
CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 20th August 2015


OVERVIEW

Use custom login page to POST to login.fcc with SecureURLs=yes.

 

If this is not set up correctly, the Web Agent trace will log the following error:

[CSmHttpPlugin::ProcessResource][Error. Unable to handle request in Secure mode.]

 

With SecureURLs enabled, the Web Agent encrypts all SiteMinder query parameters (e.g. smagentname, target) in a redirect URL, further securing Agent interactions. All the query parameters are grouped into a single query parameter called SMQUERYDATA.

 

REQUIREMENTS

  • You can use the OOTB login.fcc. However, if you are using custom FCCs, you must add the smquerydata directive to the custom FCC along with the other FCC directives, such as TARGET.
  • Customize the custom login page (ASP/JSP page) to extract the SMQUERYDATA from the redirect response and append the SMQUERYDATA to the subsequent POST request both as a query string and as POST data.

 

SETUP

  1. Set up a form authentication scheme that references the custom login page, e.g. login.asp.
  2. Customize login.asp to extract the SMQUERYDATA from the redirect response and POST to login.fcc with SMQUERYDATA appended to the URL as a query string and included as POST data.
  3. Customize login.fcc to include the following directive: <INPUT type='hidden' name='smquerydata' value='$$smquerydata$$'>
  4. Apply this authentication scheme to a protected realm.
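The following is an added example (not code from the CA tech tip) of the logic the custom login page needs in step 2: pull SMQUERYDATA out of the redirect URL the Web Agent sent the browser to, then build a POST to login.fcc that carries the same value both in the query string and in the form body. The host names and paths are constructed placeholders; the credential field names USER and PASSWORD and the lowercase smquerydata form field name (matching the hidden-input directive in step 3) are assumptions, not values stated on this page.

```javascript
// Added example: building the login.fcc POST a custom login page must make
// when SecureURLs=yes. All URLs below are constructed placeholders.

// The single encrypted parameter the Web Agent emits with SecureURLs enabled.
const SMQUERYDATA = 'SMQUERYDATA';

// Extract SMQUERYDATA from the redirect URL. Returns null when it is absent,
// which is the situation that later produces "Unable to handle request in
// Secure mode" in the Web Agent trace. Matching is case-insensitive so that
// SMQUERYDATA and smquerydata are both accepted.
function extractSmQueryData(redirectUrl) {
  const url = new URL(redirectUrl);
  for (const [name, value] of url.searchParams) {
    if (name.toUpperCase() === SMQUERYDATA) {
      return value; // already percent-decoded by URLSearchParams
    }
  }
  return null;
}

// Build the POST the login page should issue: the FCC URL with SMQUERYDATA as
// a query string, plus a form body that repeats the value as POST data next to
// the credential fields. USER/PASSWORD/smquerydata field names are assumptions.
function buildFccPost(redirectUrl, fccUrl, user, password) {
  const smqd = extractSmQueryData(redirectUrl);
  if (smqd === null) {
    throw new Error(
      'SMQUERYDATA missing from redirect: login.fcc would reject the request in Secure mode'
    );
  }
  // URLSearchParams encodes the value exactly once, so the opaque encrypted
  // blob reaches login.fcc unchanged after the Web Agent decodes it.
  const action = new URL(fccUrl);
  action.searchParams.set(SMQUERYDATA, smqd);
  const body = new URLSearchParams({ USER: user, PASSWORD: password, smquerydata: smqd });
  return { action: action.toString(), body: body.toString() };
}

// Stand-alone demonstration with a constructed redirect URL.
if (typeof module === 'undefined' || require.main === module) {
  const demo = buildFccPost(
    'https://www.example.test/login.asp?SMQUERYDATA=AbC%2F123%3D',
    'https://www.example.test/siteminder/login.fcc',
    'alice',
    's3cret'
  );
  console.log(demo.action);
  console.log(demo.body);
}
```

In a real ASP/JSP page the same two values become the form's action attribute and a hidden field; an HTTP header trace of the resulting POST should show SMQUERYDATA in both places, which is the first thing to check when the Secure mode error appears.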

 

POINTERS

An HTTP header trace will capture the POST data and request redirections. The trace helps to identify the failing point within the login process.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 11th August 2015

 

Symptoms:

  • Policy Server trace logged the following message:

[SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse] [531][<session=><command=smlookup><directory = userstore><searchpattern = cn=*><status=E/0213/0/No session>][Processed EMS2 response.]

 

  • smkeyexport in clear text returned the error “Failed to decrypt persistent key”.
  • “No session” error is returned when accessing key management from WAM UI.
  • Telnet to LDAP port is successful.
  • smldapsearch command is successful.
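As an added example (not part of the tech tip), the following parser pulls the EMS2 traceResponse records out of Policy Server trace output and flags the "No session" status shown above, so the symptom can be spotted quickly across a large trace instead of by eye. The two sample lines are constructed for the example: the first reproduces the record from this tip, the second is a made-up healthy response whose OK status format is an assumption.

```javascript
// Added example: triaging Policy Server trace lines for EMS2 "No session"
// responses. Sample lines are constructed; the healthy status format is assumed.
const SAMPLE_TRACE = [
  '[SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse] [531][<session=><command=smlookup><directory = userstore><searchpattern = cn=*><status=E/0213/0/No session>][Processed EMS2 response.]',
  '[SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse] [532][<session=abc123><command=smlookup><directory = userstore><searchpattern = cn=*><status=OK/0000/0/>][Processed EMS2 response.]',
  '[SmAuthUser.cpp:120][CSmAuthUser::Authenticate] [533][unrelated record]',
];

// Parse one trace line. Returns null for lines that are not EMS2 traceResponse
// records, otherwise an object with the <name = value> fields and a split status.
function parseEmsResponse(line) {
  if (!line.includes('CSmEmsCommandBase::traceResponse')) return null;
  const fields = {};
  // Fields look like <command=smlookup> or <directory = userstore>; the value
  // may itself contain '=' (e.g. <searchpattern = cn=*>), so only the first '='
  // after the name is treated as the separator.
  const fieldRe = /<(\w+)\s*=\s*([^>]*)>/g;
  let m;
  while ((m = fieldRe.exec(line)) !== null) {
    fields[m[1]] = m[2].trim();
  }
  // Status has the shape severity/code/sub/message, e.g. E/0213/0/No session.
  const [severity = '', code = '', sub = '', ...rest] = (fields.status || '').split('/');
  fields.status = { severity, code, sub, message: rest.join('/') };
  return fields;
}

// Return the parsed records whose status is an error with message "No session",
// the signature of the Policy Server failing to open a session with the user store.
function findNoSessionResponses(lines) {
  return lines
    .map(parseEmsResponse)
    .filter((r) => r !== null && r.status.severity === 'E' && r.status.message === 'No session');
}

// Stand-alone demonstration over the constructed sample.
if (typeof module === 'undefined' || require.main === module) {
  for (const hit of findNoSessionResponses(SAMPLE_TRACE)) {
    console.log(`No session: command=${hit.command} directory=${hit.directory} code=${hit.status.code}`);
  }
}
```

When this check fires while smldapsearch and a plain TCP connection to the LDAP port both succeed, the network and the directory are not the problem; the key store (persistent key decryption) is the next thing to verify, as the resolution below describes.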

 

Resolution:

The persistent key could not be decrypted. As a result, the Policy Server failed to establish a valid session with the backend user store.

 

Remediation steps:

  1. Appoint only ONE Policy Server to generate agent keys in the same environment.
  2. Stop all the Policy Server(s) referencing the same key store.
  3. Clean up the agent keys and persistent key.
  4. Start Policy Server (new set of keys will be generated) and restart WAM UI.