
Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 28, 2016

Problem Summary

Customer wants to disable the SSL protocol and enable TLSv1.2 for Administrative UI access because of the POODLE (CVE-2014-3566) vulnerability in SSLv3.0 and the BEAST (CVE-2011-3389) vulnerability in TLSv1.0.

What determines which SSL/TLS protocols the embedded JBoss supports?

The SSL/TLS protocol versions the JBoss application server can negotiate depend on the JDK/JRE it runs on: the embedded JBoss uses the JRE's JSSE provider for TLS rather than a TLS stack of its own.

Here is the supportability chart across JDK versions. "(default)" marks the version a client-side SSLContext enables out of the box; a supported but non-default version has to be enabled explicitly, for example through SSLSocket.setEnabledProtocols.

JDK version                                    Supported TLS/SSL protocols
JDK 8 (March 2014 to present)                  TLSv1.2 (default), TLSv1.1, TLSv1, SSLv3
JDK 7 (July 2011 to present)                   TLSv1.2, TLSv1.1, TLSv1 (default), SSLv3
JDK 6 (2006 to end of public updates 2013)     TLSv1 (default), SSLv3

For each of these JDKs the Oracle JSSE reference guide lists the available cipher suites, and the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are a separate download per JDK (8, 7 and 6).

Reference : https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

Does the Admin UI r12.52 SP1 CR7 support TLSv1.2?

The standalone Admin UI installer for r12.52 SP1 CR7 installs the following JBoss and JRE versions:

  • JBoss version: 5.1.0 GA
  • JRE: 1.6 Update 45 (installed under <AdminUI_install_directory>/runtime/)

So, unfortunately, the r12.52 SP1 CR7 Admin UI does NOT support TLSv1.2, because the bundled JRE 1.6 does not implement it.

Also note the following:

  • The customer also cannot simply upgrade the bundled JRE to 1.7, because JBoss 5 is not certified with JRE 1.7.

What next?

For r12.52 SP1 CR.XX

We already have a couple of tickets open with sustaining engineering to enable TLSv1.2 support for the Admin UI.

Most likely engineering will fix this by upgrading JBoss and the JRE in an upcoming CR for r12.52 SP1.

This post will be updated when that happens.

(Update, 29/06/2017: as of r12.52 SP1 CR7 there is still no support for this.)

For r12.52 SP2

The Admin UI for r12.52 SP2 bundles embedded JBoss 8.2 and JDK 1.8 for the standalone installation.

TLS 1.2 is also enabled by default in the JBoss configuration.

This is done through the enabled-protocols attribute of the https-listener element in admin_ui_installation_dir\standalone\configuration\standalone.xml, which is set to enabled-protocols="TLSv1.1,TLSv1.2" as below:

<https-listener name="https" socket-binding="https" security-realm="SSLRealm" enabled-protocols="TLSv1.1,TLSv1.2"
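A quick way to audit that attribute before and after a change, as an added example that is not from the original post or from CA's product: the script below parses a standalone.xml-style document, reports every https-listener that still offers SSLv3/TLSv1/TLSv1.1 or carries no enabled-protocols attribute at all (in which case the listener falls back to the JDK's own defaults, which is exactly the JDK dependency described above), and writes back a hardened copy. The sample document, its undertow namespace and the listener names are constructed for the example.

```python
"""
Audit and harden the TLS protocol list of WildFly/JBoss https-listener
elements in a standalone.xml-style document (Python 3.8+ for the {*}
namespace wildcard).
"""
import xml.etree.ElementTree as ET

# Versions that must not be offered: SSLv3 (POODLE), TLSv1 (BEAST) and
# TLSv1.1, which RFC 8996 deprecated together with TLSv1.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
HARDENED_PROTOCOLS = "TLSv1.2"

# Constructed sample (not a real Admin UI file): one listener still offering
# TLSv1, one with no enabled-protocols attribute at all.
SAMPLE_STANDALONE = """<subsystem xmlns="urn:jboss:domain:undertow:1.2">
  <server name="default-server">
    <http-listener name="default" socket-binding="http"/>
    <https-listener name="https" socket-binding="https" security-realm="SSLRealm"
                    enabled-protocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <https-listener name="legacy" socket-binding="https-legacy" security-realm="SSLRealm"/>
  </server>
</subsystem>"""


def parse_protocols(attr):
    """Split an enabled-protocols value into a list; None when the attribute is absent.
    Tolerates stray whitespace such as the ' TLSv1.1,TLSv1.2' seen in some docs."""
    if attr is None:
        return None
    return [p.strip() for p in attr.split(",") if p.strip()]


def audit(xml_text):
    """Return (listener_name, finding) tuples for every https-listener that needs work."""
    root = ET.fromstring(xml_text)
    findings = []
    # {*} matches the element in any namespace, so the schema version does not matter.
    for listener in root.findall(".//{*}https-listener"):
        name = listener.get("name", "?")
        protocols = parse_protocols(listener.get("enabled-protocols"))
        if protocols is None:
            findings.append((name, "enabled-protocols absent: listener falls back to the JDK's JSSE defaults"))
            continue
        weak = sorted(set(protocols) & WEAK_PROTOCOLS)
        if weak:
            findings.append((name, "weak protocols enabled: " + ", ".join(weak)))
        if "TLSv1.2" not in protocols:
            findings.append((name, "TLSv1.2 not enabled"))
    return findings


def harden(xml_text):
    """Return a copy of the document with every https-listener pinned to HARDENED_PROTOCOLS."""
    root = ET.fromstring(xml_text)
    for listener in root.findall(".//{*}https-listener"):
        listener.set("enabled-protocols", HARDENED_PROTOCOLS)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_STANDALONE):
        print("%s: %s" % (name, finding))
    print(harden(SAMPLE_STANDALONE))
```

The hardened value pins TLSv1.2 alone: TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021, and TLSv1.3 can only be listed on a JDK that implements it (8u261 or later for JDK 8), because the JSSE provider rejects unknown protocol names and the listener then fails to start. After restarting the Admin UI, confirm the result from outside with a TLS scanner or with openssl s_client -connect host:port -tls1, which must now fail to handshake, and re-run the audit after any reinstall or CR upgrade in case standalone.xml was replaced.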

 

Reference : https://docops.ca.com/ca-single-sign-on-1252sp2/en/installing/install-the-administrative-ui/install-the-administrative-ui-on-windows-stand-alone

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 23, 2016

Problem:

Apache Web Server fails to start while loading the SiteMinder module (mod_sm24/mod_sm22), and the following error appears in the Windows Event Viewer:

Faulting application name: httpd.exe, version: 2.4.17.0, time stamp: 0x56187590
Faulting module name: mod_sm24.dll, version: 12.52.103.767, time stamp: 0x55f7cc05
Exception code: 0xc00000fd
Fault offset: 0x0000000000167987
Faulting process id: 0xab4
Faulting application start time: 0x01d1570bf07d34be
Faulting application path: C:\Apache24\bin\httpd.exe
Faulting module path: C:\Program Files\CA\webagent\win64\bin\mod_sm24.dll
Report Id: 2ea325cc-c2ff-11e5-8abf-000c29d059bd

Analyzing the crash dump with Microsoft DebugDiag shows the following exception:

In httpd__PID__1556__Date__12_02_2015__Time_11_29_21AM__813__Second_Chance_Exception_C00000FD.dmp the assembly instruction at mod_sm24!CSmPasswordMsgWriter::WriteMessage+6d4c7 in C:\Program Files\CA\webagent\win64\bin\mod_sm24.dll from Netegrity, Inc. has caused a stack overflow exception (0xC00000FD) when trying to write to memory location 0x00033000 on thread 0

Environment:

Web Agent version: r12.52 SP1 CR2 (but this applies to any r12.5x version)
Web server OS: Windows
Web server: Apache 2.4/2.2

Root Cause:

The default stack reserve (and the initially committed stack) for a process's main thread comes from the executable's PE optional header: the SizeOfStackReserve and SizeOfStackCommit fields of httpd.exe.

The Windows build of the Apache executable (httpd.exe) is linked with a default stack reserve of 256KB.

That is not sufficient for the SiteMinder module: while mod_sm24 is being loaded on thread 0, the thread's stack usage grows past the 256KB reserve, the guard page can no longer be extended, and Windows raises the stack overflow exception (0xC00000FD) that terminates httpd.exe. Threads created with a stack size of 0, as mpm_winnt does unless ThreadStackSize is set in httpd.conf, inherit the same header value, so the fix below covers them too.

Resolution:

The EDITBIN.EXE utility can modify the executable's header to set the required stack reserve.

Sample syntax:

EDITBIN.EXE /STACK:reserve <files>

So, for our current requirement, we raise the stack reserve from the default 256KB to 512KB as below:

EDITBIN.EXE /STACK:524288 httpd.exe

Note that /STACK takes the size in decimal bytes while the header dump below shows it in hex, that the edit has to be repeated after every httpd.exe upgrade, and that changing the file bytes invalidates any Authenticode signature on httpd.exe.

This tool is bundled with Visual Studio by default.

It can also be obtained as a standalone zip from the following link:

http://people.sju.edu/~ggrevera/cscCV/stack/eb.zip

Prefer the copy shipped with Visual Studio or the Microsoft Build Tools, though: a linker/binary editor downloaded from a third-party personal site is an unverified binary that you would be running on a production web server.

Additionally, both Visual Studio and the standalone zip come with the "link" tool, which can dump header information from the executable (link /dump is the same command that dumpbin exposes):

Step 1: Find the stack information in the header dump

C:\Apache24\bin\editbin>link /dump /headers httpd.exe | find "stack"
           40000 size of stack reserve
            1000 size of stack commit

Step 2: Using editbin.exe, increase the stack reserve to 512KB

C:\Apache24\bin\editbin>editbin /stack:524288 httpd.exe
Microsoft (R) COFF/PE Editor Version 8.00.50727.42
Copyright (C) Microsoft Corporation.  All rights reserved.

Step 3: Verify in the header dump that the stack reserve has been increased

C:\Apache24\bin\editbin>link /dump /headers httpd.exe | find "stack"
           80000 size of stack reserve
            1000 size of stack commit

Note: 40000 hex = 256KB, 80000 hex = 512KB
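The two header fields EDITBIN rewrites are SizeOfStackReserve and SizeOfStackCommit in the PE optional header. As an added example (not from the original post, and not a substitute for EDITBIN on a real httpd.exe), the script below locates that header, reads both values, and writes a new reserve exactly where EDITBIN /STACK does, for both PE32 and PE32+ images. Because the post's httpd.exe is not available offline, build_sample_pe32plus() constructs a minimal headers-only PE32+ image carrying the 0x40000/0x1000 values from the dump above; the COFF field values in it are illustrative.

```python
"""
Read and rewrite SizeOfStackReserve in a PE executable's optional header,
which is the field EDITBIN /STACK changes.
"""
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
# SizeOfStackReserve sits 72 bytes into the optional header in both formats;
# it is 4 bytes wide in PE32 and 8 bytes wide in PE32+, with SizeOfStackCommit
# immediately after it.
STACK_RESERVE_OFFSET = 72


def _optional_header(image):
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> 20-byte COFF header and
    return (optional_header_offset, struct format of the stack fields)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        fmt = "<I"
    elif magic == PE32PLUS_MAGIC:
        fmt = "<Q"
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < STACK_RESERVE_OFFSET + 2 * struct.calcsize(fmt):
        raise ValueError("optional header too short for the stack fields")
    return opt, fmt


def get_stack_sizes(image):
    """Return (SizeOfStackReserve, SizeOfStackCommit) in bytes, the values
    'link /dump /headers' prints in hex."""
    opt, fmt = _optional_header(image)
    width = struct.calcsize(fmt)
    (reserve,) = struct.unpack_from(fmt, image, opt + STACK_RESERVE_OFFSET)
    (commit,) = struct.unpack_from(fmt, image, opt + STACK_RESERVE_OFFSET + width)
    return reserve, commit


def set_stack_reserve(image, reserve):
    """Return a copy of the image with SizeOfStackReserve set to `reserve` bytes
    (the equivalent of EDITBIN /STACK:reserve). A reserve below the commit size
    is refused because that produces an invalid image."""
    opt, fmt = _optional_header(image)
    _, commit = get_stack_sizes(image)
    if reserve < commit:
        raise ValueError("stack reserve must not be smaller than stack commit")
    out = bytearray(image)
    struct.pack_into(fmt, out, opt + STACK_RESERVE_OFFSET, reserve)
    return bytes(out)


def build_sample_pe32plus(reserve=0x40000, commit=0x1000):
    """Construct a minimal headers-only PE32+ image (no sections, not loadable)
    carrying the stack values from the post's header dump. Illustrative only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240  # standard size of a PE32+ optional header
    # COFF header: Machine (x64), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, STACK_RESERVE_OFFSET, reserve)
    struct.pack_into("<Q", opt, STACK_RESERVE_OFFSET + 8, commit)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    img = build_sample_pe32plus()
    print("before: reserve=%x commit=%x" % get_stack_sizes(img))
    img = set_stack_reserve(img, 524288)
    print("after:  reserve=%x commit=%x" % get_stack_sizes(img))
```

On a real httpd.exe you would pass open(path, "rb").read() to get_stack_sizes() to confirm the 40000/1000 values before touching anything, run EDITBIN (or set_stack_reserve() and write the bytes back), and then compare the link /dump /headers output before and after, as in the three steps above.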

Hello CA Single Sign-On Community Users,

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 1-Jan-2016, for your reference:

SiteMinder not setting HTTP header with underscore in the name in Apache 2.4
Last Update: 1/22/2016    ID: TEC1712544

Deeplinks in SiteMinder
How to configure deeplinks in SiteMinder federation
Last Update: 1/22/2016    ID: TEC1120114

12.52 SP1 CR02 AdminUI failure when attempting to add a user directory to a Domain
AdminUI failure when attempting to add a user directory to a Domain
Last Update: 1/22/2016    ID: TEC1908608

How to enable SPS logs
How to enable Secure Proxy logging to help troubleshoot
Last Update: 1/22/2016    ID: TEC1528615

How to configure the RiskMinder component at the Policy Server manually
You configured the Policy Store manually and find the RiskMinder component is not configured. You try to configure CA Gateway (SPS) and its Tomcat service is crashing. You are trying to configure Session Assurance but Policy Server RiskMinder is not working.
Last Update: 1/21/2016    ID: TEC1356284

Is RelayState part of signature verification?
SP-initiated federation results in "Failed to Verify Signature". IdP-initiated federation works fine. Comparing the working and failing SP-initiated federation, the difference appears to be a change in the RelayState query parameter.
Last Update: 1/21/2016    ID: TEC1247034

How to protect SOI using Apache Proxy Server (with CA Single Sign-On enabled)
You already have CA Single Sign-On in your environment and want to extend its SSO to your new SOI (CA Service Operations Insight). You have an Apache proxy server (CA SSO enabled) in front of SOI and would like seamless SSO to SOI.
Last Update: 1/21/2016    ID: TEC1872722

Configuring SNMP Agent for CA Single Sign-On
You have an SNMP-based monitoring tool and would like to poll the CA Single Sign-On Policy Server for statistics, or have the Policy Server send trap messages to this tool for critical events.
Last Update: 1/21/2016    ID: TEC1841322

Failing to run XPSExport with error "Administrator is disabled." but the user is not in disabled state
Unable to export the policy store using XPSExport, getting the error "Administrator is disabled." although the CA Single Sign-On administrative account is not disabled.
Last Update: 1/21/2016    ID: TEC1764036

How to configure APS (Advanced Password Services) Help Desk Interface (APSAdmin)
The following steps guide you through configuring the APS Help Desk Interface, starting with SiteMinder release r12.5 and higher.
Last Update: 1/21/2016    ID: TEC1686359

SiteMinder SDK failing to search user post r12.52 SP1 upgrade
User directory search using the SmDmsSearch API fails to fetch the user.
Last Update: 1/21/2016    ID: TEC1383062

@username=%USER% and @smretries=0 are shown when accessing login.fcc
Accessing an Apache 2.2 server protected with the SiteMinder Web Agent, using the login.fcc form, @username=%USER% and @smretries=0 are shown at the top of the form. This is caused by the hostname containing an underscore "_" character.
Last Update: 1/20/2016    ID: TEC1755981

After installing WAMUI 12.52 SP1 CR02 objects are no longer accessible
Accessing any object in WAMUI produces java.lang.NullPointerException, and server.log and boot.log show "A number format exception was encounter transforming the values to longs for comparison". Policy Store upgrade required.
Last Update: 1/20/2016    ID: TEC1233251

Bad or missing context 'SESSION struct' in web agent log
Information about the error message Bad or missing context 'SESSION struct'
Last Update: 1/19/2016    ID: TEC1360043

Agent configuration could not be loaded when starting the JBoss agent
When the JBoss server is started after configuring the JBoss agent, the JBoss server log shows "Agent configuration could not be loaded".
Last Update: 1/19/2016    ID: TEC1136679

Information about response attribute 224
The Policy Server log shows "set response attribute 224". Provides information about this response attribute.
Last Update: 1/14/2016    ID: TEC1406651

Audit log shows SM_STATUS "Server is Configured to Deny Anonymous Binds"
In the audit log, field SM_STATUS="Server is Configured to Deny Anonymous Binds". In the Policy Server trace log: [err=ErrCode: 48 ErrMsg: Server is Configured to Deny Anonymous Binds Ext ErrCode: Ext ErrMsg: Server is Configured to Deny Anonymous Binds Matched DN
Last Update: 1/14/2016    ID: TEC1029872

Configure CA Directory as a user directory for SiteMinder Advanced Password Services
How to configure CA Directory as a user directory for SiteMinder Advanced Password Services.
Last Update: 1/13/2016    ID: TEC1919596

Current Sockets Off
SiteMinder team says the current socket count metrics are off. They are comparing the smpolicysrv -stats command output on connections to the two socket metrics.
Last Update: 1/13/2016    ID: TEC1025309

Web Agent does not log its cache utilization or how many authentications it has performed in its log files, so how can you check the statistics?
When you don't have OneView Monitor or Wily Introscope configured, you can still get cache utilization and other statistics by capturing the SMMON data that the Web Agent sends, in the Policy Server trace log (smtracedefault.log).
Last Update: 1/13/2016    ID: TEC1479852

Why does the Policy Server suddenly and permanently fail to connect to the AD user/policy store via LDAPS?
A wrongly updated Active Directory certificate may cause the Policy Server to permanently fail to connect to the AD user/policy store over LDAPS. Issuing a new certificate using the "Domain Controller" template resolves this problem.
Last Update: 1/13/2016    ID: TEC1436002

JBoss server throws "Failed to get Enterprise certificate" with JBoss agent enabled
After configuring the JBoss agent and starting the JBoss server, the server log gives an enterprise certificate error, i.e.: SM_WSC_03502 - Failed to get Enterprise certificate: java.lang.RuntimeException: SM_WSC_03503 - Could not retrieve the configured enterprise c
Last Update: 1/11/2016    ID: TEC1517733

Configure SiteMinder Administrative UI for HTTP (non-SSL) connection
This article explains how to configure the Administrative UI for an HTTP (non-SSL) connection.
Last Update: 1/11/2016    ID: TEC1159552

JBoss agent unable to handshake with Policy Server while trusted host registration is successful
After trusted host registration succeeds, starting the JBoss agent makes the Policy Server report a handshake error with the JBoss agent; the JBoss server log says the shared secret is invalid.
Last Update: 1/11/2016    ID: TEC1069845

How to enable SSL on the proxy UI
How to set up SSL for access to the Secure Proxy Server Administrative User Interface (proxyui)
Last Update: 1/11/2016    ID: TEC1558209

Cluster vs Non-Cluster Load Balancing
What is the difference in the Policy Server load balancing mechanism when servers are configured in a cluster vs a non-cluster configuration?
Last Update: 1/11/2016    ID: TEC1696224

Policy Server Access Log Events
What are the various access log events, and when are they written to smaccess.log (text-based audit log) or the audit database?
Last Update: 1/11/2016    ID: TEC1417454

Can the Authentication Method Be Changed in a PIM/SSO Integration?
This document explains how the PIM integration would be affected if the CA SSO authentication method were changed.
Last Update: 1/5/2016    ID: TEC1318367

Policy Server :: HouseKeeping Thread
Explanation of the Policy Server housekeeping thread
Last Update: 1/5/2016    ID: TEC1240435

Web Agent :: Apache : @username=%USER% @smretries=0 @smheaders=sm_sdomain
Explanation of how to get rid of the code shown in a login.fcc page when running on Apache
Last Update: 1/5/2016    ID: TEC1950321

Policy Server :: HouseKeeping Thread LDAP Request : xpsCategory
Explanation of the meaning of the filter elements of the housekeeping thread when the Policy Store is LDAP
Last Update: 1/5/2016    ID: TEC1091288

You can always access the full list at the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

Feel free to post in the community if you have a question about any of these KB articles.

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 22, 2016

Problem:

Customer installed and configured the SiteMinder Web Agent on Apache 2.4.

They have a PHP module that expects some of the default SiteMinder headers (e.g. SM_USER, SM_DOMAIN) and also some custom headers whose names contain an underscore (e.g. USER_NAME).

However, when the PHP module (or a CGI module) reads the HTTP headers, none of the headers with an underscore in the name can be found.

All other headers work fine.

Environment:

Policy Server: r12.52 SP1 CR2 (but this applies to any version)

Root Cause:

This is a behaviour change introduced in Apache 2.4 that affects every module exporting request headers into the environment (mod_cgi, mod_include, mod_isapi, mod_php and so on).

The translation of headers into environment variables was made stricter to mitigate some possible cross-site-scripting attacks via header injection. Under the CGI convention a header name is upper-cased, every '-' becomes '_' and HTTP_ is prepended, so before 2.4 a client-supplied USER-NAME header and a server-set USER_NAME header both landed in the same HTTP_USER_NAME variable. Apache 2.4 therefore exports only header names made of letters, digits and hyphens; headers containing any other character (including underscores) are silently dropped from the environment. The header still reaches Apache itself; it is only absent from what CGI/PHP sees.

Resolution:

For the default SiteMinder headers

You can specify which naming convention the Web Agent uses for the default HTTP headers with the following Agent Configuration parameter:

LegacyVariables

Specifies whether the Web Agent uses underscores in HTTP header names.

LegacyVariables = yes (default): the HTTP headers have underscores (e.g. SM_USER, SM_USERDN)
LegacyVariables = no: the HTTP headers have no underscores (e.g. SMUSER, SMUSERDN)

For custom HTTP headers

LegacyVariables only controls the default SiteMinder HTTP headers. It does not rename user-defined HTTP headers.

So, to get past this restriction in Apache 2.4, you need to ensure that your custom HTTP header names contain no underscores.

Alternatively, you can use the workaround suggested by Apache, which effectively bypasses this security restriction: mod_setenvif captures the underscore header into an environment variable and mod_headers re-exposes it under a valid name, so the application still receives the value. Bear in mind that this brings back the pre-2.4 ambiguity, so apply it only to headers the Web Agent sets and make sure a client cannot inject a look-alike.

Environment Variables in Apache - Apache HTTP Server Version 2.5

References:
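To see why Apache 2.4 drops these headers, as an added example that is not from the post, the Apache project or CA: the script below models the CGI header-to-environment mapping in its pre-2.4 (permissive) and 2.4 (strict) forms and runs the post's header names through it. The request values and the "mallory" look-alike header are constructed for the example; the agent and custom header names are the ones named in the post.

```python
"""
Model how Apache exports request headers into the CGI/PHP environment
before (2.2) and after (2.4) the strict header-name check, using the header
names from this post.
"""
import re

# Apache 2.4 exports only header names made of letters, digits and hyphens;
# anything else (underscores included) never reaches the environment.
VALID_HEADER_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def cgi_env_name(header_name):
    """RFC 3875 mapping: upper-case, '-' -> '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def headers_to_env(headers, strict=True):
    """Build the CGI environment for a list of (name, value) request headers.
    strict=True models Apache 2.4, strict=False models Apache 2.2.
    Returns (env, dropped): the variables set and the header names not exported."""
    env, dropped = {}, []
    for name, value in headers:
        if strict and not VALID_HEADER_NAME.match(name):
            dropped.append(name)
            continue
        env[cgi_env_name(name)] = value
    return env, dropped


def collisions(headers):
    """Under the permissive mapping, return {env_name: [header names]} for every
    environment variable fed by more than one distinct header name; this is
    the ambiguity the 2.4 check removes."""
    by_env = {}
    for name, _ in headers:
        by_env.setdefault(cgi_env_name(name), set()).add(name)
    return {k: sorted(v) for k, v in by_env.items() if len(v) > 1}


# Constructed request headers: what the Web Agent sets with LegacyVariables=yes
# and =no, the post's custom USER_NAME header, and a client-injected look-alike.
AGENT_HEADERS_LEGACY = [("SM_USER", "alice"), ("SM_USERDN", "uid=alice,ou=people,dc=example,dc=com")]
AGENT_HEADERS_NO_LEGACY = [("SMUSER", "alice"), ("SMUSERDN", "uid=alice,ou=people,dc=example,dc=com")]
CUSTOM_HEADER = [("USER_NAME", "alice")]
INJECTED_HEADER = [("User-Name", "mallory")]

if __name__ == "__main__":
    env, dropped = headers_to_env(AGENT_HEADERS_LEGACY + CUSTOM_HEADER)
    print("2.4, LegacyVariables=yes:", env, "dropped:", dropped)
    env, dropped = headers_to_env(AGENT_HEADERS_NO_LEGACY)
    print("2.4, LegacyVariables=no: ", env, "dropped:", dropped)
    print("2.2 ambiguity:", collisions(CUSTOM_HEADER + INJECTED_HEADER))
```

With LegacyVariables=yes every SM_* header and the custom USER_NAME header are dropped on 2.4, with LegacyVariables=no the SM headers come through, and the collisions() output shows the case the strict check exists for: on 2.2 the trusted USER_NAME and an attacker's User-Name both become HTTP_USER_NAME and the application cannot tell which one it is reading.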

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on Jan 21, 2016

Problem:

Customer was using the SiteMinder SDK to search for users in the directory with the SmDmsSearch API.

It worked and found the user against an r12.51 Policy Server, but after the upgrade to r12.52 SP1 it stopped working.

From the Admin UI, however, they could still find the user on r12.52 SP1.

The search root they set in the API call was: "dc=dn1"

The search root in their User Directory definition in the Admin UI was: "dc=dn2,dc=dn1"

Their SDK code was as below (algorithm only; the imports are added here for completeness):

******************************************

import java.util.Vector;
import com.netegrity.sdk.apiutil.SmApiResult;
import com.netegrity.sdk.dmsapi.SmDmsDirectory;
import com.netegrity.sdk.dmsapi.SmDmsDirectoryContext;
import com.netegrity.sdk.dmsapi.SmDmsOrganization;
import com.netegrity.sdk.dmsapi.SmDmsSearch;

// Search root one level ABOVE the User Directory's configured root (dc=dn2,dc=dn1):
// accepted by r12.51, rejected from r12.52 SP1 onwards.
String SEARCH_ROOT = "dc=dn1";

// SiteminderUtils.getDirectoryContext() is the customer's own helper that
// opens the DMS API session and returns the directory context.
SmDmsDirectoryContext dirContext = SiteminderUtils.getDirectoryContext();
SmDmsDirectory dmsDirectory = dirContext.getDmsDirectory();
SmDmsOrganization orgRoot = dmsDirectory.newOrganization(SEARCH_ROOT);
SmApiResult result = new SmApiResult();

String filter = "uid=testuser";
SmDmsSearch search = new SmDmsSearch(filter, SEARCH_ROOT);
search.setScope(2);                   // 2 = subtree scope
result = orgRoot.search(search, 10);
Vector results = search.getResults(); // no user on r12.52 SP1 until SEARCH_ROOT is "dc=dn2,dc=dn1"

******************************************

Environment:

Policy Server: r12.52 SP1 CR2

Resolution:

Starting with r12.52 SP1, for security reasons, SiteMinder limits the search root an API call may use to the subtree under the search root specified in the User Directory definition in the Admin UI.

For example:

If the User Directory definition in the Admin UI has the search root dc=dn2,dc=dn1,

then, through the SiteMinder SDK API, the topmost level you can specify as the search root is dc=dn2,dc=dn1.

Earlier SiteMinder releases allowed a search even from a level higher up (e.g. dc=dn1), which let SDK code read entries outside the subtree the administrator had scoped the directory to; that is the security concern.

In other words, the search root given in the API call must now be equal to, or contained within, the search root of the User Directory definition.

If no search root is specified in the API call, it defaults to the search root from the User Directory definition.

So the resolution for the customer was to change the search root in the API call to "dc=dn2,dc=dn1" instead of "dc=dn1".
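The new rule is a subtree containment check on distinguished names, which is easy to get wrong with a plain string suffix comparison. As an added example that is not CA's code and does not claim to be how the Policy Server implements the check, the script below parses DNs into normalised RDN sequences and decides whether a requested search root is at or below the configured one, defaulting to the configured root when none is requested; the DNs in it are the post's dc=dn1 / dc=dn2,dc=dn1 plus a few constructed cases.

```python
"""
Decide whether a search root requested through an API stays inside the search
root configured for the user directory, comparing DNs as RDN sequences rather
than as raw strings.
"""


def parse_dn(dn):
    """Split a DN into a list of (attribute, value) RDNs, most specific first.
    Backslash-escaped commas stay inside their value; attribute types and values
    are trimmed and case-folded. Multi-valued RDNs and hex escapes are out of scope."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escape sequence intact
            buf += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    rdns.append(buf)
    out = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def is_within(requested_root, directory_root):
    """True if requested_root equals directory_root or lies below it in the tree.
    The configured root must match the trailing RDNs of the request, RDN by RDN;
    a string suffix test would wrongly accept e.g. 'xdc=dn1' for 'dc=dn1'."""
    req = parse_dn(requested_root)
    base = parse_dn(directory_root)
    if len(req) < len(base):
        return False
    return req[len(req) - len(base):] == base


def effective_search_root(requested_root, directory_root):
    """Resolve the root a search may use: the directory root when none is
    requested, the requested root when it is inside the directory root,
    otherwise refuse."""
    if not requested_root:
        return directory_root
    if not is_within(requested_root, directory_root):
        raise PermissionError("search root %r is outside %r" % (requested_root, directory_root))
    return requested_root


if __name__ == "__main__":
    DIRECTORY_ROOT = "dc=dn2,dc=dn1"   # from the User Directory definition
    for requested in ("dc=dn1", "dc=dn2,dc=dn1", "ou=people,dc=dn2,dc=dn1", ""):
        try:
            print("%-28r -> %s" % (requested, effective_search_root(requested, DIRECTORY_ROOT)))
        except PermissionError as exc:
            print("%-28r -> rejected: %s" % (requested, exc))
```

The RDN-by-RDN comparison is what makes the check trustworthy: it treats "OU=People, DC=DN2, DC=DN1" and "ou=people,dc=dn2,dc=dn1" as the same subtree, while refusing "xdc=dn1" for a root of "dc=dn1" even though the raw string ends with "dc=dn1".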

How long have you been at CA, Mark.ODonohue?

6 yrs

 

What was the career path that led you here?

     Over the years I’ve worked in a variety of software development positions, with online stockbroking applications, and then with more security & crypto related products,  before becoming involved in Siteminder/SSO deployments and then SSO support.

 

What product do you support?

     CA SSO

 

What keeps you at CA?

     I was more development & services focused, a big plus for me in moving to a support role was the ability to work mostly from home, but I enjoy the company of the other team members, and certainly there are daily challenges to keep your mind occupied.

 

What is your passion outside of work? What do you like to do?

     We live near the beach, so swimming and outdoor activities like cycling & hiking are a big part of life here.  I am also interested in food and wine, where my role is mostly as the consumer & we enjoy travelling.

 

What is your educational background?

     I have a degree in Applied Science, majoring in Computer Science; that was a while ago now, and I have done a few other lone subjects, including History & Philosophy of Science & Bioinformatics, to keep my brain active.

 

How has support changed since you started?

     Better interaction via webex certainly has helped give a closer interaction and quicker resolution of priority issues.

 

Why should people be involved in the communities?

     It helps to be better informed about important product changes and security updates.

     On a personal note, you can access some of the CA SSO tools I’ve written in the “Scripts & Tools” tag on https://communities.ca.com/community/ca-security/

 

Why should customers read Knowledge Articles?

     Apart from the stimulating plot and character development, they are a great source of insights into how to work with features of the CA SSO product.

 

Follow the Support Engineer Here: Mark.ODonohue

Location:  The product I help develop is based in Melbourne Australia, but I work remotely from Tasmania (Hobart)

Current Gig: Lead developer on CA Directory

One word that describes how you work: Patiently

 

How do you use CA Communities and any suggestions for others?

I find the CA Communities is a great two-way channel between product users and product developers, subject matter experts and other users allowing the fast sharing of information.

 

Mac or PC?

PC but most developing/testing is performed on virtual versions of Linux

 

Mobile Device?

iPhone

 

Apps/software/tools you can’t live without?

Work: Compiler/Debugger, VMware, WebEX & vi :-)

Personal: Cyclemeter, Candy Crush & BrewSmith2 (I’m a very keen home brewer)

 

Besides your phone and computer, what's your favorite item?

My electric guitar (Mahogany Ibanez), it sits next to my desk for a bit of thinking music.

 

What’s your daily work space like?

As I work remotely, my home office overlooks a vineyard that make a reasonable Pinot Noir.

 

How do you balance life/work?

Working smarter instead of harder and being heavily involved with family and pursuing lots of interests outside of work. I work to live, not live to work.

 

Best advice you can give and you have received?

* You learn a lot more finding a solution yourself than asking for it.

* When making a code change, always finish with less lines of code than when you started.

 

What everyday thing are you better at than anyone else?

Solving obscure problems with very little information using outside the box thinking.

In addition to over 100 known fixes, we have 3 significant new features now available:

1. Windows authentication directly into Office 365 for Microsoft Office applications such as Outlook, Word, and Lync.

This feature further enhances our Office 365 integration and covers the last Office 365 use case that may have prevented organizations from using CA SSO for SSO into Office 365. (Did you know that inside CA, when you launch Outlook from your desktop, Outlook is authenticating into Office 365?) Now CA Single Sign-On provides this seamless SSO, completely eliminating the need for ADFS.

2. Ability for a single IIS server that hosts multiple websites to have different agent settings for each website.

This has been a long-requested feature from our accounts that use a single large IIS server to host multiple websites; it reduces the cost of ownership for accounts using this configuration and reduces complexity.

3. Ability to turn off "Authorized" calls from the Web Agent to the Policy Server. Typically each request made to a web server results in the Web Agent asking the Policy Server whether the user is authorized to access the page. Some customers view this as extra "chattiness" in the environment that adds overhead to the SSO solution. The call is necessary if you do page-level authorization for different types of users, but for many applications our customers write policies that say "if you are authenticated you are allowed access". This feature allows applications that use such an authorization policy to drop the extra authorization calls.