Symantec Access Management

Hi All,

I have source code for active response from the siteminder sdk, which was complied and working windows, I am trying to add new active response for which I created a new .Java file, now when I am compling all .java files, I am able to get .class files and .jar file I updated the jvmoptions.txt file also with new jar file. When the flow hits the code it's getting invoked but getting below error.

03/19/2019][15:10:48.403][15:10:48][22523][139865162270464][SmAuthorization.cpp:1546][CSmAz::IsOk][][][][][][][Dealertrack][][ChangePassword][][][][][][][][][][][][Check the Policy.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[03/19/2019][15:10:48.403][15:10:48][22523][139865162270464][SmAuthorization.cpp:1587][CSmAz::IsOk][][][][][][][Dealertrack][][][][ChangePassword-rule][][][][][][][][][][Check the Rule][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[03/19/2019][15:10:48.403][15:10:48][22523][139865162270464][SmAuthorization.cpp:809][CSmAz::TestPolicy][][][][][][][Dealertrack][][ChangePassword][][][][][][][][][][][][Evaluating policy...][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[03/19/2019][15:10:48.403][15:10:48][22523][139865162270464][SmAuthorization.cpp:1742][CSmAz::IsOk][][][][][][][Dealertrack][][ChangePassword][][ChangePassword-rule][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[03/19/2019][15:10:48.405][15:10:48][22523][139865162270464][SmActiveExpr.cpp:1032][CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.sdk.javaazapi.DTChangePasswordResponse http://www.dealertrack.com/DTAdministration/User/Password/Enter.aspx STATUS debug' failed with error 'java.lang.ClassNotFoundException: com.netegrity.sdk.javaazapi.DTChangePasswordResponse'][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

Which I think is problem with compling the code. Can someone please suggest what might be wrong here. Does anyone have steps how to compile the sdk for active responses.

Hi Vikas,

when doing the compiling, are you using the same SDK version as the policy server which you are running on? I had a similar issue when trying to run code compiled with newer SDK on old policy server version.

You can also try copy all the sdk jar files into policy server siteminder_home/bin/jars folder.

then edit siteminder_home/config/JVMOptions.txt to add those jar files into -Djava.class.path

remember to backup before doing these steps.

regards,

Zen

Hi Zen_Leow, thanks for the reply, I am using the latest SDK for R12.8 SP2 and I am trying to compile using this version of SDK, the code which was developed in the past was for R12.52SP2. 

Because R12.52SP2 was 32-bit and using JDK1.7 and now R12.8SP2 is 64-bit using JDK 1.8

Can you please share your experience about this and how you get it working.

I already did that JVMotions.txt part, you said copy the sdk jars in the policy server path, but in jars folder we already get smjavaapi.jar do you think this is problem?

1) Compilation

I usually compile on the policy server, and point the javac to the one that the policy server is running. 

But usually using future version of javac, it is compatable. 

2) Debugging classpath JVMOptions.txt

It is easiest to use option 2: from here : run smpolicysrv from the command line : 

Helping to debug SSO Policy Server java processes - redirecting stdout/stderr to timestamped file. 

that way you see all the normal java stdout logs. 

Then add -verbose to JVMOptions.txt and it will show you which .jar files it loads classes from.

Then you will also get full stacktrace as per normal java failure as well - and that helps isolate the cause. 

For classnotfound exceptio  : 'java.lang.ClassNotFoundException: com.netegrity.sdk.javaazapi.DTChangePasswordResponse

usually it will be something simple and the .jar file is not in the classpath correctly.   Maybe .jar file created with wrong version of java, so not readable or can be some dependant class is not found - something like that.

That should help you progress. 

Cheers - Mark

Hi Vikas,

Apologies.

when I see "com.netegrity.sdk.javaazapi.DTChangePasswordResponse" I thought it was unable to load something in the sdk cos of "com.netegrity.sdk".

I just realise this is your custom code. Are you able to share your JVMOptions.txt -Djava.class.path setting? And forgive my silly question, did you restart policy server for so that it can reload the classpath?

Anyway as Mark mentioned, the jar you compiled with JDK 7 32bit in r12.52 should still work in r12.8 even with JDK 8 64bit. Java 8 can support Java 7 source level. And the 32bit / 64bit doesn't matter as it is more of JVM architecture thing rather than bytecode specific.

I faced problems when I tried to load my jar which was compiled with JDK 8 for r12.8 policy server into an existing r12.52 policy server using JDK7. This fails utterly for sure. noob mistake.

regards,

Zen

Thanks markodonohue Zen_Leow

I found an article https://comm.support.ca.com/kb/how-to-access-ca-sso-generated-user-attributes-in-activeresponse/kb000010590 and as per this I don't have to create a jar file and put the .class files under config/properties folder is sufficient enough but once I did that I started getting below errors:

[03/25/2019][16:33:16.994][16:33:16][22820][140363717129984][SmActiveExpr.cpp:1032][CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;DTChangePasswordResponse http://www.dvt1.dealertrack.co
m/DTAdministration/User/Password/Enter.aspx STATUS debug' failed with error 'java.lang.NoClassDefFoundError: DTChangePasswordResponse (wrong name: com/netegrity/sdk/javaazapi/DTChangePasswordResponse)'][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

I don't know why it's trying to look for the full path.

I create a response with WebAgent-OnAccept-Redirect 

<@lib="smjavaapi" func="JavaActiveExpression" param="DTChangePasswordResponse http://www.dvt1.dealertrack.com/DTAdministration/User/Password/Enter.aspx STATUS debug" @>

the code doesn't have anything in it looking for the full path. Or if for OnAccect-Redirect needs .jar

markodonohueZen_Leow I think I got it working with .class files in /root/CA/siteminder/config/properties and restarting the policy server.

https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2017/08/07/tech-tip-ca-single-sign-on-policy-serverhow-to-access-ca-sso-generated-response-attributes-in-activeresponse

https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2016/09/13/tech-tip-ca-single-sign-on-policy-serverencrypted-active-response

suggested to do so.

Now I am not sure how this is different then creating a jar file and updating the JVMOption.txt, do you know if there can be issues not using jar files?

For the error : 

'java.lang.NoClassDefFoundError: DTChangePasswordResponse (wrong name: com/netegrity/sdk/javaazapi/DTChangePasswordResponse)'][][][][][][][Leave function 

That usually means there is a mismatch with the package name vs the directory path the files is in in the zip file - they have to match. 

Where In the jar file it looks like you have the .class file in the subdirectory : com/netegrity/sdk/javaazapi/

if so then to match the java class would need to be in the package :  com.netegrity.sdk.javaazapi

I am guessing your class DTChangePasswordResponse does not have a package directive, so in the jar file it should appear in the top/root directory - not in a com/netegrity/sdk/javaazapi/ directory. 

It is best to check the .java file for the package header, but this directive also points to you not using the class in a package: 

<@lib="smjavaapi" func="JavaActiveExpression" param="DTChangePasswordResponse

Cheers - Mark