Getting not authorized error with SM protecting TEWS on subsequent calls with Forgotten Password.


Article ID: 52137


Updated On:

Products

DIRECTORY CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On SINGLE SIGN ON - LEGACY CA Data Protection (DataMinder) CA User Activity Reporting

Issue/Introduction

Description:

Forgotten Password is a three-step TEWS call. With TEWS protected by SM and the correct SM security parameters set in web.xml, the customer finds that only the first Forgotten Password TEWS call (to verify the user's identity) succeeds; the subsequent TEWS call comes back with a "401 Not Authorized" error on the client side. This document describes a workaround, since the problem lies within Apache Axis and not in the client-side TEWS code or IDM.

Solution:

Apache Axis 1.3 and 1.4 have a problem with the way they send cookie headers. They send each cookie in a separate header, in the form:

cookie: cookie1=value
cookie: cookie2=value

This format is not RFC compliant, and web servers reject all but the first cookie because they expect the RFC-compliant form:

cookie: cookie1=value; cookie2=value

There is a patch to the Axis clients; however, it is a manual patch that requires recompiling Axis. The patch for Axis 1.4 is attached.
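The header behaviour described above can be reproduced offline with the following added example, which is not part of the original article or of the attached Axis patch. It models a server that honours only the first cookie header and shows the folded single-header form; the request text, the placeholder path and all function names are constructed for illustration.

```python
# Constructed request in the split-header form the article attributes to Axis 1.3/1.4.
# The path is a placeholder, not a real TEWS endpoint.
RAW_REQUEST = (
    "POST /tews-endpoint-placeholder HTTP/1.1\r\n"
    "Host: idm.example.test\r\n"
    "cookie: cookie1=value\r\n"
    "cookie: cookie2=value\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return the header list as (name, value) pairs, keeping order and repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers

def parse_cookie_value(value):
    """Split 'a=1; b=2' into a dict of cookie names to values."""
    pairs = (p.strip().partition("=") for p in value.split(";") if p.strip())
    return {k: v for k, _, v in pairs}

def cookies_seen_by_first_header_reader(headers):
    """Model a server that reads only the first cookie header it finds."""
    for name, value in headers:
        if name.lower() == "cookie":
            return parse_cookie_value(value)
    return {}

def fold_cookie_headers(headers):
    """Merge repeated cookie headers into one 'name=value; name=value' header."""
    values = [v for n, v in headers if n.lower() == "cookie"]
    if len(values) <= 1:
        return list(headers)
    folded, emitted = [], False
    for name, value in headers:
        if name.lower() != "cookie":
            folded.append((name, value))
        elif not emitted:  # keep the position of the first cookie header
            folded.append((name, "; ".join(values)))
            emitted = True
    return folded

if __name__ == "__main__":
    hdrs = parse_headers(RAW_REQUEST)
    print("split form, server sees: ", cookies_seen_by_first_header_reader(hdrs))
    print("folded form, server sees:", cookies_seen_by_first_header_reader(fold_cookie_headers(hdrs)))
```

Run against a captured client request, the same check shows whether a cookie set by the first call is being dropped because it travels in a second cookie header.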

Environment

Release:
Component: IDMGR

Attachments

1558535394356TEC507554.zip