All People > SungHoon_Kim > Sung Hoon Kim's Blog > 2016 > February

The use case: the Policy Server (PS) is crashing on Linux.

The user has the pkgapp script and is trying to collect a packaged core file.

The pkgapp script's usage can be found simply by running the script without any parameters.

(This is based on pkgapp 3.4, not the latest)

pkgapp

* ------------------------------------------------------------------------------

* Oracle Corporation CSD pkgapp 3.4 Linux                           [02/25/2016]

* ------------------------------------------------------------------------------

pkgapp 3.4, an Oracle Corporation data gathering utility.

Usage:

  pkgapp [options] -p <active pid> -a <full path to process binary> [-c <core file>] [-s path to write tar file]

 

 

Required parameters:

-p <pid of a active process>

    Note: pid should of the same type/path to match -a & -c that produced the core

-a <full path to to and including the process binary> (ns-slapd, imapd, httpd etc.)

 

 

Optional parameters:

-c <core file>

-i (Include a previously generated core file with the final tar.gz)

-j FUNCTION DISABLED (Javacore; process a java core)

    NOTE jstack/jinfo etc. are not available on Linux platforms

-r (Remove all temp files)

-t (Remove all history files)

-q (Quiet)

-d (Debug)

-J FUNCTION DISABLED <JstackPath; path to the jstack (jdk) commands>

        defaults to /usr/jdk/instances/...

    NOTE jstack/jinfo etc. are not available on Linux platforms

-l <ldd Path; path to a known good ldd/list of the core or process>

-s <Storage; path to store the final tar file in>

 

 

usage:  pkgapp -p <pid of the running app> -a <path to process binary>

 

 

Examples: these are examples mixing various parameters

 

 

The example paths are examples only, not to be used in your environment.

-e Locate the correct path for the -a value on your system before using.

 

 

Directory Server

pkgapp -ir -p 9965 -c ./core.14740 -a /var/mps/ds52p4/bin/slapd/server/64/ns-slapd

 

 

Messaging Server

pkgapp -p 9965 -c ./core.3496 -a /opt/SUNWmsgsr/lib/stored

 

 

Web Server

pkgapp -p 9965 -c ./core.1092 -a /space/iws70/lib/httpd -s /var/crash

 

 

Calendar Server

pkgapp -r -p 9965 -c ./core -a /opt/SUNWics5/cal/lib/cshttpd

 

 

Cacao (java)

pkgapp -j -i -r -p 9965 -c ./core -a /opt/dsee63/jre/bin/java

 

 

Sendmail

pkgapp -i -p 9965 -c 512 -a /usr/lib/sendmail

 

 

Mysqld

pkgapp -i -r -p 9965 -c ./core -a /support/mysql-5.0.41/bin/mysqld

 

But before running the script, you must ensure that you have switched to the user account that runs the service and that you have sourced the environment variables.

 

So you need to switch to smuser (su - smuser) and then source the environment variables (. ./ca_ps_env.ksh).

Then you need to run the policy server if it is not already running. (This is to give sufficient information to the pkgapp script to possibly collect all the library files that are referenced in the core file)

 

Following is the environment information.

core file filepath is /apps/core-smpolicysrv-2615-500-11-1451996208

smpolicysrv file path is /apps/CA/siteminder/bin/smpolicysrv

currently running smpolicysrv pid is 20541

pkgapp filepath is /apps/binary/pkgapp/pkgapp

 

When creating a packaged core file, pkgapp needs access to various system resources (such as /var/log/messages), so smuser may not be sufficient to collect all of that information, but you can still run pkgapp as smuser.

So, switch to either root (su -) or smuser (su - smuser).

Source the environment variables (. /apps/CA/siteminder/ca_ps_env.ksh).

 

Then run pkgapp as below:

cd /apps

/apps/binary/pkgapp/pkgapp -p 20541 -a /apps/CA/siteminder/bin/smpolicysrv -c /apps/core-smpolicysrv-2615-500-11-1451996208 -i -s /apps

 

pkgapp result

[smuser@redhatlinux apps]$ /apps/binary/pkgapp/pkgapp -p 20541 -a /apps/CA/siteminder/bin/smpolicysrv -c /apps/core-smpolicysrv-2615-500-11-1451996208 -i -s /apps

* ------------------------------------------------------------------------------

* Oracle Corporation CSD pkgapp 3.4 Linux                           [02/25/2016]

* ------------------------------------------------------------------------------

* Checking install epoch/delta           [good, 59 seconds]

* Checking pkgapp path                   [using /apps/binary/pkgapp]

* Checking for locale en_US.utf8         [success]

* Checking usage history                 [not recently run]

* OS Release [Linux]                     [2.6.32-504.el6.x86_64]

* Platform/Type                          [x86_64 x86_64]

* Checking [-p] pid                      [using pid 20541]

* Checking [-a] path                     [using /apps/CA/siteminder/bin/smpolicysrv]

* Process root                           [/apps/CA/siteminder/bin/smpolicysrv]

* Checking [-c] core                     [using core /apps/core-smpolicysrv-2615-500-11-1451996208]

* Databin parameter [-s] checks          [success]

* Databin found                          [/apps]

* Databin writable check                 [success]

* Databin used/created is                [/apps/pkgapp-022516-05]

* Creating temp area                     [/tmp/pkgapp.23249/]

* Process binary                         [smpolicysrv]

* smpolicysrv binary bit version         [32]

* core-smpolicysrv-2615-500-11-1451996208 bit version [32]

* Checking path [-a] to binary name      [success, path includes binary name]

* Checking path [-a] exists              [success]

* Locating smpolicysrv                   [success]

* Checking located smpolicysrv is 32 bits. [success]

* Binary located                         [/apps/CA/siteminder/bin/smpolicysrv]

* Adding binary to pkgapp.pldd           [success]

* Grabbing libs from /proc               [success]

* Grabbing gdb backtrace                 Missing separate debuginfo for /apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/00/9c8f6ad2d8577fef41a38f1ac9e3407be3c0e6

 

 

warning: .dynamic section for "/apps/CA/siteminder/lib/libsmobjldap.so" is not at the expected address (wrong library or version mismatch?)

Missing separate debuginfo for

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/09/8872f5308ed76cfe3e97cfaea495b50cfaac38

Missing separate debuginfo for /apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/00/9c8f6ad2d8577fef41a38f1ac9e3407be3c0e6.debug

[success]

* Grabbing [-i] core/gcore               [success]

* Grabbing core/gcore cksum              [success]

* Javatools [-j] not available           [skipped]

* Grabbing /var/log/messages             [success]

* Grabbing uname -a                      [success]

* Grabbing date/time                     [success]

* Grabbing rpm -qa                       [success]

* Grabbing /etc/redhat-release           [success]

* Grabbing ulimit -a                     [success]

* Grabbing libs                          [success]

* Making lib paths app/                  [success]

* Making lib paths libs/                 [success]

* Linking libraries29 of 129              [success]

* Libraries linked                       [129 ttl]

*

* Using hostid for naming .tar.gz        [007f0101]

* Writing file                           [pkgapp-007f0101-{hostname}-160225-123614.tar.gz]

*

* Done gathering files

* Writing dbxrc & opencore.sh files      [success]

* Writing validate-libs.sh file          [success]

* Writing manifest-160225-123614.log     [success]

* Writing pkgapp-args-160225-123614      [success]

* Creating final tarfile                 tar: os-info/messages/messages: Cannot open: Permission denied

tar: Exiting with failure status due to previous errors

[success]

* Compressing tarfile                    [success]

* End of runtime logging

* Saving history info                    [success]

* Saving runtime log                     [success]

* Saving Library list                    [success]

* Saving Library list README             [success]

* Removing [-r] temp area/files          [left alone]

*

* Operations Complete

* Total runtime                          [11 minutes]

* ------------------------------------------------------------------------------

* Upload the following file(s) to http://supportfiles.sun.com Cores Directory at

Oracle

 

 

1) File(s) located in directory /apps/pkgapp-022516-05

 

 

                [ pkgapp-007f0101-{hostname}-160225-123614.tar.gz ]

 

 

 

 

 

 

                                Thank you.

                                Customer Service Delivery

                                Global Systems Support

 

 

 

 

NOTES:

1) You can check for updates to this script here:

        BigAdmin - http://www.sun.com/bigadmin/scripts/indexSjs.html

        Blog - http://blogs.sun.com/Dirtracer

 

 

2) GDD information located here:

        Rel Notes - http://docs.sun.com/app/docs/doc/820-0437

        Docs - http://www.sun.com/service/gdd/index.xml

        Video - http://mediacast.sun.com/search?query=gdd

        Video - http://mediacast.sun.com/search?query=dirtracer

 

 

3) Please send all Bugs and RFE's to the following address:

        Subject "pkgapp bug/rfe" - pkgapp-feedback_ww@oracle.com

 

 

4) See the following reference files.

        /var/tmp/pkgapp-history/runtime-160225-123614.log

        /var/tmp/pkgapp-history/history-160225-123614.log

        /var/tmp/pkgapp-history/library.list-160225-123614

        /var/tmp/pkgapp-history/library.list-160225-123614.README
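
The run above, made as smuser, shows tar failing with "Permission denied" on os-info/messages/messages. The script below is an added example (not part of pkgapp or of the original post) that checks, as the service user, the conditions pkgapp reports on: the pid runs the -a binary, binary and core have the same bit version, the -s directory is writable, and the system log is readable. The function names and the PROC_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run as the service user before starting pkgapp.
# Not part of pkgapp. PROC_ROOT is a hypothetical override so the checks
# can be exercised against a constructed /proc-like tree.
PROC_ROOT=${PROC_ROOT:-/proc}

# elf_bits FILE: print 32 or 64 from the ELF EI_CLASS byte (offset 4), or
# "unknown" if FILE is missing or not ELF. Core files are ELF objects too.
elf_bits() {
    magic=$(dd if="$1" bs=1 skip=1 count=3 2>/dev/null) || magic=""
    if [ "$magic" != "ELF" ]; then
        echo unknown
        return 0
    fi
    class=$(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
    case "$class" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown ;;
    esac
}

# preflight PID BINARY CORE STORE [SYSLOG]
# Print one ok/WARN/FAIL line per check; return the number of FAILs.
preflight() {
    pid=$1; bin=$2; core=$3; store=$4; syslog=${5:-/var/log/messages}
    fails=0

    # -p must be a live process started from the -a binary.
    exe=$(readlink "$PROC_ROOT/$pid/exe" 2>/dev/null) || exe=""
    if [ -z "$exe" ]; then
        echo "FAIL pid $pid is not running or not visible to this user"
        fails=$((fails + 1))
    elif [ "$exe" != "$bin" ]; then
        echo "FAIL pid $pid runs $exe, not $bin"
        fails=$((fails + 1))
    else
        echo "ok   pid $pid runs $bin"
    fi

    # pkgapp reports the bit version of both files; they have to agree.
    bbits=$(elf_bits "$bin"); cbits=$(elf_bits "$core")
    if [ "$bbits" = unknown ] || [ "$bbits" != "$cbits" ]; then
        echo "FAIL bit version: binary=$bbits core=$cbits"
        fails=$((fails + 1))
    else
        echo "ok   binary and core are both $bbits-bit"
    fi

    # The -s directory must be writable by the current user.
    if [ -d "$store" ] && [ -w "$store" ]; then
        echo "ok   $store is writable"
    else
        echo "FAIL $store is not a writable directory"
        fails=$((fails + 1))
    fi

    # Not fatal: pkgapp still completes, but tar cannot add the log.
    if [ -r "$syslog" ]; then
        echo "ok   $syslog is readable"
    else
        echo "WARN $syslog is not readable; the archive will lack it"
    fi

    return "$fails"
}

# Stand-alone use: preflight.sh PID BINARY CORE STORE [SYSLOG]
if [ "$#" -ge 4 ]; then
    preflight "$@"
fi
```

A WARN on the system log means the package can still be built as smuser; only a FAIL needs fixing before the run.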

 

Now, let's say you received this file (/apps/pkgapp-022516-05/pkgapp-007f0101-{hostname}-160225-123614.tar.gz), what next?

(The assumption is that you do not have access to the machine that generated the core)

 

You need to extract it (tar zxvf pkgapp-007f0101-{hostname}-160225-123614.tar.gz) on a machine where gdb is installed.

 

If the machine that generated this core and the packaged core file had *gdb* installed, you will be able to find the backtrace information in "<pkgapp-007f0101-{hostname}-123614.tar.gz>/proctool-info/pkgapp.backtrace-xxxx-yyyyy"

 

But in most cases the production servers will not have gdb installed, so that file may be missing.

If you find it, it will look something like the attachment (pkgapp.backtrace-xxxx-yyyyy).

Note: The attachment's extension is zip, but it is actually just a text file. The zip extension was appended automatically.

 

 

Now, since you did not have the above file, you need to get it yourself.

 

Extracted files (/apps/pkgapp-022516-05)

[smuser@redhatlinux pkgapp-022516-05]$ ls

app  core-lib-data  opencore.sh  os-info  pkgapp-007f0101-{hostname}-160225-123614.tar.gz  pkgapp-info  proctool-info  runtime-160225-123614.log  validate-libs.sh

 

Run the opencore.sh file (./opencore.sh)

opencore.sh

[smuser@redhatlinux pkgapp-022516-05]$ ./opencore.sh

GNU gdb (GDB) Red Hat Enterprise Linux (7.2-75.el6)

Copyright (C) 2010 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.  Type "show copying"

and "show warranty" for details.

This GDB was configured as "x86_64-redhat-linux-gnu".

For bug reporting instructions, please see:

<http://www.gnu.org/software/gdb/bugs/>...

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/bin/smpolicysrv...expanding to full symbols...(no debugging symbols found)...done.

[New Thread 2699]

[New Thread 2765]

[New Thread 2701]

[New Thread 2804]

[New Thread 2763]

[New Thread 2806]

[New Thread 2807]

[New Thread 2825]

[New Thread 2764]

[New Thread 2798]

[New Thread 2799]

[New Thread 2805]

[New Thread 2808]

[New Thread 2824]

[New Thread 2826]

[New Thread 2827]

[New Thread 2828]

[New Thread 2829]

[New Thread 2830]

[New Thread 2831]

[New Thread 2832]

[New Thread 2675]

[New Thread 2833]

[New Thread 2698]

[New Thread 2837]

[New Thread 2639]

[New Thread 2841]

[New Thread 2645]

[New Thread 2757]

[New Thread 2876]

[New Thread 2637]

[New Thread 2671]

[New Thread 2877]

[New Thread 2669]

[New Thread 2615]

[New Thread 2656]

[New Thread 2622]

[New Thread 2727]

[New Thread 2654]

[New Thread 2624]

[New Thread 2710]

[New Thread 2632]

[New Thread 2625]

[New Thread 2696]

[New Thread 2627]

[New Thread 2704]

[New Thread 2673]

[New Thread 2628]

[New Thread 2686]

[New Thread 2665]

[New Thread 2650]

[New Thread 2695]

[New Thread 2737]

[New Thread 2758]

[New Thread 2702]

[New Thread 2746]

[New Thread 2721]

[New Thread 2668]

[New Thread 2690]

[New Thread 2685]

[New Thread 2749]

[New Thread 2682]

[New Thread 2743]

[New Thread 2726]

[New Thread 2693]

[New Thread 2640]

[New Thread 2672]

[New Thread 2692]

[New Thread 2646]

[New Thread 2694]

[New Thread 2687]

[New Thread 2642]

[New Thread 2661]

[New Thread 2741]

[New Thread 2742]

[New Thread 2739]

[New Thread 2750]

[New Thread 2633]

[New Thread 2657]

[New Thread 2630]

[New Thread 2738]

[New Thread 2644]

[New Thread 2718]

[New Thread 2755]

[New Thread 2715]

[New Thread 2744]

[New Thread 2730]

[New Thread 2647]

[New Thread 2722]

[New Thread 2634]

[New Thread 2712]

[New Thread 2659]

[New Thread 2708]

[New Thread 2649]

[New Thread 2751]

[New Thread 2653]

[New Thread 2667]

[New Thread 2759]

[New Thread 2679]

[New Thread 2638]

[New Thread 2691]

[New Thread 2641]

[New Thread 2724]

[New Thread 2631]

[New Thread 2717]

[New Thread 2662]

[New Thread 2733]

[New Thread 2723]

[New Thread 2683]

[New Thread 2648]

[New Thread 2753]

[New Thread 2700]

[New Thread 2756]

[New Thread 2719]

[New Thread 2752]

[New Thread 2664]

[New Thread 2689]

[New Thread 2677]

[New Thread 2666]

[New Thread 2658]

[New Thread 2728]

[New Thread 2735]

[New Thread 2684]

[New Thread 2635]

[New Thread 2651]

[New Thread 2697]

[New Thread 2703]

[New Thread 2725]

[New Thread 2714]

[New Thread 2740]

[New Thread 2732]

[New Thread 2731]

[New Thread 2734]

[New Thread 2747]

[New Thread 2713]

[New Thread 2655]

[New Thread 2729]

[New Thread 2670]

[New Thread 2761]

[New Thread 2663]

[New Thread 2674]

[New Thread 2716]

[New Thread 2705]

[New Thread 2680]

[New Thread 2736]

[New Thread 2643]

[New Thread 2660]

[New Thread 2711]

[New Thread 2720]

[New Thread 2629]

[New Thread 2760]

[New Thread 2676]

[New Thread 2762]

[New Thread 2709]

[New Thread 2626]

[New Thread 2748]

[New Thread 2754]

[New Thread 2688]

[New Thread 2636]

[New Thread 2652]

[New Thread 2623]

[New Thread 2834]

Missing separate debuginfo for /apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/00/9c8f6ad2d8577fef41a38f1ac9e3407be3c0e6

Missing separate debuginfo for

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/09/8872f5308ed76cfe3e97cfaea495b50cfaac38

Reading symbols from /apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so...Missing separate debuginfo for /apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/00/9c8f6ad2d8577fef41a38f1ac9e3407be3c0e6.debug

expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Reading symbols from /lib/libpthread.so.0...expanding to full symbols...(no debugging symbols found)...done.

[Thread debugging using libthread_db enabled]

Loaded symbols for /lib/libpthread.so.0

Reading symbols from /lib/libdl.so.2...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libdl.so.2

Reading symbols from /lib/librt.so.1...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/librt.so.1

Reading symbols from /usr/lib/libstdc++.so.6...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /usr/lib/libstdc++.so.6

Reading symbols from /lib/libm.so.6...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libm.so.6

Reading symbols from /lib/libgcc_s.so.1...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libgcc_s.so.1

Reading symbols from /lib/libc.so.6...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libc.so.6

Reading symbols from /lib/ld-linux.so.2...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/ld-linux.so.2

Reading symbols from /lib/libnsl.so.1...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libnsl.so.1

Reading symbols from /lib/libnss_files.so.2...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libnss_files.so.2

Reading symbols from /lib/libnss_dns.so.2...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libnss_dns.so.2

Reading symbols from /lib/libresolv.so.2...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /lib/libresolv.so.2

Core was generated by `smpolicysrv'.

Program terminated with signal 11, Segmentation fault.

#0  0x03654b06 in __strlen_sse2_bsf () from /lib/libc.so.6

Missing separate debuginfos, use: debuginfo-install glibc-2.12-1.149.el6.i686 libgcc-4.4.7-11.el6.i686 libstdc++-4.4.7-11.el6.i686

 

You will get brief information about which process generated the core file and why.

You will also see lots of messages (or no messages) about symbols not being found.

 

What you need to ensure is that gdb references the binaries and libraries that came with the packaged core file.

In the current folder (/apps/pkgapp-022516-05) you will find the "core-lib-data" folder.

Under that folder is a "libs" folder, which holds the files collected from the machine where the core file was generated.

Those are the files you have to tell gdb to load, not your local system files.

 

Run the following command within gdb.

set solib-absolute-prefix /apps/pkgapp-022516-05/core-lib-data/libs

This tells gdb to prefix "/apps/pkgapp-022516-05/core-lib-data/libs" to any absolute file path it looks up.

So if it wants /lib/ld-linux.so.2, it will actually open /apps/pkgapp-022516-05/core-lib-data/libs/lib/ld-linux.so.2.

Alternatively, you can run "set sysroot /apps/pkgapp-022516-05/core-lib-data/libs" and gdb will look for files from there.
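
The same steps can be run unattended. The script below is an added example (not part of pkgapp, opencore.sh or the original post): it sets the sysroot before the binary and core are loaded, saves the backtrace of every thread, and reports any library that gdb still resolved from the analysis machine. It assumes gdb is installed and that the caller passes the core path, since the listing above does not show where the package stores the core; all function names are hypothetical.

```shell
#!/bin/sh
# Added example: batch backtrace from an extracted pkgapp package.
# Not part of pkgapp or opencore.sh. Paths are assumed to contain no spaces.

# write_gdb_cmds PKGDIR BINARY CORE
# Print gdb commands that pin library lookup to the packaged copies
# before anything is loaded. BINARY is the absolute path the binary had
# on the crashed host; CORE is the path of the core on this machine.
write_gdb_cmds() {
    sysroot=${1%/}/core-lib-data/libs
    printf 'set sysroot %s\n' "$sysroot"
    printf 'file %s%s\n' "$sysroot" "$2"
    printf 'core-file %s\n' "$3"
    printf 'info sharedlibrary\n'
    printf 'thread apply all bt\n'
}

# libs_outside_sysroot SYSROOT
# Read gdb output on stdin, look only at the "info sharedlibrary" table,
# and print every library path that does not start with SYSROOT, i.e. was
# taken from the analysis machine instead of the package.
libs_outside_sysroot() {
    awk -v root="${1%/}/" '
        /^From +To / { in_list = 1; next }
        in_list && $NF ~ /^\// { if (index($NF, root) != 1) print $NF; next }
        { in_list = 0 }
    '
}

# backtrace_from_package PKGDIR BINARY CORE OUTFILE
# Run gdb in batch mode, save its output to OUTFILE, and return 1 if any
# library was resolved outside the package.
backtrace_from_package() {
    cmds=$(mktemp) || return 2
    write_gdb_cmds "$1" "$2" "$3" > "$cmds"
    gdb -batch -x "$cmds" > "$4" 2>&1
    rm -f "$cmds"
    stray=$(libs_outside_sysroot "${1%/}/core-lib-data/libs" < "$4")
    if [ -n "$stray" ]; then
        printf 'resolved outside the package:\n%s\n' "$stray" >&2
        return 1
    fi
}

# Constructed sample of gdb output (not from the page): libdl was taken
# from the local machine, the other two libraries from the package.
sample_output() {
    cat <<'EOF'
From        To          Syms Read   Shared Object Library
0x00b6e830  0x00b7d0c4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/lib/libpthread.so.0
0x00ab9a30  0x00aba9d8  Yes (*)     /lib/libdl.so.2
                        No          /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so
(*): Shared library is missing debugging information.

#0  0x03654b06 in __strlen_sse2_bsf () from /lib/libc.so.6
EOF
}

# Stand-alone use: backtrace.sh PKGDIR BINARY CORE OUTFILE
if [ "$#" -eq 4 ]; then
    backtrace_from_package "$@"
fi
```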

set solib-absolute-prefix /apps/pkgapp-022516-05/core-lib-data/libs

(gdb) set solib-absolute-prefix /apps/pkgapp-022516-05/core-lib-data/libs

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmartheap_smp.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmartheap_smp.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libGCL.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libGCL.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmcommonutil.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmcommonutil.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmi18n.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmi18n.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicudata.so.49...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicudata.so.49

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicui18n.so.49...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicui18n.so.49

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicuio.so.49...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicuio.so.49

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicuuc.so.49...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicuuc.so.49

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmauth.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmauth.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmreports.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmreports.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmplatform.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmplatform.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmds.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmds.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmadmobj.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmadmobj.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmaz.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmaz.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmauthcert.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmauthcert.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmjvmsupport.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmjvmsupport.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmvariable.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmvariable.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmconapi.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmconapi.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmerrlog.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmerrlog.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmradius.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmradius.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libldap60.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libldap60.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libssldap60.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libssldap60.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libssl3.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libssl3.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libprldap60.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libprldap60.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnss3.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnss3.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnspr4.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnspr4.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnssutil3.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnssutil3.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libplds4.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libplds4.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so...Missing separate debuginfo for /apps/pkgapp-022516-05/core-lib-data/libs/apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/00/9c8f6ad2d8577fef41a38f1ac9e3407be3c0e6.debug

expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmmonapips.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmmonapips.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPS.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPS.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSAudit.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSAudit.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXLogger.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXLogger.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmXlate.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmXlate.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libxerces-c.so.28...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libxerces-c.so.28

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libxerces-depdom.so.28...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libxerces-depdom.so.28

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmazuser.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmazuser.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmpolicyapi45.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmpolicyapi45.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmfedconfig.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmfedconfig.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libaceclnt.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libaceclnt.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmShutdownManager.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmShutdownManager.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsoftokn3.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsoftokn3.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libplc4.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libplc4.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libz.so.1...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libz.so.1

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/lib/ld-linux.so.2...Missing separate debuginfo for /apps/pkgapp-022516-05/core-lib-data/libs/lib/ld-linux.so.2

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/cf/64bd33f05b1081feb1b9a01e9ae82ed098bd80.debug

expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/lib/ld-linux.so.2

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsqlite3.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsqlite3.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmidentity.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmidentity.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmagentfunccomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmagentfunccomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmagentconmgrcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmagentconmgrcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmservercomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmservercomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmisprotectedcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmisprotectedcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmloginlogoutcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmloginlogoutcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmisauthorizedcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmisauthorizedcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtunnelcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtunnelcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmjavaapicomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmjavaapicomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdirectorycomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdirectorycomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmodbccomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmodbccomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmldapcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmldapcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmimscomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmimscomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libtxmcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libtxmcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmfedservercomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmfedservercomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdlpcomponent.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdlpcomponent.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmgda.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmgda.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libfipsmode.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libfipsmode.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcapki.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcapki.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcaopenssl_crypto.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcaopenssl_crypto.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcaopenssl_ssl.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcaopenssl_ssl.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib//libcapki_thread_posix.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib//libcapki_thread_posix.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libcryptocme.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libcryptocme.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_base.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_base.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_asym.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_asym.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecc.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecc.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecdrbg.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecdrbg.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecc_accel_fips.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecc_accel_fips.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_error_info.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_error_info.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/lib/libnss_files.so.2...Missing separate debuginfo for /apps/pkgapp-022516-05/core-lib-data/libs/lib/libnss_files.so.2

Try: yum --enablerepo='*-debug*' install /usr/lib/debug/.build-id/1b/e2ab751dc66899f491d8050600112b35136a8a.debug

expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/lib/libnss_files.so.2

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransact.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransact.so

warning: .dynamic section for "/apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so" is not at the expected address (wrong library or version mismatch?)

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmldapps.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmldapps.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldapims.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldapims.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjims.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjims.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libimsds.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libimsds.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libimsutil.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libimsutil.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmreportstextlog.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmreportstextlog.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSEval.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSEval.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmprovider.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmprovider.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSLDAP.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSLDAP.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjadapter.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjadapter.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransactadapter.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransactadapter.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libfmdeploy.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libfmdeploy.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransactems2.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransactems2.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libmigration.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libmigration.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSoaObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSoaObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libFssObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libFssObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libIdMObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libIdMObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libEPMObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libEPMObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmRLS.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmRLS.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdsadapter.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdsadapter.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libCDSObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libCDSObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libFedObjects.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libFedObjects.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libJVMSupportAdapter.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libJVMSupportAdapter.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmCounters.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmCounters.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libodbc.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libodbc.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libodbcinst.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libodbcinst.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libNSicu27.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libNSicu27.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmaps.so...expanding to full symbols...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmaps.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libAPSMail.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libAPSMail.so

Reading symbols from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libbtunicode.so...expanding to full symbols...(no debugging symbols found)...done.

Loaded symbols for /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libbtunicode.so

(gdb)

 

Now run the "where" command to get the backtrace. If gdb resolved all the symbols, you should not see any "??" frames.

The following output shows that some frames are still unresolved.

where

(gdb) where

#0  0x03654b06 in ?? ()

#1  0xc91132b7 in ?? ()

#2  0x0806ca6f in CpaStream& CpaStream::append<char const*>(char const*) ()

#3  0x0806ca46 in CpaStream::operator<<(char const*) ()

#4  0x0806c990 in CpaArgList& CpaArgList::add<char const*>(char const* const&) ()

#5  0x0806c191 in char const* CSmErrLogMessage::FormatMessage<char const*, char const*>(unsigned int, char const* const&, char const* const&) ()

#6  0x03acd10b in SmBindLDAP () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#7  0x03acf5ba in SmImproveConnection(int) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#8  0x03ad0513 in SmSearchLDAP () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#9  0x03a17bb8 in AgentKey_Search () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#10 0x00a42367 in CSmObjProvider::Fetch(CSmObjBase&) const () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so

#11 0x00a8c903 in CSmObjStore::Fetch(CSmObjBase&, unsigned int, void const*, CString const&) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so

#12 0x08070a0d in CSm_Auth_Message::DoManagement() ()

#13 0x080668ae in CSm_Auth_Message::ProcessAgentMessage() ()

#14 0x080bc6f8 in CSm_Auth_Message::ProcessMessage() ()

#15 0x08125a15 in CSmPolicyServer::vOnRequest(CClientSession const*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) ()

#16 0x00e1632d in CServer::ProcessRequest(CClientSession*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) ()

   from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#17 0x00df0790 in CAgentMessageHandler::DoWork(unsigned char*, unsigned char*, int) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#18 0x00de855f in ThreadPool::Run(bool) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#19 0x00e96ca4 in ThreadPoolBase::ThreadProc(void*) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#20 0x00173f05 in BtThreadBase(ThreadArgs*) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmcommonutil.so

#21 0x00836b39 in ?? ()

#22 0x090640c0 in ?? ()

#23 0x036b6c1e in ?? ()

 

Although gdb was told to look in the /apps/pkgapp-022516-05/core-lib-data/libs folder, it is not finding some of the files in that folder structure.

 

You can list the shared libraries to see which ones are missing.
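The following Python script is an added example, not part of the original post. It parses saved `info sharedlibrary` output for the entries gdb did not load, checks whether each "??" frame address falls inside any loaded library's From/To range, and lists where each missing library would be expected under the library folder. It assumes that folder acts as a path prefix, as the loaded paths in the gdb output on this page suggest; the function names are hypothetical and frame #99 is constructed.

```python
import os
import re

# Library folder gdb was pointed at on this page. Assumption: it acts as a
# prefix, i.e. loaded paths are this folder followed by the original path.
PREFIX = "/apps/pkgapp-022516-05/core-lib-data/libs"

# Sample input: a few rows and frames excerpted from the gdb output on this page.
SHAREDLIBRARY = """\
From        To          Syms Read   Shared Object Library
0x00dc61e0  0x00f383c0  Yes         {p}/apps/CA/siteminder/lib/libsmutilities.so
                        No          /lib/libpthread.so.0
---Type <return> to continue, or q <return> to quit---
0x03a0abc4  0x03ae1f28  Yes (*)     {p}/apps/CA/siteminder/lib/libsmobjldap.so
                        No          /lib/libc.so.6
""".format(p=PREFIX)

BACKTRACE = """\
#0  0x03654b06 in ?? ()
#6  0x03acd10b in SmBindLDAP () from {p}/apps/CA/siteminder/lib/libsmobjldap.so
#18 0x00de855f in ThreadPool::Run(bool) () from {p}/apps/CA/siteminder/lib/libsmutilities.so
#21 0x00836b39 in ?? ()
""".format(p=PREFIX)
# Constructed frame (not from the page): unresolved, but inside a loaded library.
BACKTRACE += "#99 0x03a0b000 in ?? ()\n"

# One listing row: optional From/To addresses, the Syms Read column, the path.
ROW = re.compile(
    r"^\s*(?:(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+)?(Yes(?: \(\*\))?|No)\s+(\S.*)$"
)
# A backtrace frame gdb could not map to a symbol.
UNRESOLVED = re.compile(r"^#(\d+)\s+(0x[0-9a-f]+) in \?\? \(\)", re.M)


def parse_sharedlibrary(text):
    """Return (loaded, missing).

    loaded  -> list of (start, end, has_debug_info, path)
    missing -> list of paths gdb reported with Syms Read = No
    Header lines, blank lines and pager prompts are skipped.
    """
    loaded, missing = [], []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        start, end, status, path = m.groups()
        if status == "No" or start is None:
            missing.append(path.strip())
        else:
            # "(*)" marks a library loaded without debugging information.
            has_debug = "(*)" not in status
            loaded.append((int(start, 16), int(end, 16), has_debug, path.strip()))
    return loaded, missing


def classify_unresolved(backtrace, loaded):
    """For each '??' frame return (frame_no, address, owning_library_or_None).

    None means the address is outside every loaded range, so a library that
    was not loaded is a candidate owner of that frame.
    """
    result = []
    for num, addr in UNRESOLVED.findall(backtrace):
        value = int(addr, 16)
        owner = next((p for s, e, _, p in loaded if s <= value < e), None)
        result.append((int(num), f"{value:#010x}", owner))
    return result


def expected_locations(missing, prefix):
    """Return (original_path, path_under_prefix, exists_on_this_host)."""
    out = []
    for path in missing:
        candidate = prefix.rstrip("/") + path
        out.append((path, candidate, os.path.isfile(candidate)))
    return out


if __name__ == "__main__":
    loaded, missing = parse_sharedlibrary(SHAREDLIBRARY)
    for num, addr, owner in classify_unresolved(BACKTRACE, loaded):
        print(f"frame #{num} {addr}: {owner or 'outside every loaded library'}")
    for original, candidate, present in expected_locations(missing, PREFIX):
        print(f"{original}: expected at {candidate} ({'found' if present else 'absent'})")
```

To run it on a real session, save the gdb output to files and pass their contents in place of the embedded samples.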

 

info sharedlibrary

(gdb) info sharedlibrary

From        To          Syms Read   Shared Object Library

0x004256f0  0x004313c6  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmartheap_smp.so

0x00dc61e0  0x00f383c0  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

0x0085ff94  0x008666ac  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libGCL.so

0x00156558  0x0018c3b0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmcommonutil.so

0x007d564c  0x0081278c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmi18n.so

0x00f9c1fc  0x00f9c1fc  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicudata.so.49

0x0021a6c0  0x0035d7e4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicui18n.so.49

0x004af414  0x004b5654  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicuio.so.49

0x004f0b4c  0x005b3ff0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libicuuc.so.49

0x009c8408  0x00ab3388  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so

0x0064b594  0x00722524  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmauth.so

0x003b3b80  0x003c257c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmreports.so

0x003d7890  0x003e96ec  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmplatform.so

0x00886360  0x008dc94c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmds.so

0x0044fb0c  0x0047ab2c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmadmobj.so

0x00b27184  0x00b7df24  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmaz.so

0x00bba300  0x00cadf60  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmauthcert.so

0x003f8784  0x00400bac  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmjvmsupport.so

0x0075f628  0x0076fb70  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmvariable.so

0x00789f54  0x0079a200  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmconapi.so

0x020cb158  0x020df43c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmerrlog.so

0x008fc4d0  0x00912a4c  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmradius.so

0x00cdd204  0x00cfd2e0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libldap60.so

0x004052f4  0x0040717c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libssldap60.so

0x00d06718  0x00d276b4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libssl3.so

0x0040d650  0x0040f23c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libprldap60.so

0x08269ae4  0x083330a0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnss3.so

0x02130dbc  0x0214ffd4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnspr4.so

0x00493e24  0x0049e278  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libnssutil3.so

0x00411bb0  0x0041298c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libplds4.so

0x022324b0  0x02966c68  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/jdk1.7.0_80/jre/lib/i386/server/libjvm.so

0x00419298  0x0041e564  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmmonapips.so

                       No          /lib/libpthread.so.0

                        No          /lib/libdl.so.2

                        No          /lib/librt.so.1

0x07339f40  0x07534cac  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPS.so

0x02e7eae8  0x02eb3690  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSAudit.so

0x084accec  0x084b9f64  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXLogger.so

0x031f3abc  0x0320ddb4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmXlate.so

0x03337194  0x034c4344  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libxerces-c.so.28

0x03039728  0x03063560  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libxerces-depdom.so.28

0x040fafac  0x0413b3b4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmazuser.so

0x02ee4a44  0x02f7bd20  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmpolicyapi45.so

0x0092efc4  0x009353e4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmfedconfig.so

0x048b87a0  0x048f6c94  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libaceclnt.so

0x0084ed48  0x00850f24  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmShutdownManager.so

                       No          /usr/lib/libstdc++.so.6

                        No          /lib/libm.so.6

                        No          /lib/libgcc_s.so.1

                        No          /lib/libc.so.6

0x06726f98  0x0674dafc  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsoftokn3.so

0x00853f6c  0x008555e8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libplc4.so

0x02fbf6d4  0x02fcce60  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libz.so.1

0x00942830  0x0095a47f  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/lib/ld-linux.so.2

                       No          /lib/libnsl.so.1

0x054eed10  0x0553eeb4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsqlite3.so

0x004aab48  0x004ab304  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmidentity.so

0x00918bf8  0x00919084  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmagentfunccomponent.so

---Type <return> to continue, or q <return> to quit---

0x0091bbc4  0x0091c050  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmagentconmgrcomponent.so

0x0092002c  0x0092064c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmservercomponent.so

0x00924ef0  0x009254d8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmisprotectedcomponent.so

0x0093b6f8  0x0093bd18  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmloginlogoutcomponent.so

0x0093ffe8  0x00940604  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmisauthorizedcomponent.so

0x00d2bf5c  0x00d2c578  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtunnelcomponent.so

0x00d2f2d0  0x00d2f8f0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmjavaapicomponent.so

0x088ea184  0x088ea7a0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdirectorycomponent.so

0x03f6a048  0x03f6a664  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmodbccomponent.so

0x02fef5c8  0x02fefbe8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmldapcomponent.so

0x05460540  0x05460b60  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmimscomponent.so

0x05814fe8  0x05815604  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libtxmcomponent.so

0x0782de98  0x0782e324  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmfedservercomponent.so

0x046faf10  0x046fb52c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdlpcomponent.so

0x083f1b38  0x083f1fd0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmgda.so

0x02ff2b04  0x02ff2f28  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libfipsmode.so

0x06ce2540  0x06db9e94  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcapki.so

0x03093340  0x031892a4  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcaopenssl_crypto.so

0x06ba13c0  0x06c020d4  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib/libcaopenssl_ssl.so

0x05fd3d40  0x05fd5694  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI/Linux/x86/32/lib//libcapki_thread_posix.so

0x038e87f0  0x03918fe8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libcryptocme.so

0x07e12a30  0x07e3df18  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_base.so

0x0376cf80  0x0379a3cc  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_asym.so

0x037a46d0  0x0380001c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecc.so

0x03829e10  0x0383eb28  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecdrbg.so

0x03920510  0x03920658  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_ecc_accel_fips.so

0x02ff57cc  0x02ff591c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/CAPKI//Linux/x86/32/lib/libccme_error_info.so

0x02ff9aa0  0x03001e98  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/lib/libnss_files.so.2

0x05e44d9c  0x05e4f358  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransact.so

0x03a0abc4  0x03ae1f28  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

0x058c8374  0x058eb744  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmldapps.so

0x03d3721c  0x03e4f780  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldapims.so

0x041c0e78  0x04509ed4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjims.so

0x03b2a9fc  0x03b6095c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libimsds.so

0x03bb82b4  0x03bf90d0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libimsutil.so

                        No          /lib/libnss_dns.so.2

                        No          /lib/libresolv.so.2

0x038adb60  0x038b636c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmreportstextlog.so

0x0474eb40  0x0483efa4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSEval.so

0x0300c4f0  0x03010810  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmprovider.so

0x03c30ff8  0x03c5c930  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libXPSLDAP.so

0x07c27d9c  0x07c99afc  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmObjects.so

0x03ff2dd0  0x040854a8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjadapter.so

0x03c81c90  0x03c98fbc  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransactadapter.so

0x07dff4a8  0x07dff5a8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libfmdeploy.so

0x05580638  0x05645688  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmtransactems2.so

0x03cbfc30  0x03ce21ec  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libmigration.so

0x038c0624  0x038c4da0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSoaObjects.so

0x066d68ac  0x066fa644  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libFssObjects.so

0x038d0bac  0x038d7b68  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libIdMObjects.so

0x08d5269c  0x08d6b9a8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libEPMObjects.so

0x03cf6d38  0x03cfb644  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmRLS.so

0x03ea0bbc  0x03eb94e8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmdsadapter.so

0x038e0e54  0x038e236c  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libCDSObjects.so

0x056cb370  0x05777ce8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libFedObjects.so

0x08bf07b8  0x08bf0924  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libJVMSupportAdapter.so

0x031c17cc  0x031c2cd0  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libSmCounters.so

0x0592ac40  0x059f78f4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libodbc.so

0x0460aa40  0x0467fac4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libodbcinst.so

---Type <return> to continue, or q <return> to quit---

0x9b32f3e0  0x9b3d8bb4  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/odbc/lib/libNSicu27.so

0x05a3f760  0x05b521ac  Yes         /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmaps.so

0x03ec7e20  0x03ede3f8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libAPSMail.so

0x05c385cc  0x05cc12a8  Yes (*)     /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libbtunicode.so

                       No          /apps/CA/siteminder/lib/libsmauthhtml.so

                        No          /apps/CA/siteminder/lib/libsmdsldap.so

                        No          /apps/CA/siteminder/lib/libsmdsplugin_Sun.so

(*): Shared library is missing debugging information.

 

From this output you can see which files were not collected by the pkgapp script.

Those files must be collected from the machine that generated the core.

You need to copy them to the /apps/pkgapp-022516-05/core-lib-data/libs/xxxxxxx folder, matching the original directory structure.

For example, /apps/CA/siteminder/lib/libsmdsplugin_Sun.so was missing.

You must copy this to the "/apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/" folder.

 

Quit gdb (quit) and run opencore.sh again.

Run "set solib-absolute-prefix /apps/pkgapp-022516-05/core-lib-data/libs" or "set sysroot /apps/pkgapp-022516-05/core-lib-data/libs" again.

Then run "info sharedlibrary" to confirm all library files are available.

 

Then run "where" again.

where

(gdb) where

#0  0x03654b06 in __strlen_sse2_bsf () from /lib/libc.so.6

#1  0x076e58f3 in std::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator+=(char const*) () from /usr/lib/libstdc++.so.6

#2  0x0806ca6f in CpaStream& CpaStream::append<char const*>(char const*) ()

#3  0x0806ca46 in CpaStream::operator<<(char const*) ()

#4  0x0806c990 in CpaArgList& CpaArgList::add<char const*>(char const* const&) ()

#5  0x0806c191 in char const* CSmErrLogMessage::FormatMessage<char const*, char const*>(unsigned int, char const* const&, char const* const&) ()

#6  0x03acd10b in SmBindLDAP () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#7  0x03acf5ba in SmImproveConnection(int) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#8  0x03ad0513 in SmSearchLDAP () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#9  0x03a17bb8 in AgentKey_Search () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobjldap.so

#10 0x00a42367 in CSmObjProvider::Fetch(CSmObjBase&) const () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so

#11 0x00a8c903 in CSmObjStore::Fetch(CSmObjBase&, unsigned int, void const*, CString const&) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmobj.so

#12 0x08070a0d in CSm_Auth_Message::DoManagement() ()

#13 0x080668ae in CSm_Auth_Message::ProcessAgentMessage() ()

#14 0x080bc6f8 in CSm_Auth_Message::ProcessMessage() ()

#15 0x08125a15 in CSmPolicyServer::vOnRequest(CClientSession const*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) ()

#16 0x00e1632d in CServer::ProcessRequest(CClientSession*, CString const&, unsigned int, CSmAgentTliPacket&, CSmAgentTliPacket&, int) ()

   from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#17 0x00df0790 in CAgentMessageHandler::DoWork(unsigned char*, unsigned char*, int) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#18 0x00de855f in ThreadPool::Run(bool) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#19 0x00e96ca4 in ThreadPoolBase::ThreadProc(void*) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmutilities.so

#20 0x00173f05 in BtThreadBase(ThreadArgs*) () from /apps/pkgapp-022516-05/core-lib-data/libs/apps/CA/siteminder/lib/libsmcommonutil.so

#21 0x00836b39 in start_thread () from /lib/libpthread.so.0

#22 0x036b6c1e in clone () from /lib/libc.so.6

(gdb)

 

This backtrace is what needs to be reviewed.

Running "bt" also displays the thread that caused the crash. (It actually displays the currently *selected* thread; by default thread #1 (not LWP #1) is selected, and *in general* that is the thread that caused the crash.) But "where" should be the one to run, as it will display the thread that caused the crash.

If you have debug symbol files, running "where full" or "bt full" would give you more information.

 

Another useful piece of information is what the other threads were doing at that moment.

The following command gives you the list of all threads.

The crashing thread is usually at the very bottom.

info threads

(gdb) info threads

  162 Thread 0x958f0b70 (LWP 2834)  0x00927430 in __kernel_vsyscall ()

  161 Thread 0xf755db70 (LWP 2623)  0x00927430 in __kernel_vsyscall ()

  160 Thread 0xe5340b70 (LWP 2652)  0x00927430 in __kernel_vsyscall ()

  159 Thread 0xef350b70 (LWP 2636)  0x00927430 in __kernel_vsyscall ()

  158 Thread 0xcff1eb70 (LWP 2688)  0x00927430 in __kernel_vsyscall ()

  157 Thread 0xa88dfb70 (LWP 2754)  0x00927430 in __kernel_vsyscall ()

  156 Thread 0xac4e5b70 (LWP 2748)  0x00927430 in __kernel_vsyscall ()

  155 Thread 0xf575ab70 (LWP 2626)  0x00927430 in __kernel_vsyscall ()

  154 Thread 0xc410bb70 (LWP 2709)  0x00927430 in __kernel_vsyscall ()

  153 Thread 0xa38d7b70 (LWP 2762)  0x00927430 in __kernel_vsyscall ()

  152 Thread 0xd6328b70 (LWP 2676)  0x00927430 in __kernel_vsyscall ()

  151 Thread 0xa4cd9b70 (LWP 2760)  0x00927430 in __kernel_vsyscall ()

  150 Thread 0xf3957b70 (LWP 2629)  0x00927430 in __kernel_vsyscall ()

  149 Thread 0xbd300b70 (LWP 2720)  0x00927430 in __kernel_vsyscall ()

  148 Thread 0xc2d09b70 (LWP 2711)  0x00927430 in __kernel_vsyscall ()

  147 Thread 0xe0338b70 (LWP 2660)  0x00927430 in __kernel_vsyscall ()

  146 Thread 0xead49b70 (LWP 2643)  0x00927430 in __kernel_vsyscall ()

  145 Thread 0xb32f0b70 (LWP 2736)  0x00927430 in __kernel_vsyscall ()

  144 Thread 0xd4525b70 (LWP 2680)  0x00927430 in __kernel_vsyscall ()

  143 Thread 0xc550db70 (LWP 2705)  0x00927430 in __kernel_vsyscall ()

  142 Thread 0xbfb04b70 (LWP 2716)  0x00927430 in __kernel_vsyscall ()

  141 Thread 0xd772ab70 (LWP 2674)  0x00927430 in __kernel_vsyscall ()

  140 Thread 0xde535b70 (LWP 2663)  0x00927430 in __kernel_vsyscall ()

  139 Thread 0xa42d8b70 (LWP 2761)  0x00927430 in __kernel_vsyscall ()

  138 Thread 0xd9f2eb70 (LWP 2670)  0x00927430 in __kernel_vsyscall ()

  137 Thread 0xb78f7b70 (LWP 2729)  0x00927430 in __kernel_vsyscall ()

  136 Thread 0xe353db70 (LWP 2655)  0x00927430 in __kernel_vsyscall ()

  135 Thread 0xc1907b70 (LWP 2713)  0x00927430 in __kernel_vsyscall ()

  134 Thread 0xacee6b70 (LWP 2747)  0x00927430 in __kernel_vsyscall ()

  133 Thread 0xb46f2b70 (LWP 2734)  0x00927430 in __kernel_vsyscall ()

  132 Thread 0xb64f5b70 (LWP 2731)  0x00927430 in __kernel_vsyscall ()

  131 Thread 0xb5af4b70 (LWP 2732)  0x00927430 in __kernel_vsyscall ()

  130 Thread 0xb0aecb70 (LWP 2740)  0x00927430 in __kernel_vsyscall ()

  129 Thread 0xc0f06b70 (LWP 2714)  0x00927430 in __kernel_vsyscall ()

  128 Thread 0xba0fbb70 (LWP 2725)  0x00927430 in __kernel_vsyscall ()

  127 Thread 0xc690fb70 (LWP 2703)  0x00927430 in __kernel_vsyscall ()

  126 Thread 0xca515b70 (LWP 2697)  0x00927430 in __kernel_vsyscall ()

  125 Thread 0xe5d41b70 (LWP 2651)  0x00927430 in __kernel_vsyscall ()

  124 Thread 0xefd51b70 (LWP 2635)  0x00927430 in __kernel_vsyscall ()

  123 Thread 0xd2722b70 (LWP 2684)  0x00927430 in __kernel_vsyscall ()

  122 Thread 0xb3cf1b70 (LWP 2735)  0x00927430 in __kernel_vsyscall ()

  121 Thread 0xb82f8b70 (LWP 2728)  0x00927430 in __kernel_vsyscall ()

  120 Thread 0xe173ab70 (LWP 2658)  0x00927430 in __kernel_vsyscall ()

  119 Thread 0xdc732b70 (LWP 2666)  0x00927430 in __kernel_vsyscall ()

  118 Thread 0xd5927b70 (LWP 2677)  0x00927430 in __kernel_vsyscall ()

  117 Thread 0xcf51db70 (LWP 2689)  0x00927430 in __kernel_vsyscall ()

  116 Thread 0xddb34b70 (LWP 2664)  0x00927430 in __kernel_vsyscall ()

  115 Thread 0xa9ce1b70 (LWP 2752)  0x00927430 in __kernel_vsyscall ()

  114 Thread 0xbdd01b70 (LWP 2719)  0x00927430 in __kernel_vsyscall ()

  113 Thread 0xa74ddb70 (LWP 2756)  0x00927430 in __kernel_vsyscall ()

  112 Thread 0xc8712b70 (LWP 2700)  0x00927430 in __kernel_vsyscall ()

  111 Thread 0xa92e0b70 (LWP 2753)  0x00927430 in __kernel_vsyscall ()

  110 Thread 0xe7b44b70 (LWP 2648)  0x00927430 in __kernel_vsyscall ()

  109 Thread 0xd3123b70 (LWP 2683)  0x00927430 in __kernel_vsyscall ()

  108 Thread 0xbb4fdb70 (LWP 2723)  0x00927430 in __kernel_vsyscall ()

  107 Thread 0xb50f3b70 (LWP 2733)  0x00927430 in __kernel_vsyscall ()

  106 Thread 0xdef36b70 (LWP 2662)  0x00927430 in __kernel_vsyscall ()

  105 Thread 0xbf103b70 (LWP 2717)  0x00927430 in __kernel_vsyscall ()

  104 Thread 0xf2555b70 (LWP 2631)  0x00927430 in __kernel_vsyscall ()

---Type <return> to continue, or q <return> to quit---

  103 Thread 0xbaafcb70 (LWP 2724)  0x00927430 in __kernel_vsyscall ()

  102 Thread 0xec14bb70 (LWP 2641)  0x00927430 in __kernel_vsyscall ()

  101 Thread 0xce11bb70 (LWP 2691)  0x00927430 in __kernel_vsyscall ()

  100 Thread 0xedf4eb70 (LWP 2638)  0x00927430 in __kernel_vsyscall ()

  99 Thread 0xd4f26b70 (LWP 2679)  0x00927430 in __kernel_vsyscall ()

  98 Thread 0xa56dab70 (LWP 2759)  0x00927430 in __kernel_vsyscall ()

  97 Thread 0xdbd31b70 (LWP 2667)  0x00927430 in __kernel_vsyscall ()

  96 Thread 0xe493fb70 (LWP 2653)  0x00927430 in __kernel_vsyscall ()

  95 Thread 0xaa6e2b70 (LWP 2751)  0x00927430 in __kernel_vsyscall ()

  94 Thread 0xe7143b70 (LWP 2649)  0x00927430 in __kernel_vsyscall ()

  93 Thread 0xc4b0cb70 (LWP 2708)  0x00927430 in __kernel_vsyscall ()

  92 Thread 0xe0d39b70 (LWP 2659)  0x00927430 in __kernel_vsyscall ()

  91 Thread 0xc2308b70 (LWP 2712)  0x00927430 in __kernel_vsyscall ()

  90 Thread 0xf0752b70 (LWP 2634)  0x00927430 in __kernel_vsyscall ()

  89 Thread 0xbbefeb70 (LWP 2722)  0x00927430 in __kernel_vsyscall ()

  88 Thread 0xe8545b70 (LWP 2647)  0x00927430 in __kernel_vsyscall ()

  87 Thread 0xb6ef6b70 (LWP 2730)  0x00927430 in __kernel_vsyscall ()

  86 Thread 0xae2e8b70 (LWP 2744)  0x00927430 in __kernel_vsyscall ()

  85 Thread 0xc0505b70 (LWP 2715)  0x00927430 in __kernel_vsyscall ()

  84 Thread 0xa7edeb70 (LWP 2755)  0x00927430 in __kernel_vsyscall ()

  83 Thread 0xbe702b70 (LWP 2718)  0x00927430 in __kernel_vsyscall ()

  82 Thread 0xea348b70 (LWP 2644)  0x00927430 in __kernel_vsyscall ()

  81 Thread 0xb1eeeb70 (LWP 2738)  0x00927430 in __kernel_vsyscall ()

  80 Thread 0xf2f56b70 (LWP 2630)  0x00927430 in __kernel_vsyscall ()

  79 Thread 0xe213bb70 (LWP 2657)  0x00927430 in __kernel_vsyscall ()

  78 Thread 0xf1153b70 (LWP 2633)  0x00927430 in __kernel_vsyscall ()

  77 Thread 0xab0e3b70 (LWP 2750)  0x00927430 in __kernel_vsyscall ()

  76 Thread 0xb14edb70 (LWP 2739)  0x00927430 in __kernel_vsyscall ()

  75 Thread 0xaf6eab70 (LWP 2742)  0x00927430 in __kernel_vsyscall ()

  74 Thread 0xb00ebb70 (LWP 2741)  0x00927430 in __kernel_vsyscall ()

  73 Thread 0xdf937b70 (LWP 2661)  0x00927430 in __kernel_vsyscall ()

  72 Thread 0xeb74ab70 (LWP 2642)  0x00927430 in __kernel_vsyscall ()

  71 Thread 0xd091fb70 (LWP 2687)  0x00927430 in __kernel_vsyscall ()

  70 Thread 0xcc318b70 (LWP 2694)  0x00927430 in __kernel_vsyscall ()

  69 Thread 0xe8f46b70 (LWP 2646)  0x00927430 in __kernel_vsyscall ()

  68 Thread 0xcd71ab70 (LWP 2692)  0x00927430 in __kernel_vsyscall ()

  67 Thread 0xd8b2cb70 (LWP 2672)  0x00927430 in __kernel_vsyscall ()

  66 Thread 0xecb4cb70 (LWP 2640)  0x00927430 in __kernel_vsyscall ()

  65 Thread 0xccd19b70 (LWP 2693)  0x00927430 in __kernel_vsyscall ()

  64 Thread 0xb96fab70 (LWP 2726)  0x00927430 in __kernel_vsyscall ()

  63 Thread 0xaece9b70 (LWP 2743)  0x00927430 in __kernel_vsyscall ()

  62 Thread 0xd3b24b70 (LWP 2682)  0x00927430 in __kernel_vsyscall ()

  61 Thread 0xabae4b70 (LWP 2749)  0x00927430 in __kernel_vsyscall ()

  60 Thread 0xd1d21b70 (LWP 2685)  0x00927430 in __kernel_vsyscall ()

  59 Thread 0xceb1cb70 (LWP 2690)  0x00927430 in __kernel_vsyscall ()

  58 Thread 0xdb330b70 (LWP 2668)  0x00927430 in __kernel_vsyscall ()

  57 Thread 0xbc8ffb70 (LWP 2721)  0x00927430 in __kernel_vsyscall ()

  56 Thread 0xad8e7b70 (LWP 2746)  0x00927430 in __kernel_vsyscall ()

  55 Thread 0xc7310b70 (LWP 2702)  0x00927430 in __kernel_vsyscall ()

  54 Thread 0xa60dbb70 (LWP 2758)  0x00927430 in __kernel_vsyscall ()

  53 Thread 0xb28efb70 (LWP 2737)  0x00927430 in __kernel_vsyscall ()

  52 Thread 0xcb917b70 (LWP 2695)  0x00927430 in __kernel_vsyscall ()

  51 Thread 0xe6742b70 (LWP 2650)  0x00927430 in __kernel_vsyscall ()

  50 Thread 0xdd133b70 (LWP 2665)  0x00927430 in __kernel_vsyscall ()

  49 Thread 0xd1320b70 (LWP 2686)  0x00927430 in __kernel_vsyscall ()

  48 Thread 0xf4358b70 (LWP 2628)  0x00927430 in __kernel_vsyscall ()

  47 Thread 0xd812bb70 (LWP 2673)  0x00927430 in __kernel_vsyscall ()

  46 Thread 0xc5f0eb70 (LWP 2704)  0x00927430 in __kernel_vsyscall ()

  45 Thread 0xf4d59b70 (LWP 2627)  0x00927430 in __kernel_vsyscall ()

---Type <return> to continue, or q <return> to quit---

  44 Thread 0xcaf16b70 (LWP 2696)  0x00927430 in __kernel_vsyscall ()

  43 Thread 0xf615bb70 (LWP 2625)  0x00927430 in __kernel_vsyscall ()

  42 Thread 0xf1b54b70 (LWP 2632)  0x00927430 in __kernel_vsyscall ()

  41 Thread 0xc370ab70 (LWP 2710)  0x00927430 in __kernel_vsyscall ()

  40 Thread 0xf6b5cb70 (LWP 2624)  0x00927430 in __kernel_vsyscall ()

  39 Thread 0xe3f3eb70 (LWP 2654)  0x00927430 in __kernel_vsyscall ()

  38 Thread 0xb8cf9b70 (LWP 2727)  0x00927430 in __kernel_vsyscall ()

  37 Thread 0x5310b70 (LWP 2622)  0x00927430 in __kernel_vsyscall ()

  36 Thread 0xe2b3cb70 (LWP 2656)  0x00927430 in __kernel_vsyscall ()

  35 Thread 0xf775f6e0 (LWP 2615)  0x00927430 in __kernel_vsyscall ()

  34 Thread 0xda92fb70 (LWP 2669)  0x00927430 in __kernel_vsyscall ()

  33 Thread 0x930ecb70 (LWP 2877)  0x00927430 in __kernel_vsyscall ()

  32 Thread 0xd952db70 (LWP 2671)  0x00927430 in __kernel_vsyscall ()

  31 Thread 0xee94fb70 (LWP 2637)  0x00927430 in __kernel_vsyscall ()

  30 Thread 0x93aedb70 (LWP 2876)  0x00927430 in __kernel_vsyscall ()

  29 Thread 0xa6adcb70 (LWP 2757)  0x00927430 in __kernel_vsyscall ()

  28 Thread 0xe9947b70 (LWP 2645)  0x00927430 in __kernel_vsyscall ()

  27 Thread 0x944eeb70 (LWP 2841)  0x00927430 in __kernel_vsyscall ()

  26 Thread 0xed54db70 (LWP 2639)  0x00927430 in __kernel_vsyscall ()

  25 Thread 0x94eefb70 (LWP 2837)  0x00927430 in __kernel_vsyscall ()

  24 Thread 0xc9b14b70 (LWP 2698)  0x00927430 in __kernel_vsyscall ()

  23 Thread 0x962f1b70 (LWP 2833)  0x00927430 in __kernel_vsyscall ()

  22 Thread 0xd6d29b70 (LWP 2675)  0x00927430 in __kernel_vsyscall ()

  21 Thread 0x96cf2b70 (LWP 2832)  0x00927430 in __kernel_vsyscall ()

  20 Thread 0x976f3b70 (LWP 2831)  0x00927430 in __kernel_vsyscall ()

  19 Thread 0x980f4b70 (LWP 2830)  0x00927430 in __kernel_vsyscall ()

  18 Thread 0x98af5b70 (LWP 2829)  0x00927430 in __kernel_vsyscall ()

  17 Thread 0x994f6b70 (LWP 2828)  0x00927430 in __kernel_vsyscall ()

  16 Thread 0x99ef7b70 (LWP 2827)  0x00927430 in __kernel_vsyscall ()

  15 Thread 0x9a8f8b70 (LWP 2826)  0x00927430 in __kernel_vsyscall ()

  14 Thread 0x9caccb70 (LWP 2824)  0x00927430 in __kernel_vsyscall ()

  13 Thread 0x9d4cdb70 (LWP 2808)  0x00927430 in __kernel_vsyscall ()

  12 Thread 0x9f2d0b70 (LWP 2805)  0x00927430 in __kernel_vsyscall ()

  11 Thread 0xa06d2b70 (LWP 2799)  0x00927430 in __kernel_vsyscall ()

  10 Thread 0xa10d3b70 (LWP 2798)  0x00927430 in __kernel_vsyscall ()

  9 Thread 0xa24d5b70 (LWP 2764)  0x00927430 in __kernel_vsyscall ()

  8 Thread 0x9b2f9b70 (LWP 2825)  0x00927430 in __kernel_vsyscall ()

  7 Thread 0x9deceb70 (LWP 2807)  0x00927430 in __kernel_vsyscall ()

  6 Thread 0x9e8cfb70 (LWP 2806)  0x00927430 in __kernel_vsyscall ()

  5 Thread 0xa2ed6b70 (LWP 2763)  0x00927430 in __kernel_vsyscall ()

  4 Thread 0x9fcd1b70 (LWP 2804)  0x00927430 in __kernel_vsyscall ()

  3 Thread 0xc7d11b70 (LWP 2701)  0x00927430 in __kernel_vsyscall ()

  2 Thread 0xa1ad4b70 (LWP 2765)  0x00927430 in __kernel_vsyscall ()

* 1 Thread 0xc9113b70 (LWP 2699)  0x03654b06 in __strlen_sse2_bsf () from /lib/libc.so.6

 

If you have smtracedefault.log, you can track LWP 2699, which has the hexadecimal thread ID 0xc9113b70, and see what it was doing, provided it logged sufficient messages before the crash.

 

Open the calculator in "Programmer" mode.

Select the "Hex" button, then enter the hexadecimal thread ID value c9113b70.

Then select the "Dec" button to convert it to a decimal value.

ThreadID 3373349744 in your smtracedefault.log needs to be compared with this stack trace to get to the root cause of the crash.
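
The same conversion can be done in the shell. The following is an added example, not part of the original post: it picks the thread gdb marks with "*" from "info threads" output, converts its hexadecimal thread ID to decimal and filters a trace log for it. The trace lines are constructed, and it assumes smtracedefault.log writes the decimal thread ID as its own bracketed field.

```shell
#!/bin/sh
# Added example (not from the original post): find the thread gdb marks as
# selected, convert its hexadecimal thread ID to decimal, and pull that
# thread's lines out of a trace log.

# Three lines copied from the "info threads" output above.
SAMPLE_THREADS='  3 Thread 0xc7d11b70 (LWP 2701)  0x00927430 in __kernel_vsyscall ()
  2 Thread 0xa1ad4b70 (LWP 2765)  0x00927430 in __kernel_vsyscall ()
* 1 Thread 0xc9113b70 (LWP 2699)  0x03654b06 in __strlen_sse2_bsf () from /lib/libc.so.6'

# Constructed trace lines. ASSUMPTION: smtracedefault.log carries the decimal
# thread ID as its own bracketed field, like the [pid][tid] fields of the
# webagenttrace.log format; the PID, timestamps and messages are made up.
SAMPLE_TRACE='[02/25/2016][10:15:01][2614][3373349744][constructed: enter SmSearchLDAP]
[02/25/2016][10:15:01][2614][2712488816][constructed: unrelated worker thread]
[02/25/2016][10:15:02][2614][3373349744][constructed: enter SmBindLDAP]'

# Read "info threads" output on stdin; print "<hex thread id> <LWP>" for the
# first thread gdb marks with "*" (the selected thread).
selected_thread() {
    awk '!found && $1 == "*" && $3 == "Thread" {
        lwp = $6
        sub(/\)$/, "", lwp)      # "2699)" -> "2699"
        print $4, lwp
        found = 1
    }'
}

# Convert a hexadecimal value (with or without the 0x prefix) to decimal.
hex_to_dec() {
    h=${1#0[xX]}
    case $h in
        ''|*[!0-9a-fA-F]*)
            echo "not a hexadecimal value: $1" >&2
            return 1
            ;;
    esac
    echo "$((0x$h))"
}

# Read "info threads" output on stdin; print the selected thread's ID in
# decimal, the form to search for in the trace log.
crash_tid_dec() {
    set -- $(selected_thread)
    [ -n "$1" ] || { echo "no selected thread found" >&2; return 1; }
    hex_to_dec "$1"
}

# Read a trace log on stdin; print only the lines that carry the given
# decimal thread ID as a bracketed field.
trace_lines_for_thread() {
    grep -F "[$1]"
}

# Demo on the embedded samples.
tid=$(printf '%s\n' "$SAMPLE_THREADS" | crash_tid_dec)
echo "selected thread ID in decimal: $tid"
printf '%s\n' "$SAMPLE_TRACE" | trace_lines_for_thread "$tid"
```

In a real session, save the "info threads" output to a file and feed it to crash_tid_dec, then feed smtracedefault.log to trace_lines_for_thread.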

 

Sometimes (e.g., on a stack overflow), the dump file does not capture all the information (it can actually get overwritten, also known as stomping, with garbage data), which makes it useless. (This is very common when gdb reports a corrupt stack, and gdb will tell you if that is the case.)

 

So, it is always safer to collect as many (packaged) core files as possible.

And core dump analysis may not always give all information to find the root cause.

Having smtracedefault.log with sufficient components and data always fills the gap.

 

pkgapp and gdb are not developed by CA. Please contact the people who developed them if you need more information.

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series. (links below)

Decided to put a complete list of the articles.

========================================

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

========================================

Configuring an ALL-IN-ONE VM Image - Part 1

Configuring an ALL-IN-ONE VM Image - Part 2

Configuring an ALL-IN-ONE VM Image - Part 3

Configuring an ALL-IN-ONE VM Image - Part 4

Configuring an ALL-IN-ONE VM Image - Part 5

Configuring an ALL-IN-ONE VM Image - Part 6

Configuring an ALL-IN-ONE VM Image - Part 7

========================================

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

    - Service configuration

    - Startup/Shutdown scripts

    - Logging

    - Basic Concepts

02. Standard Authentication Schemes

    - Basic Concepts

    - Basic

    - HTML Forms

    - HTML using UID and EMAIL

    - Basic over SSL

03. Certificate Authentication Schemes

    - X.509 Certificate Only

    - X.509 Certificate or Basic

    - X.509 Certificate and Basic

    - X.509 Certificate or Form

    - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 7.

 

04. Windows Authentication Scheme

 

The Windows Authentication Scheme is popular because no password is transmitted and the login is seamless.

There are several things that you need to check before Windows Authentication will work.

  • Does your browser support windows authentication?
  • Does the DNS FQHN resolve to a different FQHN than the physical hostname?
  • Can IIS authenticate user using Windows Authentication without Web Agent involved?
  • Are the IIS and client machines joined to the AD domain?
  • Are you going to use Negotiate or NTLM?

 

 

Does your browser support windows authentication?

 

If you are using Internet Explorer, you just need to check that the site is registered in the "Local intranet" zone.

If you are using Chrome, it takes its configuration from IE and does not need any configuration of its own.

If you are using Firefox, you will need to change the following configuration.

In the address bar, enter "about:config" and press Enter.

 

For NTLM, add ".sso.lab" to "network.automatic-ntlm-auth.trusted-uris"

 

For Negotiate, add ".sso.lab" to "network.negotiate-auth.delegation-uris" and "network.negotiate-auth.trusted-uris"

Does the DNS FQHN resolve to a different FQHN than the physical hostname?

 

In many cases, your hostname (testmc1.sso.lab) may not be the FQHN you use to access IIS.

In this sample, it is actually "www.sso.lab" and not "testmc1.sso.lab".

When the FQHN is different from the physical hostname, Windows authentication may fail and you get re-prompted with a challenge.

Even when you submit the correct user ID and password, you will get challenged again.

 

In those cases, you need to add a registry value to skip the loopback check for the hostname.

 

Registry Key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

Right click MSV1_0, point to "New" and then click "Multi-String" value.

Type "BackConnectionHostNames" and press Enter.

Add the value with the FQHN that you want to use (in this case "www.sso.lab").

 

More info here https://support.microsoft.com/en-au/kb/896861

 

 

 

Can IIS authenticate user using Windows Authentication without Web Agent involved?

 

This is an important part of troubleshooting Windows Authentication.

You can try this with the /ntlm/ virtual directory by disabling Anonymous Authentication and enabling Windows Authentication.

Select the /ntlm/ virtual directory (you need to create this directory under the wwwroot folder) and click "Authentication" in the right pane.

 

Change the configuration below.

Change "Anonymous Authentication" to "Disabled" and "Windows Authentication" to "Enabled".

If you have not created the registry value above, you will be challenged when you access http://www.sso.lab/ntlm/

 

 

With the registry value in place, you should get access to the resource and see the following headers.

AUTH_USER: SSO\Administrator

AUTH_TYPE: NTLM

HTTP_AUTHORIZATION: TIRMxxxxx

 

So, this is proof that NTLM is working.

 

Revert the changes above back to "Anonymous Authentication: Enabled" and "Windows Authentication: Disabled".

 

 

Are the IIS and client machines joined to the AD domain?

 

Yes, it is the same machine in this case, so both are joined to the SSO domain.

 

 

Are you going to use Negotiate or NTLM?

 

Let's stick to NTLM. Negotiate would also work with the registry key above.

 

 

As all the above requirements are satisfied, we can now go ahead with Windows Authentication Scheme.

The following needs to be configured.

 

  • Make sure you have the content on your web server for /ntlm/ virtual directory.
  • Create "Windows Authentication" Scheme.
  • Create Component and Resource from AdminUI to protect this resource.
  • Configure "Authentication" for "/siteminderagent/ntlm" virtual directory.

 

 

Create "Windows Authentication" Scheme.

 

Create the Windows Authentication Scheme as below.

Name: Windows Authentication

Authentication Scheme Type: Windows Authentication Template

Protection Level: 5

Password Policies enabled for this Authentication Scheme: true

Scheme support: Active Directory / LDAP

Use Relative Target: False

Server Name: www.sso.lab

Port:

Use SSL Connection: True (In case the client does not support the NTLM handshake and gets a basic popup, it is safer to be on https)

Target: /siteminderagent/ntlm/creds.ntc

User DN Lookup: (sAMAccountName=%{UID})

Library: smauthntlm

The Windows Authentication Scheme is created. Notice that it is now on the second page.

 

Create Component and Resource from AdminUI to protect this resource.

 

Log on to AdminUI and create the Component as below.

Component Name: Windows Authentication

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /ntlm/

Default Resource Protection: Protected

Authentication Scheme: Windows Authentication

 

Navigate to Resource tab, select context root "/ntlm/".

Create Resource as below.

Name: Access Windows Authentication

Resource: *

Allow Access: True

Action: Web Agent Actions: GET, POST

 

Assign "Basic Role" to "Access Windows Authentication" resource and "Submit".

 

 

Configure "Authentication" for "/siteminderagent/ntlm" virtual directory.

 

 

 

Now to test the use case.

Open IE and access http://www.sso.lab/ntlm/

The SMUSER header is set as "SSO\administrator".

Some customers want the SMUSER value to be "administrator" only without the domain.

It is possible with a Global Delivery Module called "SmOverrideAuth".

You can reach out to CA Account Manager if you are interested in trying this module.

 

So, now you have Windows Authentication working.

But we have a new feature that does not redirect to the /siteminderagent/ntlm/ virtual directory.

Refer to the documentation regarding the "InlineCredentials" IIS Web Server Settings.

 

Do not create a separate Windows Authentication scheme, but create a separate Component and Resource for the /inlinecredentials/ virtual directory.

 

  • Make sure you have the content on your web server for /inlinecredentials/ virtual directory.
  • Add "InlineCredentials=Yes" in ACO.
  • Create "Windows Authentication" Scheme. (skip this as it is already created)
  • Create Component and Resource from AdminUI to protect this resource.
  • Configure "Authentication" for "/inlinecredentials/" virtual directory.

 

Add "InlineCredentials=Yes" in ACO.

 

Log on to AdminUI, navigate to "Infrastructure ==> Agent ==> Agent Configuration Objects" and modify "aco.www.sso.lab".

Click "Add" button to create new parameter.

Create "InlineCredentials" parameter and set "Yes" as the value.

Click "OK" and "Submit".

 

 

Create Component and Resource from AdminUI to protect this resource.

 

I will skip the part for creating Components and Resource and assigning "Basic Role" to "Access InlineCredentials" resource.

Please create the above-mentioned items.

 

 

Configure "Authentication" for "/inlinecredentials/" virtual directory.

 

 

 

Now, if you did not have "inlinecredentials=yes" in the ACO, you would get a basic prompt when accessing http://www.sso.lab/inlinecredentials/.

But with this parameter enabled, you will have access to the resource without being redirected to /siteminderagent/ntlm/creds.ntc.

webagenttrace.log

[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Start new request.]

[02/16/2016][18:26:04][5840][7008][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][][][][Resolved agentname: 'agent.iis'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][][][Resolved URL: '/inlinecredentials/'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resolved METHOD: 'GET'.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resolved cookie domain: '.sso.lab'.]

[02/16/2016][18:26:04][5840][7008][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Resource is protected from Policy Server.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Processing IsProtected responses.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]

[02/16/2016][18:26:04][5840][7008][CSmCredentialManager.cpp:169][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][][User 'SSO\administrator' is authenticated by Policy Server.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Processing Authentication responses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:8077][CSmHttpPlugin::GenerateNTCChallengeDoneCookie][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Generating SMCHALLENGE=NTC_CHALLENGE_DONE set-cookie response header.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Generated SMSESSION cookie.]

[02/16/2016][18:26:04][5840][7008][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][User 'CN=Administrator,CN=Users,DC=sso,DC=lab' is authorized by Policy Server.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Processing Authorization responses.]

[02/16/2016][18:26:04][5840][7008][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][Removing HTTP cache request headers.]

[02/16/2016][18:26:04][5840][7008][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][AuthorizationManager returned SmYes, end new request.]

[02/16/2016][18:26:04][5840][7008][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-16d0-56c2cf0c-1b60-00784a80][*192.168.201.101][][agent.iis][/inlinecredentials/][SSO\administrator][End new request.]

 

When the browser accessed http://www.sso.lab/inlinecredentials/, it did not have an existing SMSESSION cookie, so the webagenttrace.log above contains no line mentioning one.

And without a redirect, Credential Manager was able to "Gather Credentials" and authenticate the user.

The same can be seen in the Fiddler trace.

 

So, if you want to use seamless Windows authentication but do not want a redirect, this is the solution.

Some customers want to log in without involving redirects, and the only authentication scheme that did not redirect was "Basic" authentication, which was not secure. With inlinecredentials, we have one more scheme that does not require a redirect.

 

The downside is that you need to manually enable "Windows Authentication" and disable "Anonymous Authentication" on each virtual directory that you want to protect using inlinecredentials.

 

Also, the "InlineCredentials" parameter is an agent-wide setting.

This means you cannot use "Redirect to Windows Authentication Scheme" and "InlineCredentials" mode together.

Once you enable "InlineCredentials", your "http://www.sso.lab/ntlm/" will no longer redirect to "https://www.sso.lab/siteminderagent/ntlm/creds.ntc".

 

The screenshot below explains what is happening. (Frames #3 to #6 were unrelated requests made by IE, so I removed them.)

When the browser visits "http://www.sso.lab/ntlm/", it is no longer redirected because of the InlineCredentials feature, and the protected resource does not require Windows Authentication (which would initiate the NTLM handshake), so the server does not ask the client for it.

As a result, the browser gets HTTP 403.

 

The ACO parameter "InlineCredentials" did not appear immediately, but it did appear later in the wa.log.

 

That concludes the Windows Authentication Scheme.

Next article will be OAuth.

I had no intention of writing this, but it became necessary as part of writing the "ALL-IN-ONE" VM image.

The webagenttrace.log showed a "SAVEDSESSION" cookie being set, and I wanted to find out what it might be for and when it is set and cleared.

 

If you want more information about fiddler and its use, please visit "www.telerik.com/fiddler".

 

Visit "Fiddler free web debugging proxy" (http://www.telerik.com/fiddler) and download it.

There are options for .NET2 and .NET4.

 

 

After you install it, Fiddler will report a port conflict at startup, which is expected.

Click "Yes" to continue, then manually update the port to 9999 so it will not conflict in the future.

 

 

Once it starts up, it checks whether an update is available. We don't need to see this each time we start Fiddler, so it should be disabled.

Click on "Tools ==> Fiddler Options", then uncheck "Check for updates on startup".

Then click on the "HTTPS" tab and check "Decrypt HTTPS traffic". This must be enabled so we can look at the contents of encrypted traffic.

You will then be asked to "Trust the Fiddler Root certificate". Click "Yes" to import it.

Click "Yes" again to complete the import. Note that the CA certificate is named "DO_NOT_TRUST_FiddlerRoot".

You can find this in your Certificate store as below.

 

Because Fiddler is a web proxy working as a man in the middle, it generates a certificate for every site you access via HTTPS.

This can get messy later on, but you can remove all the Fiddler-generated certificates, including the root CA, if you uncheck "Decrypt HTTPS traffic" and select "Remove All Certificates" from the "Actions" button.

But we will not do this at this moment.

Exit the fiddler completely and start it up again.

You will get the port conflict message again, this time select "No".

At the "Fiddler Options", update the listening port from 8888 to 9999 then click "OK".

 

As this acts as "System Proxy", you can now capture traffic from IE or Chrome.

As there was a port conflict during startup, shut down Fiddler and start it again. This time it will show that it is capturing the traffic.

Fiddler has a limitation: it cannot submit the client certificate for the browser. You need to give it access to the certificate.

 

Go to IE's certificate store, select user1's certificate and click "Export".

 

You do not need to export the private key.

 

The certificate format does not matter; you can select either "DER" or Base-64.

 

Save it to the file path that Fiddler instructs you to use.

 

To clear the Fiddler screen, click on the "X" icon and select "Remove all" any time you want to clear the captured traffic.

 

Fiddler also captures all traffic so it would be good to skip some of the traffic.

 

From the above screenshot, I do not want Fiddler to capture clients4.google.com, translate.googleapis.com, ssl.gstatic.com and safebrowsing.google.com.

Go to "Fiddler Options ==> Connections ==> Bypass Fiddler for URLs that start with:"

Then enter "*.google.com;" and "*.googleapis.com;" and "*.gstatic.com;" in separate lines and click "OK".

 

After restarting fiddler and chrome, you will notice you are not getting those unwanted sites anymore.

However, you will still see 3 weird looking requests as shown below.

Those are okay, refer to Issue 47262 - chromium - Chromes startup random DNS queries tracked in, and polluting users Google Web History -    *…

 

Now back to the Certificate and Form.

Fiddler submits the client certificate when the web server requests it.

Unfortunately, you will not be prompted to choose a client certificate, because Fiddler simply submits the one it has.

Also, it supports only 1 client certificate (as you would have noticed when it asked you to save the certificate under a specific file name).

 

To view the traffic, click on the request from the left pane.

Then on the upper right pane click on "Inspectors" and it will show the request(upper right) and response(lower right) panes.

Note the protocol at the left pane shows it is HTTPS and at the right pane you are seeing the encrypted content.

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series. (links below)

Decided to put a complete list of the articles.

========================================

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

========================================

Configuring an ALL-IN-ONE VM Image - Part 1

Configuring an ALL-IN-ONE VM Image - Part 2

Configuring an ALL-IN-ONE VM Image - Part 3

Configuring an ALL-IN-ONE VM Image - Part 4

Configuring an ALL-IN-ONE VM Image - Part 5

Configuring an ALL-IN-ONE VM Image - Part 6

========================================

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 6.

 

X.509 Certificate and Basic

 

We need the following to set up the use case.

 

* Make sure you have the content on your web server for /certandbasic/ virtual directory.

* Create "X.509 Certificate and Basic Authentication" Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping (skip this step as it is already configured)

* Configure "SSL Setting" for "/siteminderagent/cert" (skip this step as it is already configured)

 

 

 

Create "X.509 Certificate and Basic Authentication" Scheme.

 

As usual, previously demonstrated steps will be skipped.

This is our first "Two Factor Authentication" (2FA) scheme: 1) the certificate plus 2) the user credentials.

Create "Certificate and Basic" Authentication Scheme as below.

Fill in -

Name: Certificate and Basic

Authentication Scheme Type: X509 Client Cert and Basic Template

Protection Level: 15

     Note: As this is a 2FA, its default security protection level is higher than the previous authentication schemes.

Password Policies enabled for this Authentication Scheme: true

     Note: The basic authentication part involves password so the password policy can be applied here.

Server Name: www.sso.lab

Target: /siteminderagent/cert/smgetcred.scc

Library: smauthcert

     Note: The Parameter will show "smgetcred.scc?cert+basic" to recognize it is a cert plus the basic authentication scheme.

You can see from below,

 

Create Component and Resource from AdminUI to protect this resource.

 

Create Component as below and click "OK".

Component Name: Certificate and Basic

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /certandbasic/

Default Resource Protection: Protected

Authentication Scheme: Certificate and Basic

 

Click on "Resources" and select "/certandbasic/" context root and click "Create".

Fill in the below and click "OK".

Name: Access Cert and Basic

Resource: *

Allow/Deny: Allow Access, Enabled

Action: GET, POST

Click on "Policies" tab and select "/certandbasic/" from context root.

Assign "Basic Role" to "Access Cert and Basic" resource. Click on "SUBMIT".

 

 

Now test by visiting http://www.sso.lab/certandbasic/

 

You MUST submit the certificate AND submit the correct credential.

 

You will find the SMUSER value is "user1" and not the userDN.

 

Now, there is something interesting in this transaction.

From the user's perspective, you submitted the certificate first, followed by the user credentials.

 

When you submitted the certificate, the agent found that the user credentials were missing.

 

webagenttrace.log

[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Start new request.]

[02/12/2016][18:18:07][6940][6572][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:18:07][6940][6572][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][][/certandbasic/][][Resolved cookie domain '.sso.lab'.]

[02/12/2016][18:18:07][6940][6572][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/12/2016][18:18:07][6940][6572][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Resource is protected from cache.]

[02/12/2016][18:18:07][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Processing IsProtected responses.]

[02/12/2016][18:18:07][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:18:07][6940][6572][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/12/2016][18:18:07][6940][6572][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]

[02/12/2016][18:18:07][6940][6572][SmSCC.cpp:390][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Failed to get Basic credentials.]

[02/12/2016][18:18:07][6940][6572][CSmCredentialManager.cpp:267][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]

[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:1072][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[02/12/2016][18:18:07][6940][6572][CSmChallengeManager.cpp:194][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge.]

[02/12/2016][18:18:07][6940][6572][CSmChallengeManager.cpp:214][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge returned SmExit.]

[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:1096][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Challenge Manager returned SmExit, Time to challenge.]

 

 

As you can see from the trace above, the WA actually expects the certificate AND the Basic credentials at the same time.

On this first request it does not find the Basic credentials (the "Authorization: Basic xxxx" header in the request), so it challenges the user.

That is why you saw the Basic popup and submitted your credentials.
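
The challenge and the follow-up request can be pulled out of webagenttrace.log mechanically. The following is an added example (not part of the original post and not SiteMinder code) that groups trace lines by transaction ID and reports which credentials each request carried; the column names and the `single_factor_logins` check are assumptions, and the sample lines are a subset copied from the traces on this page.

```python
import re
from collections import OrderedDict

# Assumed names for the 13 bracketed columns; the page does not name them.
FIELDS = ("date", "time", "pid", "tid", "source", "function", "txid",
          "client_ip", "unused", "agent", "resource", "user", "message")
# Twelve bracketed columns that cannot contain ']', then the free-text message.
LINE_RE = re.compile(r"^" + r"\[([^\]]*)\]" * 12 + r"\[(.*)\]\s*$")
AUTH_RE = re.compile(r"^User '(.+)' is authenticated by Policy Server\.$")
BASIC_RE = re.compile(r"^Decoded BASIC Context - User '(.+)'$")

# Subset of the trace lines shown on this page: three transactions.
SAMPLE = r"""
[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][][][][][][Start new request.]
[02/12/2016][18:18:07][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]
[02/12/2016][18:18:07][6940][6572][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]
[02/12/2016][18:18:07][6940][6572][SmSCC.cpp:390][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Failed to get Basic credentials.]
[02/12/2016][18:18:07][6940][6572][CSmHighLevelAgent.cpp:1096][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd872f-19ac-03274823][*192.168.201.101][][agent.iis][/certandbasic/][][Challenge Manager returned SmExit, Time to challenge.]
[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]
[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Decoded BASIC Context - User 'user1']
[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][User 'user1' is authenticated by Policy Server.]
[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generated SMSESSION cookie.]
[02/12/2016][18:19:26][6940][6572][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Found session, no credentials required.]
"""


def parse_line(line):
    """Split one trace line into named columns, or return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    return dict(zip(FIELDS, m.groups())) if m else None


def summarize(lines):
    """Group lines by transaction ID and record which credential events occurred."""
    txs = OrderedDict()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["txid"]:
            continue  # blank lines and rows logged without a transaction ID
        tx = txs.setdefault(rec["txid"], {
            "resource": "", "cert_present": False, "basic_user": None,
            "challenged": False, "auth_user": None,
            "session_created": False, "session_reused": False})
        msg = rec["message"]
        tx["resource"] = rec["resource"] or tx["resource"]
        basic, auth = BASIC_RE.match(msg), AUTH_RE.match(msg)
        if msg == "Certificate present":
            tx["cert_present"] = True
        elif basic:
            tx["basic_user"] = basic.group(1)
        elif auth:
            tx["auth_user"] = auth.group(1)
        elif msg.endswith("Time to challenge."):
            tx["challenged"] = True
        elif msg == "Generated SMSESSION cookie.":
            tx["session_created"] = True
        elif msg == "Found session, no credentials required.":
            tx["session_reused"] = True
    return txs


def outcome(tx):
    """Classify a transaction by the strongest event seen in it."""
    if tx["auth_user"]:
        return "authenticated"
    if tx["challenged"]:
        return "challenged"
    if tx["session_reused"]:
        return "session-reused"
    return "other"


def single_factor_logins(txs):
    """Assumed audit check: transaction IDs that authenticated without both the
    certificate and the Basic user being visible in the same transaction."""
    return [txid for txid, tx in txs.items()
            if tx["auth_user"] and not (tx["cert_present"] and tx["basic_user"])]


if __name__ == "__main__":
    txs = summarize(SAMPLE.splitlines())
    for txid, tx in txs.items():
        print(txid[-8:], tx["resource"], outcome(tx),
              "cert" if tx["cert_present"] else "-", tx["basic_user"] or "-")
    print("single-factor logins:", single_factor_logins(txs))
```

The `single_factor_logins` result is only meaningful when the input is filtered to resources protected by the "Certificate and Basic" scheme, since other schemes legitimately authenticate with one factor.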

 

 

webagenttrace.log

[02/12/2016][18:19:24][6940][6572][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Start new request.]

[02/12/2016][18:19:24][6940][6572][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:19:24][6940][6572][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][][/certandbasic/][][Resolved cookie domain '.sso.lab'.]

[02/12/2016][18:19:24][6940][6572][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/12/2016][18:19:24][6940][6572][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Resource is protected from cache.]

[02/12/2016][18:19:24][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:24][6940][6572][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Processing IsProtected responses.]

[02/12/2016][18:19:24][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:24][6940][6572][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]

[02/12/2016][18:19:24][6940][6572][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Decoded BASIC Context - User 'user1']

[02/12/2016][18:19:24][6940][6572][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][Success in collecting credentials.]

[02/12/2016][18:19:24][6940][6572][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][POST preservation, handling return from credential collector.]

[02/12/2016][18:19:24][6940][6572][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][http response https://www.sso.lab/certandbasic/]

[02/12/2016][18:19:24][6940][6572][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][][User 'user1' is authenticated by Policy Server.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing Authentication responses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generated SMSESSION cookie.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd877c-19ac-02c24ae1][*192.168.201.101][][agent.iis][/certandbasic/][user1][End new request.]

 

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Start new request.]

[02/12/2016][18:19:26][6940][6572][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][][][][Resolved agentname: 'agent.iis'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][][][Resolved URL: '/certandbasic/'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][Resolved METHOD: 'GET'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][Resolved cookie domain: '.sso.lab'.]

[02/12/2016][18:19:26][6940][6572][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processed SMSESSION cookie.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Resource is protected from cache.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing IsProtected responses.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Found session, no credentials required.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Validating session 'K0TJSsFO24ywObE2mmcIt7uxTvc=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing Authentication responses.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Generated SMSESSION cookie.]

[02/12/2016][18:19:26][6940][6572][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Processing Authorization responses.]

[02/12/2016][18:19:26][6940][6572][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Removing HTTP cache request headers.]

[02/12/2016][18:19:26][6940][6572][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/12/2016][18:19:26][6940][6572][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][AuthorizationManager returned SmYes, end new request.]

[02/12/2016][18:19:26][6940][6572][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1b1c-56bd877e-19ac-00ed440d][*192.168.201.101][][agent.iis][/certandbasic/][user1][End new request.]

 

 

Here the user is authenticated, redirected to the target resource, and then validated and authorized.

It is always good to follow the trace through to the point where the SMCHALLENGE cookie is deleted at the first authorization, even though the authentication already succeeded at "/siteminderagent/cert/xxxxx/smgetcred.scc".

Note: the certificate CN value and the userID value must match, or the user will not be authenticated.

You cannot use the "user1" certificate and log in with "user2" basic credentials.

As the Authentication Template Name suggests, both certificate and basic authentication must succeed as the same user.

For example, if you submit the "user1" certificate and then enter smuser credentials, you will not be prompted for the certificate, only shown the Basic popup.
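The rule above can be checked mechanically against a Policy Server trace. The following is an added example, not part of the original post or of SiteMinder: it pairs the login name on each "Authenticating user by the auth scheme" line with the CN on the matching "Parsed certificate for SubjectDN" line. It assumes the bracketed field layout of the smtracedefault.log excerpts on this page (login name in the seventh field, thread id right after the message); the sample lines are constructed, with trailing empty fields trimmed.

```python
import re

# Every trace field is wrapped in [...]; empty fields appear as [].
FIELD_RE = re.compile(r"\[([^\[\]]*)\]")
AUTH_MSG = "Authenticating user by the auth scheme"
CERT_MSG = "Parsed certificate for SubjectDN "

# Constructed sample lines modelled on the smtracedefault.log format shown on
# this page. Two requests (threads 620 and 624) are interleaved on purpose.
SAMPLE_TRACE = [
    "[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5259][CSmAuthUser::Authenticate]"
    "[smuser][CN=smuser,CN=Users,DC=sso,DC=lab][SSO LAB Domain Users][]"
    "[Authenticating user by the auth scheme][620][18:40:26.897][Certificate and Basic]",
    "[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5259][CSmAuthUser::Authenticate]"
    "[user1][CN=user1,OU=People,DC=sso,DC=lab][SSO LAB Domain Users][]"
    "[Authenticating user by the auth scheme][624][18:40:26.897][Certificate and Basic]",
    "[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4157][parseCert][][][][]"
    "[Enter function parseCert][624][18:40:26.897]",
    "[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4364][parseCert][][][][]"
    "[Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]"
    "[624][18:40:26.898]",
    "[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4364][parseCert][][][][]"
    "[Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]"
    "[620][18:40:26.898]",
]


def split_fields(line):
    """Return the contents of every [...] field on a trace line, in order."""
    return FIELD_RE.findall(line)


def subject_cn(subject_dn):
    """Return the CN value of a subject DN, or None if it has no CN."""
    # Split on commas that are not backslash-escaped inside an RDN value.
    for rdn in re.split(r"(?<!\\),", subject_dn):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None


def _message_index(fields, prefix):
    """Index of the first field starting with prefix, or -1."""
    for i, field in enumerate(fields):
        if field.startswith(prefix):
            return i
    return -1


def find_identity_mismatches(lines):
    """Pair login name and certificate CN per (pid, thread) and compare them.

    Returns one dict per request, in the order the certificate lines appear.
    """
    pending = {}   # (pid, thread id) -> login name awaiting its certificate
    findings = []
    for line in lines:
        fields = split_fields(line)
        if len(fields) < 7:
            continue  # not a trace line in the assumed layout
        pid = fields[2]

        i = _message_index(fields, AUTH_MSG)
        if 0 <= i < len(fields) - 1:
            # Assumption: the seventh field carries the login name.
            pending[(pid, fields[i + 1])] = fields[6]
            continue

        i = _message_index(fields, CERT_MSG)
        if 0 <= i < len(fields) - 1:
            login = pending.pop((pid, fields[i + 1]), None)
            if login is None:
                continue  # certificate parsed without a preceding auth line
            cn = subject_cn(fields[i][len(CERT_MSG):])
            findings.append({
                "thread": fields[i + 1],
                "login": login,
                "cert_cn": cn,
                "match": cn is not None and cn.lower() == login.lower(),
            })
    return findings


if __name__ == "__main__":
    for f in find_identity_mismatches(SAMPLE_TRACE):
        verdict = "OK" if f["match"] else "MISMATCH"
        print(f"thread {f['thread']}: login={f['login']} cert CN={f['cert_cn']} {verdict}")
```

Trace field layout is configurable, so adjust the field positions if your trace profile differs from the excerpts here.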

 

 

webagenttrace.log - user1 certificate and smuser basic credentials.

[02/12/2016][18:40:26][6940][5940][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Start new request.]

[02/12/2016][18:40:26][6940][5940][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/12/2016][18:40:26][6940][5940][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][][/certandbasic/][][Resolved cookie domain '.sso.lab'.]

[02/12/2016][18:40:26][6940][5940][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Resource is protected from cache.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Processing IsProtected responses.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/12/2016][18:40:26][6940][5940][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Certificate present]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Deleted cookie 'SMSESSION'.]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/12/2016][18:40:26][6940][5940][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Decoded BASIC Context - User 'smuser']

[02/12/2016][18:40:26][6940][5940][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Success in collecting credentials.]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][POST preservation, handling return from credential collector.]

[02/12/2016][18:40:26][6940][5940][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][http response https://www.sso.lab/certandbasic/]

[02/12/2016][18:40:26][6940][5940][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmLowLevelAgent.cpp:1332][AuthenticateUser][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][User 'smuser' is not authenticated by Policy Server.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/12/2016][18:40:26][6940][5940][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Processing Authentication responses.]

[02/12/2016][18:40:26][6940][5940][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/12/2016][18:40:26][6940][5940][CSmHighLevelAgent.cpp:1203][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][AuthenticationManager returned SmNo or SmNoAction, calling ChallengeManager.]

[02/12/2016][18:40:26][6940][5940][CSmChallengeManager.cpp:194][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge.]

[02/12/2016][18:40:26][6940][5940][CSmChallengeManager.cpp:214][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge returned SmExit.]

[02/12/2016][18:40:26][6940][5940][CSmHighLevelAgent.cpp:1230][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1b1c-56bd8c6a-1734-036b3d6c][*192.168.201.101][][agent.iis][/certandbasic/][][Challenge Manager returned SmExit, Time to challenge.]

 

 

If you look at smtracedefault.log, it gives more information about why that decision was made.

smtracedefault.log

[02/12/2016][18:40:26][4372][][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][LDAP search of (&(samaccountname=smuser)(objectclass=*)) took 0 seconds and 1000 microseconds][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsLdapProvider.cpp:2244][CSmDsLdapProvider::Search][][][][][][][][][][][][][][Ldap Search callout succeeds.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'DC=SSO,DC=LAB', Filter: '(samaccountname=smuser)'. Status: 1 entries][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsDir.cpp:446][CSmDsDir::Search][][][][][][][][][][][][][][Return from call Search.][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:75][CSmDsObj::CSmDsObj][][][][][][][][][][][][][][Start of call LookupProvider.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][LDAP:][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsProviderMap.cpp:109][CSmDsProviderMap::LookupProvider][][][][][][][][][][][][][][Enter function CSmDsProviderMap::LookupProvider][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsProviderMap.cpp:204][CSmDsProviderMap::LookupProvider][][][][][][][][][][][][][][Leave function CSmDsProviderMap::LookupProvider][620][18:40:26.897][Ok][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:77][CSmDsObj::CSmDsObj][][][][][][][][][][][][][][Return from call LookupProvider.][620][18:40:26.897][Ok][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:95][CSmDsUser::CSmDsUser][][][][][][][][][][][][][][Start of call InitUser.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][About to initialize User 'CN=smuser,CN=Users,DC=sso,DC=lab' in dir 'SSO LAB Domain Users'][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:106][CSmDsUser::CSmDsUser][][][][][][][][][][][][][][Return from call InitUser.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][Start of call IsValid.][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][][Return from call IsValid.][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:2730][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][Enter function CSmPasswordCheck::PreProcessPassword][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:2737][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][Pre processing the new password...][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:397][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][][Enter function CSmPasswordCheck::FindApplicablePasswordPolicies][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.897][][][][][][][][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:448][CSmPasswordCheck::FindApplicablePasswordPolicies][][][][][][][][][][][][][][Leave function CSmPasswordCheck::FindApplicablePasswordPolicies][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmPasswordCheck.cpp:2768][CSmPasswordCheck::PreProcessPassword][][][][][][][][][][][][][][Leave function CSmPasswordCheck::PreProcessPassword][620][18:40:26.897][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5108][CSmAuthUser::Authenticate][][][][][][][][][][][][][][Enter function CSmAuthUser::Authenticate][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:5259][CSmAuthUser::Authenticate][smuser][CN=smuser,CN=Users,DC=sso,DC=lab][SSO LAB Domain Users][MhzVSejYJWIEOSqX42numCra1ZY=][][][][][][][][][][Authenticating user by the auth scheme][620][18:40:26.897][][][][][][][][][][][][][][Certificate and Basic][][][][][][][][][][][][][][][][][LDAP://192.168.201.101 192.168.201.102/CN=smuser,CN=Users,DC=sso,DC=lab][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:773][CSmObjCache::Lookup][][][][][][][][][][][][][][Look up a cached object.][620][18:40:26.897][][][][][][][][06-c4ebbaaa-cf13-4337-bded-0734edc5b369][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5497][SmAuthenticate][][][][][][][][][][][][][][Enter function SmAuthenticate][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3893][getSpecificScheme][][][][][][][][][][][][][][Enter function getSpecificScheme][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3918][getSpecificScheme][][][][][][][][][][][][][][Auth Scheme used: Cert+Basic][620][18:40:26.897][][][][][][][][][][][][][][Cert+Basic][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3962][getSpecificScheme][][][][][][][][][][][][][][Leave function getSpecificScheme][620][18:40:26.897][2][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5748][SmAuthenticate][CN=smuser,CN=Users,DC=sso,DC=lab][][][][][][][][][][][][][Verifying user's basic credentials][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4157][parseCert][][][][][][][][][][][][][][Enter function parseCert][620][18:40:26.897][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2692][dump_hex][][][][][][][][][][][][][][length of serial is: 10][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2709][dump_hex][][][][][][][][][][][][][][Printing serial: 61][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  35][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  DB][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  32][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  00][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2717][dump_hex][][][][][][][][][][][][][][Printing serial:  07][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][certcHelper.cpp:795][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][Enter function RSA_GetCRLDistributionPoint][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][certcHelper.cpp:905][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][certcHelper.cpp:918][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][Leave function RSA_GetCRLDistributionPoint][620][18:40:26.898][CDP's found in Cert][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4364][parseCert][][][][][][][][][][][][][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][620][18:40:26.898][][][][][][][][][][][][][][][61 35 DB 32 00 00 00 00 00 07][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][DC=lab,DC=sso,CN=TESTLABCA][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:4367][parseCert][][][][][][][][][][][][][][Leave function parseCert][620][18:40:26.898][0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.001000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5969][SmAuthenticate][][][][][][][][][][][][][][Print currentCert.certBinLen: 1348][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5977][SmAuthenticate][][][][][][][][][][][][][][Print currentCert's subjectDN, issuerDN, CertSerial and CertDistPt][620][18:40:26.898][][][][][][][][][][][][][][][61 35 DB 32 00 00 00 00 00 07][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][DC=lab,DC=sso,CN=TESTLABCA][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.898][][][][][][][][0a-00000000-0000-0000-0000-000000000000][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.898][][][][][][][][16-8fd4a1a4-6eea-414e-9952-e3d8a301e9fc][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:539][GetCertMapObject][][][][][][][][][][][][][][Comparing to IssuerDN.][620][18:40:26.898][][][][][][][][][][][][][][][][][DC=lab,DC=sso,CN=TESTLABCA][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:5999][SmAuthenticate][][][][][][][][][][][][][][Certificate's Issuer DN found in mapping rules][620][18:40:26.898][][][][][][][][][][][][][][][][][DC=lab,DC=sso,CN=TESTLABCA][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2906][ApplyMapToLDAPRules][][][][][][][][][][][][][][Enter function ApplyMapToLDAPRules][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:2920][ApplyMapToLDAPRules][][][][][][][][][][][][][][map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  using string: '(%{CN})'][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (certSerialNumber)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (certSerialNumber).(certSerialNumber)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (certSerialNumber.certSerialNumber) Value is (61 35 DB 32 00 00 00 00 00 07)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (IssuerDN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (IssuerDN).(IssuerDN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (IssuerDN.IssuerDN) Value is (DC=lab,DC=sso,CN=TESTLABCA)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (DC).(DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (DC.DC) Value is (lab)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (DC2).(DC)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (DC2.DC) Value is (sso)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (OU)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (OU).(OU)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (OU.OU) Value is (People)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (CN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (CN).(CN)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (CN.CN) Value is (user1)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3179][ApplyMapToLDAPRules][][][][][][][][][][][][][][aname is (E)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3185][ApplyMapToLDAPRules][][][][][][][][][][][][][][category.aname is (E).(E)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][][][][][][][][][][][][Name is (E.E) Value is (user1@sso.lab)][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3529][MapOneRuleString][][][][][][][][][][][][][][Enter function MapOneRuleString][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3590][ApplyMapToLDAPRules][][][][][][][][][][][][][][Final option 0 is 'CN'][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3615][ApplyMapToLDAPRules][][][][][][][][][][][][][][Parameter is CN][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'certSerialNumber' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'certSerialNumber.certSerialNumber' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'IssuerDN' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'IssuerDN.IssuerDN' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC.DC' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC2' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'DC2.DC' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'OU' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'OU.OU' to 'CN' : No Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3699][ApplyMapToLDAPRules][][][][][][][][][][][][][][Compared 'CN' to 'CN' : Match][620][18:40:26.898][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3833][MapOneRuleString][][][][][][][][][][][][][][returning success.][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3836][MapOneRuleString][][][][][][][][][][][][][][Leave function MapOneRuleString][620][18:40:26.899][user1][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.001000][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:841][AuthenticateDsUser][][][][][][][][][][][][][][Enter function AuthenticateDsUser][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:94][CSmDsObj::IsValid][][][][][][][][][][][][][][Start of call IsValid.][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsObj.cpp:96][CSmDsObj::IsValid][][][][][][][][][][][][][][Return from call IsValid.][620][18:40:26.899][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:229][CSmDsUser::Authenticate][][][][][][][][][][][][][][Start of call AuthenticateUser.][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][User ='CN=smuser,CN=Users,DC=sso,DC=lab'][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjCache.cpp:824][CSmObjCache::Fetch][][][][][][][][][][][][][][Retrieve an object from the object cache.][620][18:40:26.899][][][][][][][][1c-67b3c2b0-9e28-11d3-95e7-00c04f7468ef][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmObjStore.cpp:3339][IsADEnhanced][][][][][][][][][][][][][][Global Preferences:][620][18:40:26.899][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmDsUser.cpp:238][CSmDsUser::Authenticate][][][][][][][][][][][][][][Return from call AuthenticateUser.][620][18:40:26.899][true][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[02/12/2016][18:40:26][4372][][SmAuthUser.cpp:875][AuthenticateDsUser][][][][][][][][][][][][][][Leave function AuthenticateDsUser][620][18:40:26.899][0][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000000][]

[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:6182][SmAuthenticate][smuser][][][][][][][][][][][][][Cert+Basic/Cert+Form credentials does not match certificate credentials][620][18:40:26.933][][][][][][][][][][][][][][][][user1][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

 

 

You can see from the snippet above that the username extracted from the certificate is "user1", but the user searched for was "smuser".

So, when they do not match, the user is not authenticated.

It is interesting to see that the Basic credential was processed first, although it was provided after the certificate.
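The mismatch recorded in the trace above can be searched for across a whole Policy Server trace file. The following is an added example, not code from the original post or from the product: it rebuilds, per worker, the certificate attributes and the attribute the mapping matched, then reports every "does not match certificate credentials" event with both identities. The sample lines are constructed in the layout of the trace, and treating the column after the message as a per-worker key is an assumption.

```python
import re

FIELD = re.compile(r"\[([^\]]*)\]")
SRC = re.compile(r"^\w+\.cpp:\d+$")
NAME_VALUE = re.compile(r"^Name is \(([^.()]+)\.[^()]*\) Value is \((.*)\)$")
MATCHED = re.compile(r"^Compared '([^']+)' to '[^']+' : Match$")
MISMATCH = "credentials does not match certificate credentials"

# Constructed sample in the layout of the trace above (most empty [] columns
# dropped). Worker 621 is interleaved to show why state is kept per worker.
SAMPLE = """\
[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][Name is (CN.CN) Value is (user1)][620][18:40:26.898][]
[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3249][ApplyMapToLDAPRules][][][Name is (CN.CN) Value is (user2)][621][18:40:26.898][]
[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3691][ApplyMapToLDAPRules][][][Compared 'OU' to 'CN' : No Match][620][18:40:26.898][]
[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3699][ApplyMapToLDAPRules][][][Compared 'CN' to 'CN' : Match][620][18:40:26.898][]
[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:3699][ApplyMapToLDAPRules][][][Compared 'CN' to 'CN' : Match][621][18:40:26.899][]
[02/12/2016][18:40:26][4372][][SmAuthCert.cpp:6182][SmAuthenticate][smuser][][Cert+Basic/Cert+Form credentials does not match certificate credentials][620][18:40:26.933][][user1][]
"""


def classify(msg):
    """Return (kind, attr, value) for the three message types of interest."""
    m = NAME_VALUE.match(msg)
    if m:
        return ("attr", m.group(1), m.group(2))
    m = MATCHED.match(msg)
    if m:
        return ("mapped", m.group(1), None)
    if msg.endswith(MISMATCH):
        return ("mismatch", None, None)
    return None


def find_mismatches(trace_text):
    """List certificate/password identity mismatches found in a trace."""
    state = {}   # worker key -> certificate attributes seen so far
    alerts = []
    for line in trace_text.splitlines():
        cols = FIELD.findall(line)
        src = next((i for i, c in enumerate(cols) if SRC.match(c)), None)
        if src is None or len(cols) < src + 3:
            continue
        for i in range(src + 2, len(cols)):
            event = classify(cols[i])
            if event is None:
                continue
            # Assumption: the column after the message identifies the worker.
            key = cols[i + 1] if i + 1 < len(cols) else ""
            st = state.setdefault(key, {"attrs": {}, "mapped": None})
            kind, attr, value = event
            if kind == "attr":
                st["attrs"][attr] = value
            elif kind == "mapped":
                st["mapped"] = attr
            else:
                alerts.append({
                    "date": cols[0],
                    "time": cols[1],
                    # Column after the function name carries the supplied user.
                    "supplied_user": cols[src + 2],
                    "cert_attr": st["mapped"],
                    "cert_value": st["attrs"].get(st["mapped"]),
                })
                state.pop(key, None)
            break
    return alerts


if __name__ == "__main__":
    for a in find_mismatches(SAMPLE):
        print("{date} {time} supplied={supplied_user} "
              "certificate {cert_attr}={cert_value}".format(**a))
```
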

 

 

X.509 Certificate or Form

 

This is similar to "Certificate or Basic"; the only difference is that it will display the Login Form if you do not submit a certificate.

 

* Make sure you have the content on your web server for /certorform/ virtual directory.

* Create "X.509 Certificate or Form Authentication" Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping (skip this step as it is already configured)

* Configure "SSL Setting" for "/siteminderagent/certoptional" (skip this step as it is already configured)

 

Create "X.509 Certificate or Form Authentication" Scheme.

 

As usual, previously demonstrated steps will be skipped.

Create "Certificate or Form" Authentication Scheme as below.

Fill in the following and submit

Name: Certificate or Form

Authentication Scheme Type: X509 Client Cert or Form Template

Protection Level: 5

     Note: As this is single-factor authentication, its default security protection level is again 5.

Password Policies enabled for this Authentication Scheme: true

     Note: The Form authentication part involves a password, so the password policy can be applied here.

Server Name: www.sso.lab

Target: /siteminderagent/certoptional/forms/login.sfcc

     Note: This would be your first time seeing the ".sfcc" extension. When you log in via the regular Form Authentication Scheme, you still use the ".fcc" extension even when you specify an https secure connection. ".sfcc" is used for Form Authentication Schemes that involve a certificate.

Library: smauthcertorform

     Note: The Parameter will show "login.sfcc?certorform", which identifies it as a cert or form authentication scheme.

 

 

 

 

Create Component and Resource from AdminUI to protect this resource.

 

Create Component as below and click "OK".

Component Name: Certificate or Form

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /certorform/

Default Resource Protection: Protected

Authentication Scheme: Certificate or Form

 

Click on "Resources" tab and select "/certorform/" context root and click "Create".

Fill in the below and click "OK".

Name: Access Cert and Form

Resource: *

Allow/Deny: Allow Access, Enabled

Action: GET, POST

 

Click on "Policies" tab and select "/certorform/" from context root.

Assign "Basic Role" to "Access Cert or Form" resource. Click on "SUBMIT".

 

 

Test use case #1 (Submit Certificate)

 

Now visit http://www.sso.lab/certorform/ to test.

Submit user1 client certificate.

 

webagenttrace.log

[02/15/2016][10:05:03][6460][6504][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Start new request.]

[02/15/2016][10:05:03][6460][6504][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/15/2016][10:05:03][6460][6504][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:05:03][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:05:03][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:05:03][6460][6504][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[02/15/2016][10:05:03][6460][6504][CSmFormTemplateCache.cpp:209][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' not found in cache.]

[02/15/2016][10:05:04][6460][6504][CSmFormTemplateCache.cpp:226][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from disk.]

[02/15/2016][10:05:04][6460][6504][CSmFormTemplateCache.cpp:269][CSmFormTemplateCache::GetForm][][][][][][][Form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' stored in cache.]

[02/15/2016][10:05:04][6460][6504][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][][/certorform/][][Resolved cookie domain '.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:503][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Resource is protected from Policy Server.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Processing IsProtected responses.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/15/2016][10:05:04][6460][6504][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Success in collecting credentials.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][POST preservation, handling return from credential collector.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][http response https://www.sso.lab/certorform/]

[02/15/2016][10:05:04][6460][6504][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][User 'unknown' is authenticated by Policy Server.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Processing Authentication responses.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Deleted cookie 'SMTRYNO'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][Generated SMSESSION cookie.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c1081f-1968-02e64823][*192.168.201.101][][agent.iis][/certorform/][][End new request.]

 

As you can see above, with Certificate authentication you will not find the message "User 'user1' is authenticated by Policy Server."

The user is reported as "unknown".

 

webagenttrace.log

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Start new request.]

[02/15/2016][10:05:04][6460][6504][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][][][][Resolved agentname: 'agent.iis'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorform/'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Resolved METHOD: 'GET'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Resolved cookie domain: '.sso.lab'.]

[02/15/2016][10:05:04][6460][6504][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processed SMSESSION cookie.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Resource is protected from cache.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processing IsProtected responses.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Found session, no credentials required.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Validating session 's+PHowZSx8rCMp7i8K9dYhw4YaI=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processing Authentication responses.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Generated SMSESSION cookie.]

[02/15/2016][10:05:04][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Processing Authorization responses.]

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Removing HTTP cache request headers.]

[02/15/2016][10:05:04][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Deleted cookie 'SMCHALLENGE'.]

[02/15/2016][10:05:04][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][AuthorizationManager returned SmYes, end new request.]

[02/15/2016][10:05:04][6460][6504][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][End new request.]

 

 

Test use case #2 (Do not submit Certificate)

 

Now visit http://www.sso.lab/certorform/ to test.

Cancel user1 client certificate and submit form credentials.

 

 

Again, you will notice the SMUSER value is not the userDN but the userID.

webagenttrace.log

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Start new request.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:24:24][6460][6504][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[02/15/2016][10:24:24][6460][6504][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from cache.]

[02/15/2016][10:24:24][6460][6504][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][][/certorform/][][Resolved cookie domain '.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Resource is protected from cache.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Processing IsProtected responses.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/15/2016][10:24:24][6460][6504][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][Success in collecting credentials.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][POST preservation, handling return from credential collector.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][http response https://www.sso.lab/certorform/]

[02/15/2016][10:24:24][6460][6504][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][][User 'user1' is authenticated by Policy Server.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Processing Authentication responses.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Deleted cookie 'SMTRYNO'.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][Generated SMSESSION cookie.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-01576bfc][*192.168.201.101][][agent.iis][/certorform/][user1][End new request.]
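The two login traces above (certificate at 10:05, form at 10:24) differ in ways that can be checked mechanically. The following added example, which is not part of the original post or the product, tags each login as certificate or form and recovers the user DN for an 'unknown' login from the follow-up request's decoded SMSESSION cookie. The sample lines are constructed with placeholder transaction IDs, and both the classification rule and the pairing by client IP are heuristics inferred from these two traces.

```python
import re

FIELD = re.compile(r"\[([^\]]*)\]")
AUTHENTICATED = re.compile(r"^User '(.*)' is authenticated by Policy Server\.$")
SESSION_USER = re.compile(
    r"^Decoded SMSESSION cookie - User = '(.*)', IP address = '(.*)'\.$")
CERT_DONE = "Generating SMCHALLENGE=SSL_CHALLENGE_DONE"

# Constructed sample in the 13-column layout of webagenttrace.log shown above.
# txn-0001 .. txn-0004 are placeholder transaction IDs.
SAMPLE = """\
[02/15/2016][10:05:04][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][txn-0001][*192.168.201.101][][agent.iis][/certorform/][][User 'unknown' is authenticated by Policy Server.]
[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][txn-0001][*192.168.201.101][][agent.iis][/certorform/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]
[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][txn-0002][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]
[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:1200][AuthenticateUser][txn-0003][*192.168.201.101][][agent.iis][/certorform/][][User 'user1' is authenticated by Policy Server.]
[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][txn-0004][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
"""


def parse(line):
    """Split one trace line into the columns used below, or return None."""
    cols = FIELD.findall(line)
    if len(cols) != 13:
        return None
    return {
        "time": cols[1],
        "txn": cols[6],
        "client": cols[7].lstrip("*"),
        "resource": cols[10],
        "message": cols[12],
    }


def classify_logins(trace_text):
    """Return one record per Policy Server authentication, in log order."""
    logins = {}  # transaction ID -> login record
    for line in trace_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["txn"]:
            continue  # lines without a transaction ID carry no login data
        msg = rec["message"]
        m = AUTHENTICATED.match(msg)
        if m:
            logins[rec["txn"]] = {
                "time": rec["time"], "client": rec["client"],
                "resource": rec["resource"], "agent_user": m.group(1),
                "cert_cookie": False, "session_user": None,
            }
            continue
        if msg.startswith(CERT_DONE) and rec["txn"] in logins:
            logins[rec["txn"]]["cert_cookie"] = True
            continue
        m = SESSION_USER.match(msg)
        if m:
            # Heuristic: the follow-up request belongs to the most recent
            # login seen from the same client IP.
            for login in reversed(list(logins.values())):
                if login["client"] == m.group(2):
                    if login["session_user"] is None:
                        login["session_user"] = m.group(1)
                    break
    for login in logins.values():
        if login["agent_user"] == "unknown" and login["cert_cookie"]:
            login["method"] = "certificate"
        elif login["agent_user"] != "unknown":
            login["method"] = "form"
        else:
            login["method"] = "undetermined"
    return list(logins.values())


if __name__ == "__main__":
    for login in classify_logins(SAMPLE):
        print(login["time"], login["method"], login["agent_user"],
              login["session_user"])
```
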

 

webagenttrace.log

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Start new request.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][][][][Resolved agentname: 'agent.iis'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorform/'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][Resolved METHOD: 'GET'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][Resolved cookie domain: '.sso.lab'.]

[02/15/2016][10:24:24][6460][6504][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processed SMSESSION cookie.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Resource is protected from cache.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processing IsProtected responses.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Found session, no credentials required.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Validating session 'aQAinAqI0X39jGj3FxaTvv8uc+k=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processing Authentication responses.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Generated SMSESSION cookie.]

[02/15/2016][10:24:24][6460][6504][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Processing Authorization responses.]

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Removing HTTP cache request headers.]

[02/15/2016][10:24:24][6460][6504][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/15/2016][10:24:24][6460][6504][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][AuthorizationManager returned SmYes, end new request.]

[02/15/2016][10:24:24][6460][6504][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][End new request.]

 

Another interesting thing to note is that, when the user is authenticated by certificate, the "User" field is empty.

Certificate or Form Authentication

[Date][Time][Pid][Tid][SrcFile][Function][TransactionID][IPAddr][IPPort][AgentName][Resource][User][Message]

Authenticated by Certificate:

[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10820-1968-02c30099][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

Authenticated by Form:

[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-193c-56c10ca8-1968-016f1a49][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

 

 

Create "X.509 Certificate and Form Authentication" Scheme.

 

As usual, previously demonstrated steps will be skipped.

Create "Certificate and Form" Authentication Scheme as below.

Fill in the following and submit

Name: Certificate and Form

Authentication Scheme Type: X509 Client Cert or Form Template

Protection Level: 15

     Note: As this is another 2FA, its default security protection level is again 15.

Password Policies enabled for this Authentication Scheme: true

     Note: The Form authentication part involves a password, so the password policy can be applied here.

Server Name: www.sso.lab

Target: /siteminderagent/certoptional/forms/login.sfcc

     Note: Although this authentication scheme requires a client certificate, both "Certificate or Form" and "Certificate and Form" redirect to this "certoptional" directory.

Library: smauthcert

     Note: The library is different from that of "Certificate or Form", and the Parameter will show "login.sfcc?cert+forms" to indicate that it requires both the certificate and the form credentials.

 

 

Create Component and Resource from AdminUI to protect this resource.

 

Create Component as below and click "OK".

Component Name: Certificate and Form

Agent Type: Web Agent

Agent: agent.iis

Resource Filter: /certandform/

Default Resource Protection: Protected

Authentication Scheme: Certificate and Form

 

Click on "Resources" tab and select "/certandform/" context root and click "Create".

Fill in the below and click "OK".

Name: Access Cert and Form

Resource: *

Allow/Deny: Allow Access, Enabled

Action: GET, POST

 

Click on "Policies" tab and select "/certandform/" from context root.

Assign "Basic Role" to "Access Cert or Form" resource. Click on "SUBMIT".

 

 

Test use case #1 (Submit Certificate and correct Form credential)

 

Now visit http://www.sso.lab/certandform/ to test.

Submit user1 client certificate and user1 form credentials.

 

 

webagenttrace.log

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Start new request.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][11:50:00][6576][2116][SmFCC.cpp:2917][SmFcc::getLocalePath][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][][][][Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

[02/15/2016][11:50:00][6576][2116][CSmFormTemplateCache.cpp:196][CSmFormTemplateCache::GetForm][][][][][][][Serving form template 'C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc' from cache.]

[02/15/2016][11:50:00][6576][2116][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][][/certandform/][][Resolved cookie domain '.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Resource is protected from cache.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Processing IsProtected responses.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/15/2016][11:50:00][6576][2116][SmFCC.cpp:703][SmFcc::getCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][Success in collecting credentials.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][POST preservation, handling return from credential collector.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][http response https://www.sso.lab/certandform/]

[02/15/2016][11:50:00][6576][2116][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][][User 'user1' is authenticated by Policy Server.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Processing Authentication responses.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Deleted cookie 'SMTRYNO'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1415][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][SAVEDSESSION Cookie Created.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][Generated SMSESSION cookie.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-00276784][*192.168.201.101][][agent.iis][/certandform/][user1][End new request.]

I find that there is a "SAVEDSESSION" cookie after user1 was authenticated.

This cookie did not get generated for the "Certificate and Basic" authentication scheme, so this appears to be unique to "Certificate and Form" authentication.

webagenttrace.log

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Start new request.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][][][][Resolved agentname: 'agent.iis'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][][][Resolved URL: '/certandform/'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][Resolved METHOD: 'GET'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][Resolved cookie domain: '.sso.lab'.]

[02/15/2016][11:50:00][6576][2116][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processed SMSESSION cookie.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Resource is protected from cache.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processing IsProtected responses.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Found session, no credentials required.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Validating session 'I0n2BM4qml4/uGHk2AzGJbZlRzk=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processing Authentication responses.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Generated SMSESSION cookie.]

[02/15/2016][11:50:00][6576][2116][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Processing Authorization responses.]

[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Removing HTTP cache request headers.]

[02/15/2016][11:50:00][6576][2116][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/15/2016][11:50:00][6576][2116][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][AuthorizationManager returned SmYes, end new request.]

[02/15/2016][11:50:00][6576][2116][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-19b0-56c120b8-0844-005e305e][*192.168.201.101][][agent.iis][/certandform/][user1][End new request.]

There is no sign of the SAVEDSESSION cookie being deleted, but the header dump page shows no sign of this cookie, so it is deleted.

 

Due to the above "SAVEDSESSION" cookie, I wrote instructions on how to install and configure Fiddler to capture HTTPS traffic below.

 

How to install fiddler and capture https traffic

 

 

 

As you can see from the captured traffic above, there is no "set-cookie: SAVEDSESSION=xxxx" in the response.

So, it never was actually set. It only appears in the webagenttrace.log and nowhere else.

This SAVEDSESSION cookie is for impersonation, and what I set up is Certificate and Form.

 

Looking back at the "Certificate and Forms" authentication scheme, the TARGET should have been login.sfcc, but it actually sets login.fcc (note the extension difference).

So, once I changed the target to point to login.sfcc, this SAVEDSESSION is not logged anymore.

It is a defect in the code (why it logs SAVEDSESSION when login.fcc is used) and is a cosmetic issue.

It is another defect that the base objects for the "Certificate and Forms" template point to login.fcc.

Please ensure that you specify the target to login.sfcc for "Certificate or Form" and "Certificate and Form" authentication.
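Two observations above can be checked across a whole webagenttrace.log: the empty "User" field when the SMSESSION cookie is decoded after a certificate login, and the "SAVEDSESSION Cookie Created." message that stopped once the target was login.sfcc. The Python below is an added example, not part of the original article or of the product; its function names, finding labels and the shortened transaction IDs are assumptions, and the sample lines are constructed from the traces shown in this article.

```python
import re

# Field order as given by the header line shown in this article.
FIELDS = ("Date", "Time", "Pid", "Tid", "SrcFile", "Function", "TransactionID",
          "IPAddr", "IPPort", "AgentName", "Resource", "User", "Message")

# Twelve bracketed fields that never contain ']', then the message, matched
# greedily to the last ']' so brackets inside it do not split the record.
LINE_RE = re.compile(r"^\s*" + r"\[([^\]]*)\]" * 12 + r"\[(.*)\]\s*$")
DECODED_RE = re.compile(r"Decoded SMSESSION cookie - User = '([^']*)'")
AUTH_RE = re.compile(r"User '([^']*)' is authenticated (by Policy Server|from cache)")


def parse_line(line):
    """Return a dict keyed by FIELDS, or None if the line is not a trace record."""
    m = LINE_RE.match(line)
    return dict(zip(FIELDS, m.groups())) if m else None


def summarize(lines):
    """Group records by TransactionID and keep the facts the article looks at."""
    txns = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["TransactionID"]:
            continue  # blank lines and records logged without a transaction id
        t = txns.setdefault(rec["TransactionID"], {
            "resource": "", "cookie_dn": None, "user_at_decode": None,
            "auth_source": None, "saved_session_logged": False})
        if rec["Resource"]:
            t["resource"] = rec["Resource"]
        msg = rec["Message"]
        m = DECODED_RE.search(msg)
        if m:
            t["cookie_dn"] = m.group(1)          # DN carried inside the cookie
            t["user_at_decode"] = rec["User"]    # what the User column held then
        m = AUTH_RE.search(msg)
        if m:
            t["auth_source"] = m.group(2)
        if "SAVEDSESSION Cookie Created" in msg:
            t["saved_session_logged"] = True
    return txns


def findings(txns):
    """Label the two patterns described in the article (labels are assumptions)."""
    out = []
    for tid, t in txns.items():
        # Cookie decoded to a DN while the User column was empty: the pattern
        # the article shows for a certificate login.
        if t["cookie_dn"] and t["user_at_decode"] == "":
            out.append((tid, "EMPTY_USER_AT_DECODE"))
        # The article saw this message only while the target was login.fcc.
        if t["saved_session_logged"]:
            out.append((tid, "SAVEDSESSION_LOGGED"))
    return out


# Constructed sample: same layout as the article's traces, shortened txn ids.
SAMPLE = """\
[02/15/2016][10:05:04][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][txn-cert][*192.168.201.101][][agent.iis][/certorform/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[02/15/2016][10:24:24][6460][6504][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][txn-form][*192.168.201.101][][agent.iis][/certorform/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]
[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]
[02/15/2016][11:50:00][6576][2116][CSmLowLevelAgent.cpp:1200][AuthenticateUser][txn-and][*192.168.201.101][][agent.iis][/certandform/][][User 'user1' is authenticated by Policy Server.]
[02/15/2016][11:50:00][6576][2116][CSmHttpPlugin.cpp:1415][CSmHttpPlugin::CreateSession][txn-and][*192.168.201.101][][agent.iis][/certandform/][user1][SAVEDSESSION Cookie Created.]
""".splitlines()

if __name__ == "__main__":
    for tid, label in findings(summarize(SAMPLE)):
        print(tid, label)
```

To run it against a real trace, pass the lines of the file to `summarize()` instead of `SAMPLE`.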

 

This concludes all the certificate authentication schemes.

 

In the next article, we will explore the Windows Authentication.

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series. (links below)

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 5.

 

We have all the prerequisites (except for one configuration at the Web Server side) so we can now proceed to configure the "X.509 Certificate Only".

 

X.509 Certificate Only

 

We need the following to set up the use case.

 

* Make sure you have the content on your web server for /cert/ virtual directory.

* Create X.509 Certificate Authentication Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping

* Configure "SSL Setting" for "/siteminderagent/cert".

 

Create X.509 Certificate Authentication Scheme

Previously demonstrated steps will be skipped.

 

Enter the following and submit.

 

Name: Certificate Only

Authentication Scheme Type: X509 Client Cert Template

Protection Level: 5

Server Name: www.sso.lab

Target: /siteminderagent/cert/smgetcred.scc

Library: smauthcert

 

Create Component and Resource from AdminUI to protect this resource.

 

Click on "Create Component".

Click "OK"

Click "Resources" tab.

 

Select "/cert/" from "Select a context root" and click "Create".

Enter the following and click "OK".

 

Name: Access Cert Only

Resource: *

Allow/Deny: Allow Access, Enabled

Action: Web Agent actions, GET, POST

 

Click on "OK"

 

Click on "Policies" tab and select "/cert/" from "Select a context root".

Then assign "Basic Role" to "Access Cert Only" resource.

 

Click "Submit".

 

Create Certificate Mapping

Certificate Mapping is registering the IssuerDN of the trusted Certificate Authority.

In order to create Certificate Mapping, you first need to know how SiteMinder reads the certificate.

It can be completely different from what you might expect, so we will enable the Policy Server trace profiler to get this information.

 

I am using the following profiler template.

<PS>/config/smtracedefault.txt

components: AgentFunc/IsProtected, AgentFunc/Login, AgentFunc/ChangePassword, AgentFunc/Validate, AgentFunc/Logout, AgentFunc/Authorize, AgentFunc/GetConfig, AgentFunc/DoManagement, AgentFunc/GetSingleUseCookie, AgentFunc/SetSingleUseCookie, AgentFunc/DelSingleUseCookie, IsProtected, Login_Logout/Authentication, Login_Logout/Policy_Evaluation, Login_Logout/Active_Expression, Login_Logout/Password_Service, Login_Logout/Certificates, Login_Logout/Session_Management, IsAuthorized/Policy_Evaluation, LDAP/Connection_Management, LDAP/Performance_Measurement, LDAP/Ldap_Error_Messages, Fed_Server/Assertion_Generator, Fed_Server/Auth_Scheme, Fed_Server/Configuration, Fed_Server/Single_Logout, Fed_Server/Saml_Requester

data: Date, Time, User, Message, Data, AgentName, Resource, AuthStatus, AuthReason, CertDistPt, Query, CallDetail, Pid, Tid, IssuerDN, SubjectDN

version: 1.1

 

The template above has four lines: "components", "data", "version" and one empty line.

It is not the minimum required, so it will log much more data than this use case needs.

It is a template that I use regularly.

 

Now, if you visit http://www.sso.lab/cert/ your browser will redirect to https://www.sso.lab/siteminderagent/cert/1454918713/smgetcred.scc?TYPE=16777244&REALM=-SM-Certificate%20Only%20[19%3a05%…  and you will get "Access Forbidden HTML".

 

 

This is the expected behaviour at this stage.

This is where we need to configure the last prerequisite, the configuration at the Web Server side.

Load IIS Management Console and navigate to "/siteminderagent/cert" virtual directory.

 

 

At the right pane, click on "SSL Settings".

Set the following and click "Apply".

 

Require SSL: true

Client certificates: Require

 

Now, visit http://www.sso.lab/cert/ and this time you will get a certificate popup as below.

 

 

Some browsers will submit the certificate automatically if there is only one client certificate.

Chrome will prompt.

Click "OK" to submit the certificate.

 

It is expected to fail at this stage because we do not have the certificate mapping configured yet.

What we are doing here is submitting a client certificate and capturing from smtracedefault.log how SiteMinder parses the IssuerDN of this certificate.

 

smtracedefault.log

[02/08/2016][19:38:10][][** Received request from agent][][agent.iis][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Authenticating user.][][agent.iis][/cert/][5][0][][][][3684][4420][][]

[02/08/2016][19:38:10][][Using LDAP server bank #1][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Enter function getSpecificScheme][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Auth Scheme used: Cert][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Enter function parseCert][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][length of serial is: 10][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial: 61][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  35][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  DB][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  32][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Printing serial:  07][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:38:10][][currentCert.certBinLen: 1348][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Print currentCert's subjectDN, issuerDN, serialNumber and CertDIstPt.][][][][][][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:38:10][][Mapping issuerDN thing][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Unable to find issuer DN in certificate mapping rules][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][Authentication failed][][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][3684][4420][][]

[02/08/2016][19:38:10][][** Status: Authentication Attempt Failed. ][][agent.iis][][][][][][][3684][4420][][]

 

Look for the "Parsed certificate" and you will find [IssuerDN] and [SubjectDN] at the end of the line.

It was parsed as below.

IssuerDN: DC=lab,DC=sso,CN=TESTLABCA

SubjectDN: DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab

 

You can see the DN components are in reverse order. Some certificates are parsed with a space after each comma; this one was not.

There can also be escaped characters, so getting the IssuerDN from smtracedefault.log is the best way.

 

Another way is to import the certificate into the Certificate Data Store and use smkeytool to list the certificates, which will also give the same parsed IssuerDN.
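Reading the parsed IssuerDN and the mapping verdict out of smtracedefault.log, as an added example (not part of the original post and not SiteMinder code). It assumes the 16-column `data:` order from the template above; the sample lines are re-typed from the traces on this page, before and after the mapping exists.

```python
# Column order taken from the `data:` line of the trace template on this page.
FIELDS = ["Date", "Time", "User", "Message", "Data", "AgentName", "Resource",
          "AuthStatus", "AuthReason", "CertDistPt", "Query", "CallDetail",
          "Pid", "Tid", "IssuerDN", "SubjectDN"]

# Messages the Policy Server logs for the mapping verdict (as seen on this page).
NOT_MAPPED = "Unable to find issuer DN in certificate mapping rules"
MAPPED = "Certificate's Issuer DN found in mapping rules"


def split_fields(line):
    """Split one trace line into its top-level [..] columns.

    A message can contain brackets of its own, for example
    "[Processing Attribute [Property = SM_USERDN] ...]", so nesting depth is
    tracked instead of splitting on "][".
    """
    fields, depth, current = [], 0, []
    for ch in line.strip():
        if ch == "[":
            depth += 1
            if depth == 1:          # opening bracket of a new column
                current = []
                continue
        elif ch == "]":
            depth -= 1
            if depth == 0:          # closing bracket of the column
                fields.append("".join(current))
                continue
            if depth < 0:
                raise ValueError("unbalanced ']' in trace line")
        if depth >= 1:              # text (or nested brackets) inside a column
            current.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '[' in trace line")
    return fields


def parse_line(line):
    """Map one trace line onto the column names of the profiler template."""
    values = split_fields(line)
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}")
    return dict(zip(FIELDS, values))


def issuer_mapping_events(lines):
    """Return (Time, IssuerDN, outcome) for each mapping verdict in the trace.

    The issuer is remembered per (Pid, Tid) from the "Parsed certificate"
    record and paired with the verdict logged later on the same thread.
    """
    last_issuer, events = {}, []
    for line in lines:
        if not line.strip():        # the log on this page has blank lines
            continue
        rec = parse_line(line)
        thread = (rec["Pid"], rec["Tid"])
        msg = rec["Message"]
        if msg.startswith("Parsed certificate"):
            last_issuer[thread] = rec["IssuerDN"]
        elif msg.startswith(NOT_MAPPED):
            events.append((rec["Time"], last_issuer.get(thread, ""), "unmapped"))
        elif msg.startswith(MAPPED):
            issuer = rec["IssuerDN"] or last_issuer.get(thread, "")
            events.append((rec["Time"], issuer, "mapped"))
    return events


# Sample input re-typed from the traces on this page. EMPTY8 stands for the
# eight empty columns between Message and Pid in those records.
EMPTY8 = "[]" * 8
ISSUER = "DC=lab,DC=sso,CN=TESTLABCA"
SUBJECT = "DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab"
SAMPLE = [
    f"[02/08/2016][19:38:10][][Parsed certificate for SubjectDN {SUBJECT}]"
    f"{EMPTY8}[3684][4420][{ISSUER}][{SUBJECT}]",
    "",
    f"[02/08/2016][19:38:10][][{NOT_MAPPED}]{EMPTY8}[3684][4420][][]",
    f"[02/08/2016][19:51:25][][Parsed certificate for SubjectDN {SUBJECT}]"
    f"{EMPTY8}[3684][4420][{ISSUER}][{SUBJECT}]",
    f"[02/08/2016][19:51:25][][{MAPPED}]{EMPTY8}[3684][4420][{ISSUER}][]",
    "[02/08/2016][19:51:25][][Processing Attribute [Property = SM_USERDN] "
    f"[Trim Property = SM_USERDN] [Separator = ^]]{EMPTY8}[3684][4424][][]",
]

if __name__ == "__main__":
    for when, issuer, outcome in issuer_mapping_events(SAMPLE):
        print(when, outcome, issuer)
```

The IssuerDN printed for an "unmapped" event is the exact string to paste into the Certificate Mapping.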

 

Log on to AdminUI and enter the Certificate Mapping as above.

Navigate to "Infrastructure ==> Directory ==> Certificate Mappings" and click "Create Certificate Mapping".

 

 

Enter the following and click "Submit".

 

IssuerDN: DC=lab,DC=sso,CN=TESTLABCA

     Copied and pasted from smtracedefault.log.

Directory Type: LDAP/AD

     This is where the sample user is stored.

Mapping: Single Attribute

Attribute Name: CN

     This tells the Policy Server that the CN value from the certificate matches the username in the user store.

 

 

Open a new Chrome instance, access http://www.sso.lab/cert/ and check smtracedefault.log again.

smtracedefault.log

[02/08/2016][19:51:25][][** Received request from agent][][agent.iis][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Authenticating user.][][agent.iis][/cert/][5][0][][][][3684][4420][][]

[02/08/2016][19:51:25][][Using LDAP server bank #1][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function getSpecificScheme][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Auth Scheme used: Cert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function parseCert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][length of serial is: 10][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial: 61][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  35][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  DB][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  32][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  07][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][currentCert.certBinLen: 1348][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Print currentCert's subjectDN, issuerDN, serialNumber and CertDIstPt.][][][][][][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][Mapping issuerDN thing][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Comparing to IssuerDN.][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]

[02/08/2016][19:51:25][][Apply Mapping(MapCertToName)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function ApplyMapToLDAPRules][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  using string: '(%{CN})'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (certSerialNumber).(certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (certSerialNumber.certSerialNumber) Value is (61 35 DB 32 00 00 00 00 00 07)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (IssuerDN).(IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (IssuerDN.IssuerDN) Value is (DC=lab,DC=sso,CN=TESTLABCA)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC.DC) Value is (lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC2).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC2.DC) Value is (sso)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (OU).(OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (OU.OU) Value is (People)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (CN).(CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (CN.CN) Value is (user1)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (E).(E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (E.E) Value is (user1@sso.lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Final option 0 is 'CN'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parameter is CN][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber.certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN.IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU.OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'CN' to 'CN' : Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][returning success.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][user1][Will be authenticating user.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (samaccountname=user1) took 0 seconds and 1000 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (&(samaccountname=user1)(objectclass=*)) took 0 seconds and 0 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (&(samaccountname=user1)(objectclass=*)) took 0 seconds and 0 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][LDAP search of (&(samaccountname=user1)(objectclass=*)) took 0 seconds and 1000 microseconds][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Authenticating user by the auth scheme][LDAP://192.168.201.101 192.168.201.102/CN=user1,OU=People,DC=sso,DC=lab][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function getSpecificScheme][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Auth Scheme used: Cert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Enter function parseCert][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][length of serial is: 10][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial: 61][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  35][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  DB][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  32][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  00][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Printing serial:  07][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][CRL DPName = ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parsed certificate for SubjectDN DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][Print currentCert.certBinLen: 1348][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Print currentCert's subjectDN, issuerDN, CertSerial and CertDistPt][][][][][][ldap:///CN=TESTLABCA,CN=TESTMC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sso,DC=lab?certificateRevocationList?base?objectClass=cRLDistributionPoint][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

[02/08/2016][19:51:25][][Comparing to IssuerDN.][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]

[02/08/2016][19:51:25][][Certificate's Issuer DN found in mapping rules][][][][][][][][][3684][4420][DC=lab,DC=sso,CN=TESTLABCA][]

[02/08/2016][19:51:25][][Enter function ApplyMapToLDAPRules][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][map subjectDN (DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab)  using string: '(%{CN})'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (certSerialNumber).(certSerialNumber)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (certSerialNumber.certSerialNumber) Value is (61 35 DB 32 00 00 00 00 00 07)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (IssuerDN).(IssuerDN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (IssuerDN.IssuerDN) Value is (DC=lab,DC=sso,CN=TESTLABCA)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC.DC) Value is (lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (DC2).(DC)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (DC2.DC) Value is (sso)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (OU).(OU)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (OU.OU) Value is (People)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (CN).(CN)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (CN.CN) Value is (user1)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][aname is (E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][category.aname is (E).(E)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Name is (E.E) Value is (user1@sso.lab)][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Final option 0 is 'CN'][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Parameter is CN][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'certSerialNumber.certSerialNumber' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'IssuerDN.IssuerDN' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'DC2.DC' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'OU.OU' to 'CN' : No Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Compared 'CN' to 'CN' : Match][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][returning success.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][Failover is not enabled.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][SessionAssurance is not enabled.][][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][SmSamlDataContext::~SmSamlDataContext: Cleaning up][Cleaning up][][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][** Status: Authenticated. ][][agent.iis][][][][][][][3684][4420][][]

[02/08/2016][19:51:25][][** Received agent request.][trust_testmc1][agent.iis][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Validate session and session type for the user.][2][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Realm Authorization Mapping optimized][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Failed to find any valid user using Identity Mapping][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Using LDAP server bank #1][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Authorizing user...][][agent.iis][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Start of user policy analysis for realm.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Check the Policy.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Check the Rule][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Evaluating policy...][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][EPMRoleEvaluator: Evaluating Role "Basic Role"][Evaluating Role "Basic Role"][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Processing Attribute [Property = SM_USERDN] [Trim Property = SM_USERDN] [Separator = ^]][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][Policy is not applicable. Skipped.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][IsOk? No.][][][][][][][][][3684][4424][][]

[02/08/2016][19:51:25][][** Status: Not Authorized. ][][agent.iis][][][][][][][3684][4424][][]

 

I have highlighted the important part in red and blue.

You can see the parsed IssuerDN (red) and the Certificate Mapping IssuerDN (blue) and that they matched.

 

user1 was found and is authenticated.

The user was not authorized because the Role "Basic Role" did not match the user.

 

That is because the "Basic Role" has the following expression which only matches users in "CN=Users,DC=sso,DC=lab".

user1 is in "OU=People,DC=sso,DC=lab", so this is expected behaviour.

 

 

Let's modify the "Basic Role" to include "OU=People,DC=sso,DC=lab".

 

The above will authorize users from the "CN=Users,DC=sso,DC=lab" container as well as the "OU=People,DC=sso,DC=lab" container.

Submit the changes and test again.

 

 

This time, the user is authenticated and authorized.

You can also see from above that the CERT_ISSUER value does not match the IssuerDN parsed by the Policy Server.

That is why the best way is to copy it from smtracedefault.log or from "smkeytool -listcerts".

 

Note:

    * The SMUSER header will be the UserDN, not the SubjectDN of the certificate.

    * Password Services are not involved, as certificate authentication does not require a user password.

 

Now, back to why I created OU=People instead of just using the sample users in CN=Users.

Our Certificate Mapping was looking up a user by "CN".

In this case, PS will try to match the first CN found in the Certificate DN.

[DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab]

From the above CertificateDN, the first CN is "CN=user1" so it will look up "user1" in the user directory.

 

[DC=lab,DC=sso,CN=Users,CN=user1,E=user1@sso.lab]

From the above CertificateDN, the first CN is "CN=Users" so PS will try to look up "Users" in the user directory and it will not find a user.

So, AuthAttempt will be the result.

 

If you must use the 2nd sample above, you can set the Certificate Mapping to look up "CN2".

This means PS will match the 2nd CN so it will find "user1".

"CN2" will not appear in the dropdown list so you will need to select "Customer" and enter "CN2".
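A model of the CN versus CN2 selection described above, as an added example (not part of the original post and not SiteMinder code). It follows the naming seen in the trace, where the second DC is logged as "DC2"; the function names, the RFC 4515 filter escaping and the `samaccountname` default (taken from the LDAP searches in the trace) are assumptions of this sketch.

```python
def split_rdns(dn):
    """Split a DN string on unescaped commas.

    A backslash escapes the next character, so "O=Example\\, Inc" stays one
    component. The space some parsers put after a comma is dropped.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])     # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).lstrip())
    return parts


def occurrence_names(dn):
    """Name each component the way the trace does: DC, DC2, OU, CN, CN2, ..."""
    counts, named = {}, []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip()
        counts[attr] = counts.get(attr, 0) + 1
        n = counts[attr]
        named.append((attr if n == 1 else f"{attr}{n}", value))
    return named


def resolve_mapping(dn, parameter):
    """Value selected by a single-attribute mapping such as "CN" or "CN2"."""
    for name, value in occurrence_names(dn):
        if name == parameter:
            return value
    return None                             # attribute occurrence not present


# RFC 4515 escaping, so a certificate value cannot alter the search filter.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def lookup_filter(dn, parameter, user_attr="samaccountname"):
    """LDAP filter the directory lookup would use for the selected value."""
    value = resolve_mapping(dn, parameter)
    if value is None:
        return None
    escaped = "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)
    return f"({user_attr}={escaped})"


# The two certificate DNs discussed on this page.
DN_PEOPLE = "DC=lab,DC=sso,OU=People,CN=user1,E=user1@sso.lab"
DN_USERS = "DC=lab,DC=sso,CN=Users,CN=user1,E=user1@sso.lab"

if __name__ == "__main__":
    for dn in (DN_PEOPLE, DN_USERS):
        for parameter in ("CN", "CN2"):
            print(dn, parameter, "->", lookup_filter(dn, parameter))
```

With DN_USERS, "CN" produces a search for "Users", which is why that lookup finds no user, while "CN2" produces the search for "user1".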

 

X.509 Certificate or Basic

 

Once the "Certificate Only" authentication scheme works, the rest is easy.

There are only minor differences.

 

We need the following to set up the use case.

 

* Make sure you have the content on your web server for the /certorbasic/ virtual directory.

* Create X.509 Certificate or Basic Authentication Scheme.

* Create Component and Resource from AdminUI to protect this resource.

* Create Certificate Mapping (skip this step as it is already configured)

* Configure "SSL Setting" for "/siteminderagent/certoptional".

 

Create X.509 Certificate or Basic Authentication Scheme.

Previously demonstrated steps will be skipped.

As we tried with Chrome for "Certificate Only", this time I will demonstrate using IE.

 

 

Firstly, you can check the existing certificate from "Internet Options ==> Content ==> Certificates".

The user1 certificate will expire on 7th February 2017, as you can see above.

They are usually valid for 1 year.

 

Create "Certificate or Basic" Authentication Scheme.

Enter the following and click "Submit".

 

Name: Certificate or Basic

Authentication Scheme: X509 Client Cert or Basic Template

Protection Level: 5

Password Policies enabled: true

Server Name: www.sso.lab

Target: /siteminderagent/certoptional/smgetcred.scc

Library: smauthcert

 

It is assumed that the Certificate Challenge and Basic Challenge will be from the same server.

If that is not the case, you can select "Basic Credentials Over SSL" and enter the "Basic Server Name".

You also need to set the target for basic auth (Basic Target: /siteminderagent/nocert/smgetcred.scc).

 

 

Note that the target is "/siteminderagent/certoptional/***" for "Certificate or Basic" and it was "/siteminderagent/cert/***" for Certificate Only.

 

Create Component and Resource from AdminUI to protect this resource.

Previously demonstrated steps will be skipped.

 

Create a Component and Resource matching /certorbasic/ and assign the "Certificate or Basic" authentication scheme and "Basic Role" to this resource.

 

 

 

 

 

Load IIS Management Console and navigate to "/siteminderagent/certoptional" virtual directory.

Click on "SSL Settings" in the mid-pane.

Perform the configuration as below and click "Apply".

 

Require SSL: true

Client Certificates: Accept

 

 

 

 

Perform the Test.

 

Test 1: visit http://www.sso.lab/certorbasic/ and submit the client certificate.

Yay, the user is authenticated... what went wrong?

IE did not prompt me whether I want to submit the certificate or not.

It made its decision to submit the certificate.

 

Whether you agree with this or not, this is the default behavior for IE when there is only 1 client certificate.

If you chose "Enable strong private key protection", you would have a certificate popup regardless of whether you have only 1 certificate or not.

It would also ask you to enter the passphrase to access the private key.

You need to open "Internet Options ==> Security ==> Local intranet (or Internet if it is the internet zone) ==> Custom level ==> Don't prompt for client certificate selection when only one certificate exists" and set it to "Disable".

 

Close and open a new IE session.

Visit http://www.sso.lab/certorbasic/ and submit the client certificate.

webagenttrace.log

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Start new request.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:13:40][5240][2932][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][][/certorbasic/][][Resolved cookie domain '.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/10/2016][18:13:40][5240][2932][SmSCC.cpp:247][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Certificate present]

[02/10/2016][18:13:40][5240][2932][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Success in collecting credentials.]

[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][POST preservation, handling return from credential collector.]

[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][http response https://www.sso.lab/certorbasic/]

[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][User 'unknown' is authenticated by Policy Server.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Processing Authentication responses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Generated SMSESSION cookie.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][End new request.]

 

As the log above shows, "Certificate present" means the user has submitted a client certificate.

So the Web Agent reports "Success in collecting credentials.".

Do not be alarmed by "User 'unknown' is authenticated by Policy Server.".

The "SMCHALLENGE=SSL_CHALLENGE_DONE" cookie is set so that it will not cause a redirect loop if the user is not authenticated.

Lastly, "Generated SMSESSION cookie" confirms the user is authenticated successfully.

 

continued webagenttrace.log

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Start new request.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][][][][Resolved agentname: 'agent.iis'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorbasic/'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved METHOD: 'GET'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved cookie domain: '.sso.lab'.]

[02/10/2016][18:13:40][5240][2932][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processed SMSESSION cookie.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Found session, no credentials required.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Validating session 'tDnKBQINpvxWKHrYZ5VT3zVZhWo=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processing Authentication responses.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Generated SMSESSION cookie.]

[02/10/2016][18:13:40][5240][2932][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Processing Authorization responses.]

[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Removing HTTP cache request headers.]

[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/10/2016][18:13:40][5240][2932][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][AuthorizationManager returned SmYes, end new request.]

[02/10/2016][18:13:40][5240][2932][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][End new request.]

 

As the log above shows, the user is recognized as "CN=user1,OU=People,DC=sso,DC=lab".

After the user is authorized, the SMCHALLENGE cookie is deleted.

This completes the Certificate authentication.
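To audit which mechanism each login used under this "Certificate or Basic" scheme, the following added example (not part of the original post) splits webagenttrace.log records into fields, groups them by transaction ID, and summarizes each transaction from the messages discussed on this page. The field labels and function names are this example's own assumptions; the sample records are copied from the traces on this page, with one URL shortened.

```python
import re
from collections import OrderedDict

# Indexes into the 13 bracketed fields of a webagenttrace.log record, as laid out
# in the trace on this page. The names are this example's labels (assumption).
TXID, RESOURCE, USER, MSG = 6, 10, 11, 12

# Records copied from the traces on this page; the smgetcred.scc record has its
# URL shortened, everything else is verbatim.
SAMPLE = r"""
[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][User 'unknown' is authenticated by Policy Server.]
[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:8040][CSmHttpPlugin::GenerateSSLChallengeDoneCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Generating SMCHALLENGE=SSL_CHALLENGE_DONE set-cookie response header.]
[02/10/2016][18:13:40][5240][2932][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae4ae1][*192.168.201.101][][agent.iis][/certorbasic/][][Generated SMSESSION cookie.]
[02/10/2016][18:13:40][5240][2932][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Found session, no credentials required.]
[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]
[02/10/2016][18:13:40][5240][2932][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]
[02/10/2016][18:13:40][5240][2932][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1478-56bae324-0b74-03ae440d][*192.168.201.101][][agent.iis][/certorbasic/][][Deleted cookie 'SMCHALLENGE'.]
[02/10/2016][18:56:51][8188][8076][SmSCC.cpp:345][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Failed to get either Certificate or Basic credentials.]
[02/10/2016][18:56:51][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]
[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0][][Resolved METHOD: 'GET'.]
[02/10/2016][18:56:56][8188][8076][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded BASIC Context - User 'user1']
[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][User 'user1' is authenticated by Policy Server.]
[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]
""".strip().splitlines()

USER_RE = re.compile(r"User '([^']*)' is authenticated (?:by Policy Server|from cache)")

def split_fields(line):
    """Split '[a][b]...' into its 13 fields. Bracket depth is tracked so a field
    that itself contains '[...]' (the REALM value in smgetcred.scc URLs) stays whole.
    Returns None for blank, unbalanced or differently shaped lines."""
    fields, depth, start = [], 0, 0
    for i, ch in enumerate(line):
        if ch == "[":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                fields.append(line[start:i])
    return fields if depth == 0 and len(fields) == 13 else None

def summarize(lines):
    """Group records by transaction ID and record what each transaction did."""
    txs = OrderedDict()
    for line in lines:
        f = split_fields(line.strip())
        if f is None or not f[TXID]:
            continue  # blank lines and records without a transaction ID (health data)
        tx = txs.setdefault(f[TXID], {"credentials": None, "user": None,
                                      "session_issued": False,
                                      "smchallenge": None, "authorized": False})
        msg = f[MSG]
        if "Certificate present" in msg:
            # Phrase quoted by the post; the full record is not among the sample lines.
            tx["credentials"] = "certificate"
        elif "Decoded BASIC Context" in msg:
            tx["credentials"] = "basic"
        elif "Failed to get either Certificate or Basic credentials" in msg:
            tx["credentials"] = "none (challenged)"
        elif "Found session, no credentials required" in msg:
            tx["credentials"] = "existing session"
        elif "Generating SMCHALLENGE=SSL_CHALLENGE_DONE" in msg:
            tx["smchallenge"] = "set"
        elif "Deleted cookie 'SMCHALLENGE'" in msg:
            tx["smchallenge"] = "deleted"
        elif "Generated SMSESSION cookie" in msg:
            tx["session_issued"] = True
        elif "is authorized by Policy Server" in msg:
            tx["authorized"] = True
        else:
            m = USER_RE.search(msg)
            if m:
                tx["user"] = m.group(1)
    return txs

def basic_fallbacks(summary):
    """Transactions where a session was issued from Basic credentials."""
    return [(txid, tx["user"]) for txid, tx in summary.items()
            if tx["credentials"] == "basic" and tx["session_issued"]]

if __name__ == "__main__":
    for txid, tx in summarize(SAMPLE).items():
        print(txid[-8:], tx)
    print("basic fallbacks:", basic_fallbacks(summarize(SAMPLE)))
```

The summary for the first transaction shows user 'unknown' together with a generated SMSESSION cookie, which matches the post's note that this message is expected during certificate authentication.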

 

Test2: visit http://www.sso.lab/certorbasic/, cancel the client certificate prompt, and enter basic credentials.

Now click the "Cancel" button so the certificate will not be submitted.

If you do not have a certificate, you will immediately see the basic challenge.

Because you do have a certificate, you are given a choice to either submit or not.

 

You can see the basic challenge.

 

webagenttrace.log

[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Start new request.]

[02/10/2016][18:56:51][8188][8076][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:51][8188][8076][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][][/certorbasic/][][Resolved cookie domain '.sso.lab'.]

[02/10/2016][18:56:51][8188][8076][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/10/2016][18:56:51][8188][8076][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:56:51][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:51][8188][8076][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:56:51][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:51][8188][8076][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/10/2016][18:56:51][8188][8076][SmSCC.cpp:345][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Failed to get either Certificate or Basic credentials.]

[02/10/2016][18:56:51][8188][8076][CSmCredentialManager.cpp:267][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmNoAction.]

[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:1072][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][CredentialManager returned SmNo or SmNoAction, calling ChallengeManager.]

[02/10/2016][18:56:51][8188][8076][CSmChallengeManager.cpp:194][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge.]

[02/10/2016][18:56:51][8188][8076][CSmChallengeManager.cpp:214][CSmChallengeManager::DoAdvancedAuthChallenge][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthChallenge returned SmExit.]

[02/10/2016][18:56:51][8188][8076][CSmHighLevelAgent.cpp:1096][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed43-1f8c-01990029][*192.168.201.101][][agent.iis][/certorbasic/][][Challenge Manager returned SmExit, Time to challenge.]

[02/10/2016][18:56:51][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Start new request.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved agentname: 'agent.iis'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][][][Resolved URL: '/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5681][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreExt filter.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:698][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Autoauthorizing URL : 'https://www.sso.lab/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f' , Method: 'GET' ]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Resolved METHOD: 'GET'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Resolved cookie domain: '.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:126][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmNoAction.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:405][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/siteminderagent/certoptional/1455091009/smgetcred.scc?TYPE=16777248&REALM=-SM-Certificate%20or%20Basic%20[18%3a56%3a49%3a6500]&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-WO8xvFyi%2bqJqAacEXn7ORDOqfJeP9uaQyN9hFwER2htI0CbW%2fuYsc7%2fsBVpafN%2bZ&TARGET=-SM-https%3a%2f%2fwww%2esso%2elab%2fcertorbasic%2f][][ProtectionManager returned SmNo, end new request.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:970][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Start new request.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:187][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:8683][CSmHttpPlugin::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][][][][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][SmAdvancedAuthCore.cpp:632][SmAdvancedAuthCore::parseTargetUrl][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][][/certorbasic/][][Resolved cookie domain '.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:225][CSmResourceManager::ProcessAdvancedAuthResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthResource returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Resource is protected from cache.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Processing IsProtected responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:222][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Deleted cookie 'SMCHALLENGE'.]

[02/10/2016][18:56:56][8188][8076][SmSCC.cpp:309][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Decoded BASIC Context - User 'user1']

[02/10/2016][18:56:56][8188][8076][SmSCC.cpp:418][SmScc::getCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][Success in collecting credentials.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:481][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][POST preservation, handling return from credential collector.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:618][HandleCredCollectorReturn][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][http response https://www.sso.lab/certorbasic/]

[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:260][CSmCredentialManager::GatherAdvancedAuthCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1200][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][][User 'user1' is authenticated by Policy Server.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing Authentication responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:1282][ProcessAdvancedAuthentication][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03b36784][*192.168.201.101][][agent.iis][/certorbasic/][user1][End new request.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:3567][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:321][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Start new request.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Resolved HTTP_HOST: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5249][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][www.sso.lab]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:490][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Resolved hostname: 'www.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:509][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][][][][Resolved agentname: 'agent.iis'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:5602][CSmHttpPlugin::ResolveClientIp][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][][][agent.iis][][][Resolved Client IP address '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:657][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][][][Resolved URL: '/certorbasic/'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:781][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved METHOD: 'GET'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:834][CSmHttpPlugin::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][Resolved cookie domain: '.sso.lab'.]

[02/10/2016][18:56:56][8188][8076][CSmResourceManager.cpp:112][CSmResourceManager::ProcessResource][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:82][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][][Calling SM_WAF_HTTP_PLUGIN->EstablishSession.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:6609][CSmHttpPlugin::ProcessSessionCookie][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Decoded SMSESSION cookie - User = 'CN=user1,OU=People,DC=sso,DC=lab', IP address = '192.168.201.101'.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2216][CSmHttpPlugin::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processed SMSESSION cookie.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:119][CSmSessionManager::EstablishSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->EstablishSession returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:499][IsResourceProtected][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Resource is protected from cache.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2824][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing IsProtected responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmCredentialManager.cpp:103][CSmCredentialManager::GatherCredentials][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Found session, no credentials required.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:999][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Validating session 'yqt9Pi0lr7VK2sezhRRIOYLaOOs=' for user 'CN=user1,OU=People,DC=sso,DC=lab' in zone 'SM'.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1195][AuthenticateUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:2992][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing Authentication responses.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:209][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->CreateSession.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:1605][CSmHttpPlugin::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Generated SMSESSION cookie.]

[02/10/2016][18:56:56][8188][8076][CSmSessionManager.cpp:247][CSmSessionManager::CreateSession][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->CreateSession returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:2768][AuthorizeUser][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:193][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Calling SM_WAF_HTTP_PLUGIN->ProcessResponses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:3270][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Processing Authorization responses.]

[02/10/2016][18:56:56][8188][8076][CSmHttpPlugin.cpp:3277][CSmHttpPlugin::ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Removing HTTP cache request headers.]

[02/10/2016][18:56:56][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][Deleted cookie 'SMCHALLENGE'.]

[02/10/2016][18:56:56][8188][8076][CSmResponseManager.cpp:231][ProcessResponses][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][SM_WAF_HTTP_PLUGIN->ProcessResponses returned SmSuccess.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:801][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][AuthorizationManager returned SmYes, end new request.]

[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:921][ProcessRequest][000080fe0000000097e114e8f8b90736-1ffc-56baed48-1f8c-03c3305e][*192.168.201.101][][agent.iis][/certorbasic/][user1][End new request.]

 

No certificate was submitted and the user credentials have not been submitted yet, so the Web Agent (WA) reports "Failed to get either Certificate or Basic credentials."

It then prompts with a Basic challenge and you enter the credentials.

This sets the "Authorization" header with the encoded user credentials.

As this is a Basic challenge, the SMCHALLENGE cookie is set to ensure that the session cookie can be set as well.

You can see that it deletes the SMCHALLENGE cookie and reads the Authorization header.

Decoded BASIC Context - User 'user1'

 

Now, with these credentials, the user is authenticated.

"User 'user1' is authenticated by Policy Server."

 

And after the user is authorized, the SMCHALLENGE cookie is deleted.
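The flow described above can be read back out of the agent trace log. The following added example (not CA's tooling and not from the original post) parses trace lines in the bracketed format shown on this page and summarizes each transaction. The field names and the shortened transaction ids in the constructed sample are assumptions.

```python
import re

# Field names are assumptions inferred from the trace lines shown on this page.
FIELDS = ("date", "time", "pid", "tid", "source", "function", "transaction",
          "client_ip", "unused", "agent", "resource", "user")
LINE_RE = re.compile(r"^((?:\[[^\]]*\]){12})\[(.*)\]$")

# Constructed sample in the page's format; transaction ids are shortened.
SAMPLE_TRACE = r"""
[02/10/2016][18:56:50][8188][8076][CSmLowLevelAgent.cpp:1195][AuthenticateUser][tx-0001][*192.168.201.101][][agent.iis][/certorbasic/][][User 'user1' is authenticated by Policy Server.]
[02/10/2016][18:56:50][8188][8076][SmPluginUtilities.cpp:166][DeleteCookie][tx-0001][*192.168.201.101][][agent.iis][/certorbasic/][user1][Deleted cookie 'SMCHALLENGE'.]
this line is not in trace format and is skipped
[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:1195][AuthenticateUser][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authenticated from cache.]
[02/10/2016][18:56:56][8188][8076][CSmLowLevelAgent.cpp:2768][AuthorizeUser][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][User 'CN=user1,OU=People,DC=sso,DC=lab' is authorized by Policy Server.]
[02/10/2016][18:56:56][8188][8076][CSmHighLevelAgent.cpp:801][ProcessRequest][tx-0002][*192.168.201.101][][agent.iis][/certorbasic/][user1][AuthorizationManager returned SmYes, end new request.]
""".strip().splitlines()


def parse_line(line):
    """Split one trace line into named fields; return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS, re.findall(r"\[([^\]]*)\]", m.group(1))))
    rec["client_ip"] = rec["client_ip"].lstrip("*")
    rec["message"] = m.group(2)  # taken whole, so a ']' inside it is kept
    return rec


def summarize(lines):
    """Group records by transaction id and pull out the authentication outcome."""
    flows = {}
    for rec in filter(None, map(parse_line, lines)):
        flow = flows.setdefault(rec["transaction"], {
            "user": "", "resource": rec["resource"], "authenticated_by": None,
            "authorized": False, "cookies_deleted": [], "result": None})
        flow["user"] = rec["user"] or flow["user"]
        msg = rec["message"]
        if (m := re.search(r"is authenticated (?:from|by) (cache|Policy Server)\.", msg)):
            flow["authenticated_by"] = m.group(1)
        elif "is authorized by Policy Server" in msg:
            flow["authorized"] = True
        elif (m := re.match(r"Deleted cookie '([^']+)'", msg)):
            flow["cookies_deleted"].append(m.group(1))
        elif (m := re.search(r"AuthorizationManager returned (\w+)", msg)):
            flow["result"] = m.group(1)
    return flows


if __name__ == "__main__":
    for tx, flow in summarize(SAMPLE_TRACE).items():
        print(tx, flow)
```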

 

In the next article, we will continue setting up "Certificate and Basic" authentication and continue the journey into Certificate and/or Forms Authentication.

 

It is not much different from what is done here.

The following is a screenshot from my Chrome when accessing the AdminUI.

You will get this when you access the AdminUI after Chrome has been updated, because it does not like SSLv3 anymore.

 

Good thing is, we already have a KB article for this.

It needed some updating, so I have just updated the article.

If the article is dated 2015, it means the published content has not been pushed out yet.

http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1346659.aspx

Diffie-Hellman key error with Firefox and Chrome browsers connecting to CA SSO Administrative UI

 


Document ID:  TEC1346659
Last Modified Date:  01/2/2016

 

 

Summary:

When using the Chrome or Firefox web browsers to connect to the CA SSO Administrative UI (WAMUI) the connection fails and the browsers return Diffie-Hellman key errors.

Examples:

---------------------------------------------------------------------------------------------------------------------------------------------

CHROME:

 

Error:

Server has a weak ephemeral Diffie-Hellman public key
ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY

Hide details

This error can occur when connecting to a secure (HTTPS) server. It means that the server is trying to set up a secure connection but, due to a disastrous misconfiguration, the connection wouldn't be secure at all!
In this case the server needs to be fixed. Google Chrome won't use insecure connections in order to protect your privacy.
Learn more about this problem.

---------------------------------------------------------------------------------------------------------------------------------------------

FIREFOX:

An error occurred during a connection to <hostName.domain.com>:8443. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

---------------------------------------------------------------------------------------------------------------------------------------------

These Diffie-Hellman errors do not occur with Internet Explorer.


This issue occurs in the default configuration of the underlying JBOSS application server,
which is bundled with the WAMUI as the 'WAMUI-Prereq'.


SOLUTION

To resolve this, the JBOSS 'server.xml' file needs to be modified manually.

1) Logon to the host running the Administrative UI.

2) Stop the CA SSO Administrative UI

 

    Stop the embedded JBOSS Server

 

    1. Logon to the host running the WAMUI

 

    Unix:

 

    2. Navigate to:

 

        <WAMUI Home>/CA/siteminder/adminui/bin/administrative_ui_install

 

    3. Run the following command:

 

        shutdown.sh

 

    Windows:

 

    2. Load services.msc

 

    3. Stop the "SiteMinder AdminUI" Service

 


3) Browse to the 'server.xml' file.

Default Path: siteminder/adminui/server/default/deploy/jbossweb.sar/server.xml

4) Copy the 'server.xml' file and name the copy 'server.xml.<date>.BAK'

5) Open the 'server.xml' file with a text editor.

6) Modify the "SSL Connector" section.


 

OLD VALUE:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>


NEW VALUE:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" address="${jboss.bind.address}" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA" connectionTimeout="20000" emptySessionPath="true" enableLookups="true" keyAlias="tomcat" keystoreFile="jsse.keystore" keystorePass="changeit" keystoreType="jks" maxHttpHeaderSize="10240" maxPostSize="0" maxSpareThreads="75" minSpareThreads="5" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"/>

 

NOTE: It is suggested to manually modify the file, and check for any typographical errors.  Copy/Paste could include hidden chars which might impact performance.

7) Save the changes

8) Start the CA SSO Admin UI

9) Connect the Admin UI using either the Firefox or Chrome web browsers.
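To check a server.xml before and after the change, the following added example (not part of the KB article or of CA's tooling) lists, for each SSL-enabled Connector, the DHE suites that lead to the ephemeral Diffie-Hellman exchange the browsers reject, along with the configured protocols. The sample XML is constructed from trimmed versions of the OLD and NEW values; port 9443 and the "legacy" grouping of RC4, 3DES and MD5 suites are additions made here.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the article's server.xml entries. The cipher
# lists are trimmed from the OLD and NEW values; port 9443 is made up so the two
# connectors can be told apart.
SAMPLE_SERVER_XML = """<Service name="constructed-sample">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector SSLEnabled="true" port="8443" scheme="https" secure="true" ciphers="SSL_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
  <Connector SSLEnabled="true" port="9443" scheme="https" secure="true" sslProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA"/>
</Service>"""

LEGACY_MARKERS = ("_RC4_", "_3DES_", "_MD5")  # RC4, 3DES and MD5-MAC suites


def key_exchange(suite):
    """JSSE names look like TLS_<kx>_..._WITH_<cipher>_<mac>; return <kx>."""
    parts = suite.split("_")
    return parts[1] if len(parts) > 1 else ""


def split_list(value):
    """Split a comma-separated attribute value, ignoring blanks and padding."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_connectors(server_xml):
    """Return one finding dict per SSL-enabled <Connector> in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors negotiate no cipher suite
        ciphers = conn.get("ciphers")
        protocols = conn.get("sslProtocols")
        suites = split_list(ciphers) if ciphers else []
        findings.append({
            "port": conn.get("port"),
            # None means the attribute is absent and the JVM default applies
            "protocols": split_list(protocols) if protocols else None,
            "ciphers_explicit": ciphers is not None,
            # Finite-field ephemeral DH: the exchange the browsers rejected
            "dhe": [s for s in suites if key_exchange(s) == "DHE"],
            "ecdhe": [s for s in suites if key_exchange(s) == "ECDHE"],
            "legacy": [s for s in suites if any(m in s for m in LEGACY_MARKERS)],
        })
    return findings


if __name__ == "__main__":
    for f in audit_connectors(SAMPLE_SERVER_XML):
        verdict = "DHE offered" if f["dhe"] else "no DHE suites"
        print(f["port"], verdict, "| protocols:", f["protocols"], "| legacy:", f["legacy"])
```

A Connector with no `ciphers` attribute is reported with `ciphers_explicit` set to False, which means the suite list comes from the JVM defaults rather than from server.xml.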

 

Stopped the AdminUI Service.

Updated the server.xml file as below. (sslProtocols and the ciphers order)

Started the AdminUI Service.

Accessed it using Chrome.

Now it does not show that error anymore. The above error is because the RootCA is not trusted.

If you click on "Advanced" link, you can proceed to the site.

 

Or, you can import the RootCA certificate to trust it and not get this warning ("Your connection is not private.").

 

If you click on the padlock icon in the address bar (where the https is crossed out), you will see which protocol is currently in use.

Here you can see that this connection uses TLS 1.0.

 

More Info: Tech Tip - CA Single Sign-On:Administrative UI: Does the standalone Admin UI installation support TLSv1.2 ?

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series. (links below)

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 4.

 

Before we go to Certificate Authentication: I installed the Chrome browser, and when accessing the AdminUI it gives me an error message, so I would like to address that first.

 

Server has a weak, ephemeral Diffie-Hellman public key

 

Follow the instructions above if you prefer to use Chrome instead of IE for administration.

 

Now back to Certificate Authentication.

 

There are prerequisites for configuring certificate authentication.

This is also called 2 way authentication.

When you visit https://www.test.lab and get the contents without any certificate or SSL related warnings, that is because you (your browser) trust this web server (the web server is authenticated).

 

This works by the client trusting the ROOT Certificate Authority.

Any certificate issued by this ROOT CA is going to be authenticated as long as the CN value of the server certificate matches the address the browser is accessing.

Let's say the server certificate was "CN=www.test.lab,O=TrustMe" and you access it via https://www.test.lab; then the CN value matches.

 

The browser trusts this ROOT Certificate Authority by storing this CA's certificate in its certificate data store as a Trusted Authority.

 

So, if you are able to access https://www.test.lab without any certificate related warnings, then the server is authenticated (the server certificate is issued by a Certificate Authority which the browser trusts).

The client knows this server is genuinely the server it wanted to access.

 

This is 1 way authentication (server authentication).

Now the next authentication is the other way: the client authenticating itself to the web server.

The browser submits a certificate which the server trusts. The server must verify that this client certificate is issued by its trusted CA.

 

This makes 2 way authentication (server then client authentication).

 

SiteMinder takes part in this authentication: it finds a matching user in the user store and issues the SMSESSION cookie.

SiteMinder takes part of the client certificate's subjectDN value and uses it to find a matching user.

If a user is found, the user is authenticated.
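One way to do the mapping step just described, as an added example (it is not SiteMinder's implementation and not from the original post): parse the subject DN, take one attribute from it and build the directory search filter, escaping the value so that characters in a certificate subject cannot change the filter. The choice of CN and of the sAMAccountName directory attribute are assumptions, and only the plain string form of a DN (RFC 4514 without quoted or '#' hex values) is handled.

```python
import re

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")

def split_unescaped(text, sep):
    """Split on sep, skipping separators protected by a backslash (RFC 4514)."""
    parts, buf, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i:i + step]  # an escape pair is copied through untouched
        i += step
    return parts + [buf]

def unescape_value(value):
    """Undo RFC 4514 escaping: \\XX is one byte, \\<char> is that character."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and HEX_PAIR.fullmatch(value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))
            i += 3
            continue
        if value[i] == "\\" and i + 1 < len(value):
            i += 1  # drop the backslash, keep the character it protected
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Return [(TYPE, value), ...] in written order (leaf RDN first)."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed DN component: {ava!r}")
            pairs.append((attr.strip().upper(), unescape_value(value)))
    return pairs

def ldap_filter_escape(value):
    """RFC 4515: escape the characters that have meaning inside a filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def lookup_filter(subject_dn, cert_attr="CN", dir_attr="sAMAccountName"):
    """Build the directory search filter for the user named in subject_dn."""
    values = [v for a, v in parse_dn(subject_dn) if a == cert_attr.upper()]
    if len(values) != 1:  # zero or several values make the mapping ambiguous
        raise ValueError(f"expected exactly one {cert_attr}, found {len(values)}")
    return f"({dir_attr}={ldap_filter_escape(values[0])})"

# Constructed subjects; the first is the test user's DN from this article.
SUBJECTS = [
    "CN=user1,OU=People,DC=sso,DC=lab",
    r"CN=Doe\, Jane,OU=People,DC=sso,DC=lab",
    "CN=ops (night*),OU=People,DC=sso,DC=lab",
]

if __name__ == "__main__":
    for subject in SUBJECTS:
        print(lookup_filter(subject))
```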

 

In this sample, the same Microsoft Certificate System CA issues both the web server and client certificates, so there is no trust problem.

 

As the server already has a server certificate and can be accessed via https, we need to issue a certificate for a test user account.

 

But before we go and create a user, there are a few things that need to be performed.

• Configure correct CRL path
• Disable IE ESC
• Register www.sso.lab to local intranet zone

 

Load "Certificate Authority" management console.

 

Select "TESTLABCA"
Right click and select "Properties".

 

Click on "Extensions" tab and you will find "CRL Distribution Point" selected.
Click on "Add" and enter the following.

 

Copy the URL in the "Example location" in the text window and paste it into the "Location" input field.
Then replace <ServerDNSName> with www.sso.lab as above.
Then click OK.

 

Then select all three below and click "OK".
"Include in CRLs."
"Include in the CDP"
"Include in the IDP"

 

Click "Yes" to restart the Certificate Services.

 

 

Then you need to disable IE "Enhanced Security Configuration".
Load your Service Manager Console.
At the "Security Information" section on the right pane, you will find "Configure IE ESC".

 

 

 

 

 

 

 

 

Then you need to register http://www.sso.lab and https://www.sso.lab to Local Intranet Zone.
Load Internet Options from IE.
Select Security tab and select "Local intranet" icon then click on "Sites" button.

 

 

 

 

Click on "Advanced" button at the bottom.

 

Enter "http://www.sso.lab" and "https://www.sso.lab" and click "Add" then "Close"

 

 

If these are not performed, you will get an error when issuing user certificates as below.

 

I am going to create a container to store test users as below.
OU=People,DC=SSO,DC=LAB

Then I moved the "user1" to above OU.
Now the user's DN will be "CN=user1,OU=People,DC=SSO,DC=LAB".
I will explain why I am doing this later (after configuring a successful Certificate Authentication).

 

The easiest way to make a certificate request is to log on to the desktop as that user, access https://www.sso.lab/certsrv and submit the user certificate request.

But as this ALL-IN-ONE image itself is a Domain Controller, normal users are not allowed to log on.
Let's promote this user to a domain admin.

 

Run "gpupdate"

 

Sometimes, when you add a user to an administrators group it does not get recognized immediately but after running gpupdate it usually works immediately.

So, you can logon as "user1" on this All-In-One image without delay.

 

 

Switch User or Logon to this machine as "user1".
Open IE and go to Options.
At the Security tab, select "Local intranet" and lower the security level.
Then click on "Sites" button and register https://www.sso.lab to local intranet zone.

 

 

 

Now visit https://www.sso.lab/certsrv
You will not be challenged as this site is now registered in the Local intranet zone.

 

 

Click on "Request a certificate"

 

 

 

Click on "More Options" link if you want to change some parameters but this should be sufficient to just submit and get a certificate.
For exploration, click on "More Options".

 

The request format can be changed to PKCS10 if you plan on saving this Certificate Signing Request and sending it out to an external CA. But the "Save" option is in the "use the Advanced Certificate Request form".

 

If you want a prompt each time you access your private key (to submit your certificate, or to have the option to cancel submitting your certificate), then you can select "Enable strong private key protection".

 

Not much here.
Click on "use the Advanced Certificate Request form" button to explore further.

 

 

Now you can see there is an option to change the Key Size.
But this does not allow you to get SHA2 certificates. Probably MS will release an update for this if not already available.

 

If you click on "Save request", you can save it as mentioned earlier.
That will change the "Submit" button to "Save" button.
The screen will appear as below; you can copy the CSR content to user1.csr in case you plan to submit it to a different CA.

 

 

Continuing from "Advanced Certificate Request" screen, click on "Submit" button.

 

 

Click on "Install this certificate"

 

 

Load Internet Options from IE.
Click on "Content" tab and click "Certificates" button.

 

You will find the issued certificate in the "Personal" tab.

Export this certificate, click on "Export" button.

 

You must select "Yes, export the private key".

 

You don't have to select anything here.

 

Enter a passphrase to protect private key export.

 

Export it to Desktop.

 

Click "Finish" to complete the export.

 

 

 

Copy this user1.pfx file to C:\ so Administrator can import it to its IE.

 

Switch user to Administrator.
Open IE, open the Internet Options window, select the "Content" tab and click the "Certificates" button.

At the "Personal" tab, click on "Import".

 

Click Next

 

 

Enter the passphrase that you entered for export.
Select "Mark this key as exportable." so you can export this if needed.

 

Select the default, "Personal" store is good.

 

Click on "Finish" to complete this import.

 

 

Now, you can see "user1" certificate in Administrator's IE.

 

There is just one more configuration required on the Web Server side.
But I will demonstrate the configuration requirement while setting up the Authentication Scheme so it will make better sense.

 

In the next article, we will be setting up X509 Client Cert Template.