Error : Password with currency symbols £ or € not working in APS
Article ID: 138829


Products

  - CA Single Sign On Secure Proxy Server (SiteMinder)
  - CA Single Sign On Agents (SiteMinder)
  - CA Single Sign On Federation (SiteMinder)
  - CA Single Sign On SOA Security Manager (SiteMinder)
  - SITEMINDER

Issue/Introduction

When a user tries to change their password to one containing the
currency symbols £ or €, the new password does not work afterwards. A
password containing the $ sign works fine.

All other Advanced Password Services (APS) functionality works as
expected.

To illustrate:

  - Character "£": when the user changes the password to one containing
    the Pound sign, the change request is submitted successfully and the
    form and page report that the password was changed. When the user
    then tries to access the application with the new password, the
    application reports that a wrong password was used.

The LDAP record shows that the new password was saved, but the user
cannot log in with it:

  changetype: modify
  replace: userPassword
  userPassword: {SSHA512}yX9op+3G8Skr6rhve03HdbJpocwr8.....
  -
  replace: pwdChangedTime
  pwdChangedTime: 20190724091919.112Z
  replace: smapsLastPasswordChange
  smapsLastPasswordChange: 20190724091920Z APS Interface

Environment

Web Agent 12.52SP1CR09 on Apache 2.4.48 on RedHat 6

Cause

The Advanced Password Services (APS) documentation does not specifically
state whether these symbols are allowed in passwords.

Several components in the flow (browser, web server, Tomcat application
server, and the APS code itself) can affect whether a UTF-8 character is
accepted.

It is also worth noting that neither £ nor € can be entered directly
from an English keyboard, whereas the $ sign can.

  | Character | Windows-1252 (percent-encoded) | UTF-8 (percent-encoded) |
  |-----------+--------------------------------+-------------------------|
  | £         | %A3                            | %C2%A3                  |
  | Â         | %C2                            | %C3%82                  |

Assume the password is pass123£. In UTF-8 form encoding it is
transmitted as pass123%C2%A3.

If that same byte sequence is interpreted as Windows-1252, a single-byte
character encoding, it becomes pass123Â£, which is not the intended
password value.

Debugging showed that Advanced Password Services (APS) inserts or
misinterprets the byte before the £ symbol before saving the password
to LDAP, which it should not do.
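The following Python code is an added example, not part of the original
article or the APS product: it reproduces the encoding mismatch
described above. It percent-encodes characters the way a browser form
post does under each charset (matching the table), shows what a
component that decodes UTF-8 bytes as Windows-1252 stores instead, and
provides a check an administrator can run on a suspicious value to
recover the string the user actually typed. All sample passwords are
constructed for illustration.

```python
from urllib.parse import quote

# Constructed sample passwords (not taken from the article's LDAP record)
SAMPLES = ["pass123$", "pass123£", "pass123€"]


def percent_encode(text: str, charset: str) -> str:
    """Percent-encode `text` as a browser would for a form posted in `charset`.

    safe='' forces every non-unreserved byte to be escaped, so '£' yields
    '%A3' under Windows-1252 and '%C2%A3' under UTF-8.
    """
    return quote(text.encode(charset), safe="")


def misdecode(text: str, sent_as: str = "utf-8", read_as: str = "cp1252") -> str:
    """Return what a component sees if it decodes `sent_as` bytes as `read_as`.

    This models the defect: the browser submits UTF-8, but a component in
    the chain treats the bytes as Windows-1252 (codec name cp1252 in Python).
    """
    return text.encode(sent_as).decode(read_as)


def survives_transit(password: str) -> bool:
    """True if the password is unchanged by the UTF-8 -> Windows-1252 misdecode.

    Pure ASCII passwords (including ones with '$') always survive, because
    both encodings agree on every byte below 0x80.
    """
    return misdecode(password) == password


def recover_intended(stored: str) -> str:
    """Undo the misdecode on a value that a component already mangled.

    Re-encoding the mangled text as Windows-1252 restores the original
    bytes; decoding those as UTF-8 gives what the browser actually sent.
    If the bytes are not valid UTF-8 the value was not mojibake, so it is
    returned unchanged.
    """
    try:
        return stored.encode("cp1252").decode("utf-8")
    except UnicodeError:
        return stored


if __name__ == "__main__":
    for pw in SAMPLES:
        print(f"{pw!r}: utf-8={percent_encode(pw, 'utf-8')} "
              f"cp1252={percent_encode(pw, 'cp1252')} "
              f"misdecoded={misdecode(pw)!r} ok={survives_transit(pw)}")
```

Running the script shows why only the $ password keeps working: its
bytes are identical in both encodings, while £ and € pick up an extra
leading character once their UTF-8 bytes are read as Windows-1252.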

To enable Advanced Password Services (APS) debug logging, turn on the
DEBUG level in the log4j.properties file inside the APS.war file. The
APS.war file may have to be redeployed after the change.

  # LOG4J configuration

  log4j.rootLogger=DEBUG, Appender1,Appender2
  log4j.appender.Appender1=org.apache.log4j.ConsoleAppender
  log4j.appender.Appender1.layout=org.apache.log4j.PatternLayout
  log4j.appender.Appender1.layout.ConversionPattern=%-7p %d [%t] %c %x - %m%n
  log4j.appender.Appender2=org.apache.log4j.FileAppender
  log4j.appender.Appender2.File=Log4jWebDemo.log
  log4j.appender.Appender2.layout=org.apache.log4j.PatternLayout
  log4j.appender.Appender2.layout.ConversionPattern=%-7p %d [%t] %c %x - %m%n

Resolution

- Upgrade the Web Agent to 12.52SP1CR11 to fix this issue with
  password change in Advanced Password Services (APS) (1).

Additional Information

(1)

    Defects Fixed in 12.52 SP1 CR11

      20019520 DE423937 The user password change fails if the password
      contains any currency symbols such as £ or €.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/release-notes/cumulative-releases/Defects-Fixed-in-12_52-SP1-CR11.html