Index 5 out of bounds for length 5 when handling OIDC flow from 12.8SP8CR01 mixed with 12.8SP6a Policy Server

Article ID: 402123

Products

SITEMINDER

Issue/Introduction

When a Policy Server 12.8SP8CR01 runs in mixed mode alongside Policy Servers 12.8SP6 for an in-place upgrade, and the 12.8SP8CR01 Policy Server handles OIDC requests, it intermittently reports the error:

java.lang.ArrayIndexOutOfBoundsException: Index 5 out of bounds for length 5

as shown in this trace:

[05/29/2025][08:28:25.441][08:28:25][4436][6348][CServer.cpp:6371][CServer::ProcessRequest][][][][][][][][][][][][][][][][][][][][][Enter function CServer::ProcessRequest]

[05/29/2025][08:28:25.441][08:28:25][4436][6348][BaseAccessTokenTunel.java][validateAccessToken][][][][][][][][][][][][][][][][][][][][][Data after unmarshalling from decrypted JSON: InternalData [clientId=<clientId>, userId=<clientId>, redirectURI=https://www.example.com/app/page.html, scope=openid, authTime=1748500093, userDirectoryOID=<id>, accessToken=<token>, isRevoked=false, isRedirecturiPresentInAZFlow=false, nonce=<nonce>, refreshTokenIssuedTime=0, tokenIssuedTime=<time>, authLevel=200, ]tokenIssuedTime=<time>, tokenIssuedTimeMillisec0,authLevel=200, , refreshTokenRotationCounter=0,]]

[05/29/2025][08:28:25.441][08:28:25][4436][6348][SessionManager.java][validatefromTokenSession][][][][][][][][][][][][][][][][][][][][][SLO: validatefromTokenSession  for access_token BEGINS]

[05/29/2025][08:28:25.441][08:28:25][4436][6348][UserInfoTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Exception caught: java.lang.ArrayIndexOutOfBoundsException: Index 5 out of bounds for length 5
        at com.ca.fedserver.common.util.CommonUtil.retrieveSessionID(CommonUtil.java:111)
        at com.ca.fedserver.common.SessionManager.validatefromTokenSession(SessionManager.java:1002)
        at com.ca.fedserver.common.tunnel.BaseAccessTokenTunnel.validateAccessToken(BaseAccessTokenTunnel.java:196)
        at com.ca.federation.openidconnect.tunnel.UserInfoTunnelService.tunnel(Unknown Source)
        at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
]

To avoid further disruption, the Policy Server 12.8SP8CR01 has been taken offline, leaving 7 of the 8 Policy Servers running on 12.8SP6a.
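To confirm whether the remaining Policy Servers hit this failure during the mixed-mode window, the following added example (not part of this article or the product) scans Policy Server trace output in the format quoted above and reports only the exception blocks that match this article's signature, the ArrayIndexOutOfBoundsException raised from CommonUtil.retrieveSessionID. The sample trace is constructed from the lines quoted above; the second and third exception blocks, their thread ids and timestamps are made up.

```python
import re

# Constructed sample modelled on the trace lines quoted in this article;
# the extra thread ids, timestamps and the unrelated third exception are made up.
SAMPLE_TRACE = """\
[05/29/2025][08:28:25.441][08:28:25][4436][6348][SessionManager.java][validatefromTokenSession][][][][][][][][][][][][][][][][][][][][][SLO: validatefromTokenSession  for access_token BEGINS]
[05/29/2025][08:28:25.441][08:28:25][4436][6348][UserInfoTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Exception caught: java.lang.ArrayIndexOutOfBoundsException: Index 5 out of bounds for length 5
        at com.ca.fedserver.common.util.CommonUtil.retrieveSessionID(CommonUtil.java:111)
        at com.ca.fedserver.common.SessionManager.validatefromTokenSession(SessionManager.java:1002)
]
[05/29/2025][08:30:01.002][08:30:01][4436][7001][UserInfoTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Exception caught: java.lang.ArrayIndexOutOfBoundsException: Index 5 out of bounds for length 5
        at com.ca.fedserver.common.util.CommonUtil.retrieveSessionID(CommonUtil.java:111)
]
[05/29/2025][08:31:10.500][08:31:10][4436][7002][UserInfoTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][ Exception caught: java.lang.ArrayIndexOutOfBoundsException: Index 2 out of bounds for length 2
        at com.example.Unrelated.parse(Unrelated.java:10)
]
"""

# A trace line opens with date, time, time without millis, pid, tid, source file and
# function, each in square brackets; the message is the last bracketed field.
HEADER = re.compile(r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[[^\]]*\]"
                    r"\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]\[(?P<src>[^\]]*)\]\[(?P<func>[^\]]*)\]")
SIGNATURE = "java.lang.ArrayIndexOutOfBoundsException"
FRAME = "com.ca.fedserver.common.util.CommonUtil.retrieveSessionID"

def find_session_id_failures(trace_text):
    """One record per exception block whose message carries the AIOOBE and whose
    stack trace (continuation lines up to the closing ']') hits retrieveSessionID."""
    hits, current = [], None
    for line in trace_text.splitlines():
        m = HEADER.match(line)
        if m:
            # A new header also closes a block that was never terminated by ']'.
            if current and current["matched_frame"]:
                hits.append(current)
            current = None
            message = line.rsplit("][", 1)[1].rstrip("]").strip()
            if SIGNATURE in message:
                current = dict(m.groupdict(), message=message, matched_frame=False)
        elif current is not None and line.lstrip().startswith("at "):
            if FRAME in line:
                current["matched_frame"] = True
        elif current is not None and line.strip() == "]":
            if current["matched_frame"]:
                hits.append(current)
            current = None
    if current and current["matched_frame"]:
        hits.append(current)
    return hits
```

Each returned record carries the pid and tid of the failing request, so hits can be correlated with the Policy Server and thread that served the OIDC call rather than with every out-of-bounds error in the trace.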

Environment

1 Policy Server 12.8SP8CR01
7 Policy Servers 12.8SP6a

Cause

Access token processing fails on the upgraded Policy Server (12.8SP8CR01) when the access token was created in JWT format by a 12.8SP6a Policy Server.

The issue occurs when the Policy Servers run in mixed mode, that is, when 12.8 SP6 and 12.8 SP7 or later Policy Servers co-exist in the same environment.

The access token can exist in two formats, opaque and JWT, depending on configuration.

A fix makes the Policy Server process the access token regardless of which Policy Server version generated it, so that access tokens can be exchanged among Policy Servers of different versions.

Resolution

Open a Support Case to obtain a fix for the Policy Server that handles this flow while the 12.8SP6a Policy Servers are being upgraded to 12.8SP8CR01.