search cancel

ICAP Assertion failing without ICAP headers populated for certain files

book

Article ID: 202478

calendar_today

Updated On:

Products

CA API Gateway API SECURITY CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7) CA API Gateway Enterprise Service Manager (Layer 7) STARTER PACK-7 CA Microgateway

Issue/Introduction

This a a PROD issue impacting business and needs urgent attention. ICAP Assertion is failing for a certain group of PDF files without populating ICAP Header Responses. Issue is reproducible in Test environment but needs urgent fix.\

Contacted McAfee Appliance owner and they confirmed that the PDF file is good and no virus is detected. SSG Logs indicate below message which is incorrect as the service is up and running i.e. available. 

2020-09-22T08:27:50.011-0700 WARNING 408 com.l7tech.external.assertions.icapantivirusscanner.server.ServerIcapAntivirusScannerAssertion: 9452: Service not available icap://nonprod-mfe-icap.bankEDITED.com:1344/respmod.

Environment

Release : 9.4

Component : API GATEWAY

Cause

DecodingException and TooLongFrameException thrown if the number of the bytes of all ICAP Response Headers exceeds the default max value, 8192

Resolution

by making the default max value be configurable via a cluster-wide property, icap.response.maxIcapHeaderSize.  If the cluster property is set as -1, it means the max integer 2147483647 will be assigned to it.

 The below left screenshot shows the default value.  The right screenshot shows the customer should set it to -1.

Hot fix files need to be applied to have the new cluster property available:

ssg-9.4.00-11019_CR03_hotfix_DE482032_DE430052.noarch.rpm

ssg-appliance-9.4.00-11019_CR03_hotfix_DE482032_DE430052.x86_64.rpm

Policy Manager and Manager are available if you want to update the Policy Manager also. The rpm are for the linux gateway.

Hotfix Installation Instructions:

Steps for the customer upgrading the gateway with the hotfix in TEST/QA environment:
1. service ssg stop
2. rpm -Uvh ssg-9.4.00-11019_CR03_hotfix_DE482032_DE430052.noarch.rpm
3. rpm -Uvh ssg-appliance-9.4.00-11019_CR03_hotfix_DE482032_DE430052.x86_64.rpm
4. service ssg start
5. login into a policy manager , goes to Menu Tasks -> Global Settings -> Manage Cluster Wide Properties and add/set the cluster property, icap.response.maxIcapHeaderSize to -1
6. Consume the simple policy for testing

Note: if you update the gateway in PROD, please backup some gateway configuration files such as
node.properties, system.properties, etc. The database should not be impacted.

Attachments