After Linux patching, OIDC transactions are failing. The Access Gateway logs show the following:
[28641/140215684167424][Mon Feb 26 2024 02:16:28.255][OpenIDConnectServiceBase.java][ERROR][sm-FedClient-03802] Invalid Request. client_id is invalid or missing.
[28641/140215684167424][Mon Feb 26 2024 02:16:28.255][AuthorizationService.java][ERROR][sm-FedClient-02890] Transaction with ID: xxxxxxxxxxxxxxxxxxxxxxx failed. Reason: NO_CLIENT_INFO (, , )
[xxxxxxxxxxxxx][Mon Feb 26 2024 02:16:28.254][OpenIDConnectTunnelClient.java][ERROR][sm-FedClient-01660] Exception caught in class com.ca.federation.webservices.openidconnect.d, method getOidcClientInfo, message java.lang.IllegalArgumentException: "Cannot parse bytes to a Response". (, )
[02/26/2024][02:16:28][xxxx][xxxxxxxxxx][xxxxxxxxxxxxxxxxxx][OpenIDConnectServiceBase.java][sendError][ Sending error response: client_id is invalid or missing. with error code:400]
Prior to patching this was working.
Applicable to the Access Gateway
Going through the Policy Server smtrace log, another error was found:
[02/26/2024][06:51:06][06:51:06.348][][][][][][xxxxx][xxxxxxxxxx][][][][][][][][][][CServer.cpp:7006][CServer::Tunnel][][][][][][][][][][][][][][][][][][][][][][][][][][][Status: Tunnel error: service 'smjavaapi', function 'JavaTunnelService'. java.lang.NoClassDefFoundError: Could not initialize class com.ca.federation.openidconnect.tunnel.ClientInfoByClientIDTunnelService]
The ClientInfoByClientIDTunnelService can be found in: /<policy_server_home>/bin/jars/openidconnectserver.jar
Ran # lsof -p <processid> | grep /apps/CA/siteminder/bin/jars/openidconnectserver.jar to verify whether the jar was being loaded, and it was.
Another exception was found:
[02/26/2024][05:46:07][05:46:07.556][][][][][][xxxxxx][xxxxxxxxxx][][][][][][][][][][JsonWebKeySetTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][][][][][][][ Exception caught: java.lang.NoClassDefFoundError: com/google/protobuf/MessageOrBuilder
at com.ca.federation.openidconnect.tunnel.JsonWebKeySetTunnelService.tunnel(Unknown Source)
at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
Searched the system for protobuf* and found it in ./CA/siteminder/bin/thirdparty/protobuf-java-3.21.2.jar.gz
The jar was gzip'd, which is wrong and is why it could not be found. Checking the rest of the system led us to find other jars that had been gzip'd as well.
Jars cannot be gzip'd; a gzip'd jar cannot be loaded. Gunzip'd the jars and restarted the Policy Server. OIDC transactions were now successful.
There is no process in SiteMinder that would gzip files, so it was due to a misstep in the patching process.
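The search and fix described above, as an added shell example (not part of the original article and not a SiteMinder tool). It assumes the compressed files kept their original name plus a .gz suffix, as with protobuf-java-3.21.2.jar.gz; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find jars that were gzip'd in place and restore them.
# Assumption: each compressed jar is named <original>.jar.gz.

# Print every *.jar.gz under directory $1.
list_gzipped_jars() {
    find "$1" -type f -name '*.jar.gz' | sort
}

# Succeeds if file $1 starts with the ZIP magic bytes "PK" (a jar is a ZIP).
is_zip() {
    [ "$(od -An -tx1 -N2 "$1" | tr -d ' \n')" = "504b" ]
}

# Decompress each *.jar.gz under $1 back to its .jar name.
# Prints one status line per file; returns 1 if any file needs manual review.
restore_gzipped_jars() {
    rc=0
    while IFS= read -r gz; do
        [ -n "$gz" ] || continue
        jar=${gz%.gz}
        if [ -e "$jar" ]; then
            # Never overwrite an existing jar; someone must decide which is right.
            echo "SKIP     $gz (uncompressed copy already exists)"; rc=1
        elif ! gzip -t "$gz" 2>/dev/null; then
            echo "CORRUPT  $gz"; rc=1
        elif gunzip "$gz" && is_zip "$jar"; then
            # gunzip keeps the file mode and timestamp of the .gz file.
            echo "RESTORED $jar"
        else
            echo "CHECK    $jar (not a ZIP archive after decompression)"; rc=1
        fi
    done <<EOF
$(list_gzipped_jars "$1")
EOF
    return $rc
}

# Stand-alone use: pass the install directory to list affected jars only.
if [ "$#" -gt 0 ]; then
    list_gzipped_jars "$1"
fi
```

After restore_gzipped_jars reports every jar as RESTORED, restart the Policy Server as described above so the classes can be loaded.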