Long delay during x509 Certificate authentication calls
search cancel

Long delay during x509 Certificate authentication calls

book

Article ID: 211618

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction


SiteMinder environment uses x509 Certificate Authentication Scheme.

For the most part, everything works.

Some users have observed intermittent long delay between Certificate authentication calls.

In Agent Trace log:

The first request was for a protected call starting at 03/10/2021 at 16:02:50 :

[03/10/2021][16:02:50][88554][2424256256][CSmCredentialManager.cpp:132][CSmCredentialManager::GatherCredentials][000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598][][][agentname][/resource][][Calling SM_WAF_HTTP_PLUGIN->ProcessCredentials.]
[03/10/2021][16:02:50][88554][2424256256][CSmCredentialManager.cpp:169][CSmCredentialManager::GatherCredentials][000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598][][][agentname][/resource][][SM_WAF_HTTP_PLUGIN->ProcessCredentials returned SmSuccess.]

The second request for authentication was not received by the Policy Server until 03/10/2021 16:04:20, based on the Policy Server trace log:

[03/10/2021][16:04:20][16:04:20.281][][][][][][4088][3376][s1267260/r7][][][][][][][][][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][][][][][][][][][][][][][][][][][][][][][][][][000000000000000000000000378d700a-159ea-604933fa-907f3700-325524ed8598][][][Receive request attribute 221, data size is 69][][][][][][][][][][][][][][][][][][]

[...omitted for brevity...]

[03/10/2021][16:04:20][16:04:20.281][][][][][][4088][3376][][][][][][][][][][SmMessage.cpp:557][CSmMessage::ParseAgentMessage][agentname][][][][][][][][][][][][][][][][][][][][][][][POST][][][Receive request attribute 202, data size is 4][][][][][][][][][][][][][][][][][][]

[03/10/2021][16:04:20][16:04:20.282][][][][][][4088][3376][][][][][][][][][][SmAuthCert.cpp:3887][getSpecificScheme][][][][][][][Cert][][][][][][][][][][][][][][][][][][][][Auth Scheme used: Cert][][][][][][][][][][][][][][][][][][]

[03/10/2021][16:04:20][16:04:20.282][][][][][][4088][3376][][][][][][][][][][SmAuthCert.cpp:4188][parseCert][][][][][][][][][][][][][][][][][][][][][][][][][][][Enter function parseCert][][][][][][][][][][][][][][][][][][]

[03/10/2021][16:04:20][16:04:20.283][][][][][][4088][3376][][][][][][][][][][SmDsDir.cpp:272][CSmDsDir::IsValidUsername][][][][][][][][][][][][][][][][][][][][][][User ='<user>'][][][][][Start of call IsValidUsername.][][][][][][][][][][][][][][][][][][]

[...omitted for brevity...]

[03/10/2021][16:04:20][16:04:20.294][][][][][][4088][3376][][][][][][][][][][Sm_Auth_Message.cpp:4902][CSm_Auth_Message::SendReply][agentname][][][trustedhost][realm][][agent][][][][UserStore][][][uid=<user>, [...omitted for brevity...]][][][][][][][][][][][][][** Status: Authenticated. ][][][][][][][][][][][][][][][][][][]

 

Cause


The X509 flow is not the same as an FCC Form Authentication. Any 10 to 20 second delay is normal. Because, between the calls, it is part of user interaction with browser, where users may have to manually choose a cert and submit it.

The time difference varies from user to user and depends upon a number of certs that they have to choose from, etc.

It can be also that the users are simply slow or got interrupted in between the clicks.

 

Resolution


There is no delay in the performance of the SiteMinder product side. The SiteMinder Policy Server processed the request as soon as it received it.

The particular use case reported has a third-party tool involved. Out of the box, the x509 authentication request uses HTTP GET.

This third party tool was possibly handling the conversion of HTTP GET to HTTP POST during authentication calls.

The delay could be due this third party tool's involvement of extra data processing and protocol change.