Layer7 Access Management

Expand all | Collapse all

Forgot Password services-APS

Jump to Best Answer

Shrwn09-12-2016 04:11 AM

  • 1.  Forgot Password services-APS

    Posted 09-09-2016 03:51 AM

    Hi All,

     

    We have setup APS in our environment. Change password and Admin is working properly while when we are accessing Forgot password services, it's always redirecting us to NOT FOUND URL page. We have enabled trace but still it's not writing what type of query it's searching for in AD.

     

    In PS trace logs, we are getting "Search returned 0 entries." while users are present in AD.

     

    Please guide.

     

    Regards, 

    Shrawan



  • 2.  Re: Forgot Password services-APS

    Posted 09-09-2016 04:04 AM

    Hi Shrawan

    If you set tracing in your policy server and include the LDAP elements in the profiler you should be able to see what query it is doing.

    Then you can try to repeat the ldap search showing in the smtracedefault from the command line. Does it return data ?



  • 3.  Re: Forgot Password services-APS

    Posted 09-09-2016 06:57 AM

    Hi Miquel,

     

    Thanks for you response

    I have included LDAP element in profiler and set tracing in APS.cfg but it didnt work for me.

     

    I have also tried by enabling trace in SmPortal.cfg file and i have read somewhere that if you enable trace or debug in Webserver, service trace logs will be written in webserver trace file.

     

    I have enabled trace in SmPortal.cfg and also tried with debug mode, but it's not writing anything extra apart from normal trace. 

     

    Regards,

    Shrawan



  • 4.  Re: Forgot Password services-APS

    Posted 09-09-2016 04:05 AM

    Hello,

     

    Please let us know how did you configured the "forgot password services" feature in your environment. Not sure that PS and APS would provide this functionality out of the box. Did you check the following ?

     

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/advanced-password-services-configuration/forgotten-password-fps-interface-forgot

     

    Regards,

    Julien.



  • 5.  Re: Forgot Password services-APS

    Posted 09-09-2016 06:59 AM

    Hi Julien,

     

    Thanks for your response

     

    We have configured FPS as mentioned in the docops link provided by you. We have done all the necessary changes in APS.cfg and SmPortal.cfg.

     

    Regards,

    Shrawan



  • 6.  Re: Forgot Password services-APS

    Posted 09-09-2016 09:02 AM

    You can turn ON tracing for FPS by setting following in the SmPortal.cfg file :

     

    <Name of FPS service as specified in Smportal.cfg file>.Trace

     

    More here :

    Configure SmPortal and SmTransact - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Optional Service Settings

    <service>.Trace
    This setting turns on trace logging for the service. The back-end service library will be notified that tracing is requested. The actual tracing performed is up to the service itself and will vary. All tracing is written to the CA Single Sign-on console log.

    Trace and debug logging may also be turned on within the code. If so, these settings will have no effect.



  • 7.  Re: Forgot Password services-APS

    Posted 09-09-2016 09:07 AM

    You should also enable Audit Log for FPS in APS.cfg file :

    General FPS Settings - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Audit Log

    Value: File Path

    Default: off

    Recommended: yes

    Complexity Level: Basic

    FPS can log all attempts, successful or failed, to an audit log. This log is written to a flat file in comma-delimited format (suitable for import into many database and spreadsheet applications).

    To specify the location of this log file, use this setting.

    There is no way to control the format or content of this log, nor is there provision for wrapping or deleting the file. If this setting does not appear in the configuration file, no audit log will be written. Please be sure that the user under which the CA Single Sign-on Policy Server processes are running can create and write to this file.

    This file is not terribly useful. A site should check its contents to determine if the information is worth keeping.

    Audit Log=/usr/Netegrity/SiteMinder/Logs/FPS.log



  • 8.  Re: Forgot Password services-APS

    Posted 09-09-2016 09:16 AM

    Hi Ujwol,

     

    We have also enabled Audit logs, but it's writing only those parameters there that we have configured in Lookup section in APS.cfg.

     

    Regards,

    Shrawan



  • 9.  Re: Forgot Password services-APS

    Posted 09-09-2016 09:14 AM

    Hi Ujwol,

     

    Thanks for your esponse

     

    We have configured these in SmPortal.cfg and also uncommented Trace setting in APS.cfg file. It's still not writing for the query its searching for in AD.

     

    While executing FPS task(not observed in CPW or APSAdmin), its' writing following error:

     [ERROR] SmObjLdap failed to bind to LDAP server ***.***.***.***:Port as cn=abc,ou=xyz,cn=123 . LDAP error 91-Can't connect to the LDAP server.

    [ERROR] Policy store failed operation 'Search' for object type 'AgentCommand' . LDAP Erro
    r Doing AgentCommand_Search: 89: Bad parameter to an ldap routine.

     

    Please guide.

     

    Regards,

    Shrawan



  • 10.  Re: Forgot Password services-APS

    Posted 09-09-2016 09:21 AM

    Can you share your SmPortal.cfg & APS.cfg? Those errors doesn't seem related.

     

    Also enable all data and components in the Policy server trace profiler.

     

    If you are using non ssl , you can also capture ldap command using Witeshark capture :

    How to capture and filter LDAP transactions with Wireshark 



  • 11.  Re: Forgot Password services-APS

    Posted 09-12-2016 02:34 AM

    Hi Ujwol,

     

    Sorry i can't share config files here .

    Is it possible for you to share your email id,  i will mail them to you over there?

     

    Regards,

    Shrawan



  • 12.  Re: Forgot Password services-APS

    Posted 09-12-2016 02:46 AM

    HI Shrawan,

     

    Understand We can't share our email address here either.

    Best is to open a support case and provide the case # here, so I can have a look and assist as required.

     

    Regards,

    Ujwol



  • 13.  Re: Forgot Password services-APS

    Posted 09-12-2016 03:02 AM

    Hi Ujwol,

     

    Case# 00504981 is opened regarding this post.

     

    I have attached APS.cfg and SmPortal.cfg files in that case.

     

    Please guide.

     

    Regards,

    Shrawan



  • 14.  Re: Forgot Password services-APS

    Posted 09-09-2016 02:51 PM

    You may want to open support issue it can be complicated

    Turn on FPS logging

    "27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~uid=A1"

    "27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~givenName=John"

    "27-Aug-2015","08:28:06",1,10,"?","Supplied Value: ~sn=A1"

    "27-Aug-2015","08:28:06",1,10,"?","Too Many Users Found"

     

    Policy server trace Logs will show the state change during the processing of FPS request

     

    Review of the LDAP access logs with PS logs to see the search being used

     

    [01/31/2014][14:22:57.699][14:22:57][13230][11][CServer.cpp:262][ServerTrace][[SM-APS-06007] Forgotten Password Services...][SmTransact(APSAPI): [SM-APS-06007] Forgotten Password Services...]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][New Macro "target" = "lodsun30a.ca.com:8787/jsp/identify.jsp"][APS-FPS: New Macro "target" = "lodsun30a.ca.com:8787/jsp/identify.jsp"]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp][APS-FPS: Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][State Check: Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp][APS-FPS: State Check: Referrer = http://lodsun30a.ca.com:8787/jsp/Identify.jsp]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][URL Translation "http://lodsun30a.ca.com:8787/jsp/Identify.jsp" -> "//lodsun30a.ca.com:8787/jsp/Identify.jsp"][APS-FPS: URL Translation "http://lodsun30a.ca.com:8787/jsp/Identify.jsp" -> "//lodsun30a.ca.com:8787/jsp/Identify.jsp"]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Determined state to be 10.][APS-FPS: Determined state to be 10.]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][State Change: Phase 10 -> 12][APS-FPS: State Change: Phase 10 -> 12]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][State Change: Phase 12 -> 10][APS-FPS: State Change: Phase 12 -> 10]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Redirecting to "http://lodsun30a.ca.com:8787/jsp/Identify-Multiple.jsp"][APS-FPS: Redirecting to "http://lodsun30a.ca.com:8787/jsp/Identify-Multiple.jsp"]

    [01/31/2014][14:22:57.701][14:22:57][13230][11][SmAuthUser.cpp:699][ServerTrace][Phase 10 - No search criteria entered!][APS-FPS: Phase 10 - No search criteria entered!]

    [01/31/2014][14:22:57.702][14:22:57][13230][11][CServer.cpp:262][ServerTrace][[SM-APS-06011] FPS Returning 455 bytes of HTML][SmTransact(APSAPI): [SM-APS-06011] FPS Returning 455 bytes of HTML]

                  

     

    APS.CONF will show what attrbutes need to be searched in my case I mapped UserID to uid attribute only one required

     

    [FPS-Identify]

    Required=UserID

    Optional=FirstName;LastName;Phone;City;State;mail;phonenow;

    Lookup=UserID=uid;Mail=mail;FirstName=~givenname;LastName=~sn;Phone=telephoneNumber,homePhone;City=~l;State=st



  • 15.  Re: Forgot Password services-APS

    Posted 09-12-2016 02:23 AM

    Hi Stephen,

     

    Thanks for your response

     

    We have had mapped UserID and Date of Joining of the user and we are getting these in FPS.log(Audit log of FPS) but we want to know the query combination it's making to search that user in AD.

     

    Regards,

    Shrawan.



  • 16.  Re: Forgot Password services-APS

    Posted 09-12-2016 02:26 AM

    Hi Shrawan,

     

    I checked, there is no configuration available to print the actual LDAP query used from SiteMinder.

    Your best bet is to capture network trace per my previous advice and filter LDAP txns.

     

    Regards,

    Ujwol Shrestha



  • 17.  Re: Forgot Password services-APS

    Posted 09-12-2016 03:44 AM

    Hi Shrawan,

     

    While this may not help with your current query, this tech tip which I just created might help you in configuring FPS in general :

    Tech Tip : CA Single Sign-On :Policy Server::How to configure APS Forgot Password (FPS) Interface 

     

    Regards,

    Ujwol



  • 18.  Re: Forgot Password services-APS

    Posted 09-12-2016 04:11 AM

     



  • 19.  Re: Forgot Password services-APS
    Best Answer

    Posted 09-12-2016 07:25 PM

    Hi Shrawan,

     

    I captured the LDAP request from my lab setup and here is what I got :

    Filter: (&(&(givenname~=Kelly)(sn~=Wong))(objectclass=inetOrgPerson))

     

    Where , givenname and sn were the required fields in my setup.

    So for your use case, I would expect similar query to be triggered.

    Wireshark is best to find out the query.

    Just update the case when you are available and we can have remote session to find this out.