
Summary:

In this guide we will discuss how to write a sample Java SDK agent to validate an existing SSO token (SMSESSION cookie).

Environment:

  • Policy Server : R12.0+
  • OS : ANY

Prerequisite:

  • SDK Agent installed and configured.

Instructions:

 

Overview:

Validating the SSO token is a two-step process, as outlined below:

 

Step 1. Call AgentAPI.decodeSSOToken() and retrieve the "Session Spec" and "Session ID" attributes.

  • This call always returns 0/success as long as the SDK agent can decrypt the session token, even when the SSO token has expired; success here only means the token was decryptable, not that the session is still valid.
  • The SDK agent can decrypt the session token as long as the agent keys have not changed, i.e. the agent keys used to create the SSO token (AgentAPI.createSSOToken()) and to decode it are the same.

 

Step 2. Call AgentAPI.login(), setting the "spec" and "id" fields of the SessionDef to the values retrieved from the decodeSSOToken() call in step 1.

 

AgentAPI.login() returns 1/success only if the login is successful.

 

Code changes:

a) Invoke decodeSSOToken(), passing the existing SSO token:

 

retcode = agentapi.decodeSSOToken(expiredSSOToken,tokendesc,ssoRespAttrs,updateToken,updatedSSOToken);

 

b) Parse the "ssoRespAttrs" AttributeList returned from decodeSSOToken() into a HashMap:

ssoRespAttrMap =  testclient.displayAttributes(ssoRespAttrs);

 

private Map<Integer,String> displayAttributes(AttributeList attributeList)
{
    boolean isFirstElem = true;
    Enumeration enumer = attributeList.attributes();
    // Keyed by attribute id, e.g. 205 = Session ID, 209 = Session Spec
    Map<Integer,String> attributesMap = new HashMap<Integer,String>();

    if (!enumer.hasMoreElements())
    {
        Log(bundle.getString("AGENTAPI_NONE"));
    }

    while (enumer.hasMoreElements())
    {
        Attribute attr = (Attribute) enumer.nextElement();

        if (!isFirstElem)
        {
            Log(CRLF + "\t\t\t\t\t");
        }

        // attr.value is a byte[]; convert it to a String before storing it
        attributesMap.put(attr.id, new String(attr.value));
        Log(attr.id + "\t" + new String(attr.value));
        isFirstElem = false;
    }
    return attributesMap;
}

 

c) Set the "spec" and "id" fields of the SessionDef and invoke login() to validate the session:

//UserCredentials usercreds = new UserCredentials(USER_NAME, USER_PWD);
UserCredentials usercreds = new UserCredentials();   // no username/password: the session is validated from spec and id alone
SessionDef sessionDef = new SessionDef();
sessionDef.spec = ssoRespAttrMap.get(209); // set Session Spec
sessionDef.id = ssoRespAttrMap.get(205);   // set Session ID
attrList = new AttributeList();            // receives the response attributes from login()

retcode = agentapi.login(agentIP,
                         resctxdef,
                         realmdef,
                         usercreds,
                         sessionDef,
                         attrList);
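The three fragments above assembled into one validation routine, as an added example (it is not the attached ValidateSSOToken.java). It assumes an AgentAPI instance that the caller has already initialised, a ResourceContextDef and RealmDef built by the caller (typically from an earlier isProtected() call), the SDK's TokenDescriptor(int version, boolean thirdParty) constructor, and the attribute ids 205 (Session ID) and 209 (Session Spec) used in the snippets above; the class and method names are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import netegrity.siteminder.javaagent.AgentAPI;
import netegrity.siteminder.javaagent.Attribute;
import netegrity.siteminder.javaagent.AttributeList;
import netegrity.siteminder.javaagent.RealmDef;
import netegrity.siteminder.javaagent.ResourceContextDef;
import netegrity.siteminder.javaagent.SessionDef;
import netegrity.siteminder.javaagent.TokenDescriptor;
import netegrity.siteminder.javaagent.UserCredentials;

/**
 * Validates an existing SMSESSION cookie value with the two-step flow described above:
 * decodeSSOToken() to recover spec/id, then login() with those values.
 * Added example; class and method names are hypothetical.
 */
public class SsoTokenValidator {
    // Attribute ids returned by decodeSSOToken(), as used in the snippets above
    private static final int ATTR_SESSION_ID   = 205;
    private static final int ATTR_SESSION_SPEC = 209;

    private final AgentAPI agentApi;          // assumed already initialised by the caller
    private final ResourceContextDef resCtx;  // assumed built by the caller
    private final RealmDef realm;             // assumed built by the caller (e.g. from isProtected())
    private final String clientIp;

    public SsoTokenValidator(AgentAPI agentApi, ResourceContextDef resCtx,
                             RealmDef realm, String clientIp) {
        this.agentApi = agentApi;
        this.resCtx = resCtx;
        this.realm = realm;
        this.clientIp = clientIp;
    }

    /** Step 1: decode the token and index its attributes by id. Returns null if decoding fails. */
    Map<Integer, String> decode(String ssoToken) {
        TokenDescriptor tokenDesc = new TokenDescriptor(0, false);   // assumed: version 0, not a third-party token
        AttributeList attrs = new AttributeList();
        StringBuffer updatedToken = new StringBuffer();               // only filled when updateToken is true
        int rc = agentApi.decodeSSOToken(ssoToken, tokenDesc, attrs, false, updatedToken);
        if (rc != 0) {
            return null;   // could not decrypt: agent keys rolled over, or the value is not a token
        }
        // rc == 0 only proves the token was decryptable; an expired session decodes just as well
        Map<Integer, String> byId = new HashMap<Integer, String>();
        Enumeration en = attrs.attributes();
        while (en.hasMoreElements()) {
            Attribute a = (Attribute) en.nextElement();
            byId.put(a.id, new String(a.value));
        }
        return byId;
    }

    /** Step 2: validate the session with login(); true only when login() returns 1/success. */
    public boolean isValid(String ssoToken) {
        Map<Integer, String> attrs = decode(ssoToken);
        if (attrs == null
                || !attrs.containsKey(ATTR_SESSION_ID)
                || !attrs.containsKey(ATTR_SESSION_SPEC)) {
            return false;   // undecodable token, or a token without session attributes
        }
        SessionDef sessionDef = new SessionDef();
        sessionDef.id = attrs.get(ATTR_SESSION_ID);
        sessionDef.spec = attrs.get(ATTR_SESSION_SPEC);

        UserCredentials creds = new UserCredentials();   // no username/password: validate by session only
        AttributeList responseAttrs = new AttributeList();
        int rc = agentApi.login(clientIp, resCtx, realm, creds, sessionDef, responseAttrs);
        return rc == 1;
    }
}
```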

 

Attachment:

  • ValidateSSOToken.java
  • smjsdksample.properties

 

Additional Info :

This blog will serve as an index to all of the articles that I publish in the community:

 

Issue/Problem/Symptoms:

IIS Web Server crashes on accessing startimp.fcc (the .fcc file for the Impersonation authentication scheme).

Environment:

Web Server : IIS 7.5 (applicable to other web servers as well)

Web Agent Version : r12.52 SP1 CR5

Cause:

This is a known defect in r12.52 SP1 CR5 and will be fixed in CR6.

Resolution/Workaround:

1. Downgrade the web agent to r12.52 SP1 CR4

2. Request a development fix from Support.

Additional Information:

CA Internal : Dev fix available in DE204757

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 13th September 2016

 

Issue: 

IdP-initiated Single Logout (SLO) is failing with the following errors:

 

== AffWebserv.log ==

[12237/127507312][Thu Sep 08 2016 23:22:20][SLOService.java][ERROR][sm-FedClient-02180] "Error occurred during single logout.  Message:  Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81

 

== FWSTrace.log ==

[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][
TUNNEL STATUS:
   status  : 21
   message : Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:
http://idp.com:81]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][Output from Tunnel call:status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogoutFailure][Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]

 

== PS trace ==

[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Status: status=21&message=Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]
[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Response: status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=null]

 

Environment:

Policy Server: R12.52 SP1 CR5

Webagent & WAOP: R12.52 SP1 CR5

 

Cause:

A tunnel status of 21 indicates an unknown issuer.

 

The SLO Service location URL specifies the URL of the single logout service at the remote partner, to which the single logout request is sent.

 

Hence, in this use case, the customer (acting as IdP) should have the following as the SLO Service URL:

http://<sp_host:port>/affwebservices/public/saml2slo

 

Instead, the customer specified the IdP host in the SLO Service URL, causing the unknown issuer error.

 

Resolution:

To resolve the error, update the SLO Service URL accordingly under the IdP->SP partnership >> 4. SSO and SLO >> SLO settings.

Title:

In this guide we will write a sample Active Response that uses the AES encryption algorithm to encrypt the USERDN and return the encrypted USERDN to the client.

Instruction:

Step 1: Create an active response as shown below:

Step 2: Configure the Active Response with either an OnAuthAccept or an OnAccessAccept rule.

 

Step 3: Compile the attached sample ActiveResponseSample.java and ActiveResponseDecryptor.java classes by running java-build.bat (Windows) / java-build.sh (Unix).

Note: Before running the build script, edit java-build.bat (Windows) / java-build.sh (Unix) and set the JAVA_HOME variable to the path of your JDK install directory.

 

Step 4: Once compiled, copy ActiveResponseSample.class to the <Policy server>/config/properties directory.

 

Note: The "properties" directory is in the Policy Server classpath by default, so you do not need to modify JVMOptions.txt.

If you deploy the class to any other directory, add that directory to the classpath in the JVMOptions.txt file.

 

Testing:

1. Access the resource that is configured to return the active response, and copy the value of the encrypted response header that is returned (for example using a server-side script that prints all the HTTP headers):

2. Next, decrypt the encrypted response header using the attached sample ActiveResponseDecryptor class by running java-run.bat (Windows) / java-run.sh (Unix).

 

 

TITLE:

How to configure APS (Advanced Password Services) Forgot Password (FPS) Interface

DESCRIPTION:

The following steps will guide you through configuring the APS Forgot Password Interface on SiteMinder release r12.5 and higher.

PREREQUISITES:

  • APS is enabled on the Policy Server.
  • The APS schema is created for all the user entries.
  • APSExpire has been run to initialize the APS base data for all the users.
  • SmPortal.cfg is already configured (if not, steps are provided below on how to do this).

INSTRUCTIONS:

1. User Directory Configuration

   Store the question number and the answer to be used during the Forgot Password verify stage in any user attribute, exactly as shown below:

   In the screen above, the user attribute 'businessCategory' is being used for storing the Question ID and the corresponding answer for that question.

2. Policy Server Configuration (Changes to APS.cfg)

   a. (Optional) Configure FPS audit logging under the [FPS] section:

      Audit Log=C:/Program Files (x86)/CA/siteminder/log/FPS.log

   b. Configure the directory in which FPS searches for users, under the [FPS] section:

      Directory=cadir-01:3000

   c. Modify the Lookup attributes to match the attribute names in your user directory, under the [FPS-Identify] section.
      (Note: the names of the display attributes are matched from the Identify.asp/Identify.jsp page.)

      Lookup=UserID=uid;Mail=mail;FirstName=~givenname;LastName=~sn;Phone=telephoneNumber,homePhone;City=~l;State=st

   d. Specify the user attribute to look up for the answer:

      Lookup=SecretAnswer=businessCategory

   e. Specify the user attribute to look up for the question/answer to be used in the FPS verify stage. This configuration is in the [FPS-Verify] section:

      Initial=*SecretQuestion=businessCategory[format=A,Pick=2,sorted]

   f. Specify the user attribute to be displayed after the password change succeeds, in the [FPS-Confirm] section:

      Initial=uid

   Notes:

   *) Only the most essential fields have been configured here for illustration purposes; for the detailed list of attributes available for FPS, refer to the APS documentation.

   *) If Active Directory is the user store, you will also need to configure attribute mapping under the [Mappings] section, e.g.:

      inetOrgPerson=user
      userPassword=unicodePwd
      smapsPassword =
      groupOfUniqueNames=group
      uniqueMember=member

3. Web Server Configuration (for illustration purposes, we will use the IIS 7.5 web server)

Define a virtual CGI directory for the directory that contains the FPS CGI program:

  • Open IIS Manager (type "inetmgr.exe" in the Run window and press Enter).
  • Right-click the Default Web Site and select the Add Virtual Directory option. The virtual directory wizard opens. Specify the following:

      Alias : FPS
      Physical path : <Web_Agent_Installation_Directory>\win32\bin\Web\FPS

  • Click OK.

 

Add ISAPI and CGI Restrictions for the FPS CGI:

  • Open IIS Manager and navigate to the server level.
  • Double-click ISAPI and CGI Restrictions.
  • From the Actions menu, click "Add" to add a new restriction. Specify the following:

      ISAPI or CGI path : <Web_Agent_Installation_Directory>\win32\bin\Web\FPS\Forgot.exe
      Description : Forgot.exe

  • Click OK.

 

Edit Feature Permissions for the Handler Mappings feature of the FPS virtual directory:

  • Open IIS Manager and navigate to the FPS virtual directory level.
  • In the Features View, double-click Handler Mappings.
  • In the Actions pane, click Edit Feature Permissions.
  • In the Edit Feature Permissions dialog box, select the following:

      Read
      Scripts
      Execute

  • Click OK.

 

Modify the default SmPortal.cfg file installed with the Web Agent:

  • Edit the SmPortal.cfg file located in the <Web_Agent_Installation_Directory>\win32\bin folder and specify the following:

      MyServer.ip = <Your Policy Server IP address>

    By default, FPS is configured with a 4.x agent named "FPS" with shared secret "secret".

    Change Password is configured with a 4.x agent named "SMCPW" with shared secret "secret".

    Log in to the Administrative UI and create the matching 4.x agents as below:

    (screenshot: FPS Agent.png)
    (screenshot: SMCPW Agent.png)

  • The final SmPortal.cfg should look like the following:

    (screenshot: SmPortal.cfg.png)
    (screenshot: Smportal2.png)

  • Modify Verify.asp (Verify.jsp) to store the actual questions corresponding to the Question IDs configured in the user directory.
  • (Optional) Enable tracing for the FPS and Change Password services.
  • Validate the SmPortal.cfg configuration using the SmPortalVfy.exe tool located in the <Web_Agent_Installation_Directory>\win32\bin folder. It should report the verification as successful, as below:

    (screenshot: SmportalVerify.png)

 

TESTING & VERIFICATION:

1. Access the FPS interface, e.g. http://<server.domain.com>/FPS/forgot.exe

2. Provide the required fields and any optional fields as necessary and click Submit.

3. Once the user lookup succeeds using the provided user information, the user is prompted to verify with the question and answer.

4. Upon confirmation of the question/answer, the user is finally prompted to change his/her password.

5. In the confirmation screen, the information related to the user is displayed as below:

Sample Policy Server trace log with FPS tracing turned on:

Sample FPS audit log (FPS.log):

 

Additional Information:

Summary:

In this guide we will discuss how to collect additional attributes from the user during login, besides username and password, when using a custom authentication scheme.

Environment:

  • Policy Server : R12.0+
  • OS : ANY

Instructions:

1. Modify the .fcc template file (login.fcc) to collect the additional attribute.

Add the following line at the beginning of the file:

@password=PASSWORD=%PASSWORD%&department=%department%

If the additional attributes have special characters, the line looks like the following sample:

@password=PASSWORD=%PASSWORD%&department=%urlencode(department)%

Here 'department' is the new attribute that you are configuring to collect from the user during login.

 

Also, create a new text field on the form to collect the additional parameter:

<input type="text" name="department" size="30" style="margin-left: 1px">

 

Save this as a new file, customlogin.fcc.

 

2. Modify the custom authentication scheme in the Administrative UI to pass the path to customlogin.fcc as a parameter to the custom authentication scheme class.

 

 

3. Modify the OOTB custom authentication scheme class as below:

 

Create a method to retrieve the redirect URL:

/**
 * The redirectURL is expected to be the first parameter in the Auth scheme definition
 * (parameters are separated by ';').
 * @param parameter the parameter string configured on the authentication scheme
 * @return the redirect URL, i.e. the first ';'-separated token
 */
String getRedirectURL(String parameter){
    String redirectURL = parameter;
    logInJavaUtilLogger("parameter :"+redirectURL);
    if (parameter.indexOf(';') != -1)
    {
        String[] params = parameter.split(";");
        redirectURL = params[0];
    }
    return redirectURL;
}

 

Modify the query() method to redirect to the custom login page specified in the Administrative UI:

 

else if (SmAuthQueryCode.SMAUTH_QUERY_CREDENTIALS_REQ == request)
{
    //response.setResponseCode(SmAuthQueryResponse.SMAUTH_CRED_BASIC);
    response.setResponseCode(SmAuthQueryResponse.SMAUTH_CRED_FORM_REQUIRED);
    response.setResponseBuffer(getRedirectURL(parameter));
}

 

 

Create a method to parse the 'Password' field and extract the additional parameters (this needs the java.net.URLDecoder, java.io.UnsupportedEncodingException, java.util.HashMap and java.util.Map imports):

 

Map<String,String> parsePassword(String param)
{
    logInJavaUtilLogger("Inside parsePassword param is :"+param);
    Map<String, String> map = new HashMap<String, String>();

    // The .fcc builds the password field as PASSWORD=...&department=...
    // Note: the PASSWORD value itself is not urlencoded by the .fcc line above, so a
    // password containing '&', '=' or '%' would be split or decoded incorrectly here.
    String[] parts = param.split("&");

    for (String keypair : parts) {
        // Limit the split to 2 so a value containing '=' is not truncated
        String[] keyval = keypair.split("=", 2);
        if (keyval.length < 2) {
            continue; // no '=' in this pair; nothing to store
        }
        try {
            // Values are URL-decoded, matching %urlencode(...)% in the .fcc
            map.put(keyval[0], URLDecoder.decode(keyval[1], "UTF-8"));
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
    }

    return map;
}

 

Invoke the parsePassword method to parse the password attribute:

//String additonalParams = theUserCredentialsContext.getPassword();
Map<String,String> paramMaps = parsePassword(theUserCredentialsContext.getPassword());
String thePassword = paramMaps.get("PASSWORD");
logInJavaUtilLogger("User Password :"+thePassword);
logInJavaUtilLogger("Department :"+paramMaps.get("department"));

 

Testing:

1. Login:

2. Custom log output:

 

Sep 12, 2016 11:01:56 AM com.netegrity.sdk.javaauthapi.AuthApiSample logInJavaUtilLogger
FINE: AuthApiSample::FileLogger::Inside parsePassword param is :PASSWORD=siteminder&department=ujwol%24%25^%26
Sep 12, 2016 11:01:56 AM com.netegrity.sdk.javaauthapi.AuthApiSample logInJavaUtilLogger
FINE: AuthApiSample::FileLogger::User Password :siteminder
Sep 12, 2016 11:01:56 AM com.netegrity.sdk.javaauthapi.AuthApiSample logInJavaUtilLogger
FINE: AuthApiSample::FileLogger::Department :ujwol$%^&
Sep 12, 2016 11:01:57 AM com.netegrity.sdk.javaauthapi.AuthApiSample logInJavaUtilLogger
FINE: AuthApiSample::FileLogger::User Successfully Authenticated :shruj01
Sep 12, 2016 11:01:57 AM com.netegrity.sdk.javaauthapi.AuthApiSample logInJavaUtilLogger
FINE: AuthApiSample::FileLogger::parameter :http://iis-01.ca.com/siteminderagent/forms/customlogin.fcc

 

Attachment

  • Sample customlogin.fcc
  • Sample Custom Authentication scheme 

Additional Information:

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 10th September 2016

 

Issue:

All Federation logins via the same Federation Web Services Agent are failing. FWSTrace.log suggests that the FWS agent is unable to locate either the Service Provider or the Identity Provider.

 

Environment:

Applies to a Web Agent with the Web Agent Option Pack installed on the same server.

 

Cause:

== Affwebserv.log ==

[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (The SiteMinder Agent is initializing ..)
[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (SiteMinder Product Details: PRODUCT_VERSION=12.52, PRODUCT_NAME=Federation Web Services, PRODUCT_UPDATE=0101 , PRODUCT_LABEL=640.)
[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (Administration Manager is trying to create configuration for the SiteMinder Agent)
[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (Creating agent connection using file : C:\CA\webagent\win64\bin\IIS\WebAgent.conf)
[812/5204][Mon Sep 05 2016 18:50:25][agentcommon][INFO][sm-log-00001] missing component library (Registering the Configuration Manager with the Policy Server)
[812/5204][Mon Sep 05 2016 18:50:25][agentcommon][INFO][sm-log-00001] missing component library (Obtained data from the Policy Server for Agent Config Object "aco")
[812/5204][Mon Sep 05 2016 18:50:25][agentcommon][INFO][sm-log-00001] missing component library (Configuration Manager is creating the Configuration Management thread with pspollinterval of 30 seconds)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (testagent)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (0)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (700)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (SM)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ([SM])
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (YES)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (YES)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (en-US)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (en-US)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAdministrationManager.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][ManageNameIDService.java][INFO][sm-log-00001] missing component library (NameID Management)
[812/5204][Mon Sep 05 2016 18:50:25][ManageNameIDService.java][INFO][sm-log-00001] missing component library (NameID Management)
[812/6664][Mon Sep 05 2016 18:50:49][SSO.java][INFO][sm-log-00001] missing component library (Single Sign-On)
[812/6664][Mon Sep 05 2016 18:50:49][SSO.java][INFO][sm-log-00001] missing component library (Single Sign-On)

[812/6664][Mon Sep 05 2016 18:50:50][SSO.java][ERROR][sm-log-00001] missing component library (1461e379-729c1ebd-7b527d92-a3aebde9-2ca4ce70-6e57, NO_PROVIDER_INFO_FOUND, , , )
[812/6664][Mon Sep 05 2016 18:50:50][SSO.java][ERROR][sm-log-00001] missing component library (wonsa03-i122123SP)
[812/6664][Mon Sep 05 2016 18:51:28][SSO.java][ERROR][sm-log-00001] missing component library (371f5a12-5f181f83-8057bcc5-30ecaf13-fa358949-3a7, NO_PROVIDER_INFO_FOUND, , , )
[812/6664][Mon Sep 05 2016 18:51:28][SSO.java][ERROR][sm-log-00001] missing component library (cn=ca support)

 

The "missing component library" message in the Affwebserv.log indicates that the Web Agent and Web Agent Option Pack are installed on the same machine, but their versions (including Service Pack and CR release) do not match.

 

Resolution:

If the Web Agent and Web Agent Option Pack are installed on the same machine, they must also be the same version, including the Service Pack and CR version.

Summary:

In this guide we will discuss how to configure the Policy Server to send an Open Format Cookie (OFC) as a response header.

We will also discuss how to write a simple Java client program to consume (decrypt) the OFC cookie sent by the Policy Server.

This can be used for agentless single sign-on.

Environment:

  • Policy Server : R12.5+
  • OS : ANY

Instructions:

On Policy Server:

1. Create a Web Agent Response that generates an Open Format Cookie, as below:

For detailed instruction refer to : How to Create a Web Agent Response That Generates an Open Format Cookie - CA Single Sign-On - 12.52 SP1 - CA Technologie…

Note: From the following screen, make a note of the following two settings, as they will be needed on the client side:

  • Encryption Key
  • Encryption Algorithm

2. Add the OFC Cookie Response configured above to either an OnAuthAccept or an OnAccessAccept rule.

3. Add the rule to a Policy.

 

On the Client Side:

Modify the attached SampleOFCConsumer.java as below:

1. Depending on which Encryption Algorithm was selected when configuring the OFC cookie response, edit the following variables accordingly:

If using AES Algorithm :

public static final String DEFAULT_TRANSFORMATION = AES_TRANSFORMATION;
public static final String DEFAULT_ALGORITHM = AES_ALGORITHM;

If using DES Algorithm:

public static final String DEFAULT_TRANSFORMATION = DES_TRANSFORMATION;
public static final String DEFAULT_ALGORITHM = TRIPLE_DES_ALGORITHM;

 

2. In the decrypt() method, update the byte array KEY variable to match the Encryption Key defined in the Admin UI.

Follow the steps below to convert the string-formatted Encryption Key to a byte array:

Step 1: Copy the value of the Encryption Key from Admin UI ==> OFC Cookie Response, e.g. B4578127007497EF8A655E4986D4F63C (see the screenshot above).
Step 2: Add a space after every two characters:
B4 57 81 27 00 74 97 EF 8A 65 5E 49 86 D4 F6 3C
Step 3: Prefix every two-character pair with (byte)0x:
(byte)0xB4 (byte)0x57 (byte)0x81 (byte)0x27 (byte)0x00 (byte)0x74 (byte)0x97 (byte)0xEF (byte)0x8A (byte)0x65 (byte)0x5E (byte)0x49 (byte)0x86 (byte)0xD4 (byte)0xF6 (byte)0x3C
Step 4: Separate the pairs with commas:
(byte)0xB4,(byte)0x57,(byte)0x81,(byte)0x27,(byte)0x00,(byte)0x74,(byte)0x97,(byte)0xEF,(byte)0x8A,(byte)0x65,(byte)0x5E,(byte)0x49,(byte)0x86,(byte)0xD4,(byte)0xF6,(byte)0x3C
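The four manual steps above automated and checked, as an added example that is not part of the attached SampleOFCConsumer.java: it converts the Admin UI key string to the byte array, rejects malformed input, checks that the length fits the chosen algorithm (16/24/32 bytes for AES, 16 or 24 bytes for Triple DES; these lengths are standard JCE key sizes, not something the page states), and prints the (byte)0x... literal that Step 4 produces. The class name is hypothetical and the key value is the example key from the text, not a production key.

```java
import java.util.Locale;

/** Builds the KEY byte array for decrypt() from the Admin UI key string (added example). */
public final class OfcKeyConverter {

    /** Steps 1-4 above in code: "B457...3C" -> {(byte)0xB4, (byte)0x57, ...}. */
    public static byte[] hexKeyToBytes(String hexKey) {
        String hex = hexKey.trim().replace(" ", "");     // also accept the spaced form from Step 2
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("key must have an even number of hex digits");
        }
        byte[] key = new byte[hex.length() / 2];
        for (int i = 0; i < key.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) {
                throw new IllegalArgumentException("non-hex character at position " + (2 * i));
            }
            key[i] = (byte) ((hi << 4) | lo);
        }
        return key;
    }

    /** Sanity check before pasting into decrypt(): AES keys are 16/24/32 bytes, Triple DES keys 16 or 24. */
    public static boolean isPlausibleKeyLength(byte[] key, boolean aes) {
        int n = key.length;
        return aes ? (n == 16 || n == 24 || n == 32) : (n == 16 || n == 24);
    }

    /** Renders the array the way Step 4 writes it, ready to paste into the KEY initializer. */
    public static String toJavaLiteral(byte[] key) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < key.length; i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append("(byte)0x").append(String.format(Locale.ROOT, "%02X", key[i] & 0xFF));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Example key from the steps above (not a real production key); pass your own as args[0]
        String fromAdminUi = args.length > 0 ? args[0] : "B4578127007497EF8A655E4986D4F63C";
        byte[] key = hexKeyToBytes(fromAdminUi);
        System.out.println("Key length: " + key.length + " bytes; plausible AES key: "
                + isPlausibleKeyLength(key, true));
        System.out.println("private static final byte[] KEY = { " + toJavaLiteral(key) + " };");
    }
}
```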


3. Compile the class. Note: the jre/lib directory should be on the classpath.

4. Ensure that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files have been applied to the JRE being used.

Testing:

1. Access the protected resource configured to return the OFC cookie response and copy the cookie value returned, using a script that displays all the response headers:

2. Run the SampleOFCConsumer class and provide the OFC Cookie value as the input parameter:

 

Additional Information:

Hello CA Single Sign-On Community Users,

 

Please find below the list of the latest Knowledge Base Articles for Single Sign-On (formerly CA SiteMinder) published or updated since 29th July 2016, for your reference:

 

While setting up a new policy server and policy store, getting the following error while running XPSDDInstall SmMaster.xdd Save Policy Store ID failed. Unable to initialize the XPS library.
Trying to install a new policy store (CA Directory) When running XPSDD install we are getting errors. Error occurred during "Modify" for xpsParameter=CA.XPS::$PolicyStoreID,ou=XPS,ou=policysvr4,ou=siteminder,ou=netegrity,O=test", text: Invalid DN syntax
Last Update: 9/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1714652

Xpsexport return Segmentation fault
R12SP3 xpsexport return segmentation fault
Last Update: 9/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1970106

What is FORMCRED cookie ?
FORMCRED Cookie and it's purpose
Last Update: 9/7/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1028321

Reports are coming blank while we try to download
Siteminder is integrated with ControlMinder.While accessing the reports from the Control Minder, reports can be viewed properly but while downloading the reports blank page is being displayed.
Last Update: 9/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1007723

SDK Custom Agent "Error retrying connection"
This technote discusses a specific log line from the SDK Agent.
Last Update: 9/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1701094

FWS Agent generates new Siteminder Session Cookie
FWS Agent generates new Siteminder Session Cookie from R12.51 release onwards
Last Update: 9/6/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1766179

What the meaning of each sockets error codes ?
Would you tell me about the meaning of each socket error code ?
Last Update: 9/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1855955

Can't stop AdminUI service properly.
When customer stopped AdminUI service, Windows service manager error as below occured, and can't stop properly.
Last Update: 9/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1319367

Encountered service.bat error.
When customer was about to "service install" command, below error message occured.
Last Update: 9/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1385076

WebAgent reject encoded request contained "%c0".
Although customer set "no" to "DisallowUtf8NonCanonical", WebAgent reject URL encoded query contained "%b".
Last Update: 9/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1378153

In Tomcat environment, SMSESSION cookie is not decode by WebAgent.
In SSO environment launched Tomcat, WebAgent can't decode SMSESSION cookie, because SMSESSION cookie contains double quatation("").
Last Update: 9/5/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1569166

Federation request is failing with Request doesn't contain session ID header error
Request doesn't contain session ID header. Session cookie[SMSESSION]is not valid
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1828202

Why Resource Filter is grayed in a OnAuth Rule in the AdminUI ?
This technote discusses about a specific behavior of the AdminUI when modifying an OnAuth Rule.
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1640245

Running XPSSweeper on Multiple Policy Servers at the Same Time
This technote discusses if we can more than one XPSSweeper command at time
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1710379

SDK Agent shows error java.io.IOException: Connection reset by peer
This technote discusses about a specific error seen during run time.
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1202265

ASA Agent 12SP2CR01 WebLogic 12C Download Link
This technote discusses about the link to use to download the ASA Agent
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1909761

Policy Server Data Import fails with Failed updating RootConfig Object Error
This technote discusses about limitation in the Policy Store data
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1487199

On Federation Transactions, the Policy Server doesn't look in to the right User Store to find the User
This technote discusses a work around about an issue fixed in 12.52
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1275204

SPS sends Data "Unknown=17" to APM when a Proxy Rule is fired
This technote discusses about the configuration of the SPS Proxy Rules when integrated with APM.
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1097603

SPS is slow to load Certificates at Start Time
This technote discusses about the performances of SPS to deliver the first request when certificates need to be loaded
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1720318

Partnership Entity is not visible in drop down when configuring WSFed RP->IP partnership
This knowledge document explains why the Legacy Partnership entity is not showing up, and which SAML Token Types are supported.
Last Update: 9/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1159351

SmRegHost.sh failing for custom agent host registration
SmRegHost.sh fails on Linux when trying to register a custom 64-bit, Pure Java Custom Agent.
Last Update: 9/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1810531

IIS :: Web Agent : Multiple ACO.
IIS :: Web Agent : Multiple ACO. Explains enhancement as well.
Last Update: 9/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC511371

IdP and SP sharing the Same Domain Name Problem in Federation Journey
This technote discusses about the problem of sharing the same domainname between IdP and SP in Federation Journey
Last Update: 8/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1490797

Backslash character ‘\’ (0x5C) in a form can be detected by BadFormChars
If a backslash character [\] is set to BadFormChars, does Web Agent block both of [\] and [%5c] in the form data?
Last Update: 8/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1447818

Configuration of Data Source using Oracle RAC Database using SCAN on Linux
This article explains how to Configure Data Source using Oracle RAC Database using SCAN on Linux.
Last Update: 8/31/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1260051

AgentName ACO Parameter Limit
This knowledge document explains why you could reach a limit in AgentName ACO parameter and how to solve it.
Last Update: 8/30/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1685548

Unable to set User Directory using the AdminUI : [Oracle] ORA-12899: value too large for column
Trying to modify a User Directory by adding more servers results in an error in the AdminUI: value too large for column "SCHEMA"."SMUSERDIRECTORY5"."SERVER". It is certified to increase the column.
Last Update: 8/30/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1250572

How to enable Active Directory Accounts using DMS API ?
When developing an application that creates accounts in Active Directory using the DMS API, accounts are created in a disabled state by default. You need to set UserAccountControl properly.
Last Update: 8/30/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1760612

Web Agent reports error : Error creating semaphore using key 0xc81d247f - No space left on device (28)
Having multiple Apache instances running with the Web Agent on an existing server, I cannot start all instances
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1910693

Daylight Saving Time (DST) Changes on Policy Server and Web Agent Servers
DST changes affecting Policy Server and Web Agent, and actions needed to prepare the change.
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1051986

Why does the Web Agent for IIS installer modify the web.config httpErrors existingResponse?
The Web Agent for IIS installer changes the httpErrors setting errorMode="Custom" existingResponse="Replace" to existingResponse="PassThrough". This is done so that errors that could occur in the product are passed through rather than replaced.
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1666597

Web Agent is not redirecting properly when using Cookie Provider - Loop between Web Agent and Cookie Provider
When using a Cookie Provider to access resources protected by an Anonymous Auth scheme, the browser loops between the application and the Cookie Provider, and we see the application Web Agent fail to validate the SESSION (IDENTITY cookie).
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1922588

Can we use relative path in Active Expressions ?
Developing a Custom Active Response that needs to read a property file, the code cannot access the file from a Relative Path
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1962266

Does SiteMinder 12.52SP1 support SHA-256 for SSL connection to Policy and User Store ?
Yes, SiteMinder supports SHA-2 (SHA-256) with 12.52SP1
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1637999

What is the recommended way to manage policy when there are mixed version of policy servers and adminui?
We are upgrading from 12.50 to 12.51 and currently in mixed mode. What is the recommended way to manage/administer this environment?
Last Update: 8/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1987399

CA API Gateway (formerly layer 7) fails to communicate with SiteMinder policy server (in FIPS mode) via the SiteMinder agent SDK.
CA API gateway communication issue with FIPS mode policy server
Last Update: 8/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1333249

Which work should be implemented first, upgrade and domain modification?
Since the upgrade and the domain change are separate tasks, there is no required order of implementation.
Last Update: 8/26/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1260725

How to Enable SPS logs
How to Enable Secure Proxy Logging to help troubleshoot
Last Update: 8/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1528615

Enabling CA Access Gateway (formerly Secure Proxy Server) to send client certificate for authentication to a backend server
Setting up a client certificate for access to backend server in CA Access Gateway
Last Update: 8/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1059255

Siteminder administrator audit events in smaccess log
Information on how to log administrator audit events in the smaccess log
Last Update: 8/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1889902

SDK Custom Java Agent not initializing.
JCE patch("Unlimited Strength Jurisdiction") is required for Custom Java Agents
Last Update: 8/25/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1668961

LLAWP process CPU usage goes to 100%+
CPU Spikes to 100%+ after semaphores are removed by RHEL 7.2
Last Update: 8/23/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1235063

Notice for Oracle Java 1.7 & Oracle Java 1.8 Support
What SSO Components are supported with JAVA 1.8 ? What is the plan for SSO components running on JAVA 1.7 when it comes to security fixes ?
Last Update: 8/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1525557

FMATTR doesn't work for User Attribute Mapped Expressions
The FMATTR prefix, used to print multi-valued attributes as separate assertion attributes rather than as one caret (^)-delimited line, does not work for User Store Attribute Mapping expressions.
Last Update: 8/18/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1537107

Audit DB assertion validity attributes for non-Fed webagent requests
Some federation specific attribute values are getting updated for non-federated applications
Last Update: 8/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1175106

Error parsing an SLO message
When the user does an IDP-initiated Single Logout on saml2slo URL, we get an Error parsing an SLO error.
Last Update: 8/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1395119

Is there a security risk by adding .eot file to the IgnoreExt ACO?
EOT stands for Embedded OpenType Font. It allows the fonts used in the creation of a document to travel with that document, ensuring that a user sees documents exactly as the designer intended.
Last Update: 8/17/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1914264

Do you know of a way to verify the version of the RSA ACE Client in use by the Policy Server?
I know we were told CR05 now uses 8.1.3, but I'm curious to know if there is a way to confirm the version (for example, running commands like ldconfig on the lib).
Last Update: 8/16/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1165169

CA Access Gateway (formerly Secure Proxy Server): Commonly Tuned Parameters
How to tune CA Access Gateway (SPS) parameters in order to suit typical production environment processing needs.
Last Update: 8/15/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1929227

Resolving certificate errors for the SPS and Agent for SharePoint Tomcat Proxy.
Receiving a "Certificate for is not trusted or bad certificate" in the Secure Proxy Server/Agent for SharePoint Trace File when connecting to the back-end Server over SSL.
Last Update: 8/12/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1628104

How to resolve the "WSFED_SSO_NO_PROVIDER_ID" error for the Single Sign On Agent for SharePoint 2010/2013
After creating the SharePoint Connection, users are receiving a 403 response and the following error is logged in the Federation.log; No WSFED provider information found for RP
Last Update: 8/11/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1813362

x.509 certificate auth schemes Support for PIV/CAC cards
Does x.509 certificate auth support PIV/CAC cards using a PIN code?
Last Update: 8/10/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1223417

Http Headers with Special characters are getting URL Encoded Through the SAMLDataPlugin
When using SiteMinder as SP, why are the returned HTTP headers URL encoded upon assertion consumption?
Last Update: 8/10/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1904612

How is the resolved Cookie Domain determined for a Single Sign On (fka SiteMinder) Agent?
Why are there two SMSESSION cookies created, one for domain A and the other for a subdomain of A?
Last Update: 8/9/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1300426

Steps to Re-register Admin UI
These steps describe the process of re-registering an Admin UI with the Policy server
Last Update: 8/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1547349

XPSRegClient and XPSExport failed.
When the customer executed the XPSRegClient command, the error below occurred and the command did not execute properly.
Last Update: 8/8/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1990485

authentication check when multiple users are found for authentication
If the password matches either one of them the user can login. Is this technically correct behavior?
Last Update: 8/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1575144

Federation suddenly fails and no assertion being generated. FWSTrace.log shows SAML2Response=NO.
How to troubleshoot SAML2Response=NO
Last Update: 8/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1790565

Restart Policy Server when you update sm.registry file.
This article explains the required restart of Policy Server when changing value in sm.registry on Linux.
Last Update: 8/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1696518

Manually uninstall IIS web agent
Provides steps on how to manually uninstall the IIS web agent if the uninstaller didn't work
Last Update: 8/3/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1904547

Policy Server fails to locate certificate in smkeydatabase
Policy Server failed to locate the certificate due to the special character or ASCII character in the issuer DN
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1178062

Saving user login credentials
Explains how to set up form authentication with the option to have credentials saved for future use, and how this feature works
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1098721

Request through SPS is not advancing as backend IIS returns status code of 301
Request through SPS is not advancing as backend IIS returns status code of 301
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1040125

What is the /config/XPS.cfg file used for?
Whenever the XPSConfig utility is used to make any changes to the default settings, these changes are stored in the XPS.cfg file. The file itself should only be created and modified by the XPSConfig utility.
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1607105

What does this error mean, SmServerConnection, connect, Exception calling TCP transport connect: java.nio.channels.UnresolvedAddressException?
The exception occurs when the address being used to connect to is unresolvable. In this case the Policy Server address. It could be an invalid IP address, an unresolvable hostname or a typo in the address.
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1233665

Getting "No Private key of Certificate chain received from policy server" in the SiteMinder logs when attempting to create SAML 1.1 artifact.
SAML 1.1 Artifact Failure
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1646668

Custom agent periodically crashing when making various Agent API calls.
Custom agent crashing
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1744713

Time-out in Federation
The timeout values in Federation are only used if Delegated Authentication is in use.
Last Update: 8/2/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1463162

What Encryption Scheme, Padding Scheme and Block cipher modes of operation are used in partnership federation in Single Sign-On ?
XML Encryption, as specified for SAML 2.0, is used in a partnership federation.
Last Update: 8/2/2016    Size: 82 kb    Type: Knowledge Base Articles    ID: TEC1857012

How to correct this error message, "Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions"
Syntax error on line 975 of /opt/IBM/HTTPServer/conf/httpd.conf: Invalid command 'SSLOptions', perhaps misspelled or defined by a module not included in the server configuration
Last Update: 8/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1234981

How to correct the error message, “Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require".
“Syntax error on line 974 of /opt/IBM/HTTPServer/conf/httpd.conf: SSL0331W: Invalid argument for SSLClientAuth: require (null). The 1st value must be 0, 1, 2, none, optional, required, or required_reset”
Last Update: 8/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1639554

Configuring Cert and Form authentication scheme using the Web Agent configuration wizard does not throw an error, however the scheme does not work.
CA Single Sign-On Web Agent for Apache on IBM IHS(HTTP) server Cert and Form auth scheme does not work.
Last Update: 8/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1923838

Configuring specific authentication schemes on the Web Agent on an Oracle HTTP Server requires specific SSLVerifyClient settings.
Change the value of the SSLVerifyClient directive from within the httpd.conf used by the Oracle HTTP Server to the necessary value: a. SSLVerifyClient optional b. SSLVerifyClient required
Last Update: 8/1/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1563022

Changing the IP address Impact on Agent and Policy server
Will changing the IP address on the Agent or Policy Server impact the trust relationship?
Last Update: 7/29/2016    Size: 83 kb    Type: Knowledge Base Articles    ID: TEC1847543

 

Please note that you can always access the full list by going to the following link:

CA Single Sign-On - CA Technologies

Feel free to post your questions in the community if you have a question about any of these KB articles.

 

Best Regards,

Ujwol Shrestha

Principal Support Engineer

CA Technologies

Question:

What is FORMCRED cookie ?

Environment:

Web Agent Version : v6 and above

Answer:

On a POST to an FCC, the FCC generates a number of cookies. These include the FORMCRED cookie, which is created when FCCCompatMode is set to YES. This cookie represents the old way of doing forms login and should be considered deprecated. The functionality only exists today to provide backwards compatibility with older SiteMinder installations. The FORMCRED cookie is generated from the USERNAME and PASSWORD variables. In the default mode (FCCCompatMode="NO"), the FCC logs the user in directly and, on successful authentication, redirects the user back to the TARGET URL with an SMSESSION cookie, using SSO instead of FORMCRED credentials to access the TARGET.

The FORMCRED cookie is further encrypted using Agent Keys.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 6th September 2016

 

Issue:

After upgrading the Federation Gateway (SPS / WAOP / Federation Manager) from R12.5 to R12.52, a new SiteMinder session cookie is generated by the FWS Agent.

 

Environment:

Applies to R12.51 and R12.52 SPS / WAOP / Federation Manager.

 

Cause:

Starting with R12.51, the FWS Agent generates a new SiteMinder session cookie after successfully validating the existing session cookie.

 

[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][Validating input...]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][Creating the smsession cookie for SP domain [CHECKPOINT = SSO_SMSESSIONFORSPDOMAIN_REQ]]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][Recived valid input. Attempting to create SESSION cookie.]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][session id is: /aaacaUi9lUagDH0dzMusCfdzsw=]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][About to create SESSION cookie.]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-a][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]

 

The FWS Agent can reference an Agent Configuration Object (ACO) that differs from the one used by the front-end Web Agent. The following ACO parameters apply to the FWS Agent:

  • DefaultAgentName
  • TransientIDCookies
  • AcceptTPCookie
  • TransientIPCheck
  • CookieDomain
  • CookieDomainScope
  • SSOZoneName
  • SSOTrustedZone
  • FedDeploymentMode
  • FedSmConnectorEnabled
  • UseSecureCookies

 

Resolution:

Ensure that the session cookie generated by the FWS Agent matches the criteria (cookie domain, secure flag) of the front-end Web Agent's cookie, so that single sign-on works across both.
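As an added example (not part of the tech tip), the checker below derives the session cookie each agent would emit from its ACO parameters and reports the mismatches that leave the browser with a second cookie the front-end Web Agent cannot use. It assumes the documented naming rule `<SSOZoneName>SESSION` (default zone SM gives SMSESSION) and that UseSecureCookies controls the Secure flag; all ACO values are constructed samples.

```python
# Added example, not part of the tech tip: derive the SSO cookie each agent
# emits from its ACO parameters and report mismatches between the front-end
# Web Agent and the FWS Agent. All ACO values below are constructed samples.

# ACO parameters the tech tip lists as applicable to the FWS Agent.
SSO_PARAMS = (
    "DefaultAgentName", "TransientIDCookies", "AcceptTPCookie", "TransientIPCheck",
    "CookieDomain", "CookieDomainScope", "SSOZoneName", "SSOTrustedZone",
    "FedDeploymentMode", "FedSmConnectorEnabled", "UseSecureCookies",
)
# Evaluated explicitly below, or legitimately different per agent (agent name).
SPECIAL = {"DefaultAgentName", "CookieDomain", "SSOZoneName", "SSOTrustedZone", "UseSecureCookies"}


def _norm(value):
    return str(value or "").strip().upper()


def _zones(value):
    """SSOTrustedZone is a comma-separated list of zone names."""
    return {z.strip().upper() for z in str(value or "").split(",") if z.strip()}


def cookie_identity(aco):
    """Cookie attributes an agent emits for a given ACO: the name is
    <SSOZoneName>SESSION (default zone SM gives SMSESSION), the Domain attribute
    comes from CookieDomain and the Secure flag from UseSecureCookies."""
    zone = _norm(aco.get("SSOZoneName")) or "SM"
    return {
        "zone": zone,
        "name": zone + "SESSION",
        "domain": str(aco.get("CookieDomain") or "").strip().lower(),
        "secure": _norm(aco.get("UseSecureCookies")) == "YES",
    }


def sso_mismatches(frontend_aco, fws_aco):
    """Return findings explaining why the cookie set by the FWS Agent is not
    accepted as the front-end agent's SSO cookie; an empty list means consistent."""
    fe, fws = cookie_identity(frontend_aco), cookie_identity(fws_aco)
    findings = []
    if fe["zone"] != fws["zone"] and fws["zone"] not in _zones(frontend_aco.get("SSOTrustedZone")):
        findings.append(f"zone mismatch: FWS sets {fws['name']} but front-end expects "
                        f"{fe['name']} and does not list zone {fws['zone']} in SSOTrustedZone")
    if fe["domain"] and fws["domain"] and fe["domain"] != fws["domain"]:
        findings.append(f"cookie domain mismatch: {fws['domain']} (FWS) vs {fe['domain']} (front-end)")
    if fe["secure"] != fws["secure"]:
        findings.append("Secure flag mismatch: UseSecureCookies differs between the two ACOs")
    for param in SSO_PARAMS:
        if param not in SPECIAL and _norm(frontend_aco.get(param)) != _norm(fws_aco.get(param)):
            findings.append(f"{param} differs: front-end={frontend_aco.get(param)!r} FWS={fws_aco.get(param)!r}")
    return findings


# Constructed sample: the FWS ACO diverges from the front-end ACO in cookie
# domain and secure flag, so the browser ends up with a second SMSESSION cookie.
FRONTEND_ACO = {"DefaultAgentName": "webagent", "CookieDomain": ".example.com",
                "SSOZoneName": "SM", "UseSecureCookies": "NO", "TransientIDCookies": "NO"}
FWS_ACO = {"DefaultAgentName": "fwsagent", "CookieDomain": ".sso.example.com",
           "SSOZoneName": "SM", "UseSecureCookies": "YES", "TransientIDCookies": "NO"}

if __name__ == "__main__":
    for finding in sso_mismatches(FRONTEND_ACO, FWS_ACO):
        print("MISMATCH:", finding)
```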

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 5th September 2016

 

Introduction: 

With the Secure Proxy Server, when Tomcat is shut down or not contactable, Apache cannot forward requests to Tomcat and returns HTTP error 503 to the end user.


OOTB error:
======================================================
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
=======================================================

 

Question: 

How can the error be customized to indicate that Tomcat is not available?

 

Environment:

All SPS releases.

 

Answer:

To customize the error, update the ErrorDocument directive in <SPS>\httpd\conf\httpd.conf file.

 

The syntax of the ErrorDocument directive is:

ErrorDocument <3-digit-code> <action>

where the action will be treated as:

  1. A local URL to redirect to (if the action begins with a "/").
  2. An external URL to redirect to (if the action is a valid URL).
  3. Text to be displayed (if none of the above). The text must be wrapped in quotes (") if it consists of more than one word.
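As an added example (not part of the tech tip), the following script parses the ErrorDocument directives out of an httpd.conf excerpt, classifies each action by the three rules above, and checks the 503 entry. The `proxied_prefixes` argument is an assumption of this example: a local URL that falls under a path Apache forwards to Tomcat would itself fail while Tomcat is down, so the custom page must be served by Apache. The httpd.conf excerpt is constructed.

```python
# Added example, not part of the tech tip: find and classify the ErrorDocument
# directive for each status code in an SPS httpd.conf, applying the three rules
# (local URL, external URL, quoted text) and checking the 503 customization.
import re
import shlex
from urllib.parse import urlparse

# Constructed httpd.conf excerpt: the OOTB 503 text is replaced so the end user
# learns that the Tomcat tier behind Apache is the part that is unavailable.
SAMPLE_HTTPD_CONF = """
# ... other directives ...
ErrorDocument 404 /errors/not_found.html
ErrorDocument 500 http://status.example.com/sps
ErrorDocument 503 "The application tier (Tomcat) is unavailable. Please try again later."
"""

DIRECTIVE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(.*?)\s*$", re.IGNORECASE)


def classify_action(action):
    """Apply the three ErrorDocument rules to the raw action string."""
    if action.startswith("/"):
        return "local-url"
    parsed = urlparse(action)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "external-url"
    return "text"


def parse_error_documents(conf_text):
    """Map status code -> (kind, action) for every ErrorDocument directive."""
    result = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment
        m = DIRECTIVE.match(line)
        if not m:
            continue
        code, raw = int(m.group(1)), m.group(2)
        kind = classify_action(raw)
        if kind == "text":
            words = shlex.split(raw)  # honours the surrounding quotes
            if len(words) > 1:
                # unquoted multi-word text violates rule 3; Apache rejects it
                raise ValueError(f"ErrorDocument {code}: multi-word text must be quoted")
            raw = words[0] if words else ""
        result[code] = (kind, raw)
    return result


def check_503(conf_text, proxied_prefixes=()):
    """Report problems with the 503 action: no customization (OOTB text shown),
    or a local URL under a path that Apache would forward to the down Tomcat."""
    docs = parse_error_documents(conf_text)
    if 503 not in docs:
        return ["no ErrorDocument 503: OOTB 'Service Unavailable' text is shown"]
    kind, action = docs[503]
    issues = []
    if kind == "local-url" and any(action.startswith(p) for p in proxied_prefixes):
        issues.append(f"503 page {action} is under a proxied path; serve it from Apache itself")
    return issues


if __name__ == "__main__":
    for code, (kind, action) in sorted(parse_error_documents(SAMPLE_HTTPD_CONF).items()):
        print(code, kind, action)
    print("503 issues:", check_503(SAMPLE_HTTPD_CONF, proxied_prefixes=("/affwebservices/",)))
```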

 

Additional Information:

https://httpd.apache.org/docs/2.4/custom-error.html

https://httpd.apache.org/docs/2.4/mod/core.html#errordocument

Question:

  • What is the Persistent Key / Session Ticket Key? What is it used for?
  • Where and how is the Session Ticket Key stored?
  • What is the impact of resetting the Persistent Key / Session Ticket Key?

Environment:

Policy Server : Any 

Answer:

 

What is the Persistent Key / Session Ticket Key? What is it used for?

The Persistent Key / Session Ticket Key is used by the Policy Server for the following purposes:

  1. To encrypt the Session Ticket (Spec). The session ticket is what the Policy Server uses to determine how long a user's authentication remains valid. The session ticket is encrypted using the session ticket key and cached in the Agent User Cache. The Session Ticket can only be decrypted by the Policy Server.

The Session Ticket (Spec) contains the following information:

  • SessionVersion
  • SessionStartTime
  • SessionLastTime
  • SessionMaxTimeout
  • SessionIdleTimeout
  • SessionLevel
  • SessionId
  • SessionIp
  • SessionDn
  • SessionDirOid
  • SessionDirName
  • SessionUnivId
  • SessionType
  • SessionAnonymous
  • SessionImpersonatorName
  • SessionLoginName
  • SessionPersistent
  • SessionDrift
  • SessionImpersonatorDirName
  • SessionAuthContext

  2. To encrypt the password services data (blob) in the user directory. The password blob contains the following information:

  • LoginFailures (count)
  • LastLoginTime
  • PreviousLoginTime
  • PasswordHistory
  • LastPasswordChange (Date & Time)

Where and how is the Session Ticket Key stored?

The Session Ticket Key is stored in the Key Store.

In the case of an LDAP key store, it is stored under the following DN:

smKeyManagementOID4=<id>,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,<ROOT DN>


Example :

smKeyManagementOID4=1a-fa347804-9d33-11d3-8025-006008aaae5b,ou=PolicySvr4,ou=SiteMinder,ou=Netegrity,o=siteminder,c=in

 

In the case of an ODBC key store, it is stored in the KeyManagement4 table.

 

What is the impact of resetting the Persistent Key / Session Ticket Key?

Resetting the Persistent Key has the following impacts:

  • Existing logged-in user sessions are no longer valid. Users have to log in again to establish a new session.
  • Existing password blobs are no longer valid, which means all the information related to password changes, login tracking, etc. is lost.

Additional Information:

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/administrating/configuring-and-managing-encryption-keys