Error: Unable to handle request in Secure mode in logout.fcc Web Agent
search cancel

Error: Unable to handle request in Secure mode in logout.fcc Web Agent


Article ID: 211629


Updated On:


CA Single Sign On Agents (SiteMinder) SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)



After ACO SecureURLs are enabled in infrastructure with logout.fcc, the error "Unable to handle the request in Secure mode" appears in the Web Agent trace.    

Logout.fcc is part of the logout page in an existing working application.

Because this is a logout page, there is expected to be no SMQUERYDATA submitted during the request.

[CSmHighLevelAgent.cpp:322][ProcessRequest][<Transaction ID>][][][][][][Start new request.]
[CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][<Transaction ID>][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
[SmApache24WebFilterCtxt.cpp:1757][CSmApache24WebFilterCtxt::SetP3PCompactPolicy][][][][][][][sP3PCompactPolicy: '']
[CSmHttpPlugin.cpp:5359][CSmHttpPlugin::isIP][][][][][][][Invalid IPv4 Address - invalid address length.]
[CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved HTTP_HOST: '_hostname'.]
[CSmHttpPlugin.cpp:5518][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][_hostname]
[CSmHttpPlugin.cpp:489][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved _hostname: '_hostname'.]
[CSmHttpPlugin.cpp:508][CSmHttpPlugin::ProcessResource][<Transaction ID>][][][][][][Resolved agentname: '_agent1'.]
[CSmHttpPlugin.cpp:5899][CSmHttpPlugin::ResolveClientIp][<Transaction ID>][][][_agent1][][][Resolved Client IP address 'x.x.x.x'.]
[CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][<Transaction ID>][*x.x.x.x][][_agent1][][][Resolved URL: '/logout.fcc'.]
[CSmHttpPlugin.cpp:5943][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreUrl filter.]
[CSmHttpPlugin.cpp:767][CSmHttpPlugin::ProcessResource][<Transaction ID>][*x.x.x.x][][_agent1][/logout.fcc][][Autoauthorizing URL : 'https://<Server Name>/logout.fcc' , Method: 'GET' ]
[CSmHttpPlugin.cpp:850][CSmHttpPlugin::ProcessResource][<Transaction ID>][*x.x.x.x][][_agent1][/logout.fcc][][Resolved METHOD: 'GET'.]
[CSmHttpPlugin.cpp:915][CSmHttpPlugin::ProcessResource][<Transaction ID>][*x.x.x.x][][_agent1][/logout.fcc][][Resolved cookie domain: ''.]
[CSmHttpPlugin.cpp:981][CSmHttpPlugin::ProcessResource][<Transaction ID>][*x.x.x.x][][_agent1][/logout.fcc][][Error. Unable to handle request in Secure mode.]
[CSmResourceManager.cpp:104][CSmResourceManager::ProcessResource][<Transaction ID>][*x.x.x.x][][_agent1][/logout.fcc][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmFailure.]
[CSmHighLevelAgent.cpp:330][ProcessRequest][<Transaction ID>][*x.x.x.x][][_agent1][/logout.fcc][][ResourceManager returned SmNoAction or SmFailure, end new request.]
[CSmLowLevelAgent.cpp:3643][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]




Web Agent 12.52SP1CR10




The product is working as designed.




Current SiteMinder SecureURLs code logic checks two things, if ACO SecureURLs is on an extension is any of the (.fcc, .ntc, .kcc, sfcc etc), and at the same time no SMQUERYDATA submitted, it will generate an error "Unable to handle the request in Secure mode.".

This error often during login post preservation redirect where SMQUERYDATA was lost, but this is the first time in a logout request.

ACO SecureURLs serves two purposes by design:

  1. It encrypts the query parameter that is generated when the request is redirected to the credential collector page (.fcc, .ntc, .kcc, sfcc, etc).  Agentname, target, authreason, etc are generated when the original request is redirected to the credential collector.

    SecureURLs will encrypt these parameters. SecureURLs will work only on .fcc, .kcc,.ntc,.scc,.sfcc etc extensions.
  2. Web Agent and CA Access Gateway (SPS) will process the URLs with the above-mentioned extensions only when they contain encrypted query data. This signifies that Web Agent prevents the processing of fcc url generated by any other application other than Web Agent / CA Access Gateway (SPS) / SDK Agent when SecureURLs is set to yes.
    ACO SecureURLs can not be implemented in this use case. It will require a change to the existing setup by altering the file extension of Logout.fcc, or other possible related data flow. Otherwise entire SiteMinder SecureURLs code logic has to be redesigned.