Intermittent io.https.response.truncationProtection.disable

Article ID: 75366


Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

With io.https.response.truncationProtection.disable=FALSE set, an intermittent outage occurs in production. The following is seen in SPSAgentTrace.log when SPS tries to connect to the API Gateway:

[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]

[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Retrying to send the request to backend web server.Retry count: 3]

[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Tried to send the request to backend web server three times.Throwing the exception to client. ]

[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][Noodle::doGet][javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at com.rsa.sslj.x.aH.d(Unknown Source)]

Cause

Analysis from the SSO AG side: when SSO AG sends a request to the backend server, it receives a TCP FIN instead of a valid response. At this point SPS goes into retry mode; when AG reaches the maximum retry count, the exception is recorded and sent back to the client.
 
Each retry attempt releases the connection as not reusable (possible truncation attack).
Log messages:
  • Released connection is not reusable
  • Inbound closed before receiving peer's close_notify: possible truncation attack
 
Over SSL, the request fails with the exception:
[javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?         at com.rsa.sslj.x.aH.d(Unknown Source)]
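As an added triage example (not part of this article or of the SiteMinder product), the script below parses SPSAgentTrace.log lines in the bracketed format shown above, groups them by transaction id, and reports which transactions exhausted their retries after a truncation warning. The three article lines are reused as sample input; the fourth line, with transaction id constructed-txid-0002, is constructed.

```python
import re
from collections import defaultdict

# Format of one SPSAgentTrace.log line as shown in the article:
# [date][time][pid][thread][transaction-id][function][message]
LINE_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<func>[^\]]*)\]\[(?P<msg>.*)\]$"
)
RETRY_RE = re.compile(r"Retry count: (\d+)")
TRUNCATION = "possible truncation attack"
GAVE_UP = "Tried to send the request to backend web server three times"

def parse_line(line):
    """Split one trace line into its bracketed fields; None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Per transaction id: truncation warnings seen, highest retry count,
    and whether SPS exhausted its retries and returned the exception."""
    tx = defaultdict(lambda: {"truncation": 0, "max_retry": 0, "gave_up": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not trace entries
        s, msg = tx[rec["txid"]], rec["msg"]
        if TRUNCATION in msg:
            s["truncation"] += 1
        m = RETRY_RE.search(msg)
        if m:
            s["max_retry"] = max(s["max_retry"], int(m.group(1)))
        if msg.startswith(GAVE_UP):
            s["gave_up"] = True
    return dict(tx)

def failed_transactions(lines):
    """Transaction ids whose request was abandoned after the maximum retries."""
    return sorted(t for t, s in summarize(lines).items() if s["gave_up"])

# Constructed sample: the three article lines plus one made-up transaction still retrying.
SAMPLE_LOG = """\
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Inbound closed before receiving peer's close_notify: possible truncation attack?]
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Retrying to send the request to backend web server.Retry count: 3]
[02/16/2018][02:24:20][7220][139993319991040][2291d863-69f2b7e7-c0fab176-35246223-9e81d7f1-81d][execute][Tried to send the request to backend web server three times.Throwing the exception to client. ]
[02/16/2018][02:24:21][7220][139993319991040][constructed-txid-0002][execute][Retrying to send the request to backend web server.Retry count: 1]
"""
if __name__ == "__main__":
    print(failed_transactions(SAMPLE_LOG.splitlines()))
```

Run against a real trace file with `failed_transactions(open(path).read().splitlines())` to list the client-visible failures and correlate their timestamps with backend or F5 connection resets.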
 
 

Environment

Client -> F5 -> CA Access Gateway (R12.7) --> F5 -> (2) CA API Gateway 9.2(OAuth token) 

Resolution

SSO Access Gateway (AG) is working as designed: it goes into a retry state if no response is received.