logout.fcc Error "Unable to handle request in Secure mode"

Article ID: 211629

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Product Name=CA SiteMinder Web Agent
FullVersion=12.52.110.2813
Version=12.52
Update=110
Build Number=2813

After ACO SecureURLs was enabled in an infrastructure that uses logout.fcc, the customer saw the error "Unable to handle request in Secure mode."

Logout.fcc is part of the logout page in the customer's existing, working application.

Because this is a logout page, no SMQUERYDATA is expected to be submitted with the request.


[02/25/2021][09:10:44][10053][2852009728][CSmHighLevelAgent.cpp:322][ProcessRequest][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][][][][][][Start new request.]
[02/25/2021][09:10:44][10053][2852009728][CSmResourceManager.cpp:75][CSmResourceManager::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][][][][][][Calling SM_WAF_HTTP_PLUGIN->ProcessResource.]
[02/25/2021][09:10:44][10053][2852009728][SmApache24WebFilterCtxt.cpp:1757][CSmApache24WebFilterCtxt::SetP3PCompactPolicy][][][][][][][sP3PCompactPolicy: '']
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:5359][CSmHttpPlugin::isIP][][][][][][][Invalid IPv4 Address - invalid address length.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:399][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][][][][][][Resolved HTTP_HOST: 'hostname'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:5518][Entered CSmHttpPlugin::ResolveFQServerName sHost: ][][][][][][][hostname]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:489][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][][][][][][Resolved hostname: 'hostname'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:508][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][][][][][][Resolved agentname: 'agent1'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:5899][CSmHttpPlugin::ResolveClientIp][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][][][agent1][][][Resolved Client IP address 'x.x.x.x'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agent1][][][Resolved URL: '/logout.fcc'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:5943][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreUrl filter.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:767][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agent1][/logout.fcc][][Autoauthorizing URL : 'https://..../logout.fcc' , Method: 'GET' ]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:850][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agent1][/logout.fcc][][Resolved METHOD: 'GET'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:915][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agent1][/logout.fcc][][Resolved cookie domain: '.dev.com'.]
[02/25/2021][09:10:44][10053][2852009728][CSmHttpPlugin.cpp:981][CSmHttpPlugin::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agent1][/logout.fcc][][Error. Unable to handle request in Secure mode.]
[02/25/2021][09:10:44][10053][2852009728][CSmResourceManager.cpp:104][CSmResourceManager::ProcessResource][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agent1][/logout.fcc][][SM_WAF_HTTP_PLUGIN->ProcessResource returned SmFailure.]
[02/25/2021][09:10:44][10053][2852009728][CSmHighLevelAgent.cpp:330][ProcessRequest][000000000000000000000000fc8ee290-2745-6037afe4-a9fe3700-d4ba743d0367][*x.x.x.x][][agen][/logout.fcc][][ResourceManager returned SmNoAction or SmFailure, end new request.]
[02/25/2021][09:10:44][10053][2852009728][CSmLowLevelAgent.cpp:3643][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

Cause

Product is working as designed.

Environment

Release : 12.8

Component : SITEMINDER -WEB AGENT FOR APACHE

Resolution

The current SiteMinder SecureURLs code logic checks two things: if ACO SecureURLs is on and the extension is any of (.fcc, .ntc, .kcc, .sfcc etc), and at the same time no SMQUERYDATA is submitted, it generates the error "Unable to handle request in Secure mode." We saw this error often during login post preservation redirect where SMQUERYDATA was lost, but this is the first time in a logout request.

ACO SecureURLs serves two purposes by design:

1. It encrypts the query parameters that are generated when a request is redirected to a credential collector page (.fcc, .ntc, .kcc, .sfcc etc). Agentname, target, authreason etc are generated when the original request is redirected to the credential collector.

SecureURLs encrypts these parameters. SecureURLs works only on the .fcc, .kcc, .ntc, .scc, .sfcc etc extensions.

2. The Web Agent/SPS processes URLs with the above-mentioned extensions only when they contain encrypted query data. This means that, when SecureURLs is set to yes, the Web Agent does not process an fcc URL generated by any application other than the Web Agent/SPS/SDK.

ACO SecureURLs cannot be implemented in this use case. It would require a change to the existing setup, by altering the file extension of Logout.fcc or other possibly related data flow. Otherwise the entire SiteMinder SecureURLs code logic would have to be redesigned.
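
To find which requests hit this check in a Web Agent trace log, the following is an added triage example (not part of the original article and not vendor code). It assumes the 13-field bracketed trace layout shown above and uses a constructed, abridged sample with made-up thread and transaction IDs.

```python
import re
from collections import defaultdict

FIELD = re.compile(r"\[([^\]]*)\]")
RESOLVED = re.compile(r"Resolved (URL|METHOD|agentname): '([^']*)'")
SECURE_ERR = "Unable to handle request in Secure mode"

# Constructed sample: two interleaved requests on different threads.
SAMPLE = """\
[02/25/2021][09:10:44][10053][1001][CSmHighLevelAgent.cpp:322][ProcessRequest][txn-a][][][][][][Start new request.]
[02/25/2021][09:10:44][10053][1002][CSmHighLevelAgent.cpp:322][ProcessRequest][txn-b][][][][][][Start new request.]
[02/25/2021][09:10:44][10053][1001][CSmHttpPlugin.cpp:508][CSmHttpPlugin::ProcessResource][txn-a][][][][][][Resolved agentname: 'agent1'.]
[02/25/2021][09:10:44][10053][1001][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][txn-a][*x.x.x.x][][agent1][][][Resolved URL: '/logout.fcc'.]
[02/25/2021][09:10:44][10053][1002][CSmHttpPlugin.cpp:703][CSmHttpPlugin::ProcessResource][txn-b][*x.x.x.x][][agent1][][][Resolved URL: '/app/index.html'.]
[02/25/2021][09:10:44][10053][1001][CSmHttpPlugin.cpp:5943][CSmHttpPlugin::AutoAuthorizedUrl][][][][][][][Auto-authorizing resource, matches IgnoreUrl filter.]
[02/25/2021][09:10:44][10053][1001][CSmHttpPlugin.cpp:850][CSmHttpPlugin::ProcessResource][txn-a][*x.x.x.x][][agent1][/logout.fcc][][Resolved METHOD: 'GET'.]
[02/25/2021][09:10:44][10053][1001][CSmHttpPlugin.cpp:981][CSmHttpPlugin::ProcessResource][txn-a][*x.x.x.x][][agent1][/logout.fcc][][Error. Unable to handle request in Secure mode.]
"""

def find_secure_mode_failures(text):
    """Return one dict per request that ended in the SecureURLs error."""
    state = defaultdict(dict)  # request context per (pid, thread id)
    findings = []
    for line in text.splitlines():
        f = FIELD.findall(line)
        if len(f) != 13:
            continue  # not a trace line in the assumed layout
        ctx, txn, msg = state[(f[2], f[3])], f[6], f[12]
        if msg == "Start new request.":
            ctx.clear()  # a thread handles one request at a time
            ctx["txn"] = txn
        elif (m := RESOLVED.search(msg)):
            ctx[m.group(1).lower()] = m.group(2)
        elif "matches IgnoreUrl filter" in msg:
            ctx["ignore_url"] = True  # some lines carry no transaction ID
        elif SECURE_ERR in msg:
            findings.append({
                "time": f"{f[0]} {f[1]}",
                "txn": ctx.get("txn", txn),
                "agent": ctx.get("agentname"),
                "url": ctx.get("url"),
                "method": ctx.get("method"),
                "ignore_url": ctx.get("ignore_url", False),
            })
    return findings

if __name__ == "__main__":
    for hit in find_secure_mode_failures(SAMPLE):
        print(hit)
```

Grouping the hits by URL shows whether the failures come from a login redirect that lost SMQUERYDATA or from a page such as logout.fcc that is requested directly.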

Additional Information

DE495133