OTK policy- OTK session DB, which attempts to read session Data from Cache if present prior to looking for data in OTK DB

Article ID: 281434

Updated On:

Products

CA API Gateway

Issue/Introduction

After the OTK upgrade in PRODUCTION, we are facing an issue with a flow; a customer is affected and it is not working, with error code '0001'.

The pub OTK require OAuth 2.0 Token policy export has "client_cert" as the key for the encapsulated assertion "pub OTK OAuth 2.0 Token Validation - BEARER", whereas we see that the encapsulated assertion has the input label "client_cert_base64".

Could we know what the root cause of this scenario could be?

The related logs from the XX service show that the client cert is not found, and this in turn deletes the client custom data from the final response.

Context variable 'request.ssl.clientCertificate' is not found.
2024-03-12T10:26:18.486-0400 INFO    1304 com.l7tech.external.assertions.comparison.server.ServerComparisonAssertion: 7103: At least one comparison value was null
2024-03-12T10:26:18.486-0400 INFO    1304 com.l7tech.external.assertions.evaluatejsonpathexpressionv2.server.ServerEvaluateJsonPathExpressionV2Assertion: 9649: Could not find any matching result; assertion therefore fails; Expression is 'act'.
2024-03-12T10:26:18.486-0400 INFO    1304 com.l7tech.server.policy.assertion.ServerAuditDetailAssertion: -4: CUSTOM:  {
    "otk": {"client_type": "confidential","grant_type": "authorization_code","code_challenge": "xxxx","code_challenge_method": "S256"},
    "portal": {},
    "mag": {},
    "clientkey": {"client_custom": {},"client_key_custom": {"lifetimes": {"oauth2_access_token_lifetime_sec": 900,"oauth2_refresh_token_lifetime_sec": 432000}}},
    "mTLS_certificate_thumbprint": ""
  }

Environment

API Gateway 10.1, 11.x

OTK 4.6.1

Cause

The root cause is the OTK policy "OTK Session DB", which attempts to read session data from the cache, if present, before looking for the data in the OTK DB.

In this case there was a customized Pub OTK Session DB assertion that had cache lookup enabled, so the session record returned came from the cache rather than from the database.
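The following is an added illustration of the cache-before-DB read order described above; it is not OTK's own code, and the SessionStore class, its method names and the sample session records are constructed here. The stale-copy scenario (the DB row changing while the cached copy does not) is an assumption used to show why a cache-first GET can return a session record whose client certificate field is empty even though the database has it, and why disabling the cache GET and STORE path removes that window.

```python
"""Model of a session lookup that consults a cache before the database.

Added illustration, not OTK code: SessionStore, its methods and the sample
records are constructed. The stale-cache scenario is an assumption used to
show the failure mode of a cache-first read order.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class SessionStore:
    # Constructed stand-ins for the OTK session table and the in-memory cache.
    db: Dict[str, dict] = field(default_factory=dict)
    cache: Dict[str, dict] = field(default_factory=dict)
    # Mirrors the "cache lookup" switch: when False, GET and STORE skip the cache.
    cache_lookup_enabled: bool = True

    def store(self, session_id: str, data: dict) -> None:
        """STORE: always write the DB; write the cache only when caching is on."""
        self.db[session_id] = dict(data)
        if self.cache_lookup_enabled:
            self.cache[session_id] = dict(data)

    def update_db_only(self, session_id: str, data: dict) -> None:
        """Assumed scenario: another path updates the DB row without refreshing the cache."""
        self.db[session_id] = dict(data)

    def get(self, session_id: str) -> Optional[dict]:
        """GET: cache first (when enabled), then the DB."""
        if self.cache_lookup_enabled and session_id in self.cache:
            return self.cache[session_id]
        return self.db.get(session_id)


def client_cert_present(store: SessionStore, session_id: str) -> bool:
    """True when the session record returned by GET carries a client certificate."""
    session = store.get(session_id)
    return bool(session and session.get("client_cert"))


def demo(cache_lookup_enabled: bool) -> bool:
    """Run the constructed scenario with the cache switch on or off."""
    store = SessionStore(cache_lookup_enabled=cache_lookup_enabled)
    # Initial session record: no certificate yet (constructed sample data).
    store.store("sess-1", {"client_id": "app-1", "client_cert": ""})
    # DB row later gains the certificate; the cached copy keeps the empty value.
    store.update_db_only(
        "sess-1", {"client_id": "app-1", "client_cert": "MIIB...constructed-pem"}
    )
    return client_cert_present(store, "sess-1")


if __name__ == "__main__":
    print("cache lookup enabled, cert found:", demo(True))    # False: stale cache
    print("cache lookup disabled, cert found:", demo(False))  # True: read from DB
```

With the cache switch on, GET returns the cached record with an empty client_cert, which is the kind of result that makes a downstream "client cert not found" check fail; with the switch off, the same GET reads the current DB row.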

Resolution

Disable the cache lookup (GET and STORE) in the policy when it is not required.

Engineering provided the following steps to resolve the issue:

  1. Create a new policy fragment (e.g. "OTK Session DB CustomerNamed") outside the OTK folder.
  2. Copy the assertions from OTK Session DB (location: /OTK/Policy Fragments/persistence/session) into the new policy.
  3. Make any changes to the policy logic as needed (here, disabling the cache GET and STORE).
  4. Right-click the OTK Session DB CustomerNamed policy and click "Create Encapsulated Assertion".
  5. Click Yes at the prompt "Auto-populate inputs and outputs for encapsulated assertion".
  6. Provide the name OTK Session DB CustomerNamed for the encapsulated assertion and save it.
  7. Include this new encapsulated assertion, OTK Session DB CustomerNamed, within the required services in place of OTK Session DB.

Note: This is a temporary solution; Product Management will notify when this feature can be added in a new release.