In Privileged Infrastructure Management (PIM), Shared Access Management (SAM) accounts as well as endpoints are managed from a central GUI running under jboss/wildfly. Sometimes, even though connectivity to the user store is fine and all services are up and running, access to the GUI is not possible: either the initial screen comes back right after the login attempt or, in a variant of this problem, accessing any functionality once inside the PIM GUI results in the user being kicked out to the initial screen.
At the same time, the following lines can be observed in jboss/wildfly's server.log:
2019-08-28 12:49:50,260 INFO [com.ca.ppm.event.impl.LoginEvent] User superadmin attempted to login. Status=succeeded, Client IP=x.x.x.x, Client Hostname=x.x.x.x
2019-08-28 12:49:50,264 INFO [STDOUT] [Wed Aug 28 12:49:50 AST 2019] [Info] CsrfGuard analyzing request /iam/ac
2019-08-28 12:49:50,305 INFO [STDOUT] [Wed Aug 28 12:49:50 AST 2019] [Info] CsrfGuard analyzing request /iam/ac/index.jsp
2019-08-28 12:49:50,314 INFO [STDOUT] [Wed Aug 28 12:49:50 AST 2019] [Info] CsrfGuard analyzing request /iam/ac/ca12/index.jsp
2019-08-28 12:49:52,571 INFO [com.netegrity.taglib.skin.TagUtilLocal] Including view: /app/page/worklist_body.jsp
2019-08-28 12:50:01,599 INFO [STDOUT] [Wed Aug 28 12:50:01 AST 2019] [Info] CsrfGuard analyzing request /iam/CSRFGuard/JavaScriptServlet
2019-08-28 12:50:01,600 ERROR [STDERR] [Wed Aug 28 12:50:01 AST 2019] [Error] Referer domain https://mytest.ca.com/iam/ac/ca12/index.jsp does not match request domain: http://mytest.ca.com/iam/CSRFGuard/JavaScriptServlet
2019-08-28 12:50:01,660 INFO [STDOUT] [Wed Aug 28 12:50:01 AST 2019] [Info] CsrfGuard analyzing request /iam/ac/ca12/image/unsorted.png
2019-08-28 12:50:01,665 INFO [STDOUT] [Wed Aug 28 12:50:01 AST 2019] [Info] CsrfGuard analyzing request /iam/ac/ca12/image/ascending.png
This is the error that blocks access to the GUI, so a workaround needs to be devised to allow correct access to the resources.
CA PIM 19.X/14.X and CA PAM SC 14.X
CSRF is a known attack, which is described in the following article:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Most application servers contain filters aimed at preventing a malicious intruder from using CSRF to gain access to the system.
In particular, the jboss/wildfly shipped with the latest PIM and PAM SC versions contains anti-CSRF mechanisms.
There is a configuration file, csrfguard.properties, located under
/opt/boss-4.2.3.GA/server/default/deploy/IdentityMinder.ear/user_console.war/WEB-INF
which contains the options for CSRF prevention. It is possible to modify this file to allow requests which would otherwise be blocked.
The csrfguard properties need to be updated so that the filter no longer treats the connection as a cross-site request forgery attempt. This can be done by changing, in csrfguard.properties,
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
and/or
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain=false
and restarting jboss. Please note that changing these settings also makes the whole environment less secure, so a preferable alternative is to understand why this filter considers the requests as coming from another domain even though client and server are in the same one. In the log lines above, the Referer URL (https://mytest.ca.com/...) and the request URL (http://mytest.ca.com/...) share the same host and differ only in the scheme, https versus http; that scheme difference is what the check reports, so the first thing to establish is why the request arrives at jboss as plain http when the page it came from was loaded over https.
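The following is an added example, not code from the CA article or from CSRFGuard itself. It does two things a practitioner would want when triaging this error: it reads the "Referer domain ... does not match request domain" line from server.log and states which component of the two URLs actually differs (scheme or host), and it audits a csrfguard.properties text for the two relaxed values the workaround above proposes, so the weakened setting can be detected on a server later. The comparison of scheme plus host is an assumption about how CSRFGuard's referer check behaves, taken from the log message rather than from the page; the log line and properties fragment are constructed samples based on the excerpt above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the CSRFGuard error line from the server.log excerpt above.
SAMPLE_LOG_LINE = (
    "2019-08-28 12:50:01,600 ERROR [STDERR] [Wed Aug 28 12:50:01 AST 2019] [Error] "
    "Referer domain https://mytest.ca.com/iam/ac/ca12/index.jsp does not match "
    "request domain: http://mytest.ca.com/iam/CSRFGuard/JavaScriptServlet"
)

# Constructed sample: a csrfguard.properties fragment carrying both relaxed settings.
SAMPLE_PROPERTIES = """\
# relaxed referer checking (constructed sample, not a shipped file)
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
org.owasp.csrfguard.JavascriptServlet.refererMatchDomain=false
org.owasp.csrfguard.JavascriptServlet.domainStrict = true
"""

REFERER_ERROR = re.compile(
    r"Referer domain (?P<referer>\S+) does not match request domain: (?P<request>\S+)"
)


def origin_of(url):
    """Scheme plus host[:port] of a URL, lower-cased. Assumption: this is the
    part CSRFGuard compares when refererMatchDomain is true."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_mismatch(referer, request_url):
    """Return None if the referer passes the origin comparison, otherwise a
    short reason naming the component that differs."""
    if origin_of(referer) == origin_of(request_url):
        return None
    r, q = urlsplit(referer), urlsplit(request_url)
    if r.netloc.lower() == q.netloc.lower():
        return f"scheme differs: referer {r.scheme} vs request {q.scheme}"
    return f"host differs: referer {r.netloc} vs request {q.netloc}"


def classify_log_line(line):
    """Pull the two URLs out of a CSRFGuard referer error and explain the
    mismatch; returns None for lines that are not that error."""
    m = REFERER_ERROR.search(line)
    if not m:
        return None
    return referer_mismatch(m.group("referer"), m.group("request"))


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, first '=' or ':' splits."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


# The two keys from the workaround, each with the value that relaxes the check.
RELAXED = {
    "org.owasp.csrfguard.JavascriptServlet.refererMatchDomain": lambda v: v.lower() == "false",
    "org.owasp.csrfguard.JavascriptServlet.refererPattern": lambda v: v in (".*", ".+"),
}


def relaxed_settings(text):
    """Keys from the workaround that are present with their relaxed value, sorted."""
    props = parse_properties(text)
    return sorted(k for k, is_relaxed in RELAXED.items()
                  if k in props and is_relaxed(props[k]))


if __name__ == "__main__":
    print(classify_log_line(SAMPLE_LOG_LINE))
    print(relaxed_settings(SAMPLE_PROPERTIES))
```

Run against the sample, classify_log_line reports that only the scheme differs, which is the observation the article suggests chasing before touching the filter; relaxed_settings can be pointed at the real csrfguard.properties under the WEB-INF path above to confirm whether the workaround was ever applied and left in place.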