search cancel

Risk engine denied transaction to be allowed

book

Article ID: 41768

calendar_today

Updated On:

Products

CA Advanced Authentication CA Strong Authentication CA Risk Authentication

Issue/Introduction

One of the options in the Advanced Authentication’s Siteminder integration is risk authentication. After selecting this option you may see the error “Risk engine denied transaction to be allowed” appear in the Siteminder Policy server trace logs and the login process is denied. This error condition may indicate that  the client connection should be denied. You can confirm this by reviewing the Risk Authentication reports or following the Adapter AFM logs to verify why this client connection was denied. If the Risk Authentication status does not match the condition reported by Siteminder then the following may be the cause. This behavior may be inconsistent and only happen during peak usage.

Sample error        [ERROR] ARCOT: [706051106]: Risk engine denied transaction to be allowed.[20160401180816.964.77532656]

Environment

Release: 9.x
Component: AuthMinder ( Arcot WebFort)

RiskMinder(Arcot RiskFort)

Cause

This condition can be caused by a timeout in the Siteminder Adapter. To avoid  issues where Siteminder does not respond to client connections in a timely fashion Siteminder Policy server will timeout the connection to Advanced Authentication if not received. Normally the Risk Authentication should be rather quick in order to keep the login process moving. If the network connection between the Siteminder policy server and any Advanced Authentication components or database connection issues slow the Risk Authentication workflow this condition may occur.

Resolution

The optimal resolution would be to further isolate the reasons for the slow response times to improve the performance of the network or the application. 

Due to the time and effort that may be involved in isolating the performance problems you can workaround the issue by modifying the following setting in the adaptershim.ini in ARCOT_HOME/conf on the Siteminder Policy server will allow the adapter to either wait longer for a response or retry multiple times. Each setting should be reviewed for its possible impact to the overall workflow of the application to ensure the timeout values are not set too high.

ARCOT_HOME/conf/adaptershim.ini

# "ArcotSMRetries" property specifies the number of times your application is

# allowed to connect to the Arcot State Manager.

# Value of 0 indicates only one connect attempt can be made, without any retries.

# Default: 0

# Required: No

#ArcotSMRetries=0

ArcotSMRetries=3

 # "ArcotSMResponseWait" property specifies the number of seconds to wait for a

# response from the Arcot State Manager before closing the connection.

# Required: Yes

#ArcotSMResponseWait=30

 #ArcotSMResponseWait=30