
Part 1 - What are they?

A lot of people are at least somewhat familiar with OAuth 2.0 and possibly OpenID Connect, an alternative to SAML for communicating identities and information about a user between identity providers and service or resource providers.

Many people are also familiar with JSON Web Tokens (JWT), a standard way of building a signed and, if desired, encrypted token that can contain arbitrary key-value pairs of information.

It’s the combination of these three technologies that is truly powerful and I believe will be the dominant way that Web Access Management (WAM) products will produce, consume, and transform identities and claims around those identities.

The rest of this blog will focus on a vision of how those technologies fit together and solve a wide variety of current and upcoming use cases. I’ve tried to err on the side of understandability and conciseness, so many of the underlying protocol details have been skipped.

 

Note that this is one architect’s vision; none of what is described here should be construed as an official commitment to new product development.

 

OpenID Connect Tokens and Endpoints

Below is a diagram that shows the components, endpoints, and typical flow for OpenID Connect. In OAuth 2.0 and OpenID Connect there are three parties to the interaction (excluding the actual users): the client, the authorization server, and the resource server. This is different from SAML, which has only two actors, the Identity Provider and the Service Provider.

 

 

[Figure: OAuth and OpenID components and flow]

 

OAuth and OpenID Tokens

The format of the OAuth 2.0 access and refresh tokens is officially opaque to the client and to the resource server.

The access token is the token that the client uses to request resources from the resource server on behalf of the user. It is expected to be a short lived token (minutes or hours).

The refresh token is the token that the client uses to get a new access token from the authorization server when the current access token expires, without the user being re-challenged. Its lifetime is typically hours or days.

 

One of the weaknesses of OAuth 2.0 is that there is no prescribed way for the resource server to validate the access token or to use the access token to establish the identity of the user.

This was not a problem when the resource server and the authorization server were closely linked. The access token could just be a lookup key that the resource server checked via an internal API. What should we do if the authorization server and resource server are separate entities?

 

Google and other OAuth 2.0 providers solved this problem by providing a TokenInfo endpoint. Resource servers could pass the access token to this endpoint and get back a JSON object that says whether the token is valid and gives the user identity, token scope, and expiration time.

The Introspection or TokenInfo endpoint has now been formalized by RFC 7662 and is implemented by most OAuth 2.0 and OpenID Connect providers. It provides a secure way for resource servers to get metadata about access and refresh tokens from the authorization server.
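As an added illustration (not code from the original post), here is the resource-server side of the RFC 7662 flow described above: given the JSON object the introspection endpoint returns, decide whether the request may proceed. The sample responses, issuer, audience and scope values are constructed.

```python
"""Resource-server checks on an RFC 7662 token introspection response.

Added example, not from the original post. It assumes the resource server has
already POSTed the access token to the authorization server's introspection
endpoint (over TLS, authenticated as the resource server) and has parsed the
JSON reply into a dict. All sample values below are constructed.
"""
import time

# Constructed introspection responses, shaped like RFC 7662 section 2.2.
SAMPLE_ACTIVE = {
    "active": True,
    "scope": "read profile",
    "client_id": "example-client",
    "username": "alice",
    "token_type": "Bearer",
    "exp": 1900000000,
    "iat": 1899996400,
    "sub": "alice@example.com",
    "aud": "https://api.example.com",
    "iss": "https://as.example.com",
}
# The AS answers {"active": false} for unknown, expired or revoked tokens and
# deliberately says nothing else, so a resource server must not infer more.
SAMPLE_INACTIVE = {"active": False}

EXPECTED_ISS = "https://as.example.com"   # constructed
EXPECTED_AUD = "https://api.example.com"  # constructed


def authorize(resp, required_scopes, expected_aud=EXPECTED_AUD,
              expected_iss=EXPECTED_ISS, now=None, skew=60):
    """Return (allowed, detail): detail is the subject on success, else the reason.

    Order matters: "active" is checked first because an inactive response
    carries no other trustworthy fields. exp/nbf are re-checked locally with a
    small clock-skew allowance even though the AS already evaluated them, so a
    cached introspection result cannot outlive the token it describes.
    """
    now = time.time() if now is None else now
    if resp.get("active") is not True:
        return False, "token not active"
    if resp.get("iss") != expected_iss:
        return False, "unexpected issuer"
    aud = resp.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "token not issued for this resource server"
    exp = resp.get("exp")
    if exp is None or now > exp + skew:
        # exp is optional in RFC 7662; this resource server chooses to require it.
        return False, "token expired or has no expiry"
    nbf = resp.get("nbf")
    if nbf is not None and now + skew < nbf:
        return False, "token not yet valid"
    granted = set(resp.get("scope", "").split())
    missing = sorted(set(required_scopes) - granted)
    if missing:
        return False, "missing scope(s): " + " ".join(missing)
    return True, resp.get("sub") or resp.get("username")


if __name__ == "__main__":
    t = 1899999000  # constructed "now", inside the sample token's lifetime
    print(authorize(SAMPLE_ACTIVE, ["read"], now=t))
    print(authorize(SAMPLE_ACTIVE, ["admin"], now=t))
    print(authorize(SAMPLE_INACTIVE, ["read"], now=t))
```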

 

Although access and refresh tokens are defined to be opaque values, some OAuth 2.0 implementations allowed the tokens to be signed JWT tokens, which would allow the client and resource server to extract information directly from the token without having to make additional calls to the OpenID Provider UserInfo endpoint.

 

This concept was expanded in OpenID Connect with the introduction of the ID token. The ID token is a signed and potentially encrypted JWT token which contains the user’s identity and any claims that were in scope.

This gives client applications and resource servers the ability to securely get information about the user directly without having to contact the authorization server every time.

There is still debate within the OpenID Connect implementer and user community as to whether the ID token is for use solely by the client, or can also be sent to the resource server.

 

Next Post

In the next post I will describe why all of this is important and how it can be combined and used to solve real world application issues.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 29th April 2016

 

INTRODUCTION:

Secure Proxy Server configurations that convert all HTTP requests to HTTPS.

 

QUESTION:

How do I convert all HTTP requests intercepted by SPS to HTTPS requests?

 

ENVIRONMENT:

Policy Server: R12.52 SP1 CR1

Secure Proxy Server: R12.52 SP1 CR1

 

ANSWER:

== OPTION 1 ==

Use the Apache mod_rewrite module to detect any HTTP request and send the client a redirect to come back via the HTTPS interface.

Update httpd.conf with the following:

 

LoadModule rewrite_module modules/mod_rewrite.so

RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Send the client back to the same host and path over HTTPS.
# R = external redirect (302 by default; R=301 once the HTTPS interface is
# confirmed working), L = stop processing further rewrite rules.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]


== OPTION 2 ==

Use SPS proxy rules with a cond that tests the HTTP host name and port, and send the client a redirect to come back via the HTTPS interface.

Update the proxyrules.xml with the following:

 

<nete:cond type="host" criteria="equals">
    <nete:case value="www.example.com:80">
        <nete:redirect>https://www.example.com$0</nete:redirect>
    </nete:case>
    <nete:case value="www.example.com:443">
        <nete:forward>http://backed.example.com$0</nete:forward>
    </nete:case>
    <nete:default>
        <nete:redirect>https://help.ca.com/error.html</nete:redirect>
    </nete:default>
</nete:cond>

 

== OPTION 3 ==

If you have a large number of hosts, so that an entry per hostname is not feasible, you can use the pattern-match facility to do a wildcard match via cond against any host ending in :80 and then send the client a redirect to come back via the HTTPS URL, giving the same result for any hostname.

Update the proxyrules.xml with the following:

 

<nete:cond type="host" criteria="endswith">
    <nete:case value=":80">
        <nete:redirect>https://{{HOST}}$0</nete:redirect>
    </nete:case>
    <nete:case value=":443">
        <nete:forward>http://backed.example.com$0</nete:forward>
    </nete:case>
    <nete:default>
        <nete:redirect>https://help.ca.com/error.html</nete:redirect>
    </nete:default>
</nete:cond>

 

NOTES:

To avoid getting into a redirect loop, set up the default proxy rule case to forward the request directly to the backend server instead of redirecting back to SPS.

Web access management systems see a lot of user behavior. Were these systems trained to distinguish exceptional behavior from typical behavior, they might act to highlight or even mitigate the risk of the exceptional behavior. Is a user accessing new or unusual data compared with their past history? Is an application experiencing unusual access load or patterns? Is a certain geography exceptionally active? Do users suddenly seem to originate from a geography that falls outside the range of typical usage? Are authentications or authorizations for a given user spiking for some reason?

These questions and many more could be answered in real time using heuristics and a carefully assembled knowledge base.  The data is already in web access management systems today. It is in audit or access logs, health monitor data, and other data sources.  Often this data isn’t used until a breach is detected and the exceptional behavior that caused it has long passed along with the opportunity to prevent it. With an evolving knowledge base fed by continuous real time access data, an analytics engine might be trained to recognize suspicious or exceptional user access as it occurs so that meaningful mitigation processes could be enforced.  Security staff could be notified; step-up authentication enforced; access could even be blocked in the most extreme and risky circumstances.

This approach is a critical evolution for web access management solutions. Typically, a user who has successfully authenticated and been authorized becomes a footnote, or non-event, in such systems. Few questions are raised as to whether the access has come from lost or stolen credentials, hijacked access, or a compromised insider. How is a valid user sitting at their desk distinguished from an impostor who hurriedly sits at their recently vacated laptop to take advantage of their access? Strong authentication may detect some questionable access during initial authentication, but what of the user compromised after this event: a stolen phone that isn’t locked to prevent access to critical applications, a hijacked computer in the office, or similar misuse of a shared computing resource such as a department tablet or kiosk?

 

Applying behavioral analytics to these problems may open a door to future mitigation opportunities and provide a new security control for existing web access management solutions. What do you think?  Feel free to comment or “like” this post to share your opinion.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 21st April 2016

 

ISSUE:

The Policy Server logs "Error 91 - Can't connect to the LDAP server" against the LDAP policy store, even though the following all succeed from the Policy Server host:

  • telnet to the LDAP port (with hostname and IP address)
  • Test Connection via SM Management Console
  • execute the ldapsearch command

 

CAUSE:

The default ping timeout should be 10 seconds, but with the R12.52 SP1 release the Policy Server reads the value as milliseconds instead of seconds, so the default of 10 is applied as a 10 ms timeout.

 

RESOLUTION:

The fix is included from the R12.52 SP1 CR1 release onward. With the fix, the Policy Server reads the LDAPPingTimeout value in seconds.

 

WORKAROUND:

Add or update the following registry key in the sm.registry file on UNIX, or through the Registry Editor on Windows:

HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug
LDAPPingTimeout = 10000; REG_DWORD

 

Alternatively, you can define a reasonable ping timeout in milliseconds.

Restart Policy Server after the updates.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 18th April 2016

 

ISSUE:

Intermittently, a user with an expired SM session is redirected to an error page instead of the login page.

The following error is logged in the Web Agent log:

[SmApache22WebFilterCtxt.cpp:530][ERROR][sm-AgentFramework-00070] Input filter pre-fetch read error - 'Content data is not available'

A network trace showed a RST from the LTM/F5.

 

CAUSE:

A policy is defined on the LTM/F5 to issue a RST when it detects a malformed network packet, i.e. a request/response that does not comply with the HTTP protocol (RFC 2616), for example a blank Content-Type.

We created a Python script to POST the same data to the web server and successfully reproduced the deformed responses (a blank Content-Type in the first response, followed closely by another response without headers) when the Web Agent is enabled.

 

Response from the web server when the Web Agent is enabled:

[Screenshot: webagentenabled.PNG]

Response from the web server when the Web Agent is disabled:

[Screenshot: webagent.PNG]

Sample Python script:

[Screenshot: script.PNG]

 

RESOLUTION:

Setting LegacyStreamingBehavior=yes resolved the issue.

The ACO parameter LegacyStreamingBehavior specifies how content is transferred to the server during POST requests.

When the value of this parameter is set to yes, all content types are streamed, except for the following:

- text/xml

- application/x-www-form-urlencoded

When the value of this parameter is set to no, all content types are spooled.

 

WORKAROUND:

Options to overcome the issue:

  • Disable POST data preservation with PreservePostData=no (the Web Agent will not preserve POST data when redirecting requests to the login page)
  • Disable the LTM/F5 policy that checks HTTP request/response compliance, or bypass the LTM/F5

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 18th April 2016

 

ISSUE:

SP-initiated SSO fails with error 400 - Reason: UNSUPPORTED_AUTHN_REQUEST_BINDING.

[Screenshot: logs.PNG]

 

CAUSE:

From the SiteMinder 12.52 release onward, the SAML 2.0 HTTP-POST binding is supported as a method for exchanging requests and responses during authentication and single logout.

With a SiteMinder (IdP) release that does not support the SAML 2.0 HTTP-POST binding, the HTTP-Redirect binding is used by default. Hence, if the Service Provider sends the authentication request via the HTTP-POST binding, the federation login fails at the SiteMinder IdP with error 400.

If you get the same error with a SiteMinder release that does support the SAML 2.0 HTTP-POST binding, it is likely that the IdP has not been configured to allow the HTTP-POST binding.

 

RESOLUTIONS:

Check the SiteMinder Policy Server, SPS/WAOP or Federation Manager version.

  • If the SiteMinder version is lower than the R12.52 release, upgrade the SiteMinder components to a supported release, or configure the Service Provider to use the HTTP-Redirect binding to send the authentication request.
  • If the SiteMinder version is at a supported release, ensure that the Authentication Request Binding is set to HTTP-POST on both the IdP and SP ends.

Questions

  • What is the purpose of AgentWaitTime?
  • How do I configure it?
  • What is the default value?
  • Is there a maximum value?
  • Is there any formula to calculate the optimum value?
  • Are there any disadvantages to setting it to a high value?
  • What impact does AgentWaitTime have on a web server stop?

 

Answers

 

What is the purpose of AgentWaitTime?

It specifies the number of seconds that the Web Agent waits for the Low Level Agent Worker Process (LLAWP) to become available. When the interval expires, the Web Agent tries to connect to the Policy Server. Setting this parameter may help resolve agent start-up errors related to slower network connectivity.

 

How do I configure it?

Because this setting applies during Agent initialization, before the Agent has contacted the Policy Server and loaded the ACO from the policy store, it must be configured locally in the WebAgent.conf file.

 

What is the default value?

In FIPS Only mode, the default minimum value is 20 seconds.

In all other FIPS modes, the default minimum value is 5 seconds.

 

The default value is higher in FIPS Only mode, to account for slower ETPKI initialization time.

 

Is there a maximum value?

There is no maximum value.

 

Is there any formula to calculate optimum value?

The following formula can be used as guidance for calculating the optimum value for AgentWaitTime:

(Number_of_Policy_Servers x 30) + 10 = value of the AgentWaitTime parameter (in seconds)

For example, if you have five Policy Servers, set the AgentWaitTime parameter to 160 [(5 x 30) + 10 = 160] seconds.

Here, the Policy Servers counted are only the bootstrap Policy Servers specified in the SmHost.conf file. The idea is to allow an interval of at least 30 seconds for the initialization of each bootstrap Policy Server.

However, that said, this is just a guidance and you can choose any higher value that you feel is necessary.

 

Are there any disadvantages to setting it to a high value?

If your network is good and the LLAWP takes only a few seconds to connect to the Policy Server and initialize, a higher AgentWaitTime value does not really matter.

For example, say you have configured AgentWaitTime = 200 seconds.

If your network is in good shape and the Web Agent takes only 5 seconds to initialize, it spends only those 5 seconds in initialization; it does not wait for the full 200 seconds to expire.

In that sense there is NO disadvantage to setting AgentWaitTime to a high value.

Moreover, AgentWaitTime plays a role only during initialization/startup; it has no impact whatsoever on the Agent's normal communication with the Policy Server, e.g. IsProtected and IsAuthorized calls.

 

What impact does it have on a web server stop?

None

Questions

  • What is the purpose of LDAPPingTimeout?
  • How often does the Policy Server check the availability of the LDAP server? Can the default interval be changed?
  • Is there any default value for LDAPPingTimeout?
  • What are the other implications of changing LDAPPingTimeout?

 

Answers

 

What is the purpose of LDAPPingTimeout?

 

During initialization of User Directory, a separate Ping Thread is created for each LDAP fail-over group. For each server in the group, the thread creates a ping connection and puts it in the ping connection list.

 

Periodically (the default period is 30 seconds) the Ping thread validates the connection status of all connections in the list.

The ping validates the connection by performing the following LDAP search.

The search is performed with a scope of 0 (base) and requests a single attribute (objectClass), for example:

SRCH base="" scope=0 filter="(objectClass=*)" attrs="objectClass"

and the result will be something like:

RESULT err=0 tag=101 nentries=1 etime=0

 

The search timeout for the above search request is controlled by a registry setting, LDAPPingTimeout, which is stored at:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\Debug\LDAPPingTimeout

 

How often does the Policy Server check the availability of the LDAP server? Can the default interval be changed?

The Ping thread validates the connection status of all connections in the list at a default interval of 30 seconds.

 

This can be configured by modifying the following registry value under HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Debug:

LDAPServerCheckerInterval

Specifies how often (in seconds) the Policy Server polls the LDAP servers to retrieve the availability information.

Default: 30 sec (This value is also used when the registry setting does not exist.)

 

Is there any default value for LDAPPingTimeout?

 

The default value for LDAPPingTimeout is 10 seconds.

 

What are the other implications of changing LDAPPingTimeout?

 

Apart from controlling the search timeout for the LDAP ping search, this setting also affects a couple of other behaviours of the LDAP connections that the Policy Server makes to User Directories:

 

1) For LDAP PING search connection:

LDAP_X_OPT_CONNECT_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.

PRLDAP_OPT_IO_MAX_TIMEOUT  = LDAPPingTimeout * 1000 milliseconds.

 

Note:

LDAP_X_OPT_CONNECT_TIMEOUT is set on the per-session handle basis.

PRLDAP_OPT_IO_MAX_TIMEOUT is set as a global session option.

 

2) For LDAP Search Connection (LDAP connection for search and updates) and LDAP User Connection (LDAP connection for user authentication):

 

LDAP_X_OPT_CONNECT_TIMEOUT = LDAPPingTimeout * 1000 milliseconds.

PRLDAP_OPT_IO_MAX_TIMEOUT = 3 * LDAPPingTimeout * 1000 milliseconds.

 

Note: LDAP_X_OPT_CONNECT_TIMEOUT is set on the per-session handle basis.

PRLDAP_OPT_IO_MAX_TIMEOUT is set as a global session option.

 

LDAP_X_OPT_CONNECT_TIMEOUT

This setting allows you to control the TCP/IP timeout while establishing a new LDAP connection, e.g. during an LDAP bind. Normally a connection attempt blocks for a period of time when the target host is not reachable. LDAP_X_OPT_CONNECT_TIMEOUT controls how long a connection attempt blocks in that case: you can tell the SDK to return immediately, return after an amount of time that you specify, or block indefinitely.

 

PRLDAP_OPT_IO_MAX_TIMEOUT

The maximum time in milliseconds to block waiting for a network I/O operation to complete.

When flag PRLDAP_OPT_IO_MAX_TIMEOUT is set the function prldap_set_session_option is used and it stores the timeout in prsessp->prsess_io_max_timeout.

 

This timeout is later retrieved every time the LDAP SDK calls the poll() function:

/* call PR_Poll() to do the real work */
rc = PR_Poll( pds, nfds,
              prldap_timeout2it( timeout, prsessp->prsess_io_max_timeout ));
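Added example (not CA code) that puts numbers on the Error 91 tip and the LDAPPingTimeout Q&A above: it parses an sm.registry-style LDAPPingTimeout line and derives the four LDAP SDK timeouts listed, in milliseconds, both for a Policy Server that reads the value in seconds (R12.52 SP1 CR1 onward) and for one that misreads it as milliseconds (R12.52 SP1). The `name= value; REG_DWORD` line format, accepting hex or decimal values, is an assumption.

```python
"""Derive the LDAP SDK timeouts from LDAPPingTimeout, as described above.

Added example, not CA code. Assumes sm.registry lines of the form
"LDAPPingTimeout= 0xa; REG_DWORD" (hex or decimal value).
"""
import re

_DWORD_LINE = re.compile(r"^\s*(\w+)\s*=\s*(0x[0-9A-Fa-f]+|\d+)\s*;\s*REG_DWORD\s*$")


def parse_registry_dword(line):
    """Return (name, integer value) from an sm.registry REG_DWORD line."""
    m = _DWORD_LINE.match(line)
    if not m:
        raise ValueError("not a REG_DWORD line: %r" % line)
    return m.group(1), int(m.group(2), 0)   # base 0 handles both 0x.. and decimal


def derived_timeouts_ms(ldap_ping_timeout, misread_as_milliseconds=False):
    """Map the registry value to the four SDK options, in milliseconds.

    Per the Q&A above (v = LDAPPingTimeout in seconds):
      ping connection:        connect = v*1000, io_max = v*1000
      search/user connection: connect = v*1000, io_max = 3*v*1000
    On R12.52 SP1 the raw value is taken as milliseconds, which is modelled
    here as v/1000 seconds before the same multiplication is applied.
    """
    if misread_as_milliseconds:
        seconds = ldap_ping_timeout / 1000.0
    else:
        seconds = float(ldap_ping_timeout)
    base_ms = int(round(seconds * 1000))
    return {
        "ping": {
            "LDAP_X_OPT_CONNECT_TIMEOUT": base_ms,
            "PRLDAP_OPT_IO_MAX_TIMEOUT": base_ms,
        },
        "search_user": {
            "LDAP_X_OPT_CONNECT_TIMEOUT": base_ms,
            "PRLDAP_OPT_IO_MAX_TIMEOUT": 3 * base_ms,
        },
    }


def effective_connect_timeout_ms(registry_line, misread_as_milliseconds=False):
    """Connect timeout the ping connection actually gets from a registry line."""
    name, value = parse_registry_dword(registry_line)
    if name != "LDAPPingTimeout":
        raise ValueError("expected LDAPPingTimeout, got %s" % name)
    return derived_timeouts_ms(value, misread_as_milliseconds)["ping"]["LDAP_X_OPT_CONNECT_TIMEOUT"]


if __name__ == "__main__":
    # Default of 10 on a fixed Policy Server: a 10 s connect budget.
    print(derived_timeouts_ms(10))
    # Same default on R12.52 SP1: a 10 ms budget, which fails even though
    # telnet and ldapsearch to the same server succeed.
    print(derived_timeouts_ms(10, misread_as_milliseconds=True))
    # The 10000 workaround on SP1 restores 10 s; note that the same value
    # left in place after upgrading to CR1 would mean 10000 s.
    print(effective_connect_timeout_ms("LDAPPingTimeout = 10000; REG_DWORD", True))
    print(effective_connect_timeout_ms("LDAPPingTimeout = 10000; REG_DWORD"))
```

One consequence worth checking after an upgrade to CR1: a workaround value of 10000 is then read as seconds, so revert it to 10.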

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 15th April 2016

 

ISSUE:

An SM password policy is created against an Active Directory user store (LDAP namespace) to disable the user after 3 successive incorrect password logins.

The user keeps being prompted after 3 successive failed logins. With Enhanced AD Integration disabled, the user is redirected to the SM password policy page as expected.

 

CAUSE:

accountExpires and badPwdCount are additional AD native attributes that the Policy Server validates when Enhanced AD Integration is enabled. Hence, if the user account has expired or the bad password count has reached its limit on the AD side, the password policy is triggered on the next login and the user is redirected to the SM password policy page.

With Enhanced AD Integration disabled, the Policy Server relies on the userAccountControl attribute and the SM Disabled Flag attribute to determine user status.

Additionally, if the user directory has a native password policy, that policy must be less restrictive than the SM password policy, or disabled.

The customer had both the SM and the AD native password policy set to disable the user after 3 successive failed logins, causing a conflict between the two password policies.

 

RESOLUTIONS:

Update the AD native password policy to be less restrictive: disable the user after 4 successive failed logins.

OR

Update the SM password policy to be more restrictive: disable the user after 2 successive failed logins.

OR

Disable the AD native password policy.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 14th April 2016

 

ISSUE:

 

Secure Proxy Server logs the exception java.lang.OutOfMemoryError: unable to create new native thread and becomes unresponsive as load increases to a certain level. SPS needs to be restarted to return to an operational state.

 

The following errors are logged corresponding to the event:

== server.log ==

[31/Mar/2016:11:19:56-699] [ERROR] - Exception in thread "ajp-bio-8009-Acceptor-0"

[31/Mar/2016:11:19:56-700] [ERROR] - java.lang.OutOfMemoryError: unable to create new native thread

[31/Mar/2016:11:19:56-700] [ERROR] - at java.lang.Thread.start0(Native Method)

[31/Mar/2016:11:19:56-700] [ERROR] - at java.lang.Thread.start(Thread.java:714)

[31/Mar/2016:11:19:56-700] [ERROR] - at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:949)

[31/Mar/2016:11:19:56-700] [ERROR] - at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1371)

[31/Mar/2016:11:19:56-700] [ERROR] - at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(Unknown Source)

[31/Mar/2016:11:19:56-700] [ERROR] - at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(Unknown Source)

[31/Mar/2016:11:19:56-700] [ERROR] - at org.apache.tomcat.util.net.JIoEndpoint.processSocket(Unknown Source)

[31/Mar/2016:11:19:56-700] [ERROR] - at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(Unknown Source)

[31/Mar/2016:11:19:56-700] [ERROR] - at java.lang.Thread.run(Thread.java:745)

 

== error_log ==

[Thu Mar 31 11:18:10.576507 2016] [mpm_worker:notice] [pid 45393:tid 4151531264] AH00292: Apache/2.4.4 (Unix) mod_jk/1.2.37 configured -- resuming normal operations

[Thu Mar 31 11:18:10.576572 2016] [core:notice] [pid 45393:tid 4151531264] AH00094: Command line: '/opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd'

[Thu Mar 31 11:19:56.698431 2016] [mpm_worker:alert] [pid 46743:tid 4128971632] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread

[Thu Mar 31 11:19:56.698446 2016] [mpm_worker:alert] [pid 46737:tid 4128971632] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread

[Thu Mar 31 11:19:56.700397 2016] [mpm_worker:alert] [pid 46740:tid 4128971632] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread

[Thu Mar 31 11:19:56.701504 2016] [mpm_worker:alert] [pid 46742:tid 4128971632] (11)Resource temporarily unavailable: apr_thread_create: unable to create worker thread

[Thu Mar 31 11:19:56.702053 2016] [mpm_worker:emerg] [pid 46737:tid 4085238640] (22)Invalid argument: ap_queue_info_set_idle failed. Attempting to shutdown process gracefully.

[Thu Mar 31 11:19:56.702093 2016] [mpm_worker:crit] [pid 46737:tid 4116708208] (22)Invalid argument: ap_queue_pop failed

[Thu Mar 31 11:19:56.702102 2016] [mpm_worker:crit] [pid 46737:tid 4116708208] (22)Invalid argument: ap_queue_pop failed

[Thu Mar 31 11:19:56.702107 2016] [mpm_worker:crit] [pid 46737:tid 4116708208] (22)Invalid argument: ap_queue_pop failed

 

== nohup.out ==
Exception in thread "ajp-bio-8009-Acceptor-0" java.lang.OutOfMemoryError: unable to create new native thread
at java.lang.Thread.start0(Native Method)
at java.lang.Thread.start(Thread.java:714)
at java.util.concurrent.ThreadPoolExecutor.addWorker(ThreadPoolExecutor.java:949)
at java.util.concurrent.ThreadPoolExecutor.execute(ThreadPoolExecutor.java:1371)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(Unknown Source)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.execute(Unknown Source)
at org.apache.tomcat.util.net.JIoEndpoint.processSocket(Unknown Source)
at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(Unknown Source)
at java.lang.Thread.run(Thread.java:745)

== mod_jk.log ==
[[Thu Mar 31 11:19:56.702 2016] [17852:4095728496] [error] ajp_get_reply::jk_ajp_common.c (2126): (ajp13) Tomcat is down or refused connection. No response has been sent to the client (yet)
[[Thu Mar 31 11:19:56.702 2016] [17852:4095728496] [error] ajp_service::jk_ajp_common.c (2643): (ajp13) connecting to tomcat failed.

  

CAUSE:

 

Following are some settings on SPS:

== httpd-mpm.conf ==
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
ThreadLimit 128
MaxClients 800
ServerLimit 800
</IfModule>

== Server.conf ==
ajp13.accept_count=10
ajp13.min_spare_threads=10
ajp13.max_threads=410
worker.ajp13.connection_pool_timeout=0

http_connection_pool_min_size="4"
http_connection_pool_max_size="420"
http_connection_pool_incremental_factor="4"

 

== SmSpsProxyEngine.properties ==
SpsNETE_SPS_PROXYENGINE_CMD="%NETE_SPS_JAVA_HOME%\bin\java.exe" -Xms512m -Xmx2048m -XX:MaxPermSize=256M

== proxyserver.sh ==
JVM_MEM_OPTS="-ms256m -mx2048m"

  

The customer is using the ‘spsuser’ account to run both the Apache and Tomcat processes. The ‘spsuser’ account has max user processes (ulimit -u) set to 1024, so the user is restricted to a total of 1024 threads/processes across the whole Linux server.

As load increases, Apache spawns more child processes, and each child process takes up a further 27 threads, while the Tomcat process takes up to a total of ~410 threads. That leaves only 614 threads/processes, which is equivalent to 22 httpd processes (provided the user is not running any other process or command). When 22 httpd processes are reached, the Tomcat process logs the “unable to create new native thread” exception and SPS hangs.

 

[spsuser@wonsa03-I151000 proxy-engine]$ ps -o nlwp,pid,lwp,args -u spsuser | sort -n

NLWP PID   LWP COMMAND

   1 11331 11331 bash

   1 11371 11371 -bash

   1 11565 11565 -bash

   1 11761 11761 bash

   1 13262 13262 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

   1 13264 13264 /opt/CA/secure-proxy/httpd/bin/rotatelogs /opt/CA/secure-proxy/httpd/logs/mod_jk.log 10M

   1 16462 16462 ps -o nlwp,pid,lwp,args -u spsuser

   1 16463 16463 sort -n

1  4078  4078 sshd: spsuser@pts/0

1  4079  4079 -bash

  27 13282 13282 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 13283 13283 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 13901 13901 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 13960 13960 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 13961 13961 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 14074 14074 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 14080 14080 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 14299 14299 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 14303 14303 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

  27 14304 14304 /opt/CA/secure-proxy/httpd/bin/httpd -d /opt/CA/secure-proxy/httpd -k start

256 13831 13831 /opt/CA/jdk1.7.0_65/bin/java -ms256m -mx2048m -server -XX:MaxPermSize=256M -Dcatalina.base=/opt/CA/secure-proxy/Tomcat -Dcatalina.home=/opt/CA/secure-proxy/Tomcat -Djava.io.tmpdir=/opt/CA/secure-proxy/Tomcat/temp -DHTTPClient.log.mask=0 -DHTTPClient.Modules=HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule -Dlogger.properties=/opt/CA/secure-proxy/Tomcat/properties/logger.properties -Dhttp_connection_timeout=60000 -Dhttp_socket_timeout=60000 -Djava.endorsed.dirs=/opt/CA/secure-proxy/Tomcat/endorsed -DNETE_WA_ROOT= -DPWD=/opt/CA/secure-proxy -classpath /opt/CA/secure-proxy/Tomcat/bin/proxybootstrap.jar:/opt/CA/secure-proxy/Tomcat/properties:/opt/CA/secure-proxy/resources:/opt/CA/jdk1.7.0_65/lib/tools.jar:/opt/CA/secure-proxy/Tomcat/bin/bootstrap.jar:/opt/CA/secure-proxy/Tomcat/lib/smi18n.jar com.netegrity.proxy.ProxyBootstrap -config /opt/CA/secure-proxy/proxy-engine/conf/server.conf

 

The above command outputs all the running threads/processes associated with spsuser. The result shows that each httpd process has 27 threads while the Tomcat process has 256 threads at the time the command was executed.

 

[spsuser@wonsa03-I151000 proxy-engine]$ ps -o nlwp,pid,lwp,args -u spsuser | sort -n | grep -v "NLWP" | cut -c1-5 | paste -sd+ | bc

539

 

In total, spsuser is associated with ~539 running threads/processes.

  

The most important directives used to control Apache MPM worker are ThreadsPerChild, which controls the number of threads deployed by each child process and MaxRequestWorkers, which controls the maximum total number of threads that may be launched. The maximum number of clients that may be served simultaneously (i.e., the maximum total number of threads in all processes) is determined by the MaxRequestWorkers directive. The maximum number of active child processes is determined by the MaxRequestWorkers directive divided by the ThreadsPerChild directive.

With MaxRequestWorkers=400 and ThreadsPerChild=25 in httpd-mpm.conf, we expect a maximum of 16 active child processes.

However, we observed more than 16 httpd processes during the load test. This is due to conflicting directives in httpd-mpm.conf: MaxClients vs MaxRequestWorkers. MaxRequestWorkers was called MaxClients before version 2.3.13, and the old name is still supported.
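Added example (not CA code) that reproduces the budget arithmetic in this cause analysis: parse the httpd-mpm.conf and server.conf values quoted above, resolve the MaxClients/MaxRequestWorkers conflict, and check whether the resulting number of httpd children fits under ulimit -u next to Tomcat's thread pool. Two assumptions: each httpd child carries 2 non-worker threads on top of ThreadsPerChild (27 observed vs 25 configured), and when both directive names appear the later line wins; the configuration text is constructed from the values on the page.

```python
"""Thread-budget check for an SPS host, following the arithmetic above.

Added example, not CA code. Assumptions: 2 extra threads per httpd child
(27 observed with ThreadsPerChild 25) and "last directive wins" when both
MaxClients and MaxRequestWorkers are present. Sample config is constructed.
"""
import re

HTTPD_MPM_CONF = """\
<IfModule mpm_worker_module>
StartServers 3
MinSpareThreads 75
MaxSpareThreads 250
ThreadsPerChild 25
MaxRequestWorkers 400
MaxConnectionsPerChild 0
ThreadLimit 128
MaxClients 800
ServerLimit 800
</IfModule>
"""

SERVER_CONF = """\
ajp13.accept_count=10
ajp13.min_spare_threads=10
ajp13.max_threads=410
"""

_DIRECTIVE = re.compile(r"^\s*([A-Za-z]+)\s+(\d+)\s*$")      # "Name value"
_PROPERTY = re.compile(r"^\s*([\w.]+)\s*=\s*\"?(\d+)\"?\s*$")  # name=value


def parse_directives(text, pattern):
    """Return an ordered list of (name, int value) for lines matching pattern."""
    out = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            out.append((m.group(1), int(m.group(2))))
    return out


def effective_max_workers(mpm_directives):
    """Resolve MaxRequestWorkers, honouring its old alias MaxClients.

    Both names set the same limit; when both appear the later line wins
    (assumed), which is how "MaxClients 800" silently raised the 400 cap.
    Returns (value, conflict_flag).
    """
    seen = [(n, v) for n, v in mpm_directives if n in ("MaxClients", "MaxRequestWorkers")]
    conflict = len(seen) > 1 and len({v for _, v in seen}) > 1
    return (seen[-1][1] if seen else None), conflict


def without_directive(text, name):
    """Return the configuration with every line setting `name` removed."""
    kept = [l for l in text.splitlines() if not l.strip().startswith(name + " ")]
    return "\n".join(kept) + "\n"


def thread_budget(mpm_text, server_conf_text, ulimit_u,
                  per_child_overhead=2, other_threads=0):
    """Compare the worst-case thread demand of httpd + Tomcat with ulimit -u."""
    mpm = parse_directives(mpm_text, _DIRECTIVE)
    props = dict(parse_directives(server_conf_text, _PROPERTY))
    threads_per_child = dict(mpm)["ThreadsPerChild"]
    max_workers, conflict = effective_max_workers(mpm)
    tomcat_threads = props["ajp13.max_threads"]       # ~410 on the page
    per_child = threads_per_child + per_child_overhead  # 27 on the page
    max_children = max_workers // threads_per_child     # Apache's own formula
    available = ulimit_u - tomcat_threads - other_threads
    affordable = available // per_child
    return {
        "max_workers": max_workers,
        "max_clients_conflict": conflict,
        "threads_per_httpd_process": per_child,
        "max_httpd_children": max_children,
        "threads_left_for_httpd": available,
        "affordable_httpd_children": affordable,
        "fits_ulimit": affordable >= max_children,
        "ulimit_needed": tomcat_threads + other_threads + max_children * per_child,
    }


if __name__ == "__main__":
    print(thread_budget(HTTPD_MPM_CONF, SERVER_CONF, ulimit_u=1024))
    print(thread_budget(without_directive(HTTPD_MPM_CONF, "MaxClients"), SERVER_CONF, 1024))
```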
 

RESOLUTION:

 

Options to overcome the issue:

  • increase the max user processes (ulimit -u)
  • remove the conflicting directive (MaxClients) from httpd-mpm.conf to restrict the number of active Apache child processes

Problem Summary

With SiteMinder configured, ASP.NET MVC Website shows HTTP 404 when application pipeline mode is integrated.

However, if SiteMinder is unconfigured, ASP.NET 4.5 MVC Website works without any issue when application pipeline mode is Integrated.

 

Environment

  • Web Agent Version : R12.52 SP1, R12.5
  • Web Server : IIS 7.5
  • ASP.NET version: ASP.NET 4.5

 

Root Cause

When SiteMinder is enabled, the "UrlRoutingModule-4.0" is not triggered for the Integrated pipeline mode.
This module is required for MVC routing to work for extensionless URLs.

 

Solution

  1. Set runAllManagedModulesForAllRequests=true
    This is not a recommended approach, as it means that all managed modules run for every request, irrespective of the "managedHandler" precondition.
  2. An alternative and better configuration is to enable the SiteMinder handler for the Integrated pipeline mode as well:
    i) Change :

<add name="handler-wa-32" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\F6\CA\webagent\win32\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness32" />


To:
<add name="handler-wa-32" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\F6\CA\webagent\win32\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="bitness32" />


ii) Change:
<add name="handler-wa" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\F6\CA\webagent\win64\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness64" />

 

To:
<add name="handler-wa" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\F6\CA\webagent\win64\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="bitness64" />

In short, remove the "classicMode" precondition from the SiteMinder handlers so that IIS also maps them in Integrated pipeline mode.
With this change in place, UrlRoutingModule-4.0 is triggered properly and the MVC website works as expected.
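As an added example that is not part of the original post, the Python snippet below applies the same change to a web.config: it locates the Web Agent ISAPI handler mappings and removes only the classicMode token from their preCondition, leaving the bitness precondition and every other handler untouched. The web.config fragment is constructed from the two handler lines above, the "legacy-other" entry is hypothetical, and the helper names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment: the two Web Agent handler entries shown above plus an
# unrelated classic-mode handler (hypothetical) that the fix must leave alone.
WEB_CONFIG = r"""<configuration>
  <system.webServer>
    <handlers>
      <add name="handler-wa-32" path="*" verb="*" modules="IsapiModule"
           scriptProcessor="C:\F6\CA\webagent\win32\bin\ISAPI6WebAgent.dll"
           resourceType="Unspecified" requireAccess="None"
           preCondition="classicMode,bitness32" />
      <add name="handler-wa" path="*" verb="*" modules="IsapiModule"
           scriptProcessor="C:\F6\CA\webagent\win64\bin\ISAPI6WebAgent.dll"
           resourceType="Unspecified" requireAccess="None"
           preCondition="classicMode,bitness64" />
      <add name="legacy-other" path="*.legacy" verb="*" modules="IsapiModule"
           scriptProcessor="C:\inetpub\bin\other.dll" preCondition="classicMode" />
    </handlers>
  </system.webServer>
</configuration>
"""


def handler_entries(root):
    """Yield every <add> under a <handlers> collection (where IIS handler mappings live)."""
    for handlers in root.iter("handlers"):
        yield from handlers.findall("add")


def is_web_agent_handler(add):
    """Web Agent handlers are the IsapiModule mappings that point at ISAPI6WebAgent.dll."""
    processor = add.get("scriptProcessor", "")
    return add.get("modules") == "IsapiModule" and processor.lower().endswith("isapi6webagent.dll")


def preconditions(add):
    """Split the comma-separated preCondition attribute into its tokens."""
    return [c.strip() for c in add.get("preCondition", "").split(",") if c.strip()]


def classic_only_agent_handlers(xml_text):
    """Names of Web Agent handlers that IIS will skip in Integrated pipeline mode."""
    root = ET.fromstring(xml_text)
    return [add.get("name") for add in handler_entries(root)
            if is_web_agent_handler(add)
            and "classicmode" in [c.lower() for c in preconditions(add)]]


def drop_classic_mode(xml_text):
    """Return (new_xml, changed_names): classicMode removed from Web Agent handlers only."""
    root = ET.fromstring(xml_text)
    changed = []
    for add in handler_entries(root):
        if not is_web_agent_handler(add):
            continue
        before = preconditions(add)
        kept = [c for c in before if c.lower() != "classicmode"]
        if kept == before:
            continue
        if kept:
            add.set("preCondition", ",".join(kept))   # e.g. "bitness32" only
        else:
            del add.attrib["preCondition"]            # no precondition: handler applies everywhere
        changed.append(add.get("name"))
    return ET.tostring(root, encoding="unicode"), changed


def precondition_of(xml_text, name):
    """Current preCondition string of the handler called `name` (None if absent)."""
    for add in handler_entries(ET.fromstring(xml_text)):
        if add.get("name") == name:
            return add.get("preCondition")
    return None


if __name__ == "__main__":
    print("agent handlers limited to classic mode:", classic_only_agent_handlers(WEB_CONFIG))
    fixed, changed = drop_classic_mode(WEB_CONFIG)
    print("changed:", changed, "->", [precondition_of(fixed, n) for n in changed])
```

Running classic_only_agent_handlers against a site's web.config is also a quick way to confirm that Web Agent enforcement is actually mapped for the pipeline mode the application pool uses.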

References

https://msdn.microsoft.com/en-us/library/dd381612(v=vs.98).aspx

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 10th March 2016 for your reference:

 

CA SSO/Siteminder ERP Agent compatibility with Session-linker.
Product ERP Agent for CA SSO/Siteminder referencing by SessionLinker Product release.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1422071

ASA Agent Configuration error "The SMSESSION cookie is malformed, the session spec field is missing".
ASA Agent configuration returns an error during initialization as a result of an incorrect Agent parameter,AcceptTpCookie=Yes
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1199389

CA SSO/Siteminder Product Support Matrix for ERP Server Agents and SessionLinker.
Product Support Matrix for CA SSO/Siteminder referencing Product by ERP Server Agent & SessionLinker.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1515173

ASA Agent Configuration error "Failed to Create Agent Configuration"
ASA Agent configuration returns an error during initialization as a result of an incorrect Java.home path variable.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1581017

Policy Server log showing error "Connection not open"
Policy Server returns an error (IDM / SiteMinder integration - "DO NOT REMOVE - For use by Identity Manager").
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1934643

CA SSO/Siteminder Build Mappings Matrix.
Product Information Matrix for CA SSO/Siteminder referencing product release by build number.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1911819

Introscope Error on Unix
We are receiving a "Failed to initialize event handler library" when attempting to initialize XPSConfig.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1530935

Introscope Error on Windows
We are receiving a "Failed to initialize event handler library" when attempting to initialize XPSConfig.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1322531

How to fully uninstall the Administrative UI on Windows
We are trying to uninstall and reinstall the adminui, but there seems to be residual files left over that prevent us from cleanly reinstalling, and fully wiping the server is not an option.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1858775

SMPS logs are reporting failover and failback, however we can't determine which type of repository is failing over
SMPS logs are reporting failover and failback for the policy store, key store or session store; we are unable to determine which store is failing, since the log only reports the type.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1199337

Performance issues observed after deploying/enabling CA directory as a session store in the environment
The Single Sign-On Policy Server can get into a state where it is unable to keep up with session store maintenance when CA Directory is deployed as the session store; if the directory is not properly configured, performance degradation can occur on the Policy Server.
Last Update: 4/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1948652

SiteMinder with CA Directory as policy store high availability
SiteMinder with CA Directory as policy store high availability replication
Last Update: 4/1/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC577451

Login Error when trying to connect to Policy Server from Java SDK (Legacy_Onyx KB Id: 117673)
Login Error when trying to connect to Policy Server from Sample program Java SDK
Last Update: 3/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC450777

SPS support SSH (Secure Socket Shell) protocol
SSH (Secure Socket Shell) protocol
Last Update: 3/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1741952

"Enable Unauthorized Access Redirect" is not working as expected
"Enable Unauthorized Access Redirect" is not working
Last Update: 3/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1631483

How to change adminui/wamui SSL port number
Steps to change and update the adminui/wamui SSL port number.
Last Update: 3/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1942934

Warning message while when we are trying to start or stop the AdminUI jboss
WARN [JDBCSupport] SQLException caught, SQLState XCL18 code:20000- assuming deadlock detected, try:2
Last Update: 3/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1739135

Error while installing the secure proxy server or policy server in RHEL 6
In RHEL 6 the installer looks in a different place, i.e. /etc/issue instead of /etc/redhat-release; error "cat : etc/issue: permission denied" while installing the SPS and PS.
Last Update: 3/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1793668

What is the meaning of the WebAgent error message 20-0004?
What is the meaning of the WebAgent error message 20-0004?
Last Update: 3/30/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC479707

Reasons why the affwebservices log might not be generated
Affwebservices Log Not Generated
Last Update: 3/30/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1564704

RelayState truncated in SAML 2.0 POST
How to post RelayState data while posting assertion to consumer service?
Last Update: 3/30/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529287

Comma Added to Target
A comma is being added to the target page when multiple ISAPI filters are used.
Last Update: 3/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1871556

Backend server timeout
In certain versions of CA SPS, a timeout message shows up in the trace logs, ex.: timeout = 60000, and as needed, both the server.conf configuration file, as well as the proxyserver.sh script need to be adjusted to tweak this timeout value.
Last Update: 3/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1477716

Server Error 10-0004
The web agent logs are receiving 500 errors, followed by the agent error code 10-0004. However, users do not report this error, and this is only present in the logs.
Last Update: 3/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1605152

"http/1.1 405 Method not allowed" when trying to log in to an IIS site using forms authentication (Legacy_Onyx KB Id: 119928)
http/1.1 405 Method not allowed when trying to log in to an IIS site using forms authentication (Legacy_Onyx KB Id: 119928)
Last Update: 3/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC450780

What does the "1 Parameter(s) loaded from Policy Store, 1 total." refer to?
These parameters are actually a count of the XPSConfig Global Parameters that the Policy Store is loading.
Last Update: 3/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1128973

Web Agent Error: Unable to load Smhost.conf file. (Legacy_Onyx KB Id: 119277)
Web Agent Error: Unable to load Smhost.conf file. (Legacy_Onyx KB Id: 119277)
Last Update: 3/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC450779

Why is the encrypted admin password different for each Policy Server?
The AdminPW for the policy store defined in the sm.registry is different between servers. However, they can all connect to the policy store. My understanding is that the value stored in the sm.registry file is encrypted with the encryption key entered at installation time, and that key should be the same for all servers that share a policy store. Why is the encrypted admin password different?
Last Update: 3/28/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1421115

We are getting a HTTP 500 Internal Server error when accessing an URL ending with ".sac" extension, how can we correct it?
This is caused as .sac extension matches Session Assurance flow data. Workaround available with SACExt ACO parameter.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1447652

The characters "\5c" are inserted into search filter resulting in a failed search.
Users incorrectly fail to authenticate due to characters added to the user search lookup filter.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1041189

How to configure event handling for SiteMinder Advanced Password Services.
This document explains how to configure the necessary objects for SSO Advanced Password Services event handling.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1605197

Unable to Import Identity Mapping Domain Object
This article discusses how to work around the problem of not being able to import an Identity Mapping Domain Object.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1299634

Cross-site Scripting with Smsession Cookie
Will a Smsession cookie be blocked once the cross-scripting check is turned on in Agent ACO?
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1654363

SPS installer gives error about older release existing during upgrade.
SPS installer fails during upgrade with an error complaining that "SPS 6 exists and wants to do migration."
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1806446

Impersonation not working on some versions of agents
Impersonation not working on some versions of Apache agents, after upgrade of Siteminder to 12.52.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1683909

LDAP failover time interval
Can the LDAP failover CA Directory be configured for zero downtime?
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1630355

Maximum size limit on SAML attribute as POST parameter.
What is the SAML attribute Maximum size limit, as a POST parameter?
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1059183

Upgrade the SOA Security Manager Gateway from Version 12.1 to 12.1 SP3
This document outlines the procedure to upgrade the SOA Security Manager Gateway from Version 12.1 to 12.1 SP3.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC574134

Configure CA Directory as a user directory for SiteMinder Advanced Password Services.
How to configure CA Directory as a user directory for SiteMinder Advanced Password Services.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1919596

"Allow Nested Groups" checkbox not displaying
When configuring a SAML Service Provider object for legacy federation, the "Allow Nested Groups" checkbox is missing when you select a user store that is a non-LDAP directory.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1572423

Unable to disable XPSSweeper Autosweep
When trying to disable XPSSweeper from automatically running through the XPSConfig utility, the value for Autosweep will not update.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1453454

Assertion Generation Failure
Bad installation or configuration, Assertion handler can't be initialized. Leaving Assertion Generator Framework.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1791429

Create a Cron Job to dump Policy Server stats in the SMPS.log
This article details the steps necessary to create a cron job that will dump statistics related to the Policy Server processes into the SMPS.log for further troubleshooting for performance-related issues.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1348499

Apache service is not starting up on Windows
Apache Web Server fails to start while loading SiteMinder module mod_sm24/mod_sm22, and following error message appears in Windows event viewer.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1957282

Does the Policy Server process all requests before the Policy Server has a normal shutdown?
The customer is asking if a SiteMinder policy server is shutdown, does it stop receiving new requests? Does the policy server process all requests before the policy server goes down?
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1990543

How do the ca single sign on custom sdk API agents get updated agent keys from the doManagement call function?
Just need confirmation on how the custom API agents get updated keys from the doManagement call function.
Last Update: 3/24/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1171204

Why are we continually getting SmSessionServer Failed error code 2 and 3 in smps.log?
[SmSessionServer.cpp:571][ERROR][sm-Server-06007] failed. Error code : 2 and Error code : 3
Last Update: 3/23/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1440317

When trying to configure assertion encryption, there is an error in Policy Server: "Error Encrypting Assertion." and "Error Encrypting NameID." and "AssertionHandler postProcess() failed".
This technote discusses how to solve the issue reported as "Error Encrypting NameID" in the assertion generator of the Policy Server.
Last Update: 3/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC510842

Error when adding some users with People picker to manage applications.
Policy server traces : Message : [Message='No results left in the page for UserDir=XXXXX.'][][Return from call CSmUserMgmtApi::SearchUsers]
Last Update: 3/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1722016

Could we have more information on IISEnableChildRequest ACO parameter?
Information about IISEnableChildRequest ACO parameter to control child request spawning on web server.
Last Update: 3/22/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1837667

Creating an “Idea” (Enhancement Request)
How to submit Ideas/Enhancement Requests through CA Communities.
Last Update: 3/21/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1579832

AuthContext not raising score
How to adjust a protection level of a particular resource in the Federation Partnership context.
Last Update: 3/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1132863

EPM Logging Relocated from SMPS.log to SMTraceDefault.log
The expected behaviors are that EPM Auth/Az role evaluation logging is 1) Set to "True" by default, and 2) expected to show in the smps.log.
Last Update: 3/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1387053

Unable To Import Certificate
An issue occurs when metadata import fails, but the Certificate within the metadata is successfully imported. The certificate appears in the CDS, but is not selectable in the Admin UI
Last Update: 3/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1193876

Back channel SLO not working
Back channel SLO will fail when OCSP is enabled on the WebLogic Application Server. A workaround of removing/commenting out the ... code in the security.xml file will resolve the issue.
Last Update: 3/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1922098

Setting URLs generated by Federation Web Services to use "https" instead of "http".
When using FWS behind an SSL accelerator, URLs are transformed from SSL to a non-secure port. The GetPortFromHeader and HTTPSPorts ACO parameters are not read.
Last Update: 3/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC491578

SiteMinder ERP Agent for PeopleSoft - PeopleSoft User Auditing Limitation
This article discusses the need of having DEFAULT_USER instead of username in audit log for ERP Agent for PeopleSoft
Last Update: 3/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC484935

Is Policy server restart required after importing certificates?
Certificates added to the key store
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC529630

Is there a size Limit of SAML Assertion?
This article covers the size limit of a SAML Assertion
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC498765

Preventing Cross Site Scripting in Federation Web Services URLs.
This gives tips on how to configure an environment to prevent cross-site scripting with federation.
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC491841

Steps to Re-register Admin UI
These steps describe the process of re-registering an Admin UI with the Policy server
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1547349

Mapping AppID to an AgentName
AppID AgentName mapping
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1129454

Disable Client Loopback
The Agent for SharePoint has a client loopback feature that lets you create policies in your SharePoint environment using directory attribute values that do not yet exist.
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC581291

How do I use APSTestSettings to test my APS.cfg file?
This technote gives a sample of how to use APSTestSettings to troubleshoot the APS configuration.
Last Update: 3/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC477876

AJAX used by Wordpress admin UI blocked by SSO Web Agent
After a Wordpress admin has authenticated via the SSO Agent and is using Wordpress, the AJAX calls are intercepted by the agent. This is not expected.
Last Update: 3/16/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1228728

IWA authentication creds.ntc issues 404 error
IIS, IWA, Creds.ntc, 404, Error
Last Update: 3/16/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1657586

Does SiteMinder support SHA256 certificates for SSL connection to LDap Store ?
You can configure secure connections for SiteMinder to connect to an LDAP Store (User / PStore). You have to specify the rootCA certificate and create a cert8.db as specified in the doc. What kind of algorithm is supported? Is SHA-256 supported?
Last Update: 3/16/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1383762

Can we load custom jars at policy server start-up ?
Using the SDK to develop active responses, can we load them at PS startup to make sure that everything is correctly set up?
Last Update: 3/16/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1301894

Administrative UI installation fails with error "Could not initialise deployment"
This technote gives a possible solution for an error seen during the initialization of the AdminUI.
Last Update: 3/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC528825

Running Policy Server ‘start-all’ shell script creates .java_pidNNNN file under /tmp directory
This article explains a Policy Server ‘start-all’ problem of .java_pidNNNN file left under /tmp directory as well as the workaround.
Last Update: 3/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1599586

Why does the PeopleSoft PS Admin tool display all users as the default user?
Explanation on how the Users authenticated by SiteMinder are bounced to PeopleSoft by using the PSAdminTool
Last Update: 3/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC532985

Supplemental LoginLibrary API Documentation - SiteMinder ERP Agent v5.6 SP4 for PeopleSoft.
Additional documentation on the LoginLibrary API
Last Update: 3/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC486031

How do I tune Solaris 10 for semaphores and shared memory for the Siteminder Web Agent v6.x?
Guide for tuning semaphores for the Apache Web Agent 6 on Solaris. It may also be of interest for other Web Agent versions.
Last Update: 3/14/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC485876

Please note that you can always access the full list by going to the following link:

http://www.ca.com/us/support/ca-support-online/support-by-product/ca-single-sign-on.aspx?d=t&language=en&type=Knowledge&…

 

Feel free to post your questions in the community if you have a question about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Posted by Ujwol Shrestha Employee in CA Security on April 1 2016 2:42:50 PM

 

Posted by Ujwol Shrestha - Principal Support Engineer in CA Security on April 1 2016

 

Questions

  • What is the X-Frame-Options response header? What is the implication of setting it?
  • What are the different options for the X-Frame-Options response header?
  • What are the other considerations?
  • Does Single Sign-On Web Agent have support for X-Frame-Options response header?

 

Answers

 

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites.

 

X-Frame-Options Header Types

There are three possible values for the X-Frame-Options header:

  • DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
  • SAMEORIGIN, which only allows the current site to frame the content.
  • ALLOW-FROM uri, which permits the specified 'uri' to frame this page. (e.g., ALLOW-FROM http://www.example.com)

 

Browser Support

The following browsers support X-Frame-Options headers.

Browser             DENY/SAMEORIGIN support introduced   ALLOW-FROM support introduced
Chrome              4.1.249.1042                         Not supported / bug reported
Firefox (Gecko)     3.6.9 (1.9.2.9)                      18.0
Internet Explorer   8.0                                  9.0
Opera               10.50
Safari              4.0                                  Not supported / bug reported

 

Note :

  • X-Frame-Options deprecated: while the X-Frame-Options header is supported by the major browsers, it was never standardized and has been deprecated in favour of the frame-ancestors directive from the CSP Level 2 specification.

 

Single Sign-on Web Agent support for X-Frame-Options

 

Single Sign-on Web Agent r12.5 (as of CR5) does not support the XFrameOptions ACO parameter.

It also drops the X-Frame-Options header even if the header is set by the web server directly.

For example, to configure Apache to send the X-Frame-Options header for all pages, add the following to your site's configuration (httpd.conf):

 

     Header always append X-Frame-Options SAMEORIGIN

However, even with this directive in place, if the website is protected by the SiteMinder Web Agent, the agent strips this header before it reaches the client/browser.

In other words, Single Sign-on Web Agent doesn't honor the web-server setting for X-Frame-Options.

 

Single Sign-on Web Agent r12.51 CR4 and above does support the XFrameOptions ACO parameter.

The options for the XFrameOptions parameter are the same as the values for the X-Frame-Options response header:

Options: DENY, SAMEORIGIN, ALLOW-FROM uri

Web Agent r12.51 CR4 and above also honors this header when it is set by the web server itself, and lets the header pass through to the client/browser.
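The check a practitioner wants here, added as an example that is not part of the original post: parse the response head the web server emits and the one the browser actually receives, validate the X-Frame-Options value against the three forms listed above (also recognising the CSP frame-ancestors directive mentioned in the note), and report any header that an intermediary such as the r12.5 Web Agent dropped on the way. The two response heads are constructed for this example and the function names are its own.

```python
import re
from urllib.parse import urlsplit

# Constructed response heads (not captured from a real deployment): what the web server
# emits after `Header always append X-Frame-Options SAMEORIGIN`, and what the browser
# receives when an r12.5 Web Agent in front of it strips the header.
ORIGIN_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"""
CLIENT_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""


def parse_headers(raw):
    """Parse a response head into {lowercased-name: [values...]}, skipping the status line."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xfo_policy(values):
    """Classify X-Frame-Options as (policy, detail); policy is INVALID when browsers ignore it."""
    if len(values) != 1:
        return ("INVALID", "header sent more than once")
    value = values[0]
    if "," in value:
        # `Header append` merges into an existing value, giving e.g. "SAMEORIGIN, SAMEORIGIN".
        return ("INVALID", "multiple comma-separated values")
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return (value.upper(), None)
    match = re.match(r"ALLOW-FROM\s+(\S+)$", value, re.I)
    if match:
        uri = urlsplit(match.group(1))
        if uri.scheme and uri.netloc:
            return ("ALLOW-FROM", match.group(1))
        return ("INVALID", "ALLOW-FROM requires an absolute URI")
    return ("INVALID", "unrecognised value %r" % value)


def framing_protection(headers):
    """Summarise anti-framing controls: legacy X-Frame-Options and its CSP frame-ancestors successor."""
    report = {"x_frame_options": None, "frame_ancestors": None, "protected": False}
    if "x-frame-options" in headers:
        report["x_frame_options"] = xfo_policy(headers["x-frame-options"])
        report["protected"] = report["x_frame_options"][0] != "INVALID"
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                report["frame_ancestors"] = tokens[1:]
                report["protected"] = True
    return report


def stripped_by_intermediary(origin_raw, client_raw,
                             names=("x-frame-options", "content-security-policy")):
    """Headers the origin sent that never reached the client, i.e. what an agent or proxy dropped."""
    origin, client = parse_headers(origin_raw), parse_headers(client_raw)
    return [n for n in names if n in origin and n not in client]


if __name__ == "__main__":
    print("origin:", framing_protection(parse_headers(ORIGIN_RESPONSE)))
    print("client:", framing_protection(parse_headers(CLIENT_RESPONSE)))
    print("dropped in transit:", stripped_by_intermediary(ORIGIN_RESPONSE, CLIENT_RESPONSE))
```

Note that `Header append` merges with a value the application already sets into a comma-separated header, which xfo_policy reports as INVALID; `Header always set` avoids that when the server is meant to be the single source of the value.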

 

References

Clickjacking Defense Cheat Sheet - OWASP

The X-Frame-Options response header - HTTP | MDN

Help Prevent Attacks - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation