Webservices not working after downgrading SPS servers from 12.8.0.3 to 12.8.0.1

Article ID: 190684

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

After downgrading the SPS gateway servers from 12.8.0.3 to 12.8.0.1, webservices are not working. We see the authAttempt in the smaccess logs on the policy server (which is running 12.8.0.1), but for some reason we can't get the authentication to complete.
Our federation and OpenID authentication work fine with no issue. Only webservices fail.

<loginResponse>
   <authenticationResponses>
      <response>
         <name>SM_AUTHREASON</name>
         <value>0</value>
      </response>
      <response>
         <name>SM_REALM</name>
         <value>realm _name</value>
      </response>
      <response>
         <name>SM_TRANSACTIONID</name>
         <value>0000000000000000000000001d66aa0a-4c9a-5ebab703-20a69700-540452b13161</value>
      </response>
      <response>
         <name>SM_REALMOID</name>
         <value>06-00094dcd-c8fb-1e49-ab01-f5160aaa0000</value>
      </response>
      <response>
         <name>SM_AUTHTYPE</name>
         <value>Basic</value>
      </response>
   </authenticationResponses>
   <message>Authentication Failed</message>
   <resultCode>LOGIN_FAILED</resultCode>
</loginResponse>

Environment

Release : 12.8

Component : SITEMINDER SECURE PROXY SERVER

Cause

This is a known defect that impacts 12.8 and 12.8.01.
A SOAP login request usually takes one of the following forms, depending on the release:

Release 12.8 and 12.8.01:
<loginRequest>
   <username>user1</username>
   <password>user1</password>
   <action>GET</action>
</loginRequest>

Release 12.8.02 and later:
<loginRequest>
   <userName>user1</userName>
   <password>user1</password>
   <action>GET</action>
</loginRequest>

The <username> element name is case sensitive.

An example is provided at:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/ca-access-gateway-configuration/configuring-the-authentication-and-authorization-web-services.html

Resolution

Either upgrade or implement the workaround mentioned.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes/service-packs/defects-fixed-in-12-8-02.html
01179289 DE383335 AuthRestService fails to authenticate users in Authentication and Authorization web services.

The defect affects 12.8 SP1 and earlier; the Access Gateway in those versions accepts only the lower-case username element.
The element names are case sensitive. As documented under DE383335, 12.8 and 12.8.01 should use username, and 12.8.02 and later should use userName, in the SOAP request.
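
A client-side check for the rule above, as an added example (not Broadcom's code): it picks the user element name for a given 12.8 gateway release and flags a loginRequest body that uses the wrong case. The function names are hypothetical, and treating 12.8.0.1 and 12.8.01 as the same release, and the elements as un-namespaced, are assumptions taken from how this article writes them.

```python
import xml.etree.ElementTree as ET

def service_pack(release: str) -> int:
    """Service pack number from '12.8', '12.8.01' or '12.8.0.1' (assumed equivalent)."""
    parts = release.strip().split(".")
    if parts[:2] != ["12", "8"] or not all(p.isdigit() for p in parts):
        raise ValueError(f"release not covered by this article: {release!r}")
    if len(parts) == 2:
        return 0
    if len(parts) == 3:
        return int(parts[2])
    if len(parts) == 4 and int(parts[2]) == 0:
        return int(parts[3])
    raise ValueError(f"unrecognised release format: {release!r}")

def user_element(release: str) -> str:
    """12.8 and 12.8.01 expect <username>; 12.8.02 and later expect <userName>."""
    return "userName" if service_pack(release) >= 2 else "username"

def build_login_request(release: str, user: str, password: str, action: str = "GET") -> str:
    """Build the loginRequest body; ElementTree escapes special characters."""
    root = ET.Element("loginRequest")
    fields = ((user_element(release), user), ("password", password), ("action", action))
    for tag, text in fields:
        ET.SubElement(root, tag).text = text
    return ET.tostring(root, encoding="unicode")

def check_login_request(xml_text: str, release: str) -> list:
    """Return a list of problems; an empty list means the element case matches."""
    expected = user_element(release)
    root = ET.fromstring(xml_text)
    found = [child.tag for child in root if child.tag.lower() == "username"]
    if not found:
        return ["no username/userName element present"]
    return [f"<{tag}> sent, but release {release} expects <{expected}>"
            for tag in found if tag != expected]

if __name__ == "__main__":
    # Constructed sample: a 12.8.02-style body sent to a gateway downgraded to 12.8.0.1.
    sample = build_login_request("12.8.0.3", "user1", "user1")
    print(check_login_request(sample, "12.8.0.1"))
    print(build_login_request("12.8.0.1", "user1", "user1"))
```
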