with:

1) Web Agent
2) Policy Store
3) User Store
4) Application Agent

Web Agent and Application Agent interaction with Policy Server:

  • The Web Agent connects to the Policy Server to verify whether the user is authenticated and authorized, so that it can respond to the user.
  • The Web Agent also receives response attributes from the Policy Server and forwards them to the application.

Policy Store interaction with Policy Server:

  • All policies that are defined in the WAM UI / FSS UI are stored in the Policy Store. The Policy Store directly interacts only with the Policy Server.

User Store interaction with Policy Server:

  • The Policy Server interacts with the User Store to validate user credentials (authentication) and authorization. The User Store only interacts with the Policy Server.

Hope this helps !!

Thanks !!!

Thursday, July 5, 2012

Windows Installer Error

Setup requires windows installer 4.5 or higher. you must download and install the latest version of windows installer.

Download required windows installer from

And continue your installation. 

Monday, July 2, 2012

Webagent Registration With Policy server Part 2

Hi, in this post I am going to list the steps to register a Webagent with the Policy server:

For pre-requisites please refer

Following are few pre-requisites for webagent installations: 

1) Need to get the proper installer from CA website. Take care of version and Type of Webagent.

2) Check the CA platform support matrix for minimum infrastructure requirements (CPU, RAM, Memory etc.)

Registration Steps:

1) Please go to installation path (Example in Windows:  C:\Program Files\CA\webagent) and run ca-wa-config file.  Select Continue.

2) After that the following screen will appear; don't press anything during this screen.

3) Select "Yes, I would like to do Host Registration now" and click "Next"

4) Provide Siteminder(Policy Server) Admin Username and password, if you want to Enable Shared secret Rollover check "Enable Shared Secret Rollover" and press Next.

5) Give Trusted host name and Host Configuration Object (which is created in policies) and click next.

6) Provide Hostname / IP Address of Policy server, click Add button and click next.

7)  Select FIPS Compatibility Mode if you are not using any FIPS Compliant Algorithms. 

8) Select path where you want smhost.conf located. 

9) Select Webserver with which you want to register policy server. 

10) Select the website under that webserver which you need siteminder Agent. 

11) Provide ACO name which is already created. 

12) Check the configuration summary before pressing Install. If everything looks good, press Install.

After that verify Smhost.conf file and webagent.conf

Thanks !!
