Symantec Access Management

We are having a problem where we have WLS deployed behind OHS , We have siteminder agent deployed on OHS, now application is facing issues when coming through siteminder. There is no application server agent.

The issue is that JSESSSION is being modified whenever siteminder session cookie changes which is causing an issue on the application.

Now when we increased the SessioNGracePeriod to a higher value we didnt see smsession and Jsession changing the value as the smsession was still the same.

I am trying to understand why JSESSIONID is being modified whenever the SMSESSION is being modified

Has anyone seen this issue any pointers would help ?

Vivek,

it's hard to help without some basics.

what version of the policy server? major/service pack/cr/build

what version of the  web agent? major/service pack/cr/build

and one not so basic  i can see playing a role:

are you using the session linker?

-Josh

Josh,

PS Version : R12sp3 Cr07 on Solaris 10

Agent : R12sp3Cr12 on Aix WebServer is OHS 11.

There is no session linker.

We did some further testing today when session grace period is set to 0 , siteminder session cookie changes but jsessionID remains same, as soon as i put a positive value in sessiongraceperiod the SMSESSION and JSESSIOnID change after sessiongrace period has elapsed.

I am not able to figure out what possibly could link SMSESSION to JSESSION without an app server agent.

Thanks

how many siteminder sessions do you have?

did you have to create code to prevent multiple sessions?

There is only 1 Siteminder session, its just that cookie changes after sessiongraceperiod which is the expected behavior,

  Didn't understand the second part of the question ,we didnt do anything to restrict multiple sessions on SM if you are asking about that

Vivek,

WLS is web logic, right?

in the past, with  other application servers, i've seen the application server create a second smsession.

you end up with sm's smsession in .company.com and the application servers's in server.company.com

this causes issues. when restricting, if  you dont alter the application server's default action of making the second one before it's made, then you end up with issues like what you are describing.

if i were you i would check with those who wrote the application. make sure they arent cleaning something wrong.

if they are cleaning wrong  you get:

sm not reading the smsession and recreating it  -> back end unable to read its cookie now and recreating all cookies it does.

-Josh

Thanks Josh, will be checking on this part and yes WLS is weblogic.

hi Vivek,

we are also facing the same issue, did above solution work for you?

Ravi we left it at with settings for sessiongraceperiod

Ravi RaviSapare

It looks like from the logs your colleague shared the Application is hitching onto SMSESSION VALUE, this should not be allowed. Therefore when SMSESSION value changes after SessionGracePeriod, the application is issuing a relogin. Please see the weblogic_http_log.txt.

BEFORE SESSION GRACE PERIOD:

2015-06-16      10:52:27        10.54.132.24    10.54.132.24:61001      0.102   22259   GET     /nmsloader/control.jsp  200     SMSESSION=nwoV1hkkwTftcVwNlQcpCJvlKEedLBWns6ii7z46NQqsiFZ6jsm8nGh0aFEFFsrJz8LT//mJTwX/5R0D5LH0OI7RQMl7+KtviAPGYyu6MOP2cgZwU/Shjr1hjfh7oa8TE7YGvMX6RQ4u20RBg2cOD2DCAE3H4DMQze6***0KyNUZ86cMRheXP6DfEI+y/GmlZnfJLc3X/DY4q7Kozd4nEU8XUHPmV3ANZCgZBPlUnF9aFETZcW92euYxWomVEbGT4EkOjWzhER+EF1kA7ax6m0rLLZXbcLWvKZYMHmJWAOcxjwb7akuebT5VRTYTPaXpMr9GC+tFM8gTLbbU56URz7ZsuMOH9xJCpe/8irbo3UDK1G3pD2AdhbHM0AfeeAWqG78dlopNYf1UFhBDLNauVjsLomeA7GtIRCEDq1O7keTbZgonxVcUOcxZmSb0YzbaTL4coOaCHZW87KVC8Fcq9zBJ3vmQ4hZTaf1XbriSYrjhexDo76keNwsynHi5Q1x9X+rVkJEk0sGzKfSEuS/KdmBpTnkJB2q/Tz8vZl81OESfFP792TuqDftFgkWu+K9Ksf6uo61UV/+EBu1gwKgUu+u0c66qYDgYuZHTcLYzmPbGlpaigv0g24SobpDJpPh/N3Bosyv1DWj9g+CR1Gr/Ezk1HbxwBRIumTjOAAz+tINAd/fMQ2KQCfTZMaF7G9g6QhNppMyrvUBZOiJ0B7tkh96jZZVqWHuecR+XdPQHoIYB2yCef+kCNW7b8EUstqT7Fs1BvdCIG54LWUWKKbBYvyX0wZxqBHAeVM/XW1oh1TK7HWYzMNqOVPiyklTPqfoEqyzyOu3dbK8DdTk6Ie/WSNcMq/seD/WOFJagbNMY8aP8kfRg2vz8oNJCAdOPH6qNFml7mpMg8yFIV3bQYuqB4wYYjdl+7S9TcLD2NmHeCWSR6DfPX6ojOHhp66q9TwUQsKougu1sOVs4HbpS9+AwYyXS9k7KCWImQjHyQzfWRWzk0m0f5GPu2Hi5j/iQOAvvfo2g2/y8KNBx4qNNS/7zL4QATDi+q6xsQeqXOv19kyTTUhOsegvSHgFNHat64tkActPAviTjczQczJXrBeopEParGi0j7jk24DnqbuxMbxKkSvNM7EsC9qKCFV/ru9tN+J6ibUU/vpIx1qByqL4BNJykxLNFXb7PIAq8oUgF2kvh3Z9lZr/vC8BhjXyt/ZseP543h8TKHyzTycZjI2/gLoy61fXTNlAL; JSESSIONID=TqlqV1xLG9fXq28nc3X1Q2KTyRypBPF1sq13SPG5KnSGYZnql7l2!-524521065

2015-06-16      10:52:27        10.54.132.24    10.54.132.24:61001      0.102   22259   GET     /nmsloader/control.jsp  200     SMSESSION=nwoV1hkkwTftcVwNlQcpCJvlKEedLBWns6ii7z46NQqsiFZ6jsm8nGh0aFEFFsrJz8LT//mJTwX/5R0D5LH0OI7RQMl7+KtviAPGYyu6MOP2cgZwU/Shjr1hjfh7oa8TE7YGvMX6RQ4u20RBg2cOD2DCAE3H4DMQze6***0KyNUZ86cMRheXP6DfEI+y/GmlZnfJLc3X/DY4q7Kozd4nEU8XUHPmV3ANZCgZBPlUnF9aFETZcW92euYxWomVEbGT4EkOjWzhER+EF1kA7ax6m0rLLZXbcLWvKZYMHmJWAOcxjwb7akuebT5VRTYTPaXpMr9GC+tFM8gTLbbU56URz7ZsuMOH9xJCpe/8irbo3UDK1G3pD2AdhbHM0AfeeAWqG78dlopNYf1UFhBDLNauVjsLomeA7GtIRCEDq1O7keTbZgonxVcUOcxZmSb0YzbaTL4coOaCHZW87KVC8Fcq9zBJ3vmQ4hZTaf1XbriSYrjhexDo76keNwsynHi5Q1x9X+rVkJEk0sGzKfSEuS/KdmBpTnkJB2q/Tz8vZl81OESfFP792TuqDftFgkWu+K9Ksf6uo61UV/+EBu1gwKgUu+u0c66qYDgYuZHTcLYzmPbGlpaigv0g24SobpDJpPh/N3Bosyv1DWj9g+CR1Gr/Ezk1HbxwBRIumTjOAAz+tINAd/fMQ2KQCfTZMaF7G9g6QhNppMyrvUBZOiJ0B7tkh96jZZVqWHuecR+XdPQHoIYB2yCef+kCNW7b8EUstqT7Fs1BvdCIG54LWUWKKbBYvyX0wZxqBHAeVM/XW1oh1TK7HWYzMNqOVPiyklTPqfoEqyzyOu3dbK8DdTk6Ie/WSNcMq/seD/WOFJagbNMY8aP8kfRg2vz8oNJCAdOPH6qNFml7mpMg8yFIV3bQYuqB4wYYjdl+7S9TcLD2NmHeCWSR6DfPX6ojOHhp66q9TwUQsKougu1sOVs4HbpS9+AwYyXS9k7KCWImQjHyQzfWRWzk0m0f5GPu2Hi5j/iQOAvvfo2g2/y8KNBx4qNNS/7zL4QATDi+q6xsQeqXOv19kyTTUhOsegvSHgFNHat64tkActPAviTjczQczJXrBeopEParGi0j7jk24DnqbuxMbxKkSvNM7EsC9qKCFV/ru9tN+J6ibUU/vpIx1qByqL4BNJykxLNFXb7PIAq8oUgF2kvh3Z9lZr/vC8BhjXyt/ZseP543h8TKHyzTycZjI2/gLoy61fXTNlAL; JSESSIONID=TqlqV1xLG9fXq28nc3X1Q2KTyRypBPF1sq13SPG5KnSGYZnql7l2!-524521065

AFTER SESSION GRACE PERIOD:

2015-06-16      10:55:03        10.54.132.24    10.54.132.24:61001      0.0030  305     POST    /nmsloader/control.jsp  302

2015-06-16      10:55:04        10.54.132.24    10.54.132.24:61001      0.0040  1313    GET     /nmsloader/relogin.htm  200     SMSESSION=GUI/D+CUoCAyvXD7RehMfjmFKWpRzZzyDiyx2QHYDSzBcGvn2zBNBO1si5e8MJVnAgE2MavYKtTpRrzvwd1tna8szQJ2vpa4srmqeKCEbkRPYu38jd9TamUBT7ZIbisvNjCeZSbg+wB7tBRixTvMZSv9BkLY+ewbpnR1tGwsEn4BP8p29Lj1VPS9QXmSvNTTaLrJRLku4AsKWP3YdhU9/ygmQeesCHa29bujAvfdr2bzWHs/XAinPLZgtR6YpUvkoBqlYELnqaR8P6J/YmSqOqE2c5gT2xu+5mD3fh74I8qlgoE5jtJ+YEgLbNV79UrLq5OLqjmlXpAHUGFQB0VceRl++tpQhQTmu6l4zRK00tOmhZrPxFAytFtDTbHWjTDXPmorOXj84Im8oAa6Mkt7DgGdFO2wH9o1mfJV0TtmUYpgLvlLzMJ7sRkHGoxu/GiayfbgSE9cdunLwmw8xQid+oQJ1RQJy8VP+loIPTrB6D3H7JsyEcivB07/NDol5j0fBpgUoXg/Nay4BIVAAocjm25tQdnLcrBC0dMuVfQ2evT0nZxflIsifOoSgcpECRG2fvgLpljNICOHhfg+oJxyBIr7klnaUiD4o8LBKMmYFAHvnW9lgEgjBv4csSdEqITh42ClQXNydLZX9pKIhL3xYwNbVLAoEpBADEJ5MgSPC4q3wIwPhi1sH99W02cBIYGs1uqsXZ7r633HoRWamaUon8JWjrW9Sv80B7rJUvbOgf71mJS+BXIZVUxleNz4EPij+vepwso9TLBRWHJUJ4bM862c2pWb/DYbb+ulQLcswSY5ucZyZRU1gCfZqwlegeb6/YKu5vpwoRsNwMSm2Q6RV8rk4NdOO9MoHF4HbgpO8kwyNNkKj5W1U7gOo4Zup7d6AW7u6NqwuiwlYAmMZDMQ7fKUEv0EwpM2O00ragE/ONnXOedmB4sDPnpdWww3t+bgyfpOPN+/pWR0qgA3dtVbmRh24Jkfd76hom9opInHhlzLgXTS3+dgUSspinJUmmBFSjLlZS+ANtvk7+FqitncwO7zukPnFr2Isdjf4zqBf8KSwXSRnb8rm0D+0cDoD4hAAawzxGfSOTS9L+Kt4ypC+jzQZxoFRLYhdDKiL4Pi2YF0GR1TcJy6EVFZxns5HRSTLWb+oZFWN8HcIsA2Sfdc8MoQBaNXYF0roKF7VV7Ef91g1EQLVvEa5To4n0XCtcL0Avmn8J3O3wR+gDpyeePoGPVMU4q7XWF+; JSESSIONID=Hk48V1yXQwtX2jgmJc23GpRnHlQZrs16hn17Vp1fy2LnwL8vvhpG!-524521065

2015-06-16      10:55:04        10.54.132.24    10.54.132.24:61001      0.086   375     GET    /nmsloader/loginPage.jsp?reason=expired 200    SMSESSION=GUI/D+CUoCAyvXD7RehMfjmFKWpRzZzyDiyx2QHYDSzBcGvn2zBNBO1si5e8MJVnAgE2MavYKtTpRrzvwd1tna8szQJ2vpa4srmqeKCEbkRPYu38jd9TamUBT7ZIbisvNjCeZSbg+wB7tBRixTvMZSv9BkLY+ewbpnR1tGwsEn4BP8p29Lj1VPS9QXmSvNTTaLrJRLku4AsKWP3YdhU9/ygmQeesCHa29bujAvfdr2bzWHs/XAinPLZgtR6YpUvkoBqlYELnqaR8P6J/YmSqOqE2c5gT2xu+5mD3fh74I8qlgoE5jtJ+YEgLbNV79UrLq5OLqjmlXpAHUGFQB0VceRl++tpQhQTmu6l4zRK00tOmhZrPxFAytFtDTbHWjTDXPmorOXj84Im8oAa6Mkt7DgGdFO2wH9o1mfJV0TtmUYpgLvlLzMJ7sRkHGoxu/GiayfbgSE9cdunLwmw8xQid+oQJ1RQJy8VP+loIPTrB6D3H7JsyEcivB07/NDol5j0fBpgUoXg/Nay4BIVAAocjm25tQdnLcrBC0dMuVfQ2evT0nZxflIsifOoSgcpECRG2fvgLpljNICOHhfg+oJxyBIr7klnaUiD4o8LBKMmYFAHvnW9lgEgjBv4csSdEqITh42ClQXNydLZX9pKIhL3xYwNbVLAoEpBADEJ5MgSPC4q3wIwPhi1sH99W02cBIYGs1uqsXZ7r633HoRWamaUon8JWjrW9Sv80B7rJUvbOgf71mJS+BXIZVUxleNz4EPij+vepwso9TLBRWHJUJ4bM862c2pWb/DYbb+ulQLcswSY5ucZyZRU1gCfZqwlegeb6/YKu5vpwoRsNwMSm2Q6RV8rk4NdOO9MoHF4HbgpO8kwyNNkKj5W1U7gOo4Zup7d6AW7u6NqwuiwlYAmMZDMQ7fKUEv0EwpM2O00ragE/ONnXOedmB4sDPnpdWww3t+bgyfpOPN+/pWR0qgA3dtVbmRh24Jkfd76hom9opInHhlzLgXTS3+dgUSspinJUmmBFSjLlZS+ANtvk7+FqitncwO7zukPnFr2Isdjf4zqBf8KSwXSRnb8rm0D+0cDoD4hAAawzxGfSOTS9L+Kt4ypC+jzQZxoFRLYhdDKiL4Pi2YF0GR1TcJy6EVFZxns5HRSTLWb+oZFWN8HcIsA2Sfdc8MoQBaNXYF0roKF7VV7Ef91g1EQLVvEa5To4n0XCtcL0Avmn8J3O3wR+gDpyeePoGPVMU4q7XWF+; JSESSIONID=Hk48V1yXQwtX2jgmJc23GpRnHlQZrs16hn17Vp1fy2LnwL8vvhpG!-524521065

2015-06-16      10:55:05        10.54.132.24    10.54.132.24:61001      0.027   3690    GET     /nmsloader/warning.jsp  200     SMSESSION=GUI/D+CUoCAyvXD7RehMfjmFKWpRzZzyDiyx2QHYDSzBcGvn2zBNBO1si5e8MJVnAgE2MavYKtTpRrzvwd1tna8szQJ2vpa4srmqeKCEbkRPYu38jd9TamUBT7ZIbisvNjCeZSbg+wB7tBRixTvMZSv9BkLY+ewbpnR1tGwsEn4BP8p29Lj1VPS9QXmSvNTTaLrJRLku4AsKWP3YdhU9/ygmQeesCHa29bujAvfdr2bzWHs/XAinPLZgtR6YpUvkoBqlYELnqaR8P6J/YmSqOqE2c5gT2xu+5mD3fh74I8qlgoE5jtJ+YEgLbNV79UrLq5OLqjmlXpAHUGFQB0VceRl++tpQhQTmu6l4zRK00tOmhZrPxFAytFtDTbHWjTDXPmorOXj84Im8oAa6Mkt7DgGdFO2wH9o1mfJV0TtmUYpgLvlLzMJ7sRkHGoxu/GiayfbgSE9cdunLwmw8xQid+oQJ1RQJy8VP+loIPTrB6D3H7JsyEcivB07/NDol5j0fBpgUoXg/Nay4BIVAAocjm25tQdnLcrBC0dMuVfQ2evT0nZxflIsifOoSgcpECRG2fvgLpljNICOHhfg+oJxyBIr7klnaUiD4o8LBKMmYFAHvnW9lgEgjBv4csSdEqITh42ClQXNydLZX9pKIhL3xYwNbVLAoEpBADEJ5MgSPC4q3wIwPhi1sH99W02cBIYGs1uqsXZ7r633HoRWamaUon8JWjrW9Sv80B7rJUvbOgf71mJS+BXIZVUxleNz4EPij+vepwso9TLBRWHJUJ4bM862c2pWb/DYbb+ulQLcswSY5ucZyZRU1gCfZqwlegeb6/YKu5vpwoRsNwMSm2Q6RV8rk4NdOO9MoHF4HbgpO8kwyNNkKj5W1U7gOo4Zup7d6AW7u6NqwuiwlYAmMZDMQ7fKUEv0EwpM2O00ragE/ONnXOedmB4sDPnpdWww3t+bgyfpOPN+/pWR0qgA3dtVbmRh24Jkfd76hom9opInHhlzLgXTS3+dgUSspinJUmmBFSjLlZS+ANtvk7+FqitncwO7zukPnFr2Isdjf4zqBf8KSwXSRnb8rm0D+0cDoD4hAAawzxGfSOTS9L+Kt4ypC+jzQZxoFRLYhdDKiL4Pi2YF0GR1TcJy6EVFZxns5HRSTLWb+oZFWN8HcIsA2Sfdc8MoQBaNXYF0roKF7VV7Ef91g1EQLVvEa5To4n0XCtcL0Avmn8J3O3wR+gDpyeePoGPVMU4q7XWF+; JSESSIONID=Hk48V1yXQwtX2jgmJc23GpRnHlQZrs16hn17Vp1fy2LnwL8vvhpG!-524521065

Please fix the Application Configuration / Code Logic to look at SiteMinder Headers rather than hitching onto the SMSESSION Value.

Regards

Hubert

Thanks Hubert.

Will contact with the Application team and update you.

Thanks,

Ravi

Hi Vivek_S,

we're having a same problem until recently.

lately we did upgrade the weblogic plugin, and then the problem was solved as your case.

but, customer called us that some interfaces  between OHS and weblogic are not working since having upgraded weblogic plugin.

there is not any issues on your case ?

thanks,

Thanks Vivek and JpJung, Probably the same would be the reason in our case.

HI jpjung

No we haven't encountered any problem that you mentioned,

Thanks