CA Access Gateway (SPS) missing headers sent to the backend application
Article ID: 226122
Updated On:
Products
Issue/Introduction
When running CA Access Gateway (SPS), when user access the Web Site,
after authentication and authorization, the backend server doesn't
receives the header it should be.
The only header arriving at the backend server are :
Content-Length=0
Host=mydomain.com
SM_AUTHTYPE=Auto
SM_SDOMAIN=.mydomain.com
SM_TRANSACTIONID=24c661a5-45w22s56a-a595b231-43126693-7cdd0444-7ab
Cause
To investigate the issue, do the following
- Insure that the CA Access Gateway (SPS) ACO parameter
EnableAuthorization is set to yes (1);
- In server.conf, enable the httpclient logs :
httpclientlog=yes
- Restart CA Access Gateway (SPS);
From the generated httpclient log, which is the component sending the
request to the backend server, we can see that it sends the headers
with the related values, which means that the issue is outside the CA
Access Gateway (SPS).
httpclient0.log :
Oct 12, 2021 8:42:32 AM com.ca.proxy.apache.httpclient.impl.client.DefaultSPSHttpClient tryExecute
FINE: Attempt 1 to execute request
Oct 12, 2021 8:42:32 AM com.ca.proxy.apache.httpclient.conn.SPSConnection sendRequestHeader
FINE: Sending request: GET / HTTP/1.1
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "GET /myApp/myPage.html HTTP/1.1[\r][\n]"
FINE: >> "SM_UNIVERSALID: jsmith[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_TIMETOEXPIRE: 7145[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_USERDN: uid=jsmith,dc=mydomain,dc=com[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_REALM: myRealm[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_AUTHDIRNAMESPACE: LDAP:[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_SDOMAIN: .mydomain.com[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_AUTHTYPE: Form[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_AUTHREASON: 0[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_SERVERSESSIONID: dasdaswwwsdas444wsad=[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_AUTHDIRSERVER: 10.0.0.1:389[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_SERVERSESSIONSPEC: iuM0OvNMC8Bni2bxPx3QSD3uF7IgauYTh9SgF005HtDM0OVGUMBXolDkjJ5pT0Kdzh [...] +zKl2muVTGjODF6gLg==[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_REALMOID: 06-19be-4ffe-a0fe-39ae57631b07[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_AUTHDIROID: 0e-6406fab7-48df-a695-7c18199fc89f[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_AUTHDIRNAME: myLdap[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_TRANSACTIONID: 7f4c6e7a-12945af9-b24acd68-849a45c8-e0[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_USER: myUser[\r][\n]"
Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
FINE: >> "SM_SERVERIDENTITYSPEC: [\r][\n]"
The problem is outside CA Access Gateway (SPS). An intermediate
equipment like loadbalancer, firewall or other might be responsible
of the removal of them. Or the application itself hasn't the code to
retrieve it.
Resolution
- Investigate on the network and on the backend server to point out
where the headers are getting lost to solve this issue;
Additional Information
(1)
Custom HTTP response headers missing
HTTP_SM_SERVERSESSIONID and HTTP_SM_USER are missing in response headers.
Following messages are evident in the agent trace:
EnableAuthorization was disabled. User and Session headers are not
set
[...]
Set EnableAuthorization to yes (or comment out as the default value
is yes)
https://knowledge.broadcom.com/external/article?articleId=136122
Feedback
