Intermittent long delay between Certificate authentication calls.


Article ID: 211618

Products

SITEMINDER

Issue/Introduction

The customer uses X.509 certificate authentication.

For the most part, everything works.

The user observed an intermittent long delay between certificate authentication calls.

In the Agent trace log, the first request's isProtected call started at [03/10/2021][16:02:50]:

[03/10/2021][16:02:50][88554][2424256256][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598][*10.112.141.6][][agentname][/resource][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]
[03/10/2021][16:02:50][88554][2424256256][CSmCredentialManager.cpp:169][CSmCredentialManager::GatherCredentials][000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598][*10.112.141.6][][agentname][/resource][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]

The second request's IsAuthenticated call was not received by the Policy Server until [03/10/2021][16:04:20], according to the Policy Server trace log:

[03/10/2021][16:04:20][16:04:20.281][][][][][][4088][3376][s1267260/r7][][][][][][][][][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][][][][][][][][][][000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598][][][Receive request attribute 221, data size is 69][][][][][][][][][][][][][][][][][][]

...

[03/10/2021][16:04:20][16:04:20.281][][][][][][4088][3376][s1267260/r7][][][][][][][][][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][agentname][][][][][][][][][][][][][][][][][][][][][][][POST][][][Receive request attribute 202, data size is 4][][][][][][][][][][][][][][][][][][]

[03/10/2021][16:04:20][16:04:20.282][][][][][][4088][3376][][][][][][][][][][SmAuthCert.cpp:3887][getSpecificScheme][][][][][][][Cert][][][][][][][][][][][][][][][][][][][][Auth Scheme used: Cert][][][][][][][][][][][][][][][][][][]

[03/10/2021][16:04:20][16:04:20.282][][][][][][4088][3376][][][][][][][][][][SmAuthCert.cpp:4188][parseCert][][][][][][][][][][][][][][][][][][][][][][][][][][][Enter function parseCert][][][][][][][][][][][][][][][][][][]

[03/10/2021][16:04:20][16:04:20.283][][][][][][4088][3376][][][][][][][][][][SmDsDir.cpp:272][CSmDsDir::IsValidUsername][][][][][][][][][][][][][][][][][][][][][][User ='user1'][][][][][Start of call IsValidUsername.][][][][][][][][][][][][][][][][][][]

..

[03/10/2021][16:04:20][16:04:20.294][][][][][][4088][3376][s1267260/r7][][][][][][][][][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][agentname][][][trustedhost][realm][][agent][][][][UserStore][][][uid=user1, ou=....][][][][][][][][][][][][][** Status: Authenticated. ][][][][][][][][][][][][][06-1587fb53-82e0-4016-b912-bdcd77fbf46d][][][][][]

 

Cause

The X.509 flow is not the same as FCC form authentication. A delay of 10 to 20 seconds is normal, because the time between the calls includes user interaction with the browser, where the user may have to manually choose a certificate and submit it.

The time difference varies from user to user and depends on the number of certificates they have to choose from, etc.

Users may also simply be slow, or may be interrupted between clicks.

Environment

Release : 12.52

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

There is no performance delay on the SiteMinder product side. The SiteMinder Policy Server processes the request as soon as it receives it.

The particular use case reported by the customer involves a third-party tool. Out of the box, an X.509 authentication request uses HTTP GET.

This third-party tool was possibly handling the conversion of HTTP GET to HTTP POST during authentication calls.

The delay could be due to the extra data processing and protocol change introduced by the third-party tool.
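The diagnosis above rests on matching the transaction ID across the Agent and Policy Server trace logs and comparing timestamps. The script below does that correlation; it is an added example, not Broadcom code. The regexes, function names and the 20-second threshold are assumptions, and the sample lines are abbreviated copies of the excerpts in this article.

```python
import re
from datetime import datetime

TS_RE = re.compile(r"^\[(\d\d/\d\d/\d{4})\]\[(\d\d:\d\d:\d\d)\]")
# Transaction ID shape as seen in the article's trace lines (long hex prefix + 4 groups).
TXN_RE = re.compile(r"\[([0-9a-f]{20,}(?:-[0-9a-f]+){4})\]")

def parse(line):
    """Return (transaction_id, timestamp), or None if the line lacks either field."""
    ts, txn = TS_RE.match(line), TXN_RE.search(line)
    if not ts or not txn:
        return None
    # Assumption: the date is month/day/year; only the time difference matters here.
    return txn.group(1), datetime.strptime(" ".join(ts.groups()), "%m/%d/%Y %H:%M:%S")

def handoff_gaps(agent_lines, ps_lines):
    """Seconds from the agent's last line to the Policy Server's first, per transaction ID."""
    last_agent, first_ps = {}, {}
    for line in agent_lines:
        rec = parse(line)
        if rec:
            last_agent[rec[0]] = max(rec[1], last_agent.get(rec[0], rec[1]))
    for line in ps_lines:
        rec = parse(line)
        if rec:
            first_ps[rec[0]] = min(rec[1], first_ps.get(rec[0], rec[1]))
    return {t: (first_ps[t] - last_agent[t]).total_seconds()
            for t in last_agent if t in first_ps}

def slow_handoffs(gaps, threshold_s=20):
    """Transactions whose gap exceeds the threshold (default: upper end of the 'normal' range)."""
    return {t: g for t, g in gaps.items() if g > threshold_s}

TXN = "000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598"
# Abbreviated copies of the article's trace lines (empty fields dropped).
AGENT_LOG = [
    f"[03/10/2021][16:02:50][88554][2424256256][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][{TXN}][*10.112.141.6][][agentname][/resource][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]",
    f"[03/10/2021][16:02:50][88554][2424256256][CSmCredentialManager.cpp:169][CSmCredentialManager::GatherCredentials][{TXN}][*10.112.141.6][][agentname][/resource][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]",
]
PS_LOG = [
    f"[03/10/2021][16:04:20][16:04:20.281][4088][3376][s1267260/r7][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][{TXN}][Receive request attribute 221, data size is 69]",
    "[03/10/2021][16:04:20][16:04:20.282][4088][3376][SmAuthCert.cpp:4188][parseCert][Enter function parseCert]",
]

if __name__ == "__main__":
    for txn, gap in slow_handoffs(handoff_gaps(AGENT_LOG, PS_LOG)).items():
        print(f"{txn}: {gap:.0f}s between agent and Policy Server")
```

A large gap here, combined with Policy Server lines for the same request that are only milliseconds apart, points to time spent outside SiteMinder (browser certificate prompt or an intermediary).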