
CA Single Sign-On

37 Posts authored by: Kelly Wong Employee

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 13th September 2016

 

Issue:

IdP-initiated Single Logout (SLO) is failing with the following errors:

== AffWebserv.log ==

[12237/127507312][Thu Sep 08 2016 23:22:20][SLOService.java][ERROR][sm-FedClient-02180] "Error occurred during single logout.  Message:  Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81

 

== FWSTrace.log ==

[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][
TUNNEL STATUS:
   status  : 21
   message : Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:
http://idp.com:81]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogout][Output from Tunnel call:status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=]
[09/08/2016][23:22:20][12237][127507312][abcde807-9ab242d3-d9d5aacc-4e4b4259-d9f83537-46e][SLOService.java][handleLogoutFailure][Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]

 

== PS trace ==

[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Status: status=21&message=Issuer is not found; unable to verify signature. Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]
[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java][tunnelHandler][1235dbac-56b8da1a-dcb1a6b3-05a0f3a7-cd62cb45-6eb][Returning from SLO tunnel. Response: status=0&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=null]

 

Environment:

Policy Server: R12.52 SP1 CR5

Webagent & WAOP: R12.52 SP1 CR5

 

Cause:

Tunnel status 21 indicates an unknown issuer.

The SLO Service location URL specifies the URL of the single logout service at the remote partner, which is where the single logout request is sent.

Hence, in this use case, the customer (acting as the IdP) should configure the following as the SLO Service URL:

http://<sp_host:port>/affwebservices/public/saml2slo

Instead, the customer specified the IdP host in the SLO Service URL, which caused the unknown issuer error.

Resolution:

To resolve the error, update the SLO Service URL accordingly in the IdP->SP partnership >> 4. SSO and SLO >> SLO settings.
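The check below is an added example, not CA code or part of the tech tip: it pulls the tunnel status and issuer out of the Policy Server trace line quoted above (only status 0 and 21 are given meanings, as the tip states) and flags a partnership SLO Service URL whose host is the local IdP rather than the partner. The trace lines and host names are constructed from the ones in the tip.

```python
import re
from urllib.parse import urlsplit

# Tunnel status codes as the tip describes them; anything else is reported as "unknown".
TUNNEL_STATUS = {0: "success", 21: "unknown issuer"}

# The Policy Server trace prints the tunnel result as a query-string-like blob.
STATUS_RE = re.compile(r"\bstatus\s*[=:]\s*(?P<status>\d+)")
MESSAGE_RE = re.compile(r"&message=(?P<message>.*?)(?:\s+Issuer:\s*(?P<issuer>[^\]]*))?\]")
URL_RE = re.compile(r"https?://[^\s\]]+")

# Constructed trace lines, shortened from the ones quoted in the tip.
SAMPLE_TRACE = [
    "[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java]"
    "[tunnelHandler][1235dbac-56b8da1a][Returning from SLO tunnel. Status: status=21"
    "&message=Issuer is not found; unable to verify signature."
    " Session ID: AbCnzj05I6m8JwmzAgxDvZjG9rw= Issuer: null:http://idp.com:81]",
    "[09/08/2016][23:22:20.292][12673][4023925616][SingleLogoutTunnelServiceHandler.java]"
    "[tunnelHandler][1235dbac-56b8da1a][Returning from SLO tunnel. Response: status=0"
    "&providerID=http://idp.com:81&isPOST=false&isSOAPEnabled=false;relayState=null]",
]


def parse_slo_tunnel_line(line: str) -> dict:
    """Extract status, its meaning, the message and the issuer from one trace line.

    Returns an empty dict for lines that carry no tunnel status.
    """
    m = STATUS_RE.search(line)
    if not m:
        return {}
    status = int(m.group("status"))
    msg = MESSAGE_RE.search(line)
    return {
        "status": status,
        "meaning": TUNNEL_STATUS.get(status, "unknown"),
        "message": (msg.group("message") or "").strip() if msg else "",
        "issuer": (msg.group("issuer") or "").strip() if msg else "",
    }


def issuer_url(issuer: str) -> str:
    """Return the URL part of the logged issuer; the tip's log prefixes it with 'null:'."""
    m = URL_RE.search(issuer)
    return m.group(0) if m else ""


def check_slo_service_url(slo_service_url: str, local_idp_host: str) -> str:
    """Check the SLO Service URL configured in the partnership.

    It must point at the partner's single logout service, so a URL whose host is
    the local IdP itself is the misconfiguration the tip describes.  local_idp_host
    is host[:port] as it appears in the IdP's own URLs.
    """
    parts = urlsplit(slo_service_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "invalid: SLO Service URL is not an absolute http(s) URL"
    if parts.netloc.lower() == local_idp_host.lower():
        return "misconfigured: SLO Service URL points at the local IdP host"
    if not parts.path.endswith("/affwebservices/public/saml2slo"):
        return "warning: path is not the CA SSO SAML2 single logout endpoint"
    return "ok"


def analyse_slo(trace_lines, slo_service_url: str, local_idp_host: str) -> list:
    """Findings from the trace lines followed by the configuration check."""
    findings = []
    for line in trace_lines:
        info = parse_slo_tunnel_line(line)
        if info and info["status"] != 0:
            findings.append(
                f"tunnel status {info['status']} ({info['meaning']}) for issuer "
                f"{issuer_url(info['issuer']) or 'n/a'}: {info['message']}"
            )
    findings.append(check_slo_service_url(slo_service_url, local_idp_host))
    return findings


if __name__ == "__main__":
    for finding in analyse_slo(SAMPLE_TRACE, "http://idp.com:81/affwebservices/public/saml2slo", "idp.com:81"):
        print(finding)
```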

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 10th September 2016

 

Issue:

All Federation logins via the same Federation Web Services (FWS) Agent are failing. FWSTrace.log suggests that the FWS Agent is unable to locate either the Service Provider or the Identity Provider.

Environment:

Applies to a Web Agent with the Web Agent Option Pack installed on the same server.

Cause:

== Affwebserv.log ==

[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (The SiteMinder Agent is initializing ..)
[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (SiteMinder Product Details: PRODUCT_VERSION=12.52, PRODUCT_NAME=Federation Web Services, PRODUCT_UPDATE=0101 , PRODUCT_LABEL=640.)
[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (Administration Manager is trying to create configuration for the SiteMinder Agent)
[812/5204][Mon Sep 05 2016 18:50:23][agentcommon][INFO][sm-log-00001] missing component library (Creating agent connection using file : C:\CA\webagent\win64\bin\IIS\WebAgent.conf)
[812/5204][Mon Sep 05 2016 18:50:25][agentcommon][INFO][sm-log-00001] missing component library (Registering the Configuration Manager with the Policy Server)
[812/5204][Mon Sep 05 2016 18:50:25][agentcommon][INFO][sm-log-00001] missing component library (Obtained data from the Policy Server for Agent Config Object "aco")
[812/5204][Mon Sep 05 2016 18:50:25][agentcommon][INFO][sm-log-00001] missing component library (Configuration Manager is creating the Configuration Management thread with pspollinterval of 30 seconds)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (testagent)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (0)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (700)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (SM)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ([SM])
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (NO)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (YES)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (YES)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (en-US)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library (en-US)
[812/5204][Mon Sep 05 2016 18:50:25][FWSAgentConfig.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][FWSAdministrationManager.java][INFO][sm-log-00001] missing component library ()
[812/5204][Mon Sep 05 2016 18:50:25][ManageNameIDService.java][INFO][sm-log-00001] missing component library (NameID Management)
[812/5204][Mon Sep 05 2016 18:50:25][ManageNameIDService.java][INFO][sm-log-00001] missing component library (NameID Management)
[812/6664][Mon Sep 05 2016 18:50:49][SSO.java][INFO][sm-log-00001] missing component library (Single Sign-On)
[812/6664][Mon Sep 05 2016 18:50:49][SSO.java][INFO][sm-log-00001] missing component library (Single Sign-On)

[812/6664][Mon Sep 05 2016 18:50:50][SSO.java][ERROR][sm-log-00001] missing component library (1461e379-729c1ebd-7b527d92-a3aebde9-2ca4ce70-6e57, NO_PROVIDER_INFO_FOUND, , , )
[812/6664][Mon Sep 05 2016 18:50:50][SSO.java][ERROR][sm-log-00001] missing component library (wonsa03-i122123SP)
[812/6664][Mon Sep 05 2016 18:51:28][SSO.java][ERROR][sm-log-00001] missing component library (371f5a12-5f181f83-8057bcc5-30ecaf13-fa358949-3a7, NO_PROVIDER_INFO_FOUND, , , )
[812/6664][Mon Sep 05 2016 18:51:28][SSO.java][ERROR][sm-log-00001] missing component library (cn=ca support)

 

The "missing component library" message in the Affwebserv.log indicates that the Web Agent and Web Agent Option Pack are installed on the same machine, but their versions (including Service Pack and CR release) are mismatched.

Resolution:

If the Web Agent and Web Agent Option Pack are installed on the same machine, they must also be the same version, including the Service Pack and CR version.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 6th September 2016

 

Issue:

After upgrading the Federation Gateway (SPS/WAOP/Federation Manager) from R12.5 to R12.52, a new SiteMinder session cookie is observed to be generated by the FWS Agent.

Environment:

Applies to R12.51 and R12.52 SPS/WAOP/Federation Manager.

Cause:

Starting from the R12.51 release, the FWS Agent generates a new SiteMinder session cookie after successfully validating the existing session cookie.

[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][Validating input...]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][Creating the smsession cookie for SP domain [CHECKPOINT = SSO_SMSESSIONFORSPDOMAIN_REQ]]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][Recived valid input. Attempting to create SESSION cookie.]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][session id is: /aaacaUi9lUagDH0dzMusCfdzsw=]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-aa][FWSBase.java][createSessionCookie][About to create SESSION cookie.]
[07/26/2016][14:18:30][5158][819177216][aa0f058d-db896087-989afade-0ae9ff38-bff7510a-a][FWSBase.java][createSessionCookie][Placing smsession in browser [CHECKPOINT = SSO_PLACESMSSESSIONTOBROWSER_REQ]]

 

The FWS Agent can reference an Agent Configuration Object (ACO) that differs from the one used by the frontend Web Agent. The following parameters are applicable to the FWS Agent:

  • DefaultAgentName
  • TransientIDCookies
  • AcceptTPCookie
  • TransientIPCheck
  • CookieDomain
  • CookieDomainScope
  • SSOZoneName
  • SSOTrustedZone
  • FedDeploymentMode
  • FedSmConnectorEnabled
  • UseSecureCookies

 

Resolution:

Ensure that the session cookie generated by the FWS Agent matches the criteria (cookie domain, secure flag) required for single sign-on.
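As an added example (not CA code), the comparison below checks the FWS Agent's ACO against the frontend Web Agent's ACO for the parameters listed above, treating the cookie domain and secure flag the tip names as the blocking criteria and the rest as informational. The "Name=Value" dump format and all values are constructed; real ACOs are exported differently.

```python
from typing import Dict, List, Tuple

# ACO parameters the tip lists as applicable to the FWS Agent.
FWS_ACO_PARAMETERS = (
    "DefaultAgentName", "TransientIDCookies", "AcceptTPCookie", "TransientIPCheck",
    "CookieDomain", "CookieDomainScope", "SSOZoneName", "SSOTrustedZone",
    "FedDeploymentMode", "FedSmConnectorEnabled", "UseSecureCookies",
)

# The tip's SSO criteria for the FWS-issued cookie: cookie domain and secure flag.
SSO_COOKIE_CRITERIA = ("CookieDomain", "CookieDomainScope", "UseSecureCookies")

# Constructed "Name=Value" dumps of two ACOs (a simplified text form, not an XPS export).
FRONTEND_ACO_TEXT = """\
DefaultAgentName=agent.apache
CookieDomain=.support.com
CookieDomainScope=0
UseSecureCookies=YES
SSOZoneName=SM
SSOTrustedZone=SM
TransientIDCookies=NO
"""

FWS_ACO_TEXT = """\
DefaultAgentName=fwsagent
CookieDomain=.fed.support.com
CookieDomainScope=0
UseSecureCookies=NO
SSOZoneName=SM
SSOTrustedZone=SM
TransientIDCookies=NO
"""


def parse_aco_text(text: str) -> Dict[str, str]:
    """Parse the constructed Name=Value form; blank lines and '#' comments are skipped."""
    aco: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        aco[name.strip()] = value.strip()
    return aco


def compare_fws_aco(frontend: Dict[str, str], fws: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Compare the FWS-relevant parameters of two ACOs.

    'blocking' holds differences in the cookie criteria the tip names (the cookie the
    FWS Agent issues would not be honoured by the frontend Web Agent); 'informational'
    holds the other differences.  Values compare case-insensitively and a parameter
    absent from an ACO counts as empty.
    """
    result: Dict[str, List[Tuple[str, str, str]]] = {"blocking": [], "informational": []}
    for name in FWS_ACO_PARAMETERS:
        a, b = frontend.get(name, ""), fws.get(name, "")
        if a.strip().lower() == b.strip().lower():
            continue
        bucket = "blocking" if name in SSO_COOKIE_CRITERIA else "informational"
        result[bucket].append((name, a, b))
    return result


def fws_cookie_supports_sso(frontend: Dict[str, str], fws: Dict[str, str]) -> bool:
    """True when no blocking difference remains."""
    return not compare_fws_aco(frontend, fws)["blocking"]


def report(frontend: Dict[str, str], fws: Dict[str, str]) -> List[str]:
    """Human-readable lines, blocking differences first."""
    cmp = compare_fws_aco(frontend, fws)
    lines = [f"FIX   {n}: frontend='{a}' fws='{b}'" for n, a, b in cmp["blocking"]]
    lines += [f"NOTE  {n}: frontend='{a}' fws='{b}'" for n, a, b in cmp["informational"]]
    return lines


if __name__ == "__main__":
    for line in report(parse_aco_text(FRONTEND_ACO_TEXT), parse_aco_text(FWS_ACO_TEXT)):
        print(line)
```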

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 5th September 2016

 

Introduction: 

With Secure Proxy Server, when Tomcat is shut down or not contactable, HTTP error 503 is returned to the end user because Apache failed to forward the request to Tomcat.


OOTB error:
======================================================
Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
=======================================================

 

Question:

How can the error be customized to indicate that Tomcat is not available?

Environment:

All SPS releases.

 

Answer:

To customize the error, update the ErrorDocument directive in the <SPS>\httpd\conf\httpd.conf file.

The syntax of the ErrorDocument directive is:

ErrorDocument <3-digit-code> <action>

where the action is interpreted as one of the following:

  1. A local URL to redirect to (if the action begins with a "/").
  2. An external URL to redirect to (if the action is a valid URL).
  3. Text to be displayed (if none of the above). The text must be wrapped in quotes (") if it consists of more than one word.
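The lint below is an added example, not part of the tip or of Apache: it applies the three action rules above to ErrorDocument lines from an httpd.conf fragment, catching the common mistake of multi-word message text left unquoted (Apache then sees extra arguments), and renders a correctly quoted 503 directive. The httpd.conf fragment is constructed.

```python
import re
import shlex
from typing import List

ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(?P<code>\d{3})\s+(?P<rest>.*?)\s*$")

# Constructed httpd.conf fragment; line 3 is the kind of mistake the lint is for.
SAMPLE_CONF = """\
# constructed fragment of the SPS httpd.conf
ErrorDocument 404 /errors/not_found.html
ErrorDocument 503 Tomcat is not available
ErrorDocument 500 "Internal error, please contact the helpdesk."
"""


def classify_action(action: str) -> str:
    """Classify an action the way the tip describes Apache treating it."""
    if action.startswith("/"):
        return "local-redirect"
    if re.fullmatch(r"https?://\S+", action):
        return "external-redirect"
    return "text"


def build_error_document(code: int, action: str) -> str:
    """Render a directive, quoting message text so Apache sees a single argument."""
    if not 100 <= code <= 999:
        raise ValueError("ErrorDocument expects a 3-digit HTTP status code")
    if classify_action(action) == "text":
        escaped = action.replace("\\", "\\\\").replace('"', '\\"')
        if len(escaped.split()) != 1 or escaped != action:
            return f'ErrorDocument {code} "{escaped}"'
    return f"ErrorDocument {code} {action}"


def lint_error_documents(conf_text: str, required_codes=(503,)) -> List[str]:
    """Report ErrorDocument lines Apache would reject or misread, and missing codes."""
    findings: List[str] = []
    seen = set()
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = ERRORDOC_RE.match(line)
        if not m:
            continue
        code, rest = int(m.group("code")), m.group("rest")
        seen.add(code)
        try:
            tokens = shlex.split(rest)          # honours "..." quoting like Apache's config parser
        except ValueError as exc:
            findings.append(f"line {lineno}: ErrorDocument {code} has unbalanced quotes ({exc})")
            continue
        if len(tokens) != 1:
            findings.append(
                f"line {lineno}: ErrorDocument {code} has {len(tokens)} arguments; "
                "text of more than one word must be wrapped in double quotes"
            )
    for code in required_codes:
        if code not in seen:
            findings.append(
                f"no ErrorDocument {code} directive; Apache's default error page will be served"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_error_documents(SAMPLE_CONF):
        print(finding)
    print(build_error_document(503, "Tomcat is not available, please try again later."))
```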

 

Additional Information:

https://httpd.apache.org/docs/2.4/custom-error.html

https://httpd.apache.org/docs/2.4/mod/core.html#errordocument

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 25th August 2016

 

Issue:

The following exception occurs when an administrator attempts to run the Policy Server configuration wizard:

This Application has Unexpectedly Quit: Invocation of this Java Application has caused an InvocationTargetException. This application will now exit. (LAX)

Exception running install action:
 java.lang.StackOverflowError
    at java.lang.StringBuffer.append(Unknown Source)
    at com.zerog.ia.installer.util.VariableManager.stripDELIM(Unknown Source)
    at com.zerog.ia.installer.util.VariableManager.aa(Unknown Source)
    at com.zerog.ia.installer.util.VariableManager.getVariable(Unknown Source)
    at com.zerog.ia.installer.util.VariableManager.getValueOfVariable(Unknown Source)
    at com.zerog.ia.installer.util.IAVariableStringResolver.getValueOfVariable(Unknown Source)
    at com.zerog.ia.installer.util.VariableManager.substitute(Unknown Source)

 

Environment:

Policy Server: R12.52  SP1 CR2 on RHEL 6

 

Cause:

Variables in the ca-ps-installer.properties file are not resolving to values, causing the configuration wizard to fail. These values should have been populated during the Policy Server installation.

Resolution:

Update the ca-ps-installer.properties file, entering the value for each respective field.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 23rd August 2016

 

Issue:

The following error is logged in smps.log:

“Timestamp parameters with a scale, must have a scale less than ten and a precision equal to 20 plus the scale. You specified a precision of 32 and scale of 12. Error in parameter 1."

 

Environment:

Policy Store: IBM DB2 10.x

Policy Server: R12.52 SP1 CR1

 

Cause:

This is a known issue with the DataDirect driver v07.12 against IBM DB2 10.x. The R12.52 SP1 CR1 Policy Server uses DataDirect driver v07.12.0056 (B0067, U0042).

The connection option "WorkArounds2=2" does not function properly against DB2 LUW 10.x with the ODBC 7.1 DB2 driver. This option causes the driver to ignore the ColumnSize and DecimalDigits specified in SQLBindParameter. When a parameterized UPDATE statement is executed against a timestamp column, an error occurs because the "WorkArounds2=2" option is not working correctly. This only occurs against DB2 LUW 10.x.

Timestamps in DB2 10.x have a precision of 32 and a scale of 12. The "WorkArounds2=2" connection option did not handle a precision greater than 30 correctly.

Resolution:

The issue is addressed in DataDirect driver v07.13.0105 (B0111, U0073).

The R12.52 SP1 CR2 Policy Server uses DataDirect driver v07.15.

Additional Information:

http://knowledgebase.progress.com/articles/Article/000049211

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 11th August 2016

 

Introduction:

The Administrative UI/application server is installed with an embedded certificate database.

To configure the external administrator store connection over SSL, the Root Certificate Authority must be added to the Administrative UI/application server's certificate database.

With the bundled JBoss, the trust store resides under the <adminui>\server\default\conf\ directory. Run the following command to add the Root Certificate Authority to the Administrative UI certificate database:

keytool.exe -importcert -trustcacerts -alias <alias> -file <CACertificate> -keystore trustStore.jks -storepass <truststore_password> -v

 

Question:

After the external administrator store connection over SSL is configured successfully, the following error is constantly logged in the Policy Server log:

[ERROR]SmDsLdapConnMgr Bind. Server host.domain.com : 636. Error 81-Can't contact LDAPserver

 

Environment:

Policy Server R12.52 SP1 release onwards.

Answer:

The following policy objects are created automatically once the external administrator store configuration is completed successfully:

  • AdvAuthExternalRDBDir / AdvAuthExternalLDAPDir – depending on whether the external admin store is an ODBC or LDAP repository
  • AdvAuthNAuthZDomain
  • AdvAuthNAuthZRealm – protected resource = "/sampleresource.html"
  • AdvAuthNAuthZAgent
  • AdvAuthNAuthZQueryScheme

 

The 'AdvAuthExternalLDAPDir' user directory is created with the details gathered during the external administrator store configuration. When SSL is enabled for the external admin store, the Root Certificate Authority and server certificates must be imported manually into the Policy Server's certificate database after the 'AdvAuthExternalLDAPDir' user directory has been created. If this manual step is not performed, the Policy Server cannot connect to the backend LDAP user directory over SSL and logs the LDAP error.

Additional Information:

For details on adding the certificates, refer to the following link:

https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/index.htm?toc.htm?1905764.html

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 3rd August 2016

 

Introduction:

Customer observes the following errors in the Web Agent log from time to time:

== Webagent log ==
[15951/3267352320][Tue May 10 2016 11:03:34][CSmResponseManager.cpp:222][ERROR][sm-AgentFramework-00460] HLA: Analyzer from module 'SM_WAF_HTTP_PLUGIN' returned unknown response code '-1' for component 'Response Manager'.


[15951/3267352320][Tue May 10 2016 11:03:34][CSmHighLevelAgent.cpp:1244][ERROR][sm-AgentFramework-00420] HLA: Component reported fatal error: 'Authentication Manager'.

 

Question:

What invokes the above HLA/LLA error and how can it be resolved?

Environment:

Applies to all R12.x Web Agents that protect resources with forms authentication.

Answer:

The following are the log snippets corresponding to the HLA/LLA error in the Web Agent log:

== Webagent Trace ==

[05/10/2016][11:03:34][15951][3267352320][CSmHighLevelAgent.cpp:960][ProcessAdvancedAuthentication][c2bfd700-149d60cceda2][][][][][][Start new request.]
[05/10/2016][11:03:34][15951][3267352320][CSmResourceManager.cpp:180][CSmResourceManager::ProcessAdvancedAuthResource][c2bfd700-149d60cceda2][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:8554][CSmHttpPlugin::ProcessAdvancedAuthResource][c2bfd700-149d60cceda2][][][][][][Resolved HTTP_HOST: 'www.support.com'.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:5165][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.support.com]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:5509][CSmHttpPlugin::ResolveClientIp][c2bfd700-149d60cceda2][][][][][][Resolved Client IP address '202.123.49.123' from header 'X-Forwarded-For'.]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:2915][SmFcc::getLocalePath][c2bfd700-149d60cceda2][*202.111.49.196][][][][][Localized Path = /opt/CA/webagent/siteminderagent/login.fcc, working locale = default]
[05/10/2016][11:03:34][15951][3267352320][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template '/opt/CA/webagent/siteminderagent/login.fcc' from cache.]
[05/10/2016][11:03:34][15951][3267352320][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][c2bfd700-149d60cceda2][*202.111.49.196][][][/nikko/app?action][][Resolved cookie domain '.support.com'.]
[05/10/2016][11:03:34][15951][3267352320][CSmResourceManager.cpp:218][CSmResourceManager::ProcessAdvancedAuthResource][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]
[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:499][IsResourceProtected][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Resource is protected from cache.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:193][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:2777][CSmHttpPlugin::ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Processing IsProtected responses.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:231][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]
[05/10/2016][11:03:34][15951][3267352320][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:703][SmFcc::getCredentials][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Success in collecting credentials.]
[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][POST preservation, handling return from credential collector.]
[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][http response
HTTP://www.support.com/nikko/app?action]
[05/10/2016][11:03:34][15951][3267352320][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]
[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:1332][AuthenticateUser][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][User 'wonsa03' is not authenticated by Policy Server.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:193][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:2942][CSmHttpPlugin::ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Processing Authentication responses.]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:2915][SmFcc::getLocalePath][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Localized Path = /opt/CA/webagent/siteminderagent/login.fcc, working locale = default]
[05/10/2016][11:03:34][15951][3267352320][SmFCC.cpp:2409][SmFcc::doUnauthorized][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Displaying error page: '/opt/CA/webagent/siteminderagent/login.unauth'.]
[05/10/2016][11:03:34][15951][3267352320][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template '/var/www/html/login/login.unauth' from cache.]
[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:3025][CSmHttpPlugin::ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Unable to verify tryno count, exiting with SmFailure.]
[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:166][DeleteCookie][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][Deleted cookie 'SMTRYNO'.]
[05/10/2016][11:03:34][15951][3267352320][CSmResponseManager.cpp:223][ProcessResponses][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmFailure.]
[05/10/2016][11:03:34][15951][3267352320][CSmAuthenticationManager.cpp:207][CSmAuthenticationManager::AuthenticateUser][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][ResponseManager ProcessResponses returned SmFailure.]
[05/10/2016][11:03:34][15951][3267352320][CSmHighLevelAgent.cpp:1246][ProcessAdvancedAuthentication][c2bfd700-149d60cceda2][*202.111.49.196][][agent.apache][/nikko/app?action][][AuthenticationManager returned SmFailure, end new request.]
[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:3466][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

 

== Policy Server log ==
[1853/4086664048][Tue May 10 2016 11:03:34][SmDsLdapFunctionImpl.cpp:494][ERROR][sm-Ldap-00770] (AuthenticateUser) DN: 'uid=wonsa03,dc=support, dc=com' . Status: Error 49 . Invalid credentials

 

By design, the error is logged when the failed login attempt count tracked by the SMTRYNO cookie is greater than or equal to the limit defined by the smretries directive in the login form.

In the customer's case, smretries was set to 1. Hence, whenever a user failed to authenticate, the error was invoked. The error is therefore expected and does not impact Web Agent operations.

To avoid the error, set smretries to 0, which means the user has unlimited login attempts unless limited by a password policy.
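To make the retry rule concrete, here is an added model (not the Web Agent's code) of the SMTRYNO / smretries decision described above, plus a scan of Web Agent trace lines for the "Unable to verify tryno count" message that marks the path on which the HLA error is logged. The trace lines are constructed in the tip's format with RFC 5737 client addresses.

```python
import re
from typing import List, Optional, Tuple

# Constructed Web Agent trace lines in the tip's format (date, time, pid, tid, source,
# function, transaction id, client ip, ..., message). Two transactions hit the limit.
SAMPLE_TRACE = [
    "[05/10/2016][11:03:34][15951][3267352320][CSmLowLevelAgent.cpp:1332][AuthenticateUser]"
    "[c2bfd700-149d60cceda2][*192.0.2.10][][agent.apache][/nikko/app?action][]"
    "[User 'wonsa03' is not authenticated by Policy Server.]",
    "[05/10/2016][11:03:34][15951][3267352320][CSmHttpPlugin.cpp:3025][CSmHttpPlugin::ProcessResponses]"
    "[c2bfd700-149d60cceda2][*192.0.2.10][][agent.apache][/nikko/app?action][]"
    "[Unable to verify tryno count, exiting with SmFailure.]",
    "[05/10/2016][11:03:34][15951][3267352320][SmPluginUtilities.cpp:166][DeleteCookie]"
    "[c2bfd700-149d60cceda2][*192.0.2.10][][agent.apache][/nikko/app?action][][Deleted cookie 'SMTRYNO'.]",
    "[05/10/2016][11:05:01][15951][3267352320][CSmHttpPlugin.cpp:3025][CSmHttpPlugin::ProcessResponses]"
    "[d41c9a00-22ab77e1f0c3][*192.0.2.11][][agent.apache][/nikko/app?action][]"
    "[Unable to verify tryno count, exiting with SmFailure.]",
]

TXN_RE = re.compile(r"^(?:\[[^\]]*\]){6}\[(?P<txn>[0-9a-f-]+)\]")
RETRY_LIMIT_MARKER = "Unable to verify tryno count"


def handle_failed_login(tryno_cookie: Optional[str], smretries: int) -> Tuple[Optional[int], bool]:
    """Apply the tip's rule after the Policy Server has rejected the credentials.

    Returns (SMTRYNO value to set, or None when the agent deletes the cookie,
    limit_reached).  limit_reached is the path on which the unauthorised page is
    served and the HLA logs the 'unknown response code -1' error; smretries == 0
    means unlimited attempts, so that path is never taken.
    """
    previous = int(tryno_cookie) if tryno_cookie and tryno_cookie.isdigit() else 0
    tries = previous + 1
    if smretries > 0 and tries >= smretries:
        return None, True
    return tries, False


def simulate_failures(n_failures: int, smretries: int) -> List[bool]:
    """limit_reached outcome for each of n consecutive failed logins in one browser."""
    cookie: Optional[str] = None
    outcomes: List[bool] = []
    for _ in range(n_failures):
        value, limit_reached = handle_failed_login(cookie, smretries)
        outcomes.append(limit_reached)
        cookie = None if value is None else str(value)
    return outcomes


def retry_limit_transactions(trace_lines) -> List[str]:
    """Transaction ids whose trace shows the retry-limit path (one entry per matching line)."""
    hits: List[str] = []
    for line in trace_lines:
        if RETRY_LIMIT_MARKER in line:
            m = TXN_RE.match(line)
            hits.append(m.group("txn") if m else "?")
    return hits


if __name__ == "__main__":
    print("smretries=1:", simulate_failures(3, 1))
    print("smretries=3:", simulate_failures(6, 3))
    print("smretries=0:", simulate_failures(5, 0))
    print("retry-limit transactions:", retry_limit_transactions(SAMPLE_TRACE))
```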

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 3rd August 2016

 

Introduction:

The Name ID attribute, a required assertion attribute, identifies a user in a unique way. The Name ID format indicates the identifier type that the federated partners support. The Name ID type specifies the user profile attribute that is associated with the name ID format. The user profile attributes come from a user store or the session store.

At the relying party, the partner must be able to locate a user in the local user directory. Locating the user in the user directory is the process of disambiguation. Configure the identity attribute for user disambiguation in the User Identification dialog.

The Policy Server can use one of the following methods for the disambiguation process:

  • Extract the Name ID value from the assertion.
  • Use the value of a specific attribute from the assertion.
  • Use the value that the XPath query obtains. The XPath query locates and extracts an attribute other than the Name ID from the assertion.

After you determine which attribute is extracted from the assertion, include this attribute in a search specification. After a successful disambiguation process, the Policy Server generates a session for the user.

Question:

How can a preferred attribute be nominated as the Name Identifier/Name ID in the assertion?

Environment:

Applies to all Federation Gateways: Web Agent Option Pack, Secure Proxy Server and Federation Manager.

Answer:

For Partnership Federation, the Identity Provider can specify its preferred attribute as the Name Identifier under Partnerships >> Assertion Configuration. For Legacy Federation, the Name Identifier is fixed:

  • ODBC user store -- Name attribute
  • LDAP user store -- User DN attribute

The additional attribute is included under the <SM:SMprofile> tag. Use an XPath query to locate and extract an attribute other than the Name ID from the assertion for the disambiguation process.
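The three disambiguation sources listed in the introduction (Name ID, a named assertion attribute, an XPath query) applied to a constructed SAML 2.0 assertion, as an added example that is not Policy Server code. The SM:SMprofile element, its namespace URI and its layout are constructed, as is the "{}" placeholder convention for the search specification; the value is escaped per RFC 4515 before it is substituted into the directory filter.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    # Constructed namespace for the SM:SMprofile element the tip mentions; the
    # product's real URI and element layout are not given in the tip.
    "SM": "urn:example:smprofile",
}

SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:SM="urn:example:smprofile" ID="_a1" Version="2.0">
  <saml:Issuer>http://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="employeeNumber">
      <saml:AttributeValue>10042</saml:AttributeValue>
    </saml:Attribute>
    <SM:SMprofile>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>alice</saml:AttributeValue>
      </saml:Attribute>
    </SM:SMprofile>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# RFC 4515 escaping for values substituted into an LDAP search filter.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_assertion(assertion_xml: str) -> ET.Element:
    return ET.fromstring(assertion_xml)


def name_id(root: ET.Element) -> Tuple[str, Optional[str]]:
    """Method 1: the Name ID value and its Format."""
    el = root.find("saml:Subject/saml:NameID", NS)
    if el is None or not (el.text or "").strip():
        raise ValueError("assertion has no NameID")
    return el.text.strip(), el.get("Format")


def attribute_value(root: ET.Element, name: str) -> Optional[str]:
    """Method 2: the value of a named attribute anywhere in the assertion."""
    el = root.find(f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)
    return el.text.strip() if el is not None and el.text else None


def xpath_value(root: ET.Element, path: str) -> Optional[str]:
    """Method 3: an ElementTree path (a subset of XPath) evaluated on the assertion."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def ldap_filter_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def search_spec(template: str, value: str) -> str:
    """Build the user-directory filter; '{}' marks where the extracted value goes.

    Escaping stops assertion content from changing the filter's structure.
    """
    return template.replace("{}", ldap_filter_escape(value))


def disambiguate(assertion_xml: str, method: str, template: str, arg: str = "") -> str:
    """Run one of the three methods and return the search specification to issue."""
    root = parse_assertion(assertion_xml)
    if method == "nameid":
        value: Optional[str] = name_id(root)[0]
    elif method == "attribute":
        value = attribute_value(root, arg)
    elif method == "xpath":
        value = xpath_value(root, arg)
    else:
        raise ValueError(f"unknown method {method!r}")
    if value is None:
        raise ValueError("disambiguation attribute not present in assertion")
    return search_spec(template, value)


if __name__ == "__main__":
    print(disambiguate(SAMPLE_ASSERTION, "nameid", "(mail={})"))
    print(disambiguate(SAMPLE_ASSERTION, "attribute", "(employeeNumber={})", "employeeNumber"))
    print(disambiguate(SAMPLE_ASSERTION, "xpath", "(uid={})",
                       ".//SM:SMprofile/saml:Attribute[@Name='uid']/saml:AttributeValue"))
```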

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 2nd August 2016

 

Symptoms:

Federation login is failing at the Service Provider's signature verification stage:


[03/06/2016][12:49:16.935][12:49:16][26708][4065954672][Saml2Validator.java][verifyXML][1a6f01f9-66967cfe-40e2fce5-b49f63cc-ed28766f-e7][Could not get certificate from trusted key database (IssuerName: EMAILADDRESS=federation@ca.com, CN=CA Certificate Authority - CA, OU="(c) CA, Inc.", O=www.ca.com/lcf is incorporated by reference, L="CA, Inc.", S=PA, C=US US Serial Number: 12345) ]


[03/06/2016][12:49:16.936][12:49:16][26708][4065954672][Saml2Validator.java][verifySignature][1a6f01f9-66967cfe-40e2fce5-b49f63cc-ed28766f-e7][Exception while verifying signature:
com.netegrity.ps.auth.saml.SamlValidationException: Could not get the certificate from the trusted key database.
at com.netegrity.ps.auth.saml.Saml2Validator.verifyXML(Saml2Validator.java:3220)
at com.netegrity.ps.auth.saml.Saml2Validator.verifySignature(Saml2Validator.java:596)
at com.netegrity.ps.auth.saml.Saml2Validator.smAuthenticate(Saml2Validator.java:881)
at com.netegrity.ps.auth.saml.SamlValidator.smAuthenticate(SamlValidator.java:380)

 

It was validated that the certificate identified above (an entry of CertificateEntry type) exists in the smkeydatabase and that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction patches are applied.

Environment:

R12.52 SP1 Federation Manager or Policy Server release

 

Cause:

The Policy Server failed to locate the certificate because of the special or ASCII characters in the issuer DN (the quotes, commas and parentheses seen in the DN above).

Resolution:

The fix is incorporated in the R12.52 SP1 CR6 Policy Server and Federation Manager releases.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 18th July 2016

Issue:

The Tomcat Proxy-Engine is crashing with the SPS R12.52 SP1 CR5 release.

The following is logged in nohup.log:

Jun 11, 2016 11:11:11 AM org.apache.catalina.loader.WebappClassLoader loadClass
INFO: Illegal access: this web application instance has been stopped already.  Could not load org.apache.commons.pool.impl.CursorableLinkedList$Cursor.  The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact.
java.lang.IllegalStateException
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1612)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
    at org.apache.commons.pool.impl.CursorableLinkedList.cursor(CursorableLinkedList.java:305)
    at org.apache.commons.pool.impl.GenericObjectPool.evict(GenericObjectPool.java:1488)
    at org.apache.commons.pool.impl.GenericObjectPool$Evictor.run(GenericObjectPool.java:1700)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)

Exception in thread "Timer-1" java.lang.NoClassDefFoundError: org/apache/commons/pool/impl/CursorableLinkedList$Cursor
    at org.apache.commons.pool.impl.CursorableLinkedList.cursor(CursorableLinkedList.java:305)
    at org.apache.commons.pool.impl.GenericObjectPool.evict(GenericObjectPool.java:1488)
    at org.apache.commons.pool.impl.GenericObjectPool$Evictor.run(GenericObjectPool.java:1700)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
Caused by: java.lang.ClassNotFoundException: org.apache.commons.pool.impl.CursorableLinkedList$Cursor
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1720)
    at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1571)
    ... 5 more
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  EXCEPTION_UNCAUGHT_CXX_EXCEPTION (0xe06d7363) at pc=0x764ac54f, pid=1111, tid=0x00001374
#
# JRE version: Java(TM) SE Runtime Environment (7.0_101-b31) (build 1.7.0_101-b31)
# Java VM: Java HotSpot(TM) Client VM (24.101-b31 mixed mode windows-x86 )
# Problematic frame:
# C  [KERNELBASE.dll+0xc54f]
#
# Core dump written. Default location: d:\Program Files (x86)\CA\secure-proxy\proxy-engine\hs_err_pid1111.mdmp
#
# An error report file with more information is saved as:
# d:\Program Files (x86)\CA\secure-proxy\proxy-engine\hs_err_pid1111.log
#
# If you would like to submit a bug report, please visit:
#   http://bugreport.java.com/bugreport/crash.jsp
# The crash happened outside the Java Virtual Machine in native code.
# See problematic frame for where to report the bug.
#

Environment:

R12.52 SP1 CR5 Secure Proxy Server

 

Cause:

Stack trace from hs_err_pidxxxx.log:

Stack: [0x5ca20000,0x5ca70000],  sp=0x5ca6ec48,  free space=315k
Native frames: (J=compiled Java code, j=interpreted, Vv=VM code, C=native code)
C  [KERNELBASE.dll+0xc54f]
C  [MSVCR80.dll+0x28e89]
C  [MSVCP80.dll+0x2b3e7]
C  [MSVCP80.dll+0x38e7]
C  [MSVCP80.dll+0x4845]
C  [SPS60Agent.dll+0x58cd]
C  [HttpPlugin.dll+0xa758]

The core file analysis indicates that the crash happens under specific circumstances while the SMSESSION cookie is being deleted. The crash was introduced by a fix (DE99753) incorporated in the CR5 release.

Resolution:

The crash condition is addressed. The fix is scheduled to be released with the R12.52 SP1 CR6 SPS release.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 12th July 2016

 

1. Create a new database on IBM DB2 server.

 

2. Set up the SiteMinder schema with sm_db2_ps.sql from the <siteminder>\db\tier2\DB2 directory. Copy the sm_db2_ps.sql content into a query (from DB2 Control Center against the new database) and execute the query.

3. Errors are returned for some of the table creation statements:

==============================================

CREATE TABLE smactiveexpr5 ( activeexproid VARCHAR(64) NOT NULL, domainoid VARCHAR(64) NOT NULL, usesvariables INTEGER NOT NULL DEFAULT 0, expr VARCHAR(4000), PRIMARY KEY (activeexproid) )

DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned: SQL0286N A default table space could not be found with a page size of at least "8192" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727


CREATE TABLE smvariable5 ( variableoid VARCHAR(64) NOT NULL, domainoid VARCHAR(64) NOT NULL, variablename VARCHAR(255) NOT NULL, definition VARCHAR(4000) NOT NULL, prefetchflag INTEGER NOT NULL DEFAULT 0, returntype INTEGER NOT NULL DEFAULT 0, metadata VARCHAR(4000), variabletype VARCHAR(64), variabledesc VARCHAR(1024), PRIMARY KEY (variableoid) )

DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned: SQL0286N A default table space could not be found with a page size of at least "16384" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727


CREATE TABLE smodbcquery4 ( odbcqueryoid VARCHAR(64) NOT NULL, odbcqueryname VARCHAR(255) NOT NULL, odbcquerydesc VARCHAR(255), queryenumerate VARCHAR(2000), querygetobjinfo VARCHAR(2000), querylookup VARCHAR(2000), queryinituser VARCHAR(2000), queryauthenticateuser VARCHAR(2000), querygetuserprop VARCHAR(2000), querysetuserprop VARCHAR(2000), querygetuserprops VARCHAR(2000), querylookupuser VARCHAR(2000), querygetgroups VARCHAR(2000), queryisgroupmember VARCHAR(2000), querygetgroupprop VARCHAR(2000), querysetgroupprop VARCHAR(2000), querygetgroupprops VARCHAR(2000), querylookupgroup VARCHAR(2000), querysetpassword VARCHAR(2000), PRIMARY KEY (odbcqueryoid), UNIQUE (odbcqueryname) )

DB21034E The command was processed as an SQL statement because it was not a valid Command Line Processor command. During SQL processing it returned: SQL0286N A default table space could not be found with a page size of at least "32768" that authorization ID "DB2ADMIN" is authorized to use.  SQLSTATE=42727

==============================================

4. Create buffer pools of the required page sizes, and a table space associated with each buffer pool:

db2 create bufferpool bp8k pagesize 8K
db2 create tablespace db8k pagesize 8K bufferpool bp8k

db2 create bufferpool bp16k pagesize 16K
db2 create tablespace db16k pagesize 16K bufferpool bp16k

db2 create bufferpool bp32k pagesize 32K
db2 create tablespace db32k pagesize 32K bufferpool bp32k

5. Run the sm_db2_ps.sql script again; this time it executes successfully.

6. Copy the XPS schema file DB2.sql from the <siteminder>\xps\db directory to the IBM DB2 server.

7. Open a DB2 Command Window and execute the following command (the -td@ option tells the CLP that the statements in the file are terminated by "@"):

db2 -td@ -v -f C:\Users\Administrator\Desktop\db2.sql

8. Once the script has executed successfully, configure the IBM DB2 data source (via system_odbc.ini on UNIX, or the ODBC Data Source tool) and configure the Policy Server to use this DB2 database as its policy store (via the SM Management Console).

9. Reset the SiteMinder superuser password with the following command:

smreg -su <password>

10. Import the Default Policy Store Data Definitions by running the following command on the Policy Server (from <siteminder>\xps\dd):

XPSDDInstall SmMaster.xdd

11. The XPSDDInstall command fails with the following error:

==============================================

[XPSDDInstall - XPS Version 12.52.0101.640]

Log output: /opt/CA/siteminder/log/XPSDDInstall.2016-07-11_152449.log

Initializing database, please wait...

(ERROR) : [sm-xpsxps-00870] An error occurred when calling "SQLExecDirect" for "Initial Policy Data Read" query

(ERROR) : [sm-xpsxps-00810] Native Diagnostic: HY000:-1585 [DataDirect][ODBC DB2 Wire Protocol driver][UDB DB2 for Windows, UNIX, and Linux]A system temporary table space with sufficient page size does not exist.

(ERROR) : [sm-xpsxps-00810] Native Diagnostic: 56098:-727 [DataDirect][ODBC DB2 Wire Protocol driver][UDB DB2 for Windows, UNIX, and Linux]An error occurred during implicit system action type '2'. Information returned for the error includes SQLCODE '-1585', SQLSTATE '54048' and message tokens ''.

(ERROR) : [sm-xadobj-00020] Failed to initialize global objects.

(FATAL) : [sm-xpsxps-03570] SiteMinder interface initialization failed.

(FATAL) : [sm-xpsxps-04120] Unable to initialize the XPS library.

==============================================

12. Create a system temporary table space for each buffer pool page size:

db2 CREATE SYSTEM TEMPORARY TABLESPACE ts8k PAGESIZE 8192 MANAGED BY SYSTEM USING ('C:\DB2 9.5\ts8k', 'C:\ts8k') bufferpool bp8k

db2 CREATE SYSTEM TEMPORARY TABLESPACE ts16k PAGESIZE 16384 MANAGED BY SYSTEM USING ('C:\DB2 9.5\ts16k', 'C:\ts16k') bufferpool bp16k

db2 CREATE SYSTEM TEMPORARY TABLESPACE ts32k PAGESIZE 32768 MANAGED BY SYSTEM USING ('C:\DB2 9.5\ts32k', 'C:\ts32k') bufferpool bp32k

13. Run XPSDDInstall again; this time it executes successfully.

14. Import the Default Policy Store Objects by running the following command on the Policy Server (from <siteminder>\db):

XPSImport smpolicy.xml -npass

15. Once the import has completed successfully, start the Policy Server and check smps.log.

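Steps 3 through 13 above follow one pattern: a DB2 page-size diagnostic (SQL0286N from the CLP in step 3, SQLCODE -1585 from XPSDDInstall in step 11) maps to a buffer pool, a table space and a system temporary table space of that page size. The following Python is an added example, not part of the tech tip or of the SiteMinder tooling: it extracts the page sizes from such diagnostics and generates the corresponding DB2 CLP statements of steps 4 and 12, for any set of page sizes rather than only the three seen here. The sample diagnostics are constructed from the messages quoted above, and the temporary table space container path is an assumed placeholder.

```python
import re

# Constructed sample: SQL0286N lines as returned by the CLP in step 3.
SAMPLE_CLP_OUTPUT = """\
SQL0286N A default table space could not be found with a page size of at least "8192" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727
SQL0286N A default table space could not be found with a page size of at least "16384" that authorization ID "DB2ADMIN" is authorized to use. SQLSTATE=42727
SQL0286N A default table space could not be found with a page size of at least "32768" that authorization ID "DB2ADMIN" is authorized to use.  SQLSTATE=42727
"""

# Constructed sample: the XPSDDInstall diagnostic from step 11.
SAMPLE_XPS_OUTPUT = """\
(ERROR) : [sm-xpsxps-00810] Native Diagnostic: HY000:-1585 [DataDirect][ODBC DB2 Wire Protocol driver][UDB DB2 for Windows, UNIX, and Linux]A system temporary table space with sufficient page size does not exist.
"""

SQL0286N_RE = re.compile(r'SQL0286N .*page size of at least "(\d+)"')


def required_page_sizes(clp_output):
    """Distinct page sizes (bytes) for which SQL0286N reports no usable table space."""
    return sorted({int(m.group(1)) for m in SQL0286N_RE.finditer(clp_output)})


def needs_system_temp_tablespace(xps_output):
    """True when XPSDDInstall reports SQLCODE -1585 (missing system temporary table space)."""
    return "-1585" in xps_output or "SQL1585" in xps_output


def db2_fix_commands(page_sizes, temp_container="C:\\db2temp", include_temp=True):
    """Generate the CLP statements of steps 4 and 12 for each page size.

    temp_container is an assumed placeholder path for the system temporary
    table space containers; replace it with a real directory on the DB2 host.
    """
    commands = []
    for size in page_sizes:
        kb = size // 1024  # DB2 accepts the page size as e.g. 8K or 8192
        commands.append(f"db2 create bufferpool bp{kb}k pagesize {kb}K")
        commands.append(f"db2 create tablespace db{kb}k pagesize {kb}K bufferpool bp{kb}k")
        if include_temp:
            commands.append(
                f"db2 CREATE SYSTEM TEMPORARY TABLESPACE ts{kb}k PAGESIZE {size} "
                f"MANAGED BY SYSTEM USING ('{temp_container}\\ts{kb}k') bufferpool bp{kb}k"
            )
    return commands


if __name__ == "__main__":
    sizes = required_page_sizes(SAMPLE_CLP_OUTPUT)
    temp = needs_system_temp_tablespace(SAMPLE_XPS_OUTPUT)
    for cmd in db2_fix_commands(sizes, include_temp=temp):
        print(cmd)
```

Running the generated statements in one go (with the temporary table spaces included) avoids the second round trip the tip went through, where XPSDDInstall only failed after the regular table spaces had been created.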
NOTE: Ensure that the admin account defined in the SM Management Console has the privileges the driver needs to create and bind packages as that account: BINDADD for binding packages, CREATEIN on the collection specified by the Package Collection option, and GRANT EXECUTE to the PUBLIC group for executing the packages. These are typically the permissions of a Database Administrator (DBA).

Test with the bind27 executable under <siteminder>\odbc\bin: bind27 <DSN>. It returns an error if the user does not have the privilege/authority to create packages.

Example:
[smuser@wonsa03-I151000 bin]$ ./bind27 'SiteMinder Data Source'
Datasource not found.
[smuser@wonsa03-I151000 bin]$ ./bind27 'SiteMinder Data Source'
User Name: ssoadmin
Password:
SecurityMechanism: ''
Creating packages ...Packages created and bound.

Also, by default the Policy Server's ODBC driver sends the user credentials to DB2 in clear text (AuthenticationMethod=0) for authentication. If a different authentication method is configured on DB2, update AuthenticationMethod accordingly.

CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 7th July 2016

Issue:

Federation login fails at the IdP. Secure Proxy Server is the Identity Provider and a third-party federation gateway is the Service Provider. The browser shows no error.

Environment:

Secure Proxy Server: R12.52 SP1 CR4

Cause:

The default page of an IIS virtual directory is used to invoke IdP-initiated federation. However, the request fails at the point where SPS forwards it to the backend IIS.


== SPS agent trace ==

[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][ProxyValve.invoke() Setting HTTP status to 200 allowing this request to proceeed. Return Code from HLA = 4]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Tomcat5serializedAgentData.setStatus][Setting response status = 200]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][ProxyValve::invoke][The agent finished processing the request.]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::service][Method is: GET Content length is: 0]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][addRequestHeaders][Need to preseve Proxy HOST Header.Sending Proxy Host to the backend web server]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Sending request to backend = support.ca.com url = http://support.ca.com/protected]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][requestConnection(): ][Get connection: HttpRoute[{}->http://support.ca.com], timeout = 180000]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][openConnection()][Connecting to support.ca.com/172.88.99.100]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][execute][Response status code from backend webserver is 301]
[07/05/2016][21:56:54][5936][5760][15a90c68-43f0a390-04e49fda-24d4e3bb-b3ea128e-3f56][Noodle::doGet][Received redirect status code = 301]

 

== HTTP Client log ==

Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<head><title>Document Moved</title></head>[\n]"
Jul 05, 2016 9:56:54 PM org.apache.http.impl.conn.Wire wire
FINE: << "<body><h1>Object Moved</h1>This document may be found <a HREF=http://support.ca.com/protected/>here</a></body>"

IIS returns status code 301 because the URI references a directory and IIS expects a trailing slash:

https://support.microsoft.com/en-au/kb/298408

The user's request stops at the backend's redirect and goes no further.

Resolution:

Add a trailing slash to the URL, or specify the default page (e.g. index.asp) in the URL.

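The failure mode above is easy to spot after the fact in the SPS trace (a 301 whose Location is the requested path plus "/") and easy to pre-empt in configuration. The following Python is an added example, not part of the tech tip or of the SPS product: one function recognises a pure trailing-slash redirect from the request URL and the backend's Location header, and another rewrites a directory URL in the two ways the resolution describes (trailing slash, or trailing slash plus a default page). The sample URLs are constructed from the trace above.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the request SPS forwarded and the Location IIS answered with.
SAMPLE_REQUEST_URL = "http://support.ca.com/protected"
SAMPLE_LOCATION = "http://support.ca.com/protected/"


def is_trailing_slash_redirect(request_url, location):
    """True when the redirect target is the request URL with only a "/" appended.

    Scheme and host must match; a redirect to another host or path is not the
    IIS directory redirect this tip is about and deserves separate investigation.
    """
    req, loc = urlsplit(request_url), urlsplit(location)
    return (
        req.scheme == loc.scheme
        and req.netloc.lower() == loc.netloc.lower()
        and not req.path.endswith("/")
        and loc.path == req.path + "/"
    )


def directory_url(request_url, default_page=None):
    """Rewrite a directory URL so IIS serves it directly instead of redirecting.

    With default_page=None the trailing slash is added; with e.g. "index.asp"
    the default page is named explicitly. Query and fragment are preserved.
    """
    parts = urlsplit(request_url)
    path = parts.path or "/"
    if not path.endswith("/"):
        path += "/"
    if default_page:
        path += default_page
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


if __name__ == "__main__":
    if is_trailing_slash_redirect(SAMPLE_REQUEST_URL, SAMPLE_LOCATION):
        print("trailing-slash redirect; use", directory_url(SAMPLE_REQUEST_URL))
        print("or name the default page:", directory_url(SAMPLE_REQUEST_URL, "index.asp"))
```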
CA Single Sign-On Tech Tip by Sau Lai Wong, Principal Support Engineer for 5th July 2016

Issue:

The Active Directory service account (the admin account defined in the AD user store setup) is locked out frequently.

End users are still able to log in to protected resources.

Environment:

Policy Server: R12.52 SP1

User Directory: Active Directory with LDAP namespace

"Enhance Active Directory Integration" is unchecked

Cause:

With "Use authenticated user's security context" checked in the user store setup, the Policy Server validates the service account against ADSI whenever an end user authenticates (regardless of the authorization outcome).

During this validation, the Policy Server sends the password to ADSI in encrypted form. ADSI does not accept an encrypted password, so each failed validation increments the service account's badPwdCount. Eventually the account is locked out when the maximum failed attempts threshold is reached.

Resolution:

This defect is addressed in the R12.52 SP1 CR4 release. The Policy Server now sends the password to ADSI in clear text for service account validation.

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 22nd June 2016

Issue:

The REMOTE_USER HTTP header value is set to null when a user accesses protected resources on the backend WebLogic server. The Web Agent is installed on the frontend SunOne web server.

The SiteMinder response is invoked as expected, but the header dump page shows the REMOTE_USER HTTP header with a null value.

== Settings ==

ACO parameters:

  • SetRemoteUser = Yes
  • RemoteUserVar = REMOTE_USER

Web Agent response: attribute type WebAgent-HTTP-Header-Variable, associated with an OnAuthAccept rule.

Environment:

Webserver: SunOne 6.1 with WebLogic 9.2 SP2 plugin

Webagent: 6QMR5 HF21

Cause:

WebLogic returns "null" from getRemoteUser() to guard against a security vulnerability: identity spoofing.

Workaround:

Start WebLogic with the following runtime argument:

-Dweblogic.http.enableRemoteUserHeader=true

 

Important Note: Please be informed that by enabling this feature, the system would be vulnerable to the REMOTE_USER HTTP header spoofing.
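The note above matters because, once WebLogic trusts the REMOTE_USER header, the only thing standing between a client-supplied header and getRemoteUser() is the front-end web server. The following Python is an added example, not code from the tech tip, CA or Oracle: it models the header handling of the front-end proxy, contrasting a pass-through configuration with one that discards any client-supplied identity header and sets REMOTE_USER solely from the authenticated SiteMinder session (which is what SetRemoteUser=Yes is meant to do). The header name mirrors RemoteUserVar=REMOTE_USER; the request samples are constructed, and the assumption that WebLogic reads the header verbatim with enableRemoteUserHeader=true is stated as such.

```python
# Assumed name of the identity header, mirroring the ACO setting RemoteUserVar=REMOTE_USER.
IDENTITY_HEADER = "REMOTE_USER"

# Constructed samples: a request carrying a client-supplied identity header,
# and one without it.
CLIENT_REQUEST_WITH_HEADER = {"Host": "app.example.test", "REMOTE_USER": "someone-else"}
CLIENT_REQUEST_PLAIN = {"Host": "app.example.test"}


def build_backend_headers(client_headers, session_user, strip_client_identity=True):
    """Headers the front-end forwards to WebLogic.

    strip_client_identity=True models the safe front-end: any identity header the
    client sent is discarded, and REMOTE_USER is set only when SiteMinder has an
    authenticated session user. strip_client_identity=False models a pass-through
    front-end, the spoofing exposure the note above warns about.
    """
    forwarded = {}
    for name, value in client_headers.items():
        if strip_client_identity and name.upper() == IDENTITY_HEADER:
            continue  # never let the client choose its own identity
        forwarded[name] = value
    if session_user is not None:
        forwarded[IDENTITY_HEADER] = session_user  # set from the SMSESSION, not the client
    return forwarded


def backend_remote_user(client_headers, session_user, strip_client_identity=True):
    """What getRemoteUser() would return with enableRemoteUserHeader=true.

    Assumption: WebLogic reads the REMOTE_USER header verbatim in that mode.
    """
    headers = build_backend_headers(client_headers, session_user, strip_client_identity)
    return headers.get(IDENTITY_HEADER)


def front_end_is_safe(sample_requests):
    """Check that, with stripping on, no client-supplied header reaches the backend
    when there is no authenticated session (returns True for a correctly configured front-end)."""
    return all(backend_remote_user(req, None, strip_client_identity=True) is None
               for req in sample_requests)


if __name__ == "__main__":
    print("pass-through, no session:", backend_remote_user(CLIENT_REQUEST_WITH_HEADER, None, False))
    print("stripping, no session   :", backend_remote_user(CLIENT_REQUEST_WITH_HEADER, None, True))
    print("stripping, session alice:", backend_remote_user(CLIENT_REQUEST_WITH_HEADER, "alice", True))
```

In practice the check to run after enabling the WebLogic flag is the first line of that output: a request that carries a REMOTE_USER header but no SMSESSION must reach a header dump page on WebLogic with REMOTE_USER empty, which confirms that the front-end strips or overwrites the header rather than forwarding it.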