Products: CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
io.https.response.truncationProtection.disable=FALSE is causing an outage in production. The following is evident in SPSAgentTrace.log when SPS (the CA Access Gateway) tries to connect to the CA API Gateway:
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Retrying to send the request to backend web server.Retry count: 3]
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Tried to send the request to backend web server three times.Throwing the exception to client. ]
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][Noodle::doGet][javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at com.rsa.sslj.x.aH.d(Unknown Source)]
Cause
Analysis on the SSO AG side: the SSO AG sends a request to the backend server and receives a TCP FIN instead of a valid response. At this point SPS goes into retry mode; when the AG reaches the maximum retry count, the exception is recorded and sent back to the client.
The "possible truncation attack" wording comes from the TLS layer: the peer closed the TCP connection without first sending a TLS close_notify alert, so the AG cannot tell a benign abrupt close from an attacker cutting the response short, and with truncation protection enabled it treats the response as incomplete. In this environment the peer that closes the connection is whichever hop terminates TLS toward the AG.
Each retry attempt releases the connection as not reusable because of the possible truncation attack. Log messages:
Released connection is not reusable
Inbound closed before receiving peer's close_notify: possible truncation attack
When the request is sent over SSL, the exception is: [javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at com.rsa.sslj.x.aH.d(Unknown Source)]
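As an added example (not part of the original article and not CA product code), the following Python script parses SPSAgentTrace.log lines in the bracketed format shown above, groups them by transaction ID, and reports which transactions exhausted the three retries and surfaced the SSLException to the client versus which recovered on a retry. The sample log lines are constructed for the example: the transaction IDs, the second transaction, and its final "Response received" message are made up and not taken from the article.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the SPSAgentTrace.log excerpt in the article.
# txn-aaaa exhausts all three retries; txn-bbbb (made up, including its last
# "Response received" line) recovers after one retry.
SAMPLE_LOG = """\
[02/16/2018][02:24:19][7220][139993319991040][txn-aaaa][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]
[02/16/2018][02:24:19][7220][139993319991040][txn-aaaa][execute][Released connection is not reusable]
[02/16/2018][02:24:19][7220][139993319991040][txn-aaaa][execute][Retrying to send the request to backend web server.Retry count: 1]
[02/16/2018][02:24:19][7220][139993319991040][txn-aaaa][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]
[02/16/2018][02:24:19][7220][139993319991040][txn-aaaa][execute][Released connection is not reusable]
[02/16/2018][02:24:19][7220][139993319991040][txn-aaaa][execute][Retrying to send the request to backend web server.Retry count: 2]
[02/16/2018][02:24:20][7220][139993319991040][txn-aaaa][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]
[02/16/2018][02:24:20][7220][139993319991040][txn-aaaa][execute][Released connection is not reusable]
[02/16/2018][02:24:20][7220][139993319991040][txn-aaaa][execute][Retrying to send the request to backend web server.Retry count: 3]
[02/16/2018][02:24:20][7220][139993319991040][txn-aaaa][execute][Tried to send the request to backend web server three times.Throwing the exception to client. ]
[02/16/2018][02:24:20][7220][139993319991040][txn-aaaa][Noodle::doGet][javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at com.rsa.sslj.x.aH.d(Unknown Source)]
[02/16/2018][02:24:21][7220][139993319991041][txn-bbbb][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]
[02/16/2018][02:24:21][7220][139993319991041][txn-bbbb][execute][Released connection is not reusable]
[02/16/2018][02:24:21][7220][139993319991041][txn-bbbb][execute][Retrying to send the request to backend web server.Retry count: 1]
[02/16/2018][02:24:21][7220][139993319991041][txn-bbbb][execute][Response received from backend web server]
"""

# [date][time][pid][thread id][transaction id][function][message]
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<func>[^\]]*)\]\[(?P<msg>.*)\]$"
)
TRUNCATION_MSG = "Inbound closed before receiving peer's close_notify"
RETRY_RE = re.compile(r"Retry count: (\d+)")
EXHAUSTED_MSG = "Tried to send the request to backend web server three times"
CLIENT_EXC_PREFIX = "javax.net.ssl.SSLException"


def parse_line(line):
    """Return the fields of one trace line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["msg"] = rec["msg"].strip()  # the exhaustion line carries a trailing space
    return rec


def summarize(lines):
    """Group trace lines by transaction ID and count truncation/retry events."""
    txns = defaultdict(lambda: {
        "truncations": 0,      # "Inbound closed ... close_notify" events
        "max_retry": 0,        # highest "Retry count" seen
        "exhausted": False,    # AG gave up after three attempts
        "client_exception": False,  # SSLException thrown to the client
        "first": None,
        "last": None,
    })
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = txns[rec["txid"]]
        stamp = f'{rec["date"]} {rec["time"]}'
        t["first"] = t["first"] or stamp
        t["last"] = stamp
        msg = rec["msg"]
        if msg.startswith(TRUNCATION_MSG):
            t["truncations"] += 1
        m = RETRY_RE.search(msg)
        if m:
            t["max_retry"] = max(t["max_retry"], int(m.group(1)))
        if msg.startswith(EXHAUSTED_MSG):
            t["exhausted"] = True
        if msg.startswith(CLIENT_EXC_PREFIX):
            t["client_exception"] = True
    return dict(txns)


def failed_transactions(summary):
    """Transactions where the AG exhausted its retries and failed the client request."""
    return sorted(tx for tx, s in summary.items() if s["exhausted"])


def retried_but_recovered(summary):
    """Transactions that saw at least one truncation but did not exhaust retries."""
    return sorted(tx for tx, s in summary.items() if s["truncations"] and not s["exhausted"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for tx, s in summary.items():
        print(tx, s)
    print("failed:", failed_transactions(summary))
    print("recovered:", retried_but_recovered(summary))
```

Pointing `summarize` at the real SPSAgentTrace.log (one line per call to `parse_line`) gives a per-transaction view of how often the backend closes without close_notify and how often that turns into a client-visible failure, which is the number to compare before and after any change on the backend or load-balancer side.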
Environment
Client -> F5 -> CA Access Gateway (R12.7) -> F5 -> (2) CA API Gateway 9.2 (OAuth token)
Resolution
The SSO Access Gateway (AG) is working as designed: it goes into a retry state when no response is received, and after the retries are exhausted it throws the exception to the client. The connection being closed without a TLS close_notify originates on the backend side of the AG, so that is where the cause of the outage has to be investigated.