Symantec Access Management

Expand all | Collapse all

CA SiteMinder WebAgent for App deployed on AWS

  • 1.  CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 10, 2017 04:39 PM

    Experts, need your help with below issue -

     

    We have on-premise SiteMinder R12.52 policy server and application on AWS server.

     

    AWS Server - Windows Server 2016(64 bit) with IIS10

     

    I have downloaded the agent from CA support site and installed it AWS Server. The agent is intercepting the request and presenting the login page. But post successful authentication, it's redirecting to URL which does not exist.

     

    App AWS URL - https://ec2.test-us-wc2.***.com

     

    I copied the URL after prompted for login page by agent and Target is something like -

    https%3a%2f%2fec2%2etest--us--wc2%2exxx%2ecom

     

    However, after successful auth/az, it's redirecting to https://ec2.test which ends up in giving 404 error.

     

    If we see the Target url then it's adding extra hyphen(-) and I am not sure if it's causing an issue. Could you please help me with this?



  • 2.  Re: CA SiteMinder WebAgent for App deployed on AWS
    Best Answer

    Posted Oct 10, 2017 09:38 PM

    Hi VK,

     

    If LegacyEncoding=No, then hyphen  is used delimiter character.

    So if the URL has hyphen in it , it will be encoded as -- during redirection.

     

    To fix this , you can change LegacyEncoding=Yes. In this case web agent uses $ as delimiter so wouldn't encode hyphen character.

     

    If you have more than one agents, ensure that all agents have the identical configuration for this ACO.


    Regards,

    Ujwol

     



  • 3.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 11, 2017 05:38 PM

    Thanks Ujwol !

     

    This fixed URL redirection issue, however we started getting HTTP 500 - Internal Server error on .fcc page. We are using centralized custom login pages with cookie domain .***.***.

     

    The AWS Server URL is - ***.us-west-2.elasticbeans.com.

     

    The cookie domains are different and we don't have any cookie Provider setup in place for cross domain SSO.

     

    So, when we access AWS Server URL, we are getting the SiteMinder login page(From centralized server) and posting credentials, it's giving HTTP 500 error on redirection to .fcc page.

     

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][SmFcc::setup][Unable to process form /opt/CA/webagent/samples/forms/login.fcc.]
    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain '.***.***'.]
    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][ProcessResource][Plugins did not collect required resource data.]
    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][IsResourceProtected][Communication failure between SiteMinder policy server and web agent.]
    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmProtectionManager::DoIsProtected][LowLevelAgent returned SmFailure.]

     

    However, if I try to other protected on premise application, this works perfectly fine.

     

    Do you suggest any work around here?



  • 4.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 11, 2017 07:01 PM

    Hi VK,

     

    Please confirm if my understanding of your setup is correct here:

     

    Login Agent : cookie domain : .a.com 

    Target App   : cookie domain : .b.com 

     

    In this case, after authentication the SMSESSION cookie would be created based on the Login Agent configuration .. ideally it will set cookie in .a.com cookie domain which is not valid for Target App (.b.com) 

     

    This won't work. This will need cookie provider.

     

    However as far as the error "Unable to process form /opt/CA/webagent/samples/forms/login.fcc" is concerned that seems to be resulting due to something else.

     

    • Is the version of AWS (target) agent and Login agent same ? What version are they ?
    • What is the value of ACO parameter Localization both these agents ?
    • Could you share few trace lines before this line :

    10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][SmFcc::setup][Unable to process form /opt/CA/webagent/samples/forms/login.fcc.]

     

     

    If Localization=yes, try setting it to No for the Login agent and see if that makes a diffence :

    After Web Agent upgrade from 12SP3 to 12.52SP1, the .fcc page shows its code instead of the login page. 

     

    Regards,

    Ujwol Shrestha

    Ujwol's Single Sign-On Blog 



  • 5.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 11, 2017 07:28 PM

    Yes, cookie domains are different for Login agent and Target application agent. As I mentioned in earlier post, we don’t have cookie provider implementation place, so it’s expected not to work. But I am wondering, why it’s giving the error on login.fcc page post entering credentials.

     

    AWS Server Agent version – R12.52 SP01 CR06

    Login Agent version – R12 SP03 CR05

    Policy Server version – R12.52 SP02

    Localization attribute is disabled in both the agents.

    Logs –

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][ProcessRequest][Start new request.]

    [10/11/2017][14:23:12][10984][1912366848][][CSmApache22WebFilterCtxt::SetP3PCompactPolicy][sP3PCompactPolicy: '']

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResource][Resolved HTTP_HOST: 'xxxx.xxxx.xx’.]

    [10/11/2017][14:23:12][10984][1912366848][][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][ xxxx.xxxx.xx]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResource][Resolved hostname: 'xxxx.xxxx.xx’.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResource][Resolved agentname: 'loginserveragent'.]

    [10/11/2017][14:23:12][10984][1912366848][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address ' xx.xx.***.xx '.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResource][Resolved URL: '/siteminderagent/forms/login.fcc'.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResource][Resolved METHOD: 'POST'.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResource][Resolved cookie domain: '.xxxx.xx'.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmSessionManager::EstablishSession][No plugins responded, returning SmNoAction.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][IsResourceProtected][Resource is not protected from Policy Server.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmSessionManager::CreateSession][No plugins responded, returning SmNoAction.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][ProcessRequest][ProtectionManager returned SmNo, end new request.]

    [10/11/2017][14:23:12][10984][1912366848][][ReportHealthData][Accumulating HealthMonitorCtxt.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][ProcessAdvancedAuthentication][Start new request.]

    [10/11/2017][14:23:12][10984][1912366848][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address 'xx.xx.***.xx'.]

    [10/11/2017][14:23:12][10984][1912366848][][CSmFormTemplateCache::GetForm][Form template '/opt/CA/webagent/samples/forms/login.fcc' not found in cache.]

    [10/11/2017][14:23:12][10984][1912366848][][CSmFormTemplateObj::LoadFormTemplate][No such file or directory]

    [10/11/2017][14:23:12][10984][1912366848][][CSmFormTemplateCache::GetForm][Unable to serve form template '/opt/CA/webagent/samples/forms/login.fcc' from disk.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][SmFcc::setup][Unable to process form /opt/CA/webagent/samples/forms/login.fcc.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain '.xxxx.***’.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][ProcessResource][Plugins did not collect required resource data.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][IsResourceProtected][Communication failure between SiteMinder policy server and web agent.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][CSmProtectionManager::DoIsProtected][LowLevelAgent returned SmFailure.]

    [10/11/2017][14:23:12][10984][1912366848][00000000000000000000000041be100a-2ae8-59de8bc0-71fc6700-5848509ec926][ProcessAdvancedAuthentication][ProtectionManager returned SmNoAction or SmFailure, end new request.]

    [10/11/2017][14:23:12][10984][1912366848][][ReportHealthData][Accumulating HealthMonitorCtxt.]



  • 6.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 11, 2017 07:55 PM

    [Unable to serve form template '/opt/CA/webagent/samples/forms/login.fcc' from disk.]

     

    Do you have the login.fcc in that location ? and does the agent has read access to it ?



  • 7.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 12, 2017 12:02 PM

    Yes, login fcc does exist and the account with which agent is installed having rwx permission on this file.



  • 8.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 12, 2017 12:11 PM

    Are you simple able to access login.fcc on the browser i.e. https://FQDN/siteminderagent/forms/login.fcc? Does the page render. If not then we need to look at additional configurations.



  • 9.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 12, 2017 12:51 PM

    The custom .fcc page which we are using on our login form doesn't exist on login agent server. Surprisingly, it works fine for all other applications

     

    [10/12/2017][09:31:49][7251][1912366848][][ReportHealthData][Accumulating HealthMonitorCtxt.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][ProcessAdvancedAuthentication][Start new request.]
    [10/12/2017][09:31:49][7251][1912366848][][CSmHttpPlugin::ResolveClientIp][Resolved Client IP address 'xx.xx.***.xx'.]
    [10/12/2017][09:31:49][7251][1912366848][][CSmFormTemplateCache::GetForm][Form template '/opt/CA/webagent/samples/forms/CustomFCC.fcc' not found in cache.]
    [10/12/2017][09:31:49][7251][1912366848][][CSmFormTemplateObj::LoadFormTemplate][No such file or directory]
    [10/12/2017][09:31:49][7251][1912366848][][CSmFormTemplateCache::GetForm][Unable to serve form template '/opt/CA/webagent/samples/forms/CustomFCC.fcc' from disk.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][SmFcc::setup][Unable to process form /opt/CA/webagent/samples/forms/CustomFCC.fcc.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][SmAdvancedAuthCore::parseTargetUrl][Resolved cookie domain '.xxxxx.***'.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][IsResourceProtected][Resource is protected from cache.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][CSmHttpPlugin::ProcessResponses][Processing IsProtected responses.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][SmFcc::getCredentials][Success in collecting credentials.]
    [10/12/2017][09:31:49][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][HandleCredCollectorReturn][POST preservation, handling return from credential collector.]
    [10/12/2017][09:31:50][25425][1912366848][00000000000000000000000041be100a-6351-59df98f6-71fc6700-28131d78d8ef][ProcessRequest][Start new request.]
    [10/12/2017][09:31:50][25425][1912366848][][CSmApache22WebFilterCtxt::SetP3PCompactPolicy][sP3PCompactPolicy: '']
    [10/12/2017][09:31:50][25425][1912366848][00000000000000000000000041be100a-6351-59df98f6-71fc6700-28131d78d8ef][ProcessResource][Plugins did not collect required resource data.]
    [10/12/2017][09:31:50][25425][1912366848][00000000000000000000000041be100a-6351-59df98f6-71fc6700-28131d78d8ef][ProcessRequest][ResourceManager returned SmExit, end new request.]
    [10/12/2017][09:31:50][25425][1912366848][][ReportHealthData][Accumulating HealthMonitorCtxt.]
    [10/12/2017][09:31:50][7251][1912366848][00000000000000000000000041be100a-1c53-59df98f5-71fc6700-3f3243d2c612][AuthenticateUser][User 'xxxxx' is authenticated by Policy Server.]



  • 10.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 12, 2017 01:00 PM

    What is FCCCompatMode set to (Yes / No)?



  • 11.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 12, 2017 01:10 PM

    It is set to no. I reckon by default it's disabled only.



  • 12.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 12, 2017 03:04 PM

    I was trying to find a blog which I read a while back. Ujwol may remember it as well. It spoke about WebAgent intercepting the request when it see FCC & collecting the credentials on the request stream. I am thinking is that what is happening here.

     

     

    The transaction ID is the same. But FCC file itself was not loaded, however the WebAgent was still able to authenticate. I am thinking would FCCCompatMode=NO supplemented with the way WebAgent handles FCC (Credential Collector) is making this to work (in the scenario where there is a different Originating WebAgent i.e. AWS in your case).

     

     

    Do you have a front-end Login page (on Login Web Server / WebAgent) which does a POST to /CustomFCC.fcc?



  • 13.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 13, 2017 12:03 AM

    So it seems that you are using custom login page..

    When using custom login page , there are certain mandatory fields you need to post to the fcc 

     

    Custom Login Page 

     

    When SecureURLs=No

    =================

    The post form data contains following :

     

    Required:

    • target
    • smagentname

     

    Optional:

    • smenc
    • smlocale
    • smquerydata
    • postpreservationdata
    • smauthreason

     

    Post URL : /siteminderagent/forms/login.fcc

     

    When SecureURLs=YES

    ===================

    The post form data contains following :

     

    Required:

    • smquerydata

     

    Optional:

    • smenc
    • smlocale
    • target
    • smauthreason
    • postpreservationdata
    • smagentname

     

    Post URL : /siteminderagent/forms/login.fcc?SMQUERYDATA=******

     

    Also, I think in older version it was optional to have the physical fcc file if you are using it only for POST (not for GET which obviously need the physical file).

    However, I believe with the newer agent version, even for POST it requires physical fcc file.

     

    Next Action

    =========

    • Capture filddler log (capturing the POST to Customlogin.fcc) and ensure the posted form has the required fields)
    • If still not working, create Customlogin.fcc (you can just copy and rename the default login.fcc)

     

     



  • 14.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 18, 2017 07:38 PM

    Sorry for delayed reply !

     

    To rule out the possibility of cookie provider issue because of different domains in place, we have AWS server domain joined and now the application URL cookie domain is same to what we have on login server. Also, the login.fcc page is present in <agent_home>/samples/forms folder on login server.

     

    However, I am still getting HTTP 500 Internal server error and Communication Failure message on WebAgent logs.

     

    Is it because of agent version difference? For IIS10 agent, I am using the same ACO(except agentname & defaultagentname) settings when application was deployed on prem. Will it make any difference?

     

    AWS Server Agent version – R12.52 SP01 CR06

    Login Agent version – R12 SP03 CR05
    Policy Server version – R12.52 SP02

     

    Policy server and AWS server agent trace logs are not helping much to troubleshoot it further.



  • 15.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 18, 2017 07:56 PM

    My thought is we are missing some element in POSTING to login.fcc. Typically we need mandatory values as USERNAME, PASSWORD and TARGET (protected). If smagentname is hardcoded within the FCC then no need to include in the post, else need that as well. Ujwol has added details and a link to a tech note with sample. Did you review that with your setup.

     

    Additionally, if there is still a challenge, I think we should raise a support case and have the following uploaded to investigate.

    • Custom Login Page which is Posting to FCC.
    • Fiddler Trace.
    • WebAgent.log and WebAgentTrace.log from AWS Server. Get a fresh set of logs after restart.
    • WebAgent.log and WebAgentTrace.log from Login Server. Get a fresh set of logs after restart.


  • 16.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 18, 2017 11:12 PM

    Thanks Hubert !

     

    Login.fcc page is having below elements 

     

    @username=%username%
    @password=%password%
    @smretries=20
    @target=%target%

     

    The same login.fcc on login server works perfectly fine for other on premise applications. Application team changed there url like - http://win2-app.xxxx.xxxx/ . The cookie domain is same for both AWS and Login server.

     

    However, interesting thing is when I set LegacyEncoding to No, it pass through the Login.fcc and redirect to Target which it reads as http://win2/ and gives an error. I can see SMSESSION gets created in this case.

     

    On setting up LegacyEncoding to Yes, it gives HTTP 500 Internal server error on Login.fcc.

     

    Do you suggest any work around here?

     

    FYI, I have opened up a support case with CA.



  • 17.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 18, 2017 11:26 PM

    Please share the fiddler logs for the non working use case.



  • 18.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 18, 2017 11:34 PM

    Also please confirm if you have  LegacyEncoding=YES for both the following agents :

     

    AWS Server Agent version – R12.52 SP01 CR06

    Login Agent version – R12 SP03 CR05



  • 19.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 12:22 AM

    Yes, LegacyEncoding is set to YES for both AWS & Login server agents.

     

    Please find below fiddler log when posting credential to using the Login page.

     

    Cookie domain - .***.***

     

    POST https://login.***.***/siteminderagent/forms/LoginFCC.fcc HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Referer: https://login.***.***/LoginPages/Login.jsp?TYPE=33554433&REALMOID=06-c87ef160-4f45-4d55-9b1f-71790f3b027f&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=awstest-agent&TARGET=$SM$http%3a%2f%2fwin-test1.***.***%2f
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Host: ssotest.nordstrom.net
    Content-Length: 105
    DNT: 1
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: ROUTEID=.node1

     

    username=xxxx&password=xxxx&smagentname=awstest-agent&target=test1.***.***%2F&x=12&y=8

     

    If you see the last line, then it's setting target by removing string before '-'.



  • 20.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 12:37 AM

    Hi VK,

     

    If possible I would like to review the actual fiddler and agent trace logs. You said you opened a support case? Can I have the case #, I can check in there if you have uploaded the logs ?

     

    Regards,

    Ujwol



  • 21.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 12:42 AM

    Another thing to check, is there any URL decoding logic on the login.jsp.

     

    It is the login.jsp which is reading the TARGET from query parameter and Posting to FCC.

     

     

     

    Regards

     

    Hubert



  • 22.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 01:07 AM

    That's right Hubert. I have the same doubt. As it couldn't resolve the target, it is giving error "

    Plugins did not collect required resource data

    Which means , agent couldn't identify the resource (target) context.

    I have setup a remote session with VK , will see how it goes.



  • 23.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 04:08 PM

    I guess below piece of code in Login page is causing an issue -

     

    <%@ page language="java" contentType="text/html; charset=ISO-8859-1"

                    pageEncoding="ISO-8859-1"%>

    <%

    targets = request.getParameter("TARGET");

    agentName = request.getParameter("SMAGENTNAME");

    authReason = request.getParameter("SMAUTHREASON");

    int aReason = 0;

    if (null != targets) {

    StringTokenizer tokenTarget = new StringTokenizer(targets,"-");

                    tokenTarget.nextToken();

                    targets = tokenTarget.nextToken();

                    session.setAttribute("initialTarget", targets);

                    session.setMaxInactiveInterval(Integer.parseInt(initialTargetTime));

                    }

    %>



  • 24.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 05:30 PM

    Seems so.....Yes!

     

    StringTokenizer tokenTarget = new StringTokenizer(targets,"-");

                    tokenTarget.nextToken();

                    targets = tokenTarget.nextToken();



  • 25.  Re: CA SiteMinder WebAgent for App deployed on AWS

    Posted Oct 19, 2017 10:02 PM

    100% that is the culprit.

    Proof  

     

    Look at the output.

     

     

    Next Action :

    You should NOT modify the target and keep as it is.