Access Gateway on Linux fails after installing the Ghostcat patch


Article ID: 197685


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

We have several Siteminder environments with the Access Gateway running on both Win2016 and Linux Redhat8 and CentOS8.

Installing the Ghostcat patch, with or without the samesite patch, on Win2016 the Access Gateway works fine.
Installing the Ghostcat patch on Linux Redhat8 or CentOS8, the Access Gateway stops working.
The Ghostcat patch was applied by copying the jar files to ./secure-proxy/Tomcat/lib and adding the following to the server.conf file in the general section:
ajp13.secretRequired=true
worker.ajp13.secret=abc123
It was applied exactly the same way as on the Access Gateway on Win2016 that is working.


Tested on the following environments/versions:
- Siteminder Access Gateway 12.8 SP2 on Redhat8
- Siteminder Access Gateway 12.8 SP3 on CentOS8

- AG loads without any errors in the logs
- login to ProxyUI works fine
- Accessing a resource through the proxy returns “Service Unavailable” in the browser

- /secure-proxy/httpd/logs

[Fri Jun 19 10:06:43.809 2020] [30118:140254933567232] [error] ajp_send_request::jk_ajp_common.c (1725): (ajp13) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)

[Fri Jun 19 10:06:43.910 2020] [30118:140254933567232] [error] ajp_send_request::jk_ajp_common.c (1725): (ajp13) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)

[Fri Jun 19 10:06:43.910 2020] [30118:140254933567232] [error] ajp_service::jk_ajp_common.c (2796): (ajp13) connecting to tomcat failed (rc=-3, errors=1, client_errors=0).


Environment

Release : 12.8.03

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

Perform the steps below to fix the issue.

Stop Access Gateway.
In server.conf, change the following and test:

From:
worker.ajp13.host=localhost

To:
worker.ajp13.host=::1

Save the changes. Start Access Gateway.
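
The errno=111 in the log above is ECONNREFUSED: nothing accepted the connection on the address that was tried. The following check is an added example, not part of the original article; it reads `ss -ltnH` output and reports which loopback address has a listener on the AJP port, so the host change can be confirmed before and after. The port 8009 and the sample `ss` lines are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the article). AJP_PORT is an assumed placeholder:
# use the AJP port configured for the ajp13 worker in server.conf.
AJP_PORT=8009

# Constructed sample of `ss -ltnH` output: AJP bound to IPv6 loopback only.
SAMPLE_SS='LISTEN 0 100 [::1]:8009 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

# reachable ADDR PORT: reads `ss -ltnH` lines on stdin; exit status 0 if a
# listener on PORT would accept a connection sent to ADDR.
reachable() {
    awk -v want="$1" -v port="$2" '
    {
        n = match($4, /:[0-9]+$/)            # split Local Address:Port at last colon
        if (!n || substr($4, n + 1) != port) next
        addr = substr($4, 1, n - 1)
        gsub(/^\[|\]$/, "", addr)            # [::1] -> ::1
        v6 = (want ~ /:/)
        # exact bind, or a wildcard bind covering the same address family
        if (addr == want || addr == "*" ||
            (addr == "0.0.0.0" && !v6) || (addr == "::" && v6)) found = 1
    }
    END { exit !found }'
}

# check_hosts: report each loopback literal against the listeners on stdin.
check_hosts() {
    input=$(cat)
    for h in 127.0.0.1 ::1; do
        if printf '%s\n' "$input" | reachable "$h" "$AJP_PORT"; then
            echo "worker.ajp13.host=$h -> listener present"
        else
            echo "worker.ajp13.host=$h -> connection refused (errno=111)"
        fi
    done
}

# Runs on the sample; on a live host use: ss -ltnH | check_hosts
printf '%s\n' "$SAMPLE_SS" | check_hosts
```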