
SMTOKEN is not having encoded value during the account lock scenario


Article ID: 199676


Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running a Web Agent and when it handles the following URL,
it doesn't URL-encode the SMTOKEN value:


    https://myserver.mydomain.com/changepassword.do?method=changepassword&status=reset&SMENC=UTF-8&USERNAME=myusername&SMENC=UTF-8&SMTOKEN={RC2}451v5sINtfZ9NqThbVcBwAntT5iHEjLU6kkNPnmBr66Z6JXHdfSvqtuFvuABJ+i&USERNAME=myusername&SMAUTHREASON=24&SMAGENTNAME=ds5dsfssdc9jGVoxl9cCk4YsWXdgLtaJWt4dtcV7Vcl6dpTI4YK2P9JqIftcC09&TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2Flogin.do

    Value: SMTOKEN={RC2}451v5sINtfZ9NqThbVcBwAntT5iHEjLU6kkNPnmBr66Z6JXHdfSvqtuFvuABJ+i

This happens on the old Web Agent 12SP3CR12, whereas on the more recent Web Agent
12.52SP1CR05 the value is correctly URL-encoded:

    https://myotherserver.mydomain.com/changepassword.do?method=changepassword&status=reset&SMENC=UTF-8&USERNAME=myuser&SMENC=UTF-8&SMTOKEN=$SM$%7bRC2%7dcdZWTT%3dsaadmuZITZTh4VJy4bFjDczVwPykGwo8sc5dsDsdsR688OYCo6mLxtMKhsMj&USERNAME=myuser&SMAUTHREASON=24&SMAGENTNAME=$SM$dsadasd44ds2XSooudm2z3f4t3L6vAOEBLYsRhJX%2bGVC%2ftX9rTaimeJqFGiI33B&TARGET=$SM$https%3A%2F%2Fmyotherserver.mydomain.com%2Flogin.do

    Value: SMTOKEN=$SM$%7bRC2%7dcdZWTT%3dsaadmuZITZTh4VJy4bFjDczVwPykGwo8sc5dsDsdsR688OYCo6mLxtMKhsMj

Why doesn't the 12.52SP1CR05 version show the problem?

Environment

  Policy Server 12.8SP3 on OEL 6;
  Web Agent 12SP3CR12 on Apache 2.2;

Cause

The value causing the problem lacks the -SM- tag (the $SM$ prefix visible in
the encoded URL above). That tag marks the value as encoded so that the {}
characters are handled as RFC 3986 requires, as described in the KD below.

According to the following KD, the tag is only added from Web Agent
12.52SP1CR05 onwards:

  Issue with force change password feature

    We've seen that the -SM- tag in the SMTOKEN value causes the IM server
    not to be able to handle the request.
    The addition of the -SM- part to the SMTOKEN in Web Agent 12.52SP1 is
    meant to make it compliant, on the security side, with RFC 3986
    regarding the presence of the {} characters in URLs.

    To solve this issue and make the IM server compliant with that,
    you need to upgrade the IM server to version 14.3.

  https://knowledge.broadcom.com/external/article?articleId=134422
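To make the RFC 3986 point concrete, here is an added Python check (example code written for this article, not part of the article itself or of the SiteMinder product) that pulls the raw SMTOKEN parameter out of a URL and reports any character that may not appear unencoded in a query component. It runs over the two sample URLs from the issue description and also shows the encode/decode round trip with the standard library; the $SM$ prefix is reproduced from the URLs above, while the helper names are assumptions of this example.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Sample URLs copied from the issue description above (tokens already obfuscated there).
OLD_URL = (
    "https://myserver.mydomain.com/changepassword.do?method=changepassword&status=reset"
    "&SMENC=UTF-8&USERNAME=myusername&SMENC=UTF-8"
    "&SMTOKEN={RC2}451v5sINtfZ9NqThbVcBwAntT5iHEjLU6kkNPnmBr66Z6JXHdfSvqtuFvuABJ+i"
    "&USERNAME=myusername&SMAUTHREASON=24"
    "&SMAGENTNAME=ds5dsfssdc9jGVoxl9cCk4YsWXdgLtaJWt4dtcV7Vcl6dpTI4YK2P9JqIftcC09"
    "&TARGET=$SM$https%3A%2F%2Fmyserver.mydomain.com%2Flogin.do"
)
NEW_URL = (
    "https://myotherserver.mydomain.com/changepassword.do?method=changepassword&status=reset"
    "&SMENC=UTF-8&USERNAME=myuser&SMENC=UTF-8"
    "&SMTOKEN=$SM$%7bRC2%7dcdZWTT%3dsaadmuZITZTh4VJy4bFjDczVwPykGwo8sc5dsDsdsR688OYCo6mLxtMKhsMj"
    "&USERNAME=myuser&SMAUTHREASON=24"
    "&SMAGENTNAME=$SM$dsadasd44ds2XSooudm2z3f4t3L6vAOEBLYsRhJX%2bGVC%2ftX9rTaimeJqFGiI33B"
    "&TARGET=$SM$https%3A%2F%2Fmyotherserver.mydomain.com%2Flogin.do"
)

# Characters RFC 3986 permits raw inside a query component (section 3.4):
# unreserved + sub-delims + ":" "/" "?" "@".  Anything else must be %XX-encoded.
_ALLOWED_RAW = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~"          # unreserved
    "!$&'()*+,;="   # sub-delims
    ":/?@"          # also permitted in a query
)
_PCT_RE = re.compile(r"%[0-9A-Fa-f]{2}")  # a well-formed percent-encoded triplet

SM_PREFIX = "$SM$"  # prefix the newer Web Agent puts in front of the encoded value


def raw_query_param(url, name):
    """Return the raw, still-encoded value of the first query parameter `name`.

    The query is split by hand because urllib.parse.parse_qs would decode the
    value, which is exactly what we want to inspect here.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _sep, value = pair.partition("=")
        if key == name:
            return value
    return None


def invalid_query_chars(value):
    """Characters in `value` that RFC 3986 does not allow raw in a query.

    Well-formed %XX triplets are removed first, so their '%' is not reported,
    while a stray '%' that is not followed by two hex digits still is.
    """
    stripped = _PCT_RE.sub("", value)
    return sorted({c for c in stripped if c not in _ALLOWED_RAW})


def smtoken_is_rfc3986_clean(url):
    """True when the URL carries an SMTOKEN whose raw value needs no further encoding."""
    value = raw_query_param(url, "SMTOKEN")
    return value is not None and not invalid_query_chars(value)


def encode_smtoken(token):
    """Encode a plain token the way the newer agent's output looks: $SM$ + %XX encoding.

    safe="" makes quote() encode every reserved character, including '+' and '=',
    which the old URL left raw. Python emits upper-case hex; the agent output
    above uses lower-case, and decoders accept both.
    """
    return SM_PREFIX + quote(token, safe="")


def decode_smtoken(value):
    """Reverse encode_smtoken(); tolerates a value without the $SM$ prefix."""
    if value.startswith(SM_PREFIX):
        value = value[len(SM_PREFIX):]
    return unquote(value)


if __name__ == "__main__":
    for label, url in (("12SP3CR12", OLD_URL), ("12.52SP1CR05", NEW_URL)):
        raw = raw_query_param(url, "SMTOKEN")
        print(label, "SMTOKEN clean:", smtoken_is_rfc3986_clean(url),
              "offending chars:", invalid_query_chars(raw))
    print(encode_smtoken("{RC2}abc+d=e"))
```

Running it reports the 12SP3CR12 token as not clean because of the raw `{` and `}`, and the 12.52SP1CR05 token as clean. Note that `+` is legal per RFC 3986 but is turned into a space by application/x-www-form-urlencoded decoders, which is why an encoder that also percent-encodes `+` (as the newer agent's `%2b` in SMAGENTNAME shows) is the safer choice for values that must survive a round trip.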

Resolution

Upgrade the Web Agent to the latest release in the 12.52SP1 series to solve
this issue.