Dynatrace HTTP monitor interferes with Identity Portal functionality


Article ID: 199229


Products

CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite

Issue/Introduction

A customer installed Dynatrace HTTP monitoring software on the machine where Identity Portal is installed.

After that, some Identity Portal functionality, such as the forgot password feature, stopped working.

The Identity Manager server log contained the following error:

10:00:34,924 ERROR [ims.default] (http-/0.0.0.0:8443-1) com.netegrity.llsdk6.imsapi.exception.NoSuchObjectException: [facility=4 severity=2 reason=0 status=38 message=No items found]
    at com.netegrity.llsdk6.imsimpl.provider.AdminTaskProviderImpl.findByTag(AdminTaskProviderImpl.java:316) [imsapi6.jar:]
    ...

Environment

Release : 14.x

Component : IdentityMinder(Identity Manager)

Cause

The Dynatrace HTTP monitor injected content into the TEWS SOAP requests sent from the Identity Portal server to the Identity Manager server.

The modified SOAP request, with the added X-dynaTrace header element, looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
    <s:Header>
        <h:ASFPPreVerifyTaskContext xmlns:h="http://tews6/wsdl" mustUnderstand="0" actor="">
            <admin_id xmlns="http://tews6/wsdl">xxxxxxxxxx</admin_id>
        </h:ASFPPreVerifyTaskContext>
        <X-dynaTrace xmlns="http://ns.dynatrace.com/wcf" mustUnderstand="0" actor="">FW4;-1273248646;7;-167505140;283983;0;-1374428998;763;75b8;2h01;3hf604130c;4h04554f</X-dynaTrace>
    </s:Header>
    <s:Body>
        <ASFPPreVerify xmlns="http://tews6/wsdl">
            <ASFPPreVerifySearch>
                <Organization>
                    <UniqueName>o=external,dc=xxxxxxxxxx,dc=com</UniqueName>
                    <AndLower>false</AndLower>
                </Organization>
                <Filter index="0">
                    <Field>%USER_ID%</Field>
                    <Op>EQUALS</Op>
                    <Value>xxxxxxxxx</Value>
                    <Conj>And</Conj>
                </Filter>
                <Filter index="1">
                    <Field>dob</Field>
                    <Op>EQUALS</Op>
                    <Value>06071985</Value>
                </Filter>
            </ASFPPreVerifySearch>
        </ASFPPreVerify>
    </s:Body>
</s:Envelope>

The above SOAP request fails on the IM server with the following exception:

com.netegrity.llsdk6.imsapi.exception.NoSuchObjectException: [facility=4 severity=2 reason=0 status=38 message=No items found]

Resolution

This is the correct behavior.

TEWS, which is used in Identity Portal to send requests to Identity Manager, does not allow SOAP injections.

To fix the problem, disable Dynatrace monitoring or any other third-party software that injects content into SOAP requests.
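
To confirm whether a captured TEWS request still carries injected header elements after the monitoring change, the check below lists every SOAP header child outside the TEWS namespace. It is an added example, not Broadcom or Dynatrace code; it assumes http://tews6/wsdl is the only header namespace TEWS expects (as in the request above), and the function names and trimmed sample envelope are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEWS_NS = "http://tews6/wsdl"  # assumption: only namespace expected in TEWS headers

# Constructed sample, trimmed from the modified request shown in the article.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <h:ASFPPreVerifyTaskContext xmlns:h="http://tews6/wsdl" mustUnderstand="0" actor="">
      <admin_id xmlns="http://tews6/wsdl">xxxxxxxxxx</admin_id>
    </h:ASFPPreVerifyTaskContext>
    <X-dynaTrace xmlns="http://ns.dynatrace.com/wcf" mustUnderstand="0" actor="">FW4;constructed</X-dynaTrace>
  </s:Header>
  <s:Body><ASFPPreVerify xmlns="http://tews6/wsdl"/></s:Body>
</s:Envelope>"""


def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag  # element with no namespace at all


def foreign_headers(envelope_xml, allowed_ns=(TEWS_NS,)):
    """Return (namespace, local_name) for each direct child of the SOAP
    Header whose namespace is not in allowed_ns. Empty list means clean."""
    # Parse from bytes so the encoding declaration is honoured.
    # For captures from untrusted sources, parse with defusedxml instead.
    root = ET.fromstring(envelope_xml.encode("utf-8"))
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:  # a request without a Header has nothing injected there
        return []
    found = []
    for child in header:
        ns, local = split_tag(child.tag)
        if ns not in allowed_ns:
            found.append((ns, local))
    return found


if __name__ == "__main__":
    for ns, local in foreign_headers(SAMPLE):
        print(f"unexpected SOAP header element: {local} (namespace {ns})")
```

An empty result for requests captured between Identity Portal and Identity Manager indicates that no agent is still adding header elements.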