After upgrading a standalone environment (a 2-node JBoss cluster) from 14.2 to 14.4.1 CHF001, the Identity Portal Recertification module pages do not display properly.
All list items that should be shown are missing. When the user refreshes the page, the list items may appear, but drilling down into an item again shows none of the list items.
Some pages cannot display list items at all, even after the user refreshes the browser multiple times; and even if the content does show up after a refresh, it may not show for that user again.
The Identity Portal serves some static resources (images, script files and the like) that do not require authentication. When those resources are requested, the Identity Portal does not validate authentication. These static resources are part of the sigma (Identity Portal) application.
The resources/USERPIC/ folder contains the user profile images shown in the upper right corner of the Identity Portal User Console. These images are not application static resources, so they must be protected: they must not be accessible without authentication.
The SiteMinder Agent Configuration Object (ACO) has a property called ignoreExt. Requests for any extension configured there (for example .jpg, .jpeg, .js) are ignored by SiteMinder, which does not add the SM header to those requests.
When sigma/rest/resources/USERPIC/xxxxx.jpeg is requested, SiteMinder ignores the request because of its extension, but the Identity Portal validates authentication because the image is not a static resource. Since the request carries no valid SM header, the Identity Portal rejects it, invalidates the existing session and creates a new session with a new CSRF token. The client is unaware of the new CSRF token and keeps sending the old one, so the Identity Portal rejects those subsequent requests as well, which is why the list items fail to load.
To overcome this, SiteMinder must add the SM header for these resources (it is still not needed for true static resources). The OverrideIgnoreExtFilter property overrides the ignoreExt values and protects the matching resources. Adding sigma/rest/resources/USERPIC/ to OverrideIgnoreExtFilter therefore makes SiteMinder add the SM header to requests for these resources.
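The following Python model is an added illustration, not SiteMinder's or Identity Portal's own code. It replays the request sequence described above: the agent decides whether to attach the SM header (ignoreExt versus OverrideIgnoreExtFilter), and the portal drops the session and rotates the CSRF token when a protected resource arrives without it. The REST paths other than resources/USERPIC/, the static prefixes, the status codes and the case-insensitive substring matching of the filter are all assumptions chosen to mirror the article, not documented agent behaviour.

```python
"""Illustrative model (not SiteMinder's or Identity Portal's code) of the
ignoreExt / OverrideIgnoreExtFilter interaction that breaks the Recertification
list pages.  Paths, extension lists and status codes are assumptions."""
import secrets
from dataclasses import dataclass, field
from posixpath import splitext
from urllib.parse import urlsplit


def agent_adds_sm_header(url, ignore_ext, override_filters):
    """Model of the ACO decision: a request whose extension is listed in
    ignoreExt passes through without the SM header, unless its path matches an
    OverrideIgnoreExtFilter entry.  Matching is modelled as a case-insensitive
    substring test (an assumption; consult the agent documentation)."""
    path = urlsplit(url).path
    _, ext = splitext(path)
    if ext.lower() not in {e.lower() for e in ignore_ext}:
        return True                              # not an ignored extension
    return any(f.lower() in path.lower() for f in override_filters)


@dataclass
class Session:
    sid: str
    csrf: str


@dataclass
class Portal:
    """Minimal stand-in for the portal's session and CSRF handling."""
    static_prefixes: tuple = ("/sigma/images/", "/sigma/js/")   # constructed
    sessions: dict = field(default_factory=dict)

    def new_session(self):
        s = Session(secrets.token_hex(8), secrets.token_hex(16))
        self.sessions[s.sid] = s
        return s

    def handle(self, path, sid, csrf, sm_header):
        """Return (status, session the browser holds afterwards)."""
        if any(path.startswith(p) for p in self.static_prefixes):
            return 200, self.sessions.get(sid)   # static: no auth check
        if not sm_header:
            # Protected resource without the SM header: invalidate the old
            # session and issue a fresh one with a new CSRF token.
            self.sessions.pop(sid, None)
            return 401, self.new_session()
        session = self.sessions.get(sid)
        if session is None or session.csrf != csrf:
            return 403, session                  # stale CSRF token
        return 200, session


def simulate(override_filters, ignore_ext=(".jpg", ".jpeg", ".js", ".css")):
    """Drive the browser sequence from the article and return the status codes:
    1. a REST call that loads the recertification list (constructed path),
    2. the profile image fetch from resources/USERPIC/,
    3. the next REST call, sent with the CSRF token the page still holds."""
    portal = Portal()
    session = portal.new_session()               # user already authenticated
    page_csrf = session.csrf                     # token embedded in the page
    cookie_sid = session.sid                     # session cookie in the browser
    requests = [
        "/sigma/rest/recert/items",                       # constructed
        "/sigma/rest/resources/USERPIC/user1.jpeg",       # constructed name
        "/sigma/rest/recert/items/42",                    # constructed
    ]
    statuses = []
    for url in requests:
        has_sm = agent_adds_sm_header(url, ignore_ext, override_filters)
        status, session = portal.handle(url, cookie_sid, page_csrf, has_sm)
        statuses.append(status)
        if session is not None:
            cookie_sid = session.sid             # browser accepts new cookie
    return statuses


if __name__ == "__main__":
    print("ignoreExt only:              ", simulate([]))
    print("with OverrideIgnoreExtFilter:", simulate(["sigma/rest/resources/USERPIC/"]))
```

Without the override the sequence is 200, 401, 403: the image request strips the session, and the next list call fails on the stale CSRF token. With sigma/rest/resources/USERPIC/ in OverrideIgnoreExtFilter every request carries the SM header and all three succeed.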
Release : 14.4
1. Log in to the SiteMinder Admin Console.
2. Expand Infrastructure --> Agents.
3. Click Agent Configuration Objects.
4. Click the Agent Configuration used for the Identity Portal (IP).
5. Search for the property OverrideIgnoreExtFilter.
6. Click the Modify button.
7. Uncomment OverrideIgnoreExtFilter.
8. Enter the value sigma/rest/resources/USERPIC/
9. Save and Submit.
10. Restart the CA Access Gateway Engine and the CA Access Gateway Proxy.
11. After some time, try to access the IP User Console.
12. Re-check the Enable CSRF setting in the Portal Admin General Configuration area and verify that everything continues to work as required.