In the process of upgrading all our clusters to RHEL8 and noticed something strange in the OTK authorization server.

Article ID: 275365

Products

CA API Gateway

Issue/Introduction

CentOS and Gateway 10.1 CR2 with OTK version 4.4.0-4346.

We are in the process of upgrading all our clusters to RHEL 8 and noticed something strange in the OTK authorization server.
For the /auth/oauth/v2/authorize endpoint, right around assertion 60, we have an error: "Code not available for assertion: CustomAssertion" for the "Check Response Type Supported" assertion.
We see it in multiple places throughout the OTK, but that's the one that's getting us now.

- I looked through the techdocs, specifically "OTK check Response type supported Code missed in "auth/oauth/v2/authorize" policy" (broadcom.com), since that encapsulates our issue almost perfectly.
- We tried exporting/importing and uninstalling/reinstalling the OTK, and the error persists. We can delete the assertion, but then OAuth messages take far longer to run, so this wouldn't work for us in a production environment.
- In the logs, I am seeing warnings for unlicensed assertions in the OTK, but that seems like a symptom of the issue, not the cause:

"Policy for service <serviceID>, auth/oauth/v2/authorize (<anotherID>) contains an unlicensed assertion: Code not available for assertion: CustomAssertion"


Environment

Release: 10.1

Cause

The Software Gateway 10.1 form factor is running on a RHEL 8 host hardened with the STIG profile. That profile enables fapolicyd, which restricts application execution to allowlisted files. fapolicyd blocks something the "Check Response Type Supported" custom assertion needs in order to run, so the Gateway reports the assertion code as not available and logs the policy as containing an unlicensed assertion.

Resolution

On the base default RHEL 8 STIG profile, fapolicyd does not allow the "Check Response Type Supported" assertion to run on the Gateway node.

Disabling the fapolicyd service makes the assertion available again. Be aware that this removes the STIG application-allowlisting control for the entire host, not just for the Gateway; the Red Hat documentation linked under Additional Information describes how to allow specific applications while leaving fapolicyd running, which is the option to prefer where the STIG baseline must be kept. Either way, confirm the fix by invoking the /auth/oauth/v2/authorize policy again and checking that the "contains an unlicensed assertion" warning no longer appears in the Gateway log.
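The following is an added example, not part of this article and not Broadcom's or Red Hat's own tooling. It shows the allowlisting alternative to disabling fapolicyd: read the denial lines that fapolicyd prints in `--debug-deny` mode, pull out what was denied, and generate the narrowest matching allow rule for a file under /etc/fapolicyd/rules.d/. The denial lines, the Gateway install path /opt/SecureSpan/Gateway and the module file name are constructed for illustration; the article does not say which file fapolicyd actually blocks on the Gateway node, so take the real values from the debug output on your own host.

```bash
#!/bin/bash
# Added example (not from the KB article): triage a fapolicyd denial and
# generate a narrow allow rule instead of disabling the daemon.
# Log lines and Gateway paths are constructed; on a real node take them from
# `fapolicyd --debug-deny` output.

# Constructed sample in the format fapolicyd prints with --debug-deny on RHEL 8.
# /opt/SecureSpan/Gateway and example.so are assumptions, not from the article.
SAMPLE_DENIALS='rule=9 dec=deny_audit perm=execute auid=1001 pid=14137 exe=/usr/bin/bash : path=/home/user/my-ls ftype=application/x-executable trust=0
rule=9 dec=deny perm=execute auid=-1 pid=2231 exe=/usr/lib/jvm/java/bin/java : path=/opt/SecureSpan/Gateway/runtime/modules/lib/example.so ftype=application/x-sharedlib trust=0
rule=2 dec=allow perm=execute auid=-1 pid=2231 exe=/usr/lib/jvm/java/bin/java : path=/usr/lib64/libc.so.6 ftype=application/x-sharedlib trust=1'

# Step 1: list every object fapolicyd denied (dec=deny or dec=deny_audit),
# one path per line. Allowed lines are skipped.
denied_paths() {
    printf '%s\n' "$1" | awk '
        /dec=deny/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^path=/) print substr($i, 6)
        }'
}

# Step 2: turn each denial into the narrowest rule that would permit it:
# same permission, same subject executable, same object path.
# Output uses the /etc/fapolicyd/rules.d/*.rules syntax.
rules_from_denials() {
    printf '%s\n' "$1" | awk '
        /dec=deny/ {
            exe = ""; path = ""; perm = "execute"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^exe=/)  exe  = substr($i, 5)
                if ($i ~ /^path=/) path = substr($i, 6)
                if ($i ~ /^perm=/) perm = substr($i, 6)
            }
            if (exe != "" && path != "")
                printf "allow perm=%s exe=%s : path=%s\n", perm, exe, path
        }'
}

# Step 3: build the rules file. fapolicyd concatenates rules.d files in name
# order and evaluates rules first-match-wins, so a file numbered below the
# stock 90-deny-execute.rules takes effect before the catch-all deny.
# Prints the file content; writes it only when an output directory is given.
write_rules_file() {
    rules="$1"
    outdir="${2:-}"
    content="# Allow objects fapolicyd denied for the Gateway; generated from --debug-deny
$rules"
    if [ -n "$outdir" ]; then
        printf '%s\n' "$content" > "$outdir/80-gateway.rules"
    fi
    printf '%s\n' "$content"
}

# Example run (does not touch /etc/fapolicyd).
denied_paths "$SAMPLE_DENIALS"
write_rules_file "$(rules_from_denials "$SAMPLE_DENIALS")"
```

To apply the generated file on RHEL 8, copy it into /etc/fapolicyd/rules.d/, run fagenrules --load to regenerate the compiled rule set, and restart fapolicyd; alternatively, add the denied file to the trust database with fapolicyd-cli --file add followed by fapolicyd-cli --update, as the linked Red Hat documentation describes. Prefer per-file rules or trust entries over a blanket dir= allow for the whole Gateway tree, since a directory allow lets anything dropped there execute.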

 

Additional Information

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/assembly_blocking-and-allowing-applications-using-fapolicyd_security-hardening