CA Access Gateway (SPS) missing headers sent to the backend application

Article ID: 226122

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

 

When running CA Access Gateway (SPS), a user accesses the web site and,
after authentication and authorization, the backend server doesn't
receive the headers it should.

The only headers arriving at the backend server are:

    Content-Length=0
    Host=mydomain.com
    SM_AUTHTYPE=Auto
    SM_SDOMAIN=.mydomain.com
    SM_TRANSACTIONID=24c661a5-45w22s56a-a595b231-43126693-7cdd0444-7ab

 

Cause

 

To investigate the issue, do the following:

  - Ensure that the CA Access Gateway (SPS) ACO parameter
  EnableAuthorization is set to yes (1);

  - In server.conf, enable the httpclient logs:

    httpclientlog=yes

  - Restart CA Access Gateway (SPS).

The httpclient is the component that sends the request to the backend
server. Its log shows that the headers are sent with their values,
which means that the issue is outside the CA Access Gateway (SPS).

httpclient0.log :

  Oct 12, 2021 8:42:32 AM com.ca.proxy.apache.httpclient.impl.client.DefaultSPSHttpClient tryExecute
  FINE: Attempt 1 to execute request
  Oct 12, 2021 8:42:32 AM com.ca.proxy.apache.httpclient.conn.SPSConnection sendRequestHeader
  FINE: Sending request: GET / HTTP/1.1
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "GET /myApp/myPage.html HTTP/1.1[\r][\n]"
  FINE:  >> "SM_UNIVERSALID: jsmith[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_TIMETOEXPIRE: 7145[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_USERDN: uid=jsmith,dc=mydomain,dc=com[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_REALM: myRealm[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_AUTHDIRNAMESPACE: LDAP:[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_SDOMAIN: .mydomain.com[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_AUTHTYPE: Form[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_AUTHREASON: 0[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_SERVERSESSIONID: dasdaswwwsdas444wsad=[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_AUTHDIRSERVER: 10.0.0.1:389[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_SERVERSESSIONSPEC: iuM0OvNMC8Bni2bxPx3QSD3uF7IgauYTh9SgF005HtDM0OVGUMBXolDkjJ5pT0Kdzh [...] +zKl2muVTGjODF6gLg==[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_REALMOID: 06-19be-4ffe-a0fe-39ae57631b07[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_AUTHDIROID: 0e-6406fab7-48df-a695-7c18199fc89f[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_AUTHDIRNAME: myLdap[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_TRANSACTIONID: 7f4c6e7a-12945af9-b24acd68-849a45c8-e0[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_USER: myUser[\r][\n]"
  Oct 12, 2021 8:42:32 AM org.apache.http.wire wire
  FINE:  >> "SM_SERVERIDENTITYSPEC: [\r][\n]"

The problem is outside CA Access Gateway (SPS). An intermediate
device such as a load balancer, a firewall or other equipment might be
removing the headers, or the application itself may lack the code to
retrieve them.

 

Resolution

 

- Investigate the network and the backend server to find out
  where the headers are getting lost.
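
To narrow down where the headers disappear, the headers in the httpclient wire log can be compared with what a given hop or the backend actually received. The following Python script is an added example, not part of the original article or of the product; it assumes the receiving side's headers were dumped one `Name=value` per line as in the Issue section, and its function names and sample data are constructed for illustration.

```python
import re

# Wire-log line format as shown in httpclient0.log above.
WIRE = re.compile(r'>> "([^":\s]+): ?(.*?)\[\\r\]\[\\n\]"')

def norm(name):
    """Header names are case-insensitive; CGI-style backends expose HTTP_SM_USER."""
    n = name.upper().replace("-", "_")
    return n[5:] if n.startswith("HTTP_") else n

def sent_headers(log_text):
    """Headers SPS put on the wire, taken from the httpclient log."""
    return {norm(m.group(1)): m.group(2) for m in WIRE.finditer(log_text)}

def received_headers(dump_text):
    """Headers seen by the receiving side, one Name=value per line (assumed format)."""
    out = {}
    for line in dump_text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            out[norm(name)] = value
    return out

def diff_headers(sent, received):
    """Return (dropped, altered) for the headers SPS sent."""
    dropped = sorted(k for k in sent if k not in received)
    altered = sorted(k for k in sent if k in received and sent[k] != received[k])
    return dropped, altered

# Constructed sample input, modelled on the excerpts in this article.
SAMPLE_LOG = r'''
FINE:  >> "GET /myApp/myPage.html HTTP/1.1[\r][\n]"
FINE:  >> "SM_UNIVERSALID: jsmith[\r][\n]"
FINE:  >> "SM_USER: myUser[\r][\n]"
FINE:  >> "SM_SDOMAIN: .mydomain.com[\r][\n]"
FINE:  >> "SM_AUTHTYPE: Form[\r][\n]"
FINE:  >> "SM_SERVERIDENTITYSPEC: [\r][\n]"
'''
SAMPLE_BACKEND = """Content-Length=0
Host=mydomain.com
SM_AUTHTYPE=Auto
SM_SDOMAIN=.mydomain.com
"""

if __name__ == "__main__":
    dropped, altered = diff_headers(sent_headers(SAMPLE_LOG),
                                    received_headers(SAMPLE_BACKEND))
    print("dropped in transit:", dropped)
    print("value changed:", altered)
```

Running the same comparison against a capture taken at each intermediate hop shows the first point at which a header is missing or its value differs.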

 

Additional Information

 

(1)

    Custom HTTP response headers missing

      HTTP_SM_SERVERSESSIONID and HTTP_SM_USER are missing in response headers.

      Following messages are evident in the agent trace:

        EnableAuthorization was disabled. User and Session headers are not set

      [...]

      Set EnableAuthorization to yes (or comment out as the default value
      is yes)

    https://knowledge.broadcom.com/external/article?articleId=136122