SPS Admin Login failing


Article ID: 7524


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

SPS proxyui bug: after successful authentication and authorization (AU/AZ), the webapp (proxyui) makes an additional call, gets the agent configuration, and uses the value of the ACO parameter defaultagentname instead of the current agentname.

 

Environment

Linux SPS R12.6, Linux Policy Server R12.6

Cause

The bug is in the additional call that proxyui makes to GetConfig, after which it uses defaultagentname. This will not always be the case where customers protect proxyui with defaultagentname.

For proxyui access, defaultagentname is used; this is not documented.

Proxyui is protected and the user is authenticated and authorized (AU/AZ); however, after the AZ call the proxyui webapp makes a call to the policy server (PS) with defaultagentname, which could return Not Protected.

Expected results: Allow access to proxyui

 

Actual results: Presented with the page "You must protect proxyui"

[29092/140638892373760][Tue Apr 04 2017 15:12:38] agentname=lodbl510vm001-sps1,sps1.mysite.com

[29092/140638892373760][Tue Apr 04 2017 15:12:38] agentname=lodbl510vm001-sps2,sps2.mysite.com

[29092/140638892373760][Tue Apr 04 2017 15:12:38] agentname=lodbl510vm001-proxyui,lodbl510vm001.mysite.com

.

[29092/140638892373760][Tue Apr 04 2017 15:12:38] defaultagentname=lodbl510vm001-default

 

 

Sequence

First IsProtected:

[04/04/2017][15:18:40.334][15:18:40][25551][139956160698112][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s25/r6][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl510vm001-proxyui][** Status: Protected. ]

 

AU:

[04/04/2017][15:18:49.427][15:18:49][25551][139956160698112][SmDsLdapProvider.cpp:2378][CSmDsLdapProvider::Search][(Search) Base: 'dc=ca,dc=com', Filter: '(uid=A20)'. Status: 1 entries.][Ldap Search callout succeeds.]

[04/04/2017][15:18:49.429][15:18:49][25551][139956160698112][Sm_Auth_Message.cpp:4759][CSm_Auth_Message::SendReply][s14/r11][A20][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl509vm022-2000-UID][lodbl510vm001-proxyui][AUTHSCHEME-SPSADMINUI][** Status: Authenticated. ]

 

AZ:

[04/04/2017][15:18:49.432][15:18:49][25551][139956202657536][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s14/r12][A20][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl510vm001-proxyui][** Status: Authorized. ]

 

After successful AU/AZ, a second call from the webapp gets the config and then uses defaultagentname to perform IsProtected:

[04/04/2017][15:18:49.598][15:18:49][25551][139956244616960][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s28/r2][** Status: GetConfig. ]

[04/04/2017][15:18:50.712][15:18:50][25551][139956297066240][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r2][** Status: GetConfig. ]

[04/04/2017][15:18:50.717][15:18:50][25551][139956192167680][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r3][lodbl510vm001-default][** Status: Not Protected. ]
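
To find this pattern in a policy server trace, the following added example (not CA code and not part of the original article) scans for an Authorized reply followed by GetConfig and then a Not Protected reply for a different agent name. The field positions, the MM/DD/YYYY date order and the 5-second window are assumptions based on the trace lines quoted above.

```python
import re
from datetime import datetime, timedelta

# Sample input: the AZ, GetConfig and IsProtected replies copied from the trace in this article.
SAMPLE = """\
[04/04/2017][15:18:49.432][15:18:49][25551][139956202657536][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s14/r12][A20][DOMAIN-SPSADMINUI-lodbl510vm001-proxyui][REALM-SPSADMINUI-lodbl510vm001-proxyui][lodbl510vm001-proxyui][** Status: Authorized. ]
[04/04/2017][15:18:49.598][15:18:49][25551][139956244616960][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s28/r2][** Status: GetConfig. ]
[04/04/2017][15:18:50.712][15:18:50][25551][139956297066240][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r2][** Status: GetConfig. ]
[04/04/2017][15:18:50.717][15:18:50][25551][139956192167680][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s29/r3][lodbl510vm001-default][** Status: Not Protected. ]
"""

FIELD = re.compile(r"\[([^\]]*)\]")
STATUS = re.compile(r"\*\* Status: (.+?)\.\s*$")
SESSION = re.compile(r"s\d+/r\d+$")  # e.g. s29/r3, present when no agent name is logged

def parse(line):
    """Return (timestamp, status, agent) for a SendReply line, else None."""
    fields = FIELD.findall(line)
    m = STATUS.match(fields[-1]) if len(fields) >= 3 else None
    if not m:
        return None
    # Assumption: the date field is MM/DD/YYYY and the agent name is the field before Status.
    ts = datetime.strptime(fields[0] + " " + fields[1], "%m/%d/%Y %H:%M:%S.%f")
    agent = None if SESSION.match(fields[-2]) else fields[-2]
    return ts, m.group(1), agent

def find_default_agent_fallback(lines, window=timedelta(seconds=5)):
    """Flag Authorized -> GetConfig -> Not Protected where the agent name changes."""
    hits, last_az, got_config = [], None, False
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, status, agent = rec
        if status == "Authorized":
            last_az, got_config = (ts, agent), False
        elif status == "GetConfig" and last_az:
            got_config = True
        elif status == "Not Protected" and last_az and got_config:
            az_ts, az_agent = last_az
            if agent != az_agent and timedelta(0) <= ts - az_ts <= window:
                hits.append((ts, az_agent, agent))
    return hits

if __name__ == "__main__":
    for ts, az_agent, ip_agent in find_default_agent_fallback(SAMPLE.splitlines()):
        print(f"{ts}: authorized as {az_agent}, then IsProtected for {ip_agent} returned Not Protected")
```
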

 

 

ProxyUI log

2017-Apr-04 15:15:25,818 - INFO - com.ca.sps.adminui.listener.ProxyUIPhaseListener - Agent API Init status= 0
2017-Apr-04 15:15:25,818 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - Connectiong to PS for getting agent name and LocalConfig ACO Parameters
2017-Apr-04 15:15:25,822 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - getAgentConfig status = 1
2017-Apr-04 15:15:25,822 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - getAttribute() count = 75
2017-Apr-04 15:15:25,823 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - defaultAgentName = lodbl510vm001-default
2017-Apr-04 15:15:25,823 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - AllowLocalConfig in ACO is no
2017-Apr-04 15:15:25,824 - INFO - com.ca.sps.adminui.listener.ProxyUIPhaseListener - Verifying if AllowLocalConfig ACO parameter is enabled
2017-Apr-04 15:15:25,824 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - agentName = lodbl510vm001-default,contextPath= /proxyui
2017-Apr-04 15:15:25,825 - DEBUG - com.ca.sps.adminui.listener.ProxyUIPhaseListener - IsProtected returned retCode = FALSE

Resolution

Bug DE285970 has been filed; this will be fixed in a future release of SPS.

Work around:

Create an agent group: proxyui-group

Add the default agent (spsdefault) and the agent (utlxa550_sps-adminui) to the group

Change the SPS proxyui realm agent to the new agent group (proxyui-group)

 

Bug info: A bug in the code that parses the ACO for the list of agentnames resulted in defaultagentname always being used. If the defaultagentname is not part of the domain used to protect the SPS, access is not allowed and the message "ProxyUI must be protected" is shown.

agentname=lodbl510vm001-sps1,sps1.mysite.com

agentname=lodbl510vm001-sps2,sps2.mysite.com

agentname=lodbl510vm001-proxyui,lodbl510vm001.mysite.com

.

defaultagentname=lodbl510vm001-default