Symantec Access Management

Running the Java Custom Authentication Scheme

  • 1.  Running the Java Custom Authentication Scheme

    Broadcom Employee
    Posted Nov 01, 2011 10:22 AM

    Tuesday Tip by Julien Nitot, Senior Support Engineer, for 11-1-2011

    How to run the Java Custom Authentication Scheme provided with the Sample SDK
    ----------------------------------------------------------------------------------------------------

    1. Compile the class

    * Create the directory : C:\Program Files\netegrity\sdk\com\netegrity\sdk\javaauthapi
    * Copy the AuthApiSample.java and java-build.bat from C:\Program Files\netegrity\sdk\samples\javaauthapi to C:\Program Files\netegrity\sdk\com\netegrity\sdk\javaauthapi
    * Go to C:\Program Files\netegrity\sdk\com\netegrity\sdk\javaauthapi and run java-build.bat

    The AuthApiSample.class should be present in C:\Program Files\netegrity\sdk\com\netegrity\sdk\javaauthapi

    2. Build the jar

    * Go to C:\Program Files\netegrity\sdk
    * Run the following : "C:\Program Files\Java\jdk1.6.0_21\bin\jar" cvf MyCustomClass.jar com
    (The MyCustomClass.jar should be present in C:\Program Files\netegrity\sdk)

    3. Add the jar to the JVMOptions.txt of the policy server

    * Edit the C:\Program Files\netegrity\siteminder\config\JVMOptions.txt
    * Add ;C:/Program Files/netegrity/sdk/MyCustomClass.jar to the end of the classpath definition
    * Restart the Policy Server

    4. Create the authentication scheme

    * Using the Policy Server AdminUI, create a custom template authentication scheme, enter the following values:

    Library : smjavaapi
    Secret: leave blank
    Confirm Secret: leave blank
    Parameter: com.netegrity.sdk.javaauthapi.AuthApiSample

    5. Test it

    Next, associate this authentication scheme to a protected realm.

    Please note: You may need to copy the jvm.dll from C:\Program Files\Java\jre6\bin\client to C:\Program Files\Java\jre6\bin\server



  • 2.  RE: Running the Java Custom Authentication Scheme

    Posted Dec 27, 2011 12:59 AM
    Can I have the steps to run the Java Custom Authentication Scheme provided with the Sample SDK on Linux OS?


  • 3.  RE: Running the Java Custom Authentication Scheme

    Posted Jan 02, 2012 04:13 AM
    Thanks Yoda.

    I tried executing the sample /export/home/smuser/netegrity/sdk/samples/javaauthapi/AuthApiSample.java

    -------------------------------------------------------------------------------------------------------------------------
    Created the Auth scheme 'Custom_BB' as mentioned

    Name - Custom_BB
    Authentication Scheme Type- Custom Template
    Protection Level - 5
    Enabled - Password Policies Enabled for this Authentication Scheme
    Library - smjavaapi
    Secret - Blank
    Confirm Secret - Blank
    Parameter - export.home.smuser.netegrity.sdk.samples.javaauthapi.AuthApiSample
    ------------------------------------------$ tail -f smpsqlwlk2.trace | grep -i custom-----------------------------

    [01/02/2012][04:02:25][577444784][BlackBerry1][][][][][][][][][][][][tsg_isr_agent][Send response attribute 158, data size is 93][Reject s3136/r3 : internal error - failed to obtain scheme credentials for scheme 'Custom_BB'][][CSm_Az_Message::FormatAttribute][][][][][][][Sm_Az_Message.cpp:694][27329][04:02:25.988][][][][s3136/r3][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][52 65 6a 65 63 74 20 73 33 31 33 36 2f 72 33 20 3a 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 2d 20 66 61 69 6c 65 64 20 74 6f 20 6f 62 74 61 69 6e 20 73 63 68 65 6d 65 20 63 72 65 64 65 6e 74 69 61 6c 73 20 66 6f 72 20 73 63 68 65 6d 65 20 27 43 75 73 74 6f 6d 5f 42 42 27 ][][][][][][]
    [01/02/2012][04:02:25][577444784][BlackBerry1][][][][][][][][][][][][tsg_isr_agent][** Status: Error. Reject s3136/r3 : internal error - failed to obtain scheme credentials for scheme 'Custom_BB'][][][CSm_Az_Message::ProcessMessage][][][][][][][Sm_Az_Message.cpp:493][27329][04:02:25.988][][][][s3136/r3][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][][][][][][][]
    [01/02/2012][04:02:25][577444784][][][][][][0d-000ce4a4-6780-1f01-a34d-a2360a2a0075][][][][][][Reject s3136/r3 : internal error - failed to obtain scheme credentials for scheme 'Custom_BB'][][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][][][CSm_Az_Message::IsProtected][][][][][][][IsProtected.cpp:212][27329][04:02:25.988][][][][s3136/r3][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
    ---------------------------------------------------------------------------------------------
    Appreciate your quick help on resolving this issue


  • 4.  RE: Running the Java Custom Authentication Scheme

    Posted Jan 02, 2012 09:04 PM
    Hi Folks,

    I am looking for a custom auth Java program that should authenticate the users with any one of the matching attributes at the LDAP user store (no password will be supplied). Is this achievable? Can anyone provide tips / methods to tackle this requirement?


  • 5.  RE: Running the Java Custom Authentication Scheme

    Posted Mar 11, 2014 01:27 AM

    Hi All,

    I am looking for a SiteMinder custom authentication scheme implementation. I have implemented the jar and created the auth scheme as well, but when I try to hit the protected URL the errors below are thrown. Please suggest.

    Browser:

    Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator, webmaster@ and inform them of the time the error occurred, and anything you might have done that may have caused the error.

    More information about this error may be available in the server error log.

    From smtrace log:

    [14:41:37][Starting IsProtected processing.][etst.com.au-int][/servicecentre][]
    [14:41:37][Resource is protected by realm.][][/servicecentre][]
    [14:41:37][** Status: Error. Reject s9/r3 : internal error - failed to obtain scheme credentials for scheme 'CIDSiteminder'][etst.com.au-int][][]
    [14:41:37][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][][][]

     



  • 6.  Re: RE: Running the Java Custom Authentication Scheme

    Posted Jun 17, 2014 05:00 AM

    Hi,

     

    After following the above steps, when I try to access the protected resource, the Internal Server Error 500 is displayed. Checking the trace log, this is what I found. Is there any step missing, or are some configuration changes needed in the environment?

     

    06/17/2014][12:59:17.476][12:59:17][2596][4664][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s3/r7][apache_agent][][][][Headers][][][][][][][][][][][][][][Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][Send response attribute 158, data size is 104][]

    [06/17/2014][12:59:17.476][12:59:17][2596][4664][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s3/r7][apache_agent][][][][Headers][][][][][][][][][][][][][][][Send response attribute 146, data size is 0][]

    [06/17/2014][12:59:17.476][12:59:17][2596][4664][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s3/r7][apache_agent][][][][Headers][][][][][][][][][][][][][][][Send response attribute 147, data size is 0][]

    [06/17/2014][12:59:17.476][12:59:17][2596][4664][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][s3/r7][apache_agent][][][][Headers][][][][][][][][][][][][][][][** Status: Error. Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][]

    [06/17/2014][12:59:17.476][12:59:17][2596][4664][Sm_Az_Message.cpp:567][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::SendReply][]

    [06/17/2014][12:59:17.476][12:59:17][2596][4664][IsProtected.cpp:212][CSm_Az_Message::IsProtected][s3/r7][][][][][][][][][][][][][Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][][][][][][][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][]



  • 7.  Re: RE: Running the Java Custom Authentication Scheme

    Posted Jul 16, 2014 08:48 PM

    Hello All,

     

    For those of you who are getting following error "Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme'" I think I know what the problem is.

     

    It is most likely that in step(1) above java-build.bat/java-build.sh didn't execute successfully.

    If you view the java-build.bat, all it is doing is compiling AuthApiSample.java as below :

     

    "javac -classpath .;..\..\java\SmJavaApi.jar AuthApiSample.java"

     

    As you can see above, it is expecting "SmJavaApi.jar" to be in the classpath. But when you move this batch file from its default location, it is possible that it will no longer be able to locate this SmJavaApi.jar file.

    To confirm this, try running this batch file from a command prompt; you would then see some errors like below:

     

    "C:\Custom Auth\mycustomclass - Copy\com\netegrity\sdk\javaauthapi>javac -classpath .;..\..\java\SmJavaApi.jar" AuthApiSample.java

    AuthApiSample.java:25: error: package com.netegrity.policyserver.smapi does not

    exist

    import com.netegrity.policyserver.smapi.*;

    ^"

     

    Solution

    ======

    To fix this, you will need to specify the full path to the SmJavaApi.jar file in the batch file.

     

    You can find this jar file in :

    $Siteminder SDK Installed Directory$\java\SmJavaApi.jar

    $Policy Server Installed Directory$\bin\jars\SmJavaApi.jar

     

    So your batch file should look something like this :

    javac -classpath ".;C:\Program Files (x86)\CA\sdk\java\SmJavaApi.jar" AuthApiSample.java

     

    To confirm, if the batch is executing successfully, you need to check if the "AuthApiSample.class" class file is created or not in the folder.

     

    Hope this helps.

     

    Regards,

    Ujwol Shrestha



  • 8.  Re: RE: Running the Java Custom Authentication Scheme

    Broadcom Employee
    Posted Oct 05, 2017 08:58 PM

    Hi

     

    1) For : "Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme'"

        I expect that means the auth scheme has not loaded correctly; I would expect there is some error in smps.log saying it cannot load the class.

     

    2) Running smpolicysrv from the cmd line is usually the best way to debug java custom auth schemes.

    For DOS or Unix, stop the policy server service, via smconsole or other method. Then:

     

    For DOS : 

    cd \CA\Program Files\SiteMinder\bin

    smpolicysrv

     

    For Unix:

    cd /opt/ca/siteminder/

    . ./sm_ps_env.sh

    cd bin

    ./smpolicysrv 

     

     

    3) Also I've attached a sample auth scheme, that just adds a delay to the auth login (and uses a forms login)

         The build scripts in the .zip file (both .bat and .sh) are set up to use the .jar files on the policy server to compile (you need to edit them to set the variable)

     

    build.bat

    set JAVA_HOME=C:\Program Files\Java\jdk1.5.0_14
    set SMJARPATH=C:\ca\netegrity\siteminder\bin\jars

     

    build.sh

    LibPath=/opt/ca/siteminder/bin/jars

     

    4) Redirect java stdout - as alternative to 2) if you're in a production environment

    I would recommend doing 2) first since that is simpler, but when in production this can be used:

    Helping to debug SSO Policy Server java processes - redirecting stdout/stderr to timestamped file. 

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success

    Attachment(s)

    zip
    javaauthapi-delay.7z.zip   47 KB 1 version


  • 9.  Re: Running the Java Custom Authentication Scheme

    Broadcom Employee
    Posted Oct 06, 2017 01:05 AM

    Just to cover off what we found (via internal support case) for this issue : For the error :   

    "Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme'"

     

    Was the result of a NoSuchFieldError exception being thrown each time the java authenticate() method was being called.

     

    Running from the cmd line so we could see the stdout, it showed the NoSuchFieldError exception and java stack trace.

     

    Adding "-verbose" to the JVMOptions.txt, and still running from the cmd line,  then showed us which .jar file each class is being loaded from.  We find that the class in question is being loaded from another .jar file not the .jar file we expected.

     

    So there were two different implementations of the same <package>.<classname> in the JVMOptions.txt classpath and the wrong one was being used for the custom authenticate() call.

     

    When we removed the other .jar file from the classpath, this custom auth scheme then loaded and ran as expected.

     

    So the outcome here is that where multiple .jar files are deployed on a policy server, it is probably good/best practice to give each component (cust auth/active expression) its own unique package name, and that will avoid any class namespace conflicts.

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success
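
One way to check a classpath for the conflict described in the post above, as an added example that is not part of the thread or of the SiteMinder SDK: it lists every class name that appears in more than one jar, in classpath order. The jar contents, OtherComponent.jar and the com.example package names are constructed; pass the classpath value from your own JVMOptions.txt and the separator it uses.

```python
import os
import tempfile
import zipfile
from collections import defaultdict


def classes_in_jar(jar_path):
    """Return the fully qualified class names stored in one jar."""
    with zipfile.ZipFile(jar_path) as jar:
        return {n[:-6].replace("/", ".") for n in jar.namelist()
                if n.endswith(".class")}


def find_duplicate_classes(classpath, sep=";"):
    """Map each class found in more than one jar to the jars holding it,
    in classpath order (the first jar listed is the one that gets loaded)."""
    owners = defaultdict(list)
    for entry in (e.strip() for e in classpath.split(sep)):
        if not entry.lower().endswith(".jar") or not os.path.isfile(entry):
            continue  # skip directories, blanks and missing files
        for cls in classes_in_jar(entry):
            owners[cls].append(entry)
    return {cls: jars for cls, jars in owners.items() if len(jars) > 1}


def build_sample_classpath(workdir):
    """Constructed sample: two jars that both ship the same class name."""
    layout = {
        "OtherComponent.jar": ["com/example/auth/Helper.class",
                               "com/example/other/Expr.class"],
        "MyCustomClass.jar": ["com/example/auth/Helper.class",
                              "com/example/auth/MyScheme.class"],
    }
    paths = []
    for jar_name, members in layout.items():
        path = os.path.join(workdir, jar_name)
        with zipfile.ZipFile(path, "w") as jar:
            for member in members:
                jar.writestr(member, b"\xca\xfe\xba\xbe")  # placeholder bytes
        paths.append(path)
    return ";".join(paths)


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        dupes = find_duplicate_classes(build_sample_classpath(workdir))
        return {cls: [os.path.basename(j) for j in jars]
                for cls, jars in dupes.items()}


if __name__ == "__main__":
    for cls, jars in demo().items():
        print(f"{cls}: loaded from {jars[0]}, shadowed in {jars[1:]}")
```
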



  • 10.  Re: Running the Java Custom Authentication Scheme

    Posted Feb 23, 2019 10:14 PM

    Mark.ODonohue we have a custom Auth scheme written in C++ which is compiled, configured and working in Windows.

    But when we recompiled the code as a shared library to run in Linux we are getting the error below:

     

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][SmObjCache.cpp:779][CSmObjCache::Lookup][][][][][][][][][][][][][][][][][][][][][Look up a cached object.][][][][0d-000e078d-04a8-1c72-8259-247b0a750000][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][SmAuthServer.cpp:242][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-02910] Failed to load library 'dtauthapi.so'. Error: Unknown Error][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][Sm_Az_Message.cpp:409][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Enter function CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s2/r4][devint-sps1-agent][][][][dt20_dtc_realm][dt20_dtc_auth][][][][][][][][][][][][][Reject s2/r4 : internal error - failed to obtain scheme credentials for scheme 'test'][Send response attribute 158, data size is 85][][][][][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][52 65 6a 65 63 74 20 73 32 2f 72 34 20 3a 20 69 6e 74 65 72 6e 61 6c 20 65 72 72 6f 72 20 2d 20 66 61 69 6c 65 64 20 74 6f 20 6f 62 74 61 69 6e 20 73 63 68 65 6d 65 20 63 72 65 64 65 6e 74 69 61 6c 73 20 66 6f 72 20 73 63 68 65 6d 65 20 27 74 65 73 74 27 ][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s2/r4][devint-sps1-agent][][][][dt20_dtc_realm][dt20_dtc_auth][][][][][][][][][][][][][][Send response attribute 146, data size is 0][][][][][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s2/r4][devint-sps1-agent][][][][dt20_dtc_realm][dt20_dtc_auth][][][][][][][][][][][][][][Send response attribute 147, data size is 0][][][][][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s2/r4][devint-sps1-agent][][][][dt20_dtc_realm][dt20_dtc_auth][][][][][][][][][][][][][][** Status: Error. Reject s2/r4 : internal error - failed to obtain scheme credentials for scheme 'test'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][Sm_Az_Message.cpp:602][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.-4294967205][]

    [02/23/2019][22:05:18.320][22:05:18][5658][140162684122880][IsProtected.cpp:240][CSm_Az_Message::IsProtected][s2/r4][][][][][][][][][][][][][Reject s2/r4 : internal error - failed to obtain scheme credentials for scheme 'test'][][][][][][][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][][][][][][][][0d-000e078d-04a8-1c72-8259-247b0a750000][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    Will it be possible for you to suggest what might be wrong here?



  • 11.  Re: Running the Java Custom Authentication Scheme

    Broadcom Employee
    Posted Feb 25, 2019 12:54 AM

    Hi Vikas, 

     

     

     Failed to load library 'dtauthapi.so'. Error: Unknown Error][

     

    For a C++ custom auth scheme, to fail to load, usually it means it is missing one of its dependent libraries:

     

    So you can try using :  ldd dtauthapi.so    to get a list of them, and make sure they all will resolve and are accessible via the policy server run-time user. 

     

    Or you can also run strace on the policy server before you run the method that loads the auth scheme; it will show you the open and load of the dtauthapi.so, and then should also show all the child libraries it tries to open, where maybe one of them is missing.

     

    You may need some compatibility (i.e. using the compat libraries to compile) so that the stdc lib and stdc++ lib libraries match those that are used with the policy server runtime - but first try for the missing/unloadable .so file as the interface was straight C, so was fairly resilient.

     

    Cheers - Mark
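
A triage helper for the trace output posted throughout this thread, as an added example that is not part of any post and not Broadcom code: it groups the generic "failed to obtain scheme credentials" rejections by scheme and attaches a "Failed to load library" error logged with the same timestamp, when there is one. The sample lines are constructed by abridging lines quoted above, and the leading [date][time] layout is an assumption that depends on the trace configuration.

```python
import re

# Constructed sample, abridged from trace lines quoted in this thread
# (empty [] fields and hex dumps dropped).
SAMPLE_TRACE = """\
[02/23/2019][22:05:18.320][SmAuthServer.cpp:242][LogMessage:ERROR:[sm-Server-02910] Failed to load library 'dtauthapi.so'. Error: Unknown Error]
[02/23/2019][22:05:18.320][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s2/r4][Reject s2/r4 : internal error - failed to obtain scheme credentials for scheme 'test']
[02/23/2019][22:05:18.320][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s2/r4][** Status: Error. Reject s2/r4 : internal error - failed to obtain scheme credentials for scheme 'test']
[06/17/2014][12:59:17.476][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][s3/r7][** Status: Error. Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication']
"""

REJECT = re.compile(r"Reject (s\d+/r\d+) : internal error - failed to obtain "
                    r"scheme credentials for scheme '([^']*)'")
LOAD_FAIL = re.compile(r"Failed to load library '([^']+)'\. Error: ([^\]]+)\]")
STAMP = re.compile(r"^\[(\d\d/\d\d/\d{4})\]\[(\d\d:\d\d:\d\d(?:\.\d+)?)\]")


def triage(trace_text):
    """Return {scheme: {"tags": [sN/rN, ...], "cause": str or None}}."""
    report = {}
    last_fail = None  # (stamp, library, error) of the latest load failure
    for line in trace_text.splitlines():
        m = STAMP.match(line)
        stamp = m.groups() if m else None
        fail = LOAD_FAIL.search(line)
        if fail:
            last_fail = (stamp, fail.group(1), fail.group(2).strip())
            continue
        rej = REJECT.search(line)
        if not rej:
            continue
        tag, scheme = rej.groups()
        entry = report.setdefault(scheme, {"tags": [], "cause": None})
        if tag not in entry["tags"]:  # the same rejection is logged several times
            entry["tags"].append(tag)
        if last_fail and stamp is not None and last_fail[0] == stamp:
            entry["cause"] = f"{last_fail[1]}: {last_fail[2]}"
    return report


if __name__ == "__main__":
    for scheme, info in triage(SAMPLE_TRACE).items():
        cause = info["cause"] or "no load error in trace; check smps.log / stdout"
        print(f"{scheme!r} {info['tags']}: {cause}")
```
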