Proxy to backend server gave Noodle_GenericException

Article ID: 6072

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

A proxy rule is configured to redirect requests to the backend HTTPS-enabled application URL.

The browser shows the error Noodle_GenericException.

Cause

The SPS server.log or nohup.log confirms that a trusted certificate was found, for example:

[06/Mar/2017:11:08:14-985] [INFO] - Found trusted certificate: [
  Version: V1
  Serial Number: 1234567890000000000
  SignatureAlgorithm: SHA256withRSA (1.2.840.123456.1.1.11)
  Issuer Name: CN=SMSSO, OU=Support, O=CA, L=AUS, ST=AUS, C=AUS

  Validity From: Fri Mar 03 14:51:52 CST 2017
           To:   Thu Feb 21 14:51:52 CST 2019
  Subject Name: CN=my.smdemo.com, OU=Support, O=CA, L=AUS, ST=AUS, C=AUS

but an Internal Error is reported shortly afterwards:

[06/Mar/2017:11:08:15-016] [INFO] - ***Created and initialized encryption cipher
[06/Mar/2017:11:08:15-016] [INFO] - CipherAlg: AES/CBC/NoPadding
[06/Mar/2017:11:08:15-016] [INFO] - CipherKey: 12345..a53c46a643d66890e2dee0f43096632c1a6ae0bed0b7c288e91685a7c35
[06/Mar/2017:11:08:15-016] [INFO] - ***Created and initialized Mac
[06/Mar/2017:11:08:15-016] [INFO] - MacAlg: HmacSHA1
[06/Mar/2017:11:08:15-016] [INFO] - MacKey: 12345..3f8a49733025b5c9139dd9412c34606e8e1
[06/Mar/2017:11:08:15-016] [INFO] - Mac length used: 20
[06/Mar/2017:11:08:15-016] [INFO] - ***SEND Alert Fatal, Internal Error

Based on the flow in the server log, SPS is able to find the trusted CA but gets an error when it tries to create and initialize the encryption cipher. This indicates that the JCE patch has not been applied, which causes the issue.

Environment

SPS: R12.52SP1CR6

Resolution

The JRE needs to have the JCE patch applied.

Reference:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/installing/install-ca-siteminder-sps.html


Snippet from documentation:
@@@
JCE patches required -- The current Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction patches are required to use the Java cryptographic algorithms. To locate the JCE package for your operating platform, go to the Oracle website.
Apply the patches to the following files on your system:
local_policy.jar
US_export_policy.jar
These files are in the following directories:
Windows: jre_home\lib\security
UNIX: jre_home/lib/security

jre_home specifies the location of the Java Runtime Environment installation.
@@@
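
One way to confirm whether the JRE that runs SPS has the unlimited-strength policy in effect, as an added example (not code from Broadcom or the SPS product). The class name JceCheck and the all-zero test keys are constructed for illustration, and the 256-bit key size is an assumption, since the log excerpt shows AES/CBC/NoPadding but truncates the key.

```java
import java.io.File;
import java.security.InvalidKeyException;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): run it with the same JRE that starts SPS.
public class JceCheck {
    // Policy files named in the documentation snippet above.
    static final String[] POLICY_JARS = {"local_policy.jar", "US_export_policy.jar"};

    // Largest AES key size (bits) the installed jurisdiction policy allows.
    // An unpatched JRE reports 128; an unlimited policy reports Integer.MAX_VALUE.
    static int maxAesBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    // Tries to initialise the cipher seen in the log with a key of keyBits bits.
    static boolean canInit(int keyBits) throws Exception {
        byte[] key = new byte[keyBits / 8]; // constructed all-zero test key
        byte[] iv = new byte[16];           // constructed all-zero IV
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return true;
        } catch (InvalidKeyException e) {   // "Illegal key size" under the limited policy
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String home = System.getProperty("java.home");
        System.out.println("java.home    : " + home);
        System.out.println("java.version : " + System.getProperty("java.version"));
        File dir = new File(home, "lib" + File.separator + "security");
        for (String name : POLICY_JARS) {
            File f = new File(dir, name);
            String info = f.isFile() ? "modified " + new Date(f.lastModified()) : "not found";
            System.out.println(f + " : " + info);
        }
        System.out.println("max AES bits : " + maxAesBits());
        System.out.println("AES-128 init : " + canInit(128));
        boolean ok256 = canInit(256);
        System.out.println("AES-256 init : " + ok256);
        System.exit(ok256 ? 0 : 1);         // non-zero exit: policy still limited
    }
}
```

Compile and run it with the java binary under the jre_home that SPS uses; an exit code of 0 means a 256-bit AES key can be initialized.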

Additional Information

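Enable logging to debug SSL in SPS

For SPS, the debug setting is applied in the following files:

Windows: proxy-engine/conf/SmSpsProxyEngine.properties

Unix: proxy-engine/proxyserver.sh

Add the parameter -Djavax.net.debug=all to the Java startup command. This setting writes session key material to the log (the CipherKey and MacKey lines in the excerpt above), so remove it once debugging is complete.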

Reference:

https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=42115
