
CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 25th Nov 2015

QUESTION:

What are HLA and LLA/LLAWP within the Advanced Authentication (SiteMinder) Web Agent?

ANSWER:

The framework agents break the existing Web Agent's access control functionality into logical blocks called 'managers', e.g. the Challenge Manager and the Resource Manager. Each manager is assigned specific tasks, and all managers are controlled by a single High-Level Agent (HLA) manager that implements the SiteMinder access control logic.

The High-Level Agent orchestrates the complete flow of servicing a request, from receiving the request to finally authorizing access to the requested resource.

The Low-Level Agent Worker Process (LLAWP) implements the Agent-to-Policy Server DoManagement polling mechanism, writes log messages to the physical log medium and collates health data for the SiteMinder One-View Monitor. The LLAWP uses shared memory to communicate between its clients and to facilitate logging and caching.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 25th Nov 2015

ISSUE:

The SiteMinder Web Agent configuration wizard fails to detect the Apache instance running on a Windows server.

CAUSE:

For Apache, the SiteMinder Web Agent configuration wizard looks for the ServerRoot registry entry under the following registry paths:

  • 64-bit Apache 2.0: HKEY_LOCAL_MACHINE\SOFTWARE\Apache Group\Apache\<version>
  • 32-bit Apache 2.0: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Group\Apache\<version>
  • 64-bit Apache 2.2/2.4: HKEY_LOCAL_MACHINE\SOFTWARE\Apache Software Foundation\Apache\<version>
  • 32-bit Apache 2.2/2.4: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Apache\<version>
  • 32-bit OHS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ORACLE

If a pre-compiled Apache is installed from the console, the installer may not prompt for the Apache installation directory path, and the registry key is then not created by the installation.

RESOLUTION:

Create the registry entry accordingly, referencing the Apache root folder, e.g.:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Apache\2.2.25\ServerRoot = C:\Program Files (x86)\Apache Software Foundation\Apache2.2\

Update the Apache installation directory path in the httpd.conf file and re-run the SiteMinder Web Agent configuration wizard.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 25th Nov 2015

ISSUE:

Resources are protected with the Integrated Windows Authentication (IWA) scheme.

Users log in through a level 5 IWA scheme. When a user accesses a resource that requires a higher authentication level (level 10) than the existing session holds, the Policy Server rejects the step-up access with the following error:

[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2393/r8][winagent][][][][highwinrealm][highwindomain][][][][][][][][][][][][][][** Status: Not Authorized. Session is not authorized for this security level][][][][][][][][][kMwBI49TESlO…4dFFGSC][][][cn=administrator,CN=Users,dc=test,dc=com]

CAUSE:

With IWA, the Web Agent redirects the user to creds.ntc for authentication, with the CHALLENGE header value appended to the query string, e.g.:

http://support.ca.com/siteminderagent/ntlm/creds.ntc?CHALLENGE=-SM-Ju%2bV9mlAGDRNm27iWCZe4EJJ1NmhDutvLoOAA4KCOrnDElxgY72TsvjUWhAFZB5g&SMAGENTNAME=VVxwPoXpuA1x2lBT4BYdLQ6WS61uAfktANTcakLxikLmGzGPR0xvSBWYpNXp86tT&TARGET=-SM-http%3a%2f%2fkumna13--u139913%2enawal%2ecom%2fhighwin%2fpage1%2ehtml

The CHALLENGE header carries the encrypted user name from the existing user session. The Web Agent compares the user authenticated by IIS with the user name passed in the CHALLENGE query string. If they match, NTLM challenges the user again; if the user logs in with the same credentials, the Web Agent validates the user against the existing authentication level, and the Policy Server rejects the access again. Hence the request goes into a loop.

RESOLUTION:

Additional logic has been added to the Web Agent to identify step-up authentication. It removes the CHALLENGE header from the query string when the logged-in user is accessing a realm with a higher protection level.

Tentatively, the fix will be incorporated in the following releases:

  • R12.51 CR8
  • R12.52 SP1 CR4
  • R12.52 SP2

WORKAROUND:

Use the same protection level across the authentication schemes to avoid getting into this loop.
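As an added detection example (not from this tech tip), the Python below parses Sm_Az_Message trace entries like the one quoted under ISSUE and flags a user/realm pair that is rejected with "Session is not authorized for this security level" repeatedly, which is how the loop described under CAUSE shows up in the Policy Server trace. The field positions for agent and realm are assumed from that single quoted entry, and the sample lines are constructed.

```python
import re
from collections import Counter

STEP_UP_REJECT = "Session is not authorized for this security level"
FIELD_RE = re.compile(r"\[([^\]]*)\]")

def parse_az_line(line):
    """Split one Sm_Az_Message trace entry into its bracketed fields. Assumed from the
    quoted entry: field 6 is the agent, field 10 the realm, the '** Status:' field
    carries the decision and the user DN is the last DN-shaped field. None otherwise."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 12 or "Sm_Az_Message" not in fields[2]:
        return None
    status = next((f for f in fields if f.startswith("** Status:")), "")
    user = next((f for f in reversed(fields) if "=" in f and "," in f), "")
    return {"agent": fields[5], "realm": fields[9], "status": status, "user": user}

def find_step_up_loops(log_text, threshold=3):
    """Count step-up rejections per (user, realm); pairs repeating at least
    `threshold` times are the signature of the redirect loop."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_az_line(line)
        if rec and STEP_UP_REJECT in rec["status"]:
            counts[(rec["user"], rec["realm"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}

# Constructed sample modelled on the quoted entry: session id replaced by a placeholder,
# empty fields trimmed, three rejections for one user/realm plus one unrelated grant.
REJECT = ("[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2393/r8]"
          "[winagent][][][][highwinrealm][highwindomain][][][** Status: Not Authorized. "
          + STEP_UP_REJECT + "][][SESSION-ID-PLACEHOLDER][][][cn=administrator,CN=Users,dc=test,dc=com]")
GRANT = ("[9592][8908][Sm_Az_Message.cpp:595][CSm_Az_Message::ProcessMessage][s2394/r9]"
         "[winagent][][][][lowwinrealm][lowwindomain][][][** Status: Authorized]"
         "[][SESSION-ID-PLACEHOLDER][][][cn=administrator,CN=Users,dc=test,dc=com]")
SAMPLE_LOG = "\n".join([REJECT, GRANT, REJECT, "trace line without bracketed fields", REJECT])

if __name__ == "__main__":
    for (user, realm), n in find_step_up_loops(SAMPLE_LOG).items():
        print(f"possible step-up loop: {user} rejected {n} times for realm {realm}")
```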

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 17th Nov 2015

Issue:

An IIS 7.x web server hosts multiple websites, some configured with the SiteMinder Web Agent and some not, each with its own application pool. When a user accesses an IIS website that is not configured with the SiteMinder Web Agent, LLAWP is observed initializing and the following warning is logged in the Event Viewer application log:

Siteminder Web Agent not having write permission on host configuration file. Shared secret roll-over may not be supported. Permission denied. Please assign write permission to the user IUSR2 for the file C:\CA\webagent\win64\config\SmHost.conf

The IUSR2 user identity is associated with the application pool of the website that is not configured with the SiteMinder Web Agent.

Cause:

With IIS 7.x, the Web Agent is initialized at the global module level and IIS global-level functions are used. Hence, the SiteMinder Low-Level Agent Worker Process (LLAWP) is invoked with the w3wp process.

Workaround:

Ensure that every application pool identity has read and write permissions to WebAgent.conf, SmHost.conf and the SiteMinder Web Agent log files.

Additional Information:

The Web Agent initialization logic is being moved to a local HTTP module. Therefore, LLAWP will only be initialized for websites that are configured with the Web Agent.

Tentatively, the change will be addressed in the following SiteMinder Web Agent releases:

  • R12.5 CR5
  • R12.52 SP1 CR4
  • R12.52 SP2

The latest NPS survey is now available for Single Sign-On users who would like to provide input on their experience with the product. Customer feedback is one of the most important tools we use to advise product development. In addition to product management, your feedback is immediately accessible by CA executive management, who are always looking to improve your experience. If you would like to complete this short survey, please go here: https://survey.medallia.com/?product-communities&product=Single%20Sign-On%20(SiteMinder)

Thank you.

Monique Lucey

Director, Single Sign-On Product Marketing

How long have you been at CA, CAlteri?

Since July 15, 2013.

Are you a dedicated engineer as part of an enhanced support package?

I am dedicated to State Street, but I also work with all our other customers using Single Sign-On.

What was the career path that led you here?

I have over 12 years' experience in customer care and technical support.

What product do you support?

CA Single Sign-On

What keeps you at CA?

I enjoy the team I work with and the flexibility to balance my home and work life.

What is your passion outside of work? What do you like to do?

I am an avid fisherman. I also camp and play bass guitar!

What is your educational background?

I have a BA in Film Theory. I also have a Certificate in computer science, and am an MCSE.

How has support changed since you started?

Support is always changing. We have to keep up with new product releases, and the expectations of our customers. Also, there are third party products that provide integration challenges.

Why should people be involved in the communities?

The communities offer a central point for customers and support engineers to share ideas and offer solutions to issues. It is also a great way for us to get an idea of what sorts of issues customers are seeing and proactively work to fix them.

Why should customers read Knowledge Articles?

KB Articles can allow our customers to answer their own questions, and provide them with a working document to help them resolve issues without having to initiate the support process.

Follow the Support Engineer Here: CAlteri

Meet More CA Support Engineers Here

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 6th Nov 2015

ISSUE

Unable to locate a user while configuring the Administrative UI to authenticate CA Single Sign-On (SiteMinder) administrators using an external user store.

RESOLUTION

When going through the Administrative Authentication wizard, the Step 6: Select Super User dialog allows you to locate a single user in the user store. However, the search query differs between Policy Server releases:

  1. 12.52 SP1 release:

Filter: (&(|(sAMAccountName=*wonsa03*)(displayName=*wonsa03*))(&(&(objectclass=organizationalPerson)(objectclass=person))(objectclass=user)))

  2. 12.51 release:

Filter: (displayName=*wonsa03*)(&(&(objectclass=organizationalPerson)(objectclass=person))(objectclass=user)))

The R12.51 Policy Server locates the user via the displayName attribute only, while the R12.52 SP1 Policy Server searches through both the displayName and sAMAccountName attributes.
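To make the difference concrete, the following added Python (not part of the tech tip) evaluates both filters against a constructed directory entry whose sAMAccountName contains the search term but whose displayName does not. It parses the subset of LDAP filter syntax these two filters use; the 12.51 filter as quoted above is unbalanced and is rejected by the parser, so a balanced form with the leading (& is assumed for the comparison.

```python
from fnmatch import fnmatchcase

def parse_filter(text):
    """Parse (&...), (|...) and attr=value leaves with * wildcards (RFC 4515 subset)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            result = (op, kids)
        else:
            end = text.index(")", pos)
            attr, _, pattern = text[pos:end].partition("=")
            result, pos = ("=", attr.lower(), pattern.lower()), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result
    tree = node()
    if pos != len(text):  # trailing text: the 12.51 line as quoted lacks its outer "(&"
        raise ValueError(f"unbalanced filter, trailing text at offset {pos}")
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against an entry {attribute: [values]}, case-insensitively."""
    if tree[0] in ("&", "|"):
        combine = all if tree[0] == "&" else any
        return combine(matches(child, entry) for child in tree[1])
    _, attr, pattern = tree
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return any(fnmatchcase(v.lower(), pattern) for v in values)

def locate_super_user(filter_text, entries):
    """sAMAccountName of every entry the Select Super User search would return."""
    tree = parse_filter(filter_text)
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]
FILTER_1252_SP1 = ("(&(|(sAMAccountName=*wonsa03*)(displayName=*wonsa03*))"
                   "(&(&(objectclass=organizationalPerson)(objectclass=person))(objectclass=user)))")
# Assumed balanced form of the 12.51 filter (the quoted line lacks its opening "(&").
FILTER_1251 = ("(&(displayName=*wonsa03*)"
               "(&(&(objectclass=organizationalPerson)(objectclass=person))(objectclass=user)))")
# Constructed directory entry: the login name carries the search term, the display name does not.
ADMIN = {"sAMAccountName": ["wonsa03"], "displayName": ["Sau Lai Wong"], "objectClass": ["top", "person", "organizationalPerson", "user"]}
```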

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 6th Nov 2015


Issue:

SPS fails to start after being configured with a dedicated user instead of the root user.

Cause:

When SPS is configured with a dedicated user, proxyserver.sh is executed as this user instead of root. During startup, the sps.pid file is created under the ${PROXY_HOME}/CA/secure-proxy/tmp directory, so this user needs write permission to that directory.

The following is observed when SPS is started with the root account after it was configured with a dedicated user:

[root@lod1111 proxy-engine]# ./sps-ctl start
httpd (pid 7814) already running
Successfully Started Apache..
Attempting to start Secure Proxy Engine..
Sending output to /opt/CA/secure-proxy/proxy-engine/logs/nohup.out.20151002_020336
/opt/CA/secure-proxy/proxy-engine/proxyserver.sh: line 184: /opt/CA/secure-proxy/proxy-engine/tmp/sps.pid: Permission denied
/opt/CA/secure-proxy/proxy-engine/proxyserver.sh: line 184: /opt/CA/secure-proxy/proxy-engine/logs/nohup.out.20151002_020336: Permission denied
Successfully Started Proxy Engine..
(Proxy Engine initialization may take a few extra seconds).

Resolution:

On UNIX, make sure the following is set in the httpd.conf file:

User <dedicated_user>

LoadModule env_module modules/mod_env.so

PassEnv LD_LIBRARY_PATH

Also, change the owner of the tmp and logs folders to this dedicated user.

If you have configured SPS as a Federation Gateway, the Federation Web Services application is deployed inside the Tomcat web server. Hence, ensure that the owner of the ${PROXY_HOME}/CA/secure-proxy/Tomcat/webapps/affwebservices folder is updated to this dedicated user with at least 755 permissions; otherwise you will run into an HTTP 404 error with the following exception logged in the nohup log:

Oct 26, 2015 7:07:00 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jsp] in context with path [/affwebservices] threw exception [java.lang.IllegalStateException: No output folder] with root cause
java.lang.IllegalStateException: No output folder

So, change the owner of the tmp and logs folders to nobody, keeping the permissions on the secure-proxy files and folders at 755, and try starting SPS again.
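As an added pre-start check (not part of the tech tip or the product), the Python below applies the ownership and permission rules above to a secure-proxy tree: tmp and logs under proxy-engine must be writable by the dedicated user, and for a Federation Gateway the Tomcat/webapps/affwebservices folder must be owned by that user with at least 755. It derives the answer from mode bits and ownership for an arbitrary uid, so it can be run as root before the switch to the dedicated user; the demo tree it builds is constructed, and ACLs are ignored.

```python
import os
import tempfile

def user_perms(path, uid, gids):
    """(read, write, exec) that uid, a member of gids, gets on path, derived from
    ownership and mode bits the way POSIX does it (ACLs and root override ignored)."""
    st = os.stat(path)
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    bits = (st.st_mode >> shift) & 0o7
    return bool(bits & 4), bool(bits & 2), bool(bits & 1)

def sps_preflight(secure_proxy, uid, gids, federation=False):
    """List what would stop proxyserver.sh running as the dedicated user:
    proxy-engine/tmp and proxy-engine/logs must accept sps.pid and nohup.out,
    and with a Federation Gateway, affwebservices must be owned by uid with >= 755."""
    problems = []
    for sub in ("tmp", "logs"):
        d = os.path.join(secure_proxy, "proxy-engine", sub)
        if not os.path.isdir(d):
            problems.append(f"{d}: directory missing")
        elif not all(user_perms(d, uid, gids)[1:]):  # creating a file needs w and x
            problems.append(f"{d}: Permission denied for uid {uid}")
    if federation:
        aff = os.path.join(secure_proxy, "Tomcat", "webapps", "affwebservices")
        if not os.path.isdir(aff):
            problems.append(f"{aff}: directory missing")
        else:
            st = os.stat(aff)
            if st.st_uid != uid or (st.st_mode & 0o755) != 0o755:
                problems.append(f"{aff}: must be owned by uid {uid} with at least 755")
    return problems

def build_demo_tree(logs_mode=0o555):
    """Constructed stand-in for ${PROXY_HOME}/CA/secure-proxy owned by the current user,
    with proxy-engine/logs set to logs_mode (0o555 reproduces the Permission denied above)."""
    base = tempfile.mkdtemp(prefix="secure-proxy-")
    for sub in ("proxy-engine/tmp", "proxy-engine/logs", "Tomcat/webapps/affwebservices"):
        path = os.path.join(base, sub)
        os.makedirs(path)
        os.chmod(path, 0o755)
    os.chmod(os.path.join(base, "proxy-engine", "logs"), logs_mode)
    return base, os.getuid(), set(os.getgroups())

if __name__ == "__main__":
    base, uid, gids = build_demo_tree()
    for problem in sps_preflight(base, uid, gids, federation=True):
        print(problem)
```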

For those coming to CA World '15 or planning to – now there’s even more mainframe content! Check out the new sessions in the catalog, including sessions led by Wells Fargo, millenia... and Zions Bank!