SSO 12.8 generating too many http requests to protected resource

Article ID: 201581

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running a CA Access Gateway (SPS) and when a user accesses an application
protected by SPS, after logging in, the browser page remains blank.

If we refresh the page 5 times, the page still remains blank.

We observed that on the backend vApp application (CA Identity Suite
Virtual Appliance Version 14.3.0), the number of vApp Apache server
processes rises to 256. This server runs on Linux.

The vApp Apache reports the error:

    [error] server reached MaxClients setting, consider raising the MaxClients setting

Why does the CA Access Gateway (SPS) make the vApp Apache server
reach MaxClients?

When running the former SPS version 12.52, this issue doesn't happen on
the vApp.

How can we fix this?

 

Cause

 

The number of connections made from SPS to the vApp server is
the same with both 12.52 and 12.8.

A TCP dump was captured and analyzed using ssldump. Both
12.52 and 12.8 made 140 connections to the backend server (when the
browser is refreshed three times). However, the number of httpd processes
increased when accessing through 12.8, whereas through 12.52 the
number of processes did not increase.

Without SSL, the number of connections was also 140, and the httpd
processes did not increase with either 12.52 or 12.8.

With all other parameters remaining the same, the only change is the SSL
protocol: 12.52 uses SSLv3, which is not supported in 12.8, because 12.8
SPS uses TLSv1.2.
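
The comparison described above (connection count plus protocol version per connection) can be tallied from ssldump's text output. The script below is an added example, not part of the original article. It assumes ssldump's usual layout (`New TCP connection #N` lines and a `Version x.y` line under each hello message); the sample dump and host names are constructed.

```python
import re
from collections import Counter

# Protocol version numbers as printed in the dump, mapped to protocol names.
VERSIONS = {"3.0": "SSLv3", "3.1": "TLSv1.0", "3.2": "TLSv1.1", "3.3": "TLSv1.2"}
CONN_RE = re.compile(r"^New TCP connection #(\d+): ")
RECORD_RE = re.compile(r"^(\d+) \d+\s+[\d.]+ \([\d.]+\)\s+[CS]>[CS]\s")
VERSION_RE = re.compile(r"^\s+Version (\d+\.\d+)")
# Constructed sample in ssldump's text layout; host names are placeholders.
SAMPLE = """\
New TCP connection #1: sps.example.test(51000) <-> vapp.example.test(443)
1 1  0.0012 (0.0012)  C>S  Handshake
      ClientHello
        Version 3.3
1 2  0.0031 (0.0019)  S>C  Handshake
      ServerHello
        Version 3.3
New TCP connection #2: sps.example.test(51001) <-> vapp.example.test(443)
2 1  0.0010 (0.0010)  C>S  Handshake
      ClientHello
        Version 3.3
2 2  0.0029 (0.0019)  S>C  Handshake
      ServerHello
        Version 3.3
New TCP connection #3: sps.example.test(51002) <-> vapp.example.test(443)
3 1  0.0011 (0.0011)  C>S  Handshake
      ClientHello
        Version 3.3
"""

def summarize(dump_text):
    """Return (connection count, Counter of ServerHello protocol per connection)."""
    conns, negotiated = [], {}
    current, in_server_hello = None, False
    for line in dump_text.splitlines():
        conn, rec, ver = CONN_RE.match(line), RECORD_RE.match(line), VERSION_RE.match(line)
        if conn:
            conns.append(conn.group(1))
        elif rec:  # "<conn> <record#> <time> (<delta>) C>S ..." starts a new record
            current, in_server_hello = rec.group(1), False
        elif line.strip() == "ServerHello":
            in_server_hello = True
        elif ver and in_server_hello:  # first Version line inside a ServerHello
            negotiated.setdefault(current, VERSIONS.get(ver.group(1), ver.group(1)))
            in_server_hello = False
    # Connections that never received a ServerHello are reported separately.
    return len(conns), Counter(negotiated.get(c, "no ServerHello") for c in conns)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same tally on captures taken through 12.52 and 12.8 shows whether the connection counts match while the negotiated protocol differs.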

 

Environment

 

  CA Access Gateway (SPS) 12.8SP3 on Windows 2016
  JDK 1.8.0_161 64bit
  CA Identity Suite Virtual Appliance Version 14.3

 

Resolution

 

Configure the backend server to accept TLSv1.2.