
Web Agent :: Back End : ProxyTrust


Article ID: 21123


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

Running a Reverse Proxy Web Agent (RPWA) in front of a Backend Web Agent (BEWA), I noticed that if I set ProxyTrust to no on the BEWA, then the session timeout is equal to the value of the ProxyTimeout ACO parameter on the RPWA. Is that behavior as expected?

Solution:

The behavior seen is as designed.

When the browser reaches the RPWA and the user authenticates, the RPWA creates two SMSESSION cookies, one for the RPWA and the other for the BEWA:

The expiry period for the RPWA SMSESSION cookie is the realm timeout.
The expiry period for the BEWA SMSESSION cookie is the RPWA ProxyTimeout value.

On each request, the RPWA sends the BEWA SMSESSION cookie to the BEWA server. If the BEWA does not trust the RPWA (ProxyTrust set to no), it reads the BEWA SMSESSION cookie and takes the timeout from it, which is based on the RPWA ProxyTimeout and not on the realm. If ProxyTrust on the BEWA server is set to yes, the session timeout is based on the realm.

So if you set ProxyTrust to no on the BEWA and the RPWA ProxyTimeout is set to 2 minutes, then if you wait more than 2 minutes to refresh the page, the session will time out.

As noted above, to have the realm timeout applied to the session, set ProxyTrust to yes on the BEWA.

Environment

Release:
Component: SMAPC