Troubleshooting SSO

The following topics describe common errors and issues that you may encounter. Where at all possible, a resolution has been paired with the error or an issue to assist you with your integration.
Error While Creating a Domain in CA SSO Admin User Interface
Symptom:
Post integration of Identity Manager and CA SSO, I get the following error when I try to create a domain from the CA SSO Admin User Interface:
Failed to execute CreateDomainEvent. ERROR MESSAGE: SmApiWrappedException:Class CA.SM::Domain does not have attribute CA.SM::Domain.IMSEnvironmentsLink
Solution:
  1. Ensure that you have imported the IdmSmObjects.xdd objects.
    See Import Data Definitions into the Policy Store.
  2. Restart CA SSO Policy Server and CA SSO Admin User Interface services.
Missing Windows DLL
Symptom:
Missing Windows DLL (MSVCP71.dll)
We observed that after the CA SSO connection was enabled, JBoss threw a Java error complaining about a missing DLL (MSVCP71.dll).
This error may not appear if JBoss is running as a service. If at all possible, test your configuration without running JBoss as a service.
Solution:
Follow these steps:
  1. Locate MSVCP71.dll on the CA SSO Policy Server, if it is running on Windows.
  2. Copy this DLL (MSVCP71.dll) into the \Windows\system32 folder.
  3. After you place this file in the correct location, register it with the OS.
  4. From the Command Prompt, run the regsvr32 command. As long as the file is loaded, you should be OK.
  5. Restart the application server.
Incorrect CA SSO Policy Server Location
Symptom:
Incorrect CA SSO Policy Server Location.
Solution:
An incorrect location is referenced in ra.xml. The error "Cannot connect to Policy Server: xxx" appears.
Follow these steps:
  1. Verify the hostname that is provided in ra.xml.
    The image shows the hostname that is provided in ra.xml.
  2. In the ConnectionURL property, specify your CA SSO Policy Server hostname. Use an FQN (Fully Qualified Name).
Incorrect Admin Name
Symptom:
Incorrect Admin Name
Solution:
An incorrect admin is referenced in ra.xml. The error "Unknown administrator" appears.
Follow these steps:
  1. Check the UserName property in ra.xml.
    The image shows the UserName property in the ra.xml file.
  2. In the UserName property, specify the account that is used to communicate with CA SSO. For example, use the CA SSO account (default value).
Incorrect Admin Secret
Symptom:
Incorrect Admin Secret
Solution:
An incorrect admin secret is used in ra.xml. The error "Cannot connect to the Policy Server: Invalid credentials" appears.
Follow these steps:
  1. Check the AdminSecret property in ra.xml.
    The image shows the AdminSecret property in the ra.xml file.
  2. In the AdminSecret property, specify the encrypted password for the username that is referenced in the UserName property.
Incorrect Agent Name
Symptom:
Incorrect Agent Name
Solution:
An incorrect agent name is used in ra.xml. The error "Cannot connect to the Policy Server: Failed to init Agent API: -1" appears.
Follow these steps:
  1. Check the AgentName property in ra.xml.
    The image shows the AgentName property in the ra.xml file.
  2. Specify the 4.X agent name that you created during the third step of the CA SSO configurations.
Incorrect Agent Secret
Symptom:
Incorrect Agent Secret
Solution:
An incorrect agent secret is used in ra.xml. The error "Cannot connect to the Policy Server: Failed to init Agent API: -1" appears with a preceding crypto handler error.
Follow these steps:
  1. Check the AgentSecret property in ra.xml.
    The image shows the AgentSecret property in the ra.xml file for encryption.
  2. Specify the encrypted password that was used when creating that agent.
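The five ra.xml checks above (ConnectionURL, UserName, AdminSecret, AgentName, AgentSecret) can be run in one pass before restarting the application server. The following is an added example, not code from the product: it assumes ra.xml uses the standard connector descriptor layout (config-property elements with config-property-name and config-property-value children) and that ConnectionURL holds the bare hostname as described above. The helper names and sample values are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

REQUIRED = ("ConnectionURL", "UserName", "AdminSecret", "AgentName", "AgentSecret")
SECRETS = {"AdminSecret", "AgentSecret"}
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def local(tag):
    """Drop any XML namespace so DTD- and schema-based descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def read_properties(ra_xml):
    """Collect name/value pairs from config-property elements (assumed layout)."""
    props = {}
    for el in ET.fromstring(ra_xml).iter():
        if local(el.tag) == "config-property":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            props[kv.get("config-property-name", "")] = kv.get("config-property-value", "")
    return props


def is_fqn(host):
    """True for dotted host names; short names and IPv4 literals are rejected."""
    labels = host.rstrip(".").split(".")
    return (len(labels) >= 2 and all(LABEL.match(p) for p in labels)
            and not labels[-1].isdigit())


def check(ra_xml):
    """Return (findings, report); secret values are masked in the report."""
    props = read_properties(ra_xml)
    findings = [f"{n}: missing or empty" for n in REQUIRED if not props.get(n)]
    host = props.get("ConnectionURL", "")
    if host and not is_fqn(host):
        findings.append(f"ConnectionURL: '{host}' is not a fully qualified name")
    report = {n: "***" if n in SECRETS and props.get(n) else props.get(n, "")
              for n in REQUIRED}
    return findings, report


def sample(values):
    """Constructed ra.xml fragment built from placeholder values."""
    body = "".join(
        f"<config-property><config-property-name>{k}</config-property-name>"
        f"<config-property-value>{v}</config-property-value></config-property>"
        for k, v in values.items())
    return f"<connector><resourceadapter>{body}</resourceadapter></connector>"
```

Pass the text of your own ra.xml to `check()`; the report masks AdminSecret and AgentSecret so the output can be attached to a support ticket without exposing them.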
No User Context in Identity Manager
Symptom:
No User Context in Identity Manager.
If a user tries to access Identity Manager without an SMSESSION cookie, Identity Manager cannot authenticate the user. In this case, you can expect to see an empty Identity Manager UI.
If Workflow is enabled for your environment, expect to see a failure much like this.
The image shows a sample WorkFlow error message.
Solution:
A few things can cause this, but it is usually one of the following:
  • You have directly accessed Identity Manager.
  • The CA SSO agent at the proxy is disabled (that is, nothing is protected and the SMSESSION cookie is not being created).
  • The CA SSO Domain for the Identity Manager environment is misconfigured.
The first two causes are straightforward. Ensure that you route through the web server with the fully functional web agent enabled. If, however, you are going through the web server and the agent is enabled, then you must modify the Domain.
Follow these steps:
  1. Log in to the CA SSO Administrative UI.
  2. Locate your Identity Manager Domain and click through the layers to modify it. Click the Realm tab and then the first realm in the list.
  3. The default location of the forward slash is under the realm. Delete it.
  4. Click the Rule under this Realm.
    The default effective resource for the rule is an asterisk "*".
  5. Add the forward slash "/" in front of the asterisk.
    You have moved the forward slash from the realm to the rule. The protection is the same, but CA SSO treats it differently.
    You can successfully log in to Identity Manager through CA SSO. To validate proper protection, review your CA SSO agent logs.
Error Loading Environments
Symptom:
When importing an environment back into Identity Manager after integrating with CA SSO, an error appears about attribute "requireadminpassword" and the element "WebService".
Note: This issue can also occur when CA SSO is not part of the deployment.
Solution:
This error allows partial deployment of the environment. The partial deployment can create empty elements in the Identity Manager object store. Correct one of the environment XMLs and reimport.
Follow these steps:
  1. Locate the archived ZIP file, and explore it.
  2. Create a copy of the XXX_environment_settings.xml.
  3. Edit this file and locate the "WebService" element.
  4. Delete the tag requireadminpassword="false".
    Note: Remove the tag and the value. Do not remove only the value.
  5. Save your changes and place the file back into the ZIP file.
  6. Reimport the archived environment zip file.
    You do not have to delete the environment that was created from the failed attempt. Reimporting a corrected file fixes the errors from the failed attempt.
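The procedure above can be scripted so that the original archive is left untouched and only the WebService element is changed. The following is an added example, not code from the product: it writes a corrected copy of the ZIP and removes requireadminpassword together with its value from every WebService start tag in any member named *_environment_settings.xml. The sample archive, its file names and the other element and attribute names are constructed for illustration.

```python
import io
import re
import zipfile

# Matches a WebService start tag; the attribute is removed only inside it.
WEBSERVICE_TAG = re.compile(rb"<WebService\b[^>]*>")
# The attribute together with its quoted value (step 4: remove both).
REQUIRE_ATTR = re.compile(rb"""\s+requireadminpassword\s*=\s*("[^"]*"|'[^']*')""")


def strip_attribute(xml_bytes):
    """Return (new_bytes, count) with the attribute removed from WebService tags."""
    removed = 0
    def fix_tag(match):
        nonlocal removed
        tag, n = REQUIRE_ATTR.subn(b"", match.group(0))
        removed += n
        return tag
    return WEBSERVICE_TAG.sub(fix_tag, xml_bytes), removed


def fix_environment_zip(src, dst):
    """Copy archive src to dst, correcting every *_environment_settings.xml member."""
    total = 0
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            data = zin.read(info)
            if info.filename.endswith("_environment_settings.xml"):
                data, n = strip_attribute(data)
                total += n
            zout.writestr(info, data)  # all other members are copied unchanged
    return total


def build_sample_zip():
    """Constructed sample archive; layout other than WebService is hypothetical."""
    settings = (b'<ImsEnvironment name="demo">\n'
                b'  <WebService enabled="true" requireadminpassword="false" wsdl="on"/>\n'
                b'</ImsEnvironment>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("demo_environment_settings.xml", settings)
        z.writestr("demo_environment_roles.xml", b"<Roles/>")
    return buf


if __name__ == "__main__":
    print("attributes removed:", fix_environment_zip(build_sample_zip(), io.BytesIO()))
```

`fix_environment_zip()` also accepts file paths for `src` and `dst`; a return value of 0 means no WebService tag carried the attribute and the import error has a different cause.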
Cannot Create a CA Identity Manager Directory or Environment
Symptom:
Cannot create an Identity Manager directory or environment, when CA SSO integration is enabled.
Solution:
This issue can be caused by a missing entry in the registry.
Verify that the following registry setting exists on the CA SSO Policy Server:
  • Solaris or Linux:
    Verify that the following entry exists in sm.registry:
    ImsInstalled=8.0; REG_SZ
  • Windows:
    Verify that setting "ImsInstalled=8.0; REG_SZ" exists in the following location: 
    HKLM\SOFTWARE\Netegrity\SiteMinder\CurrentVersion
Notes:
  • If the registry path \Netegrity\SiteMinder\CurrentVersion does not exist, create it manually.
  • If you change the registry, be sure to restart the Policy Server for the changes to take effect.
  • Before you modify the registry, perform a full system backup.
User Cannot Log In
Symptom:
A new user cannot log in to an environment with a clear text password.
Solution:
Verify that the following data classification is not included in the password attribute definition in the directory configuration file (directory.xml):
<DataClassification name="AttributeLevelEncrypt"/>
In environments that include the following components, enabling attribute level encryption prevents users from logging in:
  • CA SSO, and
  • A relational database