During a particular operation, the user who is logged into the CA Service Desk Manager GUI through the web browser receives "AHD04400:Argument error". Additionally, several messages are written to the STDLOG.
The messages written to the STDLOG are similar to the following messages:
[SDM-SERVER] web:local 28275 ERROR session.c 5329 Parameter FAQ_WINDOW_NAME's value =(KT_FAQ_cr:418832),was failed against the pattern (AlphaNumericUnderScoreDot)
[SDM-SERVER] web:local 28275 ERROR session.c 5330 Hence this web request will be rejected
[SDM-SERVER] web:local 28275 ERROR session.c 4652 Error parsing cgi POST string "ENV_HTTP_USER_AGENT=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36&-[OMITTED]
CA Service Desk Manager 12.9, 14.1 and 17.x
All Supported Operating Systems
The value of a security parameter in the web.cfg of the corresponding webengine process is preventing the request underlying the operation from being processed, because the pattern of the value does not match the pattern expected for the parameter.
The name of the security parameter and corresponding value is specified in one of the messages that are written to the STDLOG.
For example, in the following message:
"[SDM-SERVER] web:local 28275 ERROR session.c 5329 Parameter FAQ_WINDOW_NAME's value =(KT_FAQ_cr:418832),was failed against the pattern (AlphaNumericUnderScoreDot)"
the security parameter is "FAQ_WINDOW_NAME" and the value is "KT_FAQ_cr:418832".
The pattern, "AlphaNumericUnderScoreDot", indicates that the value is expected to contain a dot character (".") in addition to alphanumeric characters and underscores. The value is not expected to contain a colon (":").
Modify the NX_ROOT\BOPCFG\WWW\web.cfg file that corresponds to the webengine named in the message. Search for all occurrences of the security parameter and confirm that the corresponding pattern is set according to what you require.
In the case above, the webengine is "web:local". Check the pdm_startup file in the NX_ROOT\pdmconf directory to confirm the name of the corresponding web.cfg file. The default web.cfg file is named "web.cfg". For example, the following statement in pdm_startup shows that the "web:local" webengine is associated with "web.cfg":
WEBENGINE(webengine, $NX_LOCAL_HOST, web:local, domsrvr, $NX_ROOT/bopcfg/www/web.cfg, "", "rpc_srvr:%h")
In the case above, if you want to allow values that do not contain a dot but that do contain a colon, change the following statement in the web.cfg from:
SecureParameter.FAQ_WINDOW_NAME AlphaNumericUnderScoreDot
to either:
SecureParameter.FAQ_WINDOW_NAME AlphaNumericUnderScoreColon
or:
SecureParameter.FAQ_WINDOW_NAME AlphaNumericUnderScore
You should make the same change to the corresponding web.cfg.tpl file so that the change persists.
The webengine needs to be recycled to pick up the change to web.cfg. The webengine can be recycled either by killing it and allowing it to restart automatically, or by stopping and restarting the CA Service Desk Manager service.
It is also possible to disable the validation.
For information on how to disable or enable the relevant Options Manager option (or corresponding environment variable), please review the following documentation: Secure CA SDM from Cross-Site Scripting Vulnerabilities
One should also look closely at any errors that appear. For instance, in the stdlog, one may see:
Parameter KEEP.POPUP_NAME's value = XXXX was failed against the pattern (AlphaNumericUnderScoreEqualSpaceDot)
As the affected parameter is "KEEP.POPUP_NAME", one will need to create/modify an entry for "KEEP.POPUP_NAME":
SecureParameter.KEEP.POPUP_NAME AlphaNumericUnderScoreEqualSpaceDot
A new whitelist parameter may be necessary based on the nature of the error.
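To read rejection messages like those quoted above out of a STDLOG in bulk, the following added example (not CA/Broadcom code) extracts the webengine, parameter, rejected value and pattern, and lists which characters in the value fall outside the pattern. The function names `triage` and `allowed_class` are hypothetical, and the mapping from pattern-name tokens to characters is an assumption inferred from the pattern names on this page, not documented product behaviour.

```python
import re

# Rejection message format as quoted on this page (host/webengine prefix optional).
REJECT_RE = re.compile(
    r"(?:\[(?P<host>[^\]]+)\]\s+(?P<webengine>\S+)\s.*?)?"
    r"Parameter (?P<param>\S+?)'s value\s*=\s*(?P<value>.*?)\s*,?\s*"
    r"was failed against the pattern \((?P<pattern>\w+)\)"
)

# ASSUMPTION: a pattern name is a concatenation of these tokens, each naming
# the characters it admits. Inferred from the names on this page only.
TOKENS = {"Alpha": "A-Za-z", "Numeric": "0-9", "UnderScore": "_",
          "Dot": ".", "Colon": ":", "Equal": "=", "Space": " "}

def allowed_class(pattern):
    """Return a regex character-class body for a pattern name, or None if unknown."""
    parts = re.findall("|".join(TOKENS), pattern)
    if not parts or "".join(parts) != pattern:
        return None
    return "".join(TOKENS[p] for p in parts)

def triage(line):
    """Parse one STDLOG line; return None if it is not a rejection message."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    value = m["value"]
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]  # the log wraps the value in parentheses
    cls = allowed_class(m["pattern"])
    offending = sorted(set(re.findall(f"[^{cls}]", value))) if cls else None
    return {"webengine": m["webengine"], "param": m["param"], "value": value,
            "pattern": m["pattern"], "offending": offending,
            "cfg_key": "SecureParameter." + m["param"]}

# Sample lines copied from the messages quoted on this page.
SAMPLE = [
    "[SDM-SERVER] web:local 28275 ERROR session.c 5329 Parameter FAQ_WINDOW_NAME's "
    "value =(KT_FAQ_cr:418832),was failed against the pattern (AlphaNumericUnderScoreDot)",
    "[SDM-SERVER] web:local 28275 ERROR session.c 5330 Hence this web request will be rejected",
]

if __name__ == "__main__":
    for hit in filter(None, map(triage, SAMPLE)):
        print(f"{hit['webengine']}: {hit['cfg_key']} {hit['pattern']} "
              f"rejected {hit['value']!r}; characters outside pattern: {hit['offending']}")
```

An `offending` list containing only the one separator you expect (here the colon) points to a pattern mismatch; other characters in that list are worth examining before the pattern is widened.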