Symantec Access Management

Tech Tip : CA Single Sign-On : I don't see IdleTimeout Reason when the Web Agent is configured for webappclientresponse


    Broadcom Employee
    Posted Jun 02, 2017 03:51 AM

    Issue:

     

    I've configured webappclientresponse and idletimeouturl as follows in
    the Web Agent ACO:

     

    [567/5][Thu May 25 2017 11:58:18]webappclientresponse='Resource=/myurl/*|Method=GET,POST
      |Status=302|Body=/home/service/server/apache/conf/custom_web20.xml
      |Content-Type=application/xml|Charset=us-ascii'.

     

    [567/5][Thu May 25 2017 11:58:18]
      idletimeouturl='http://myhost.mydomain.com/login/mylogin.jsp'.

     

    I do see the redirection going to the mylogin.jsp page, but the reason
    is a Challenge, and there's no URL given in the custom response.

     

    [05/25/2017][12:17:20.092][580][25][0000000000000000000000000d813f56-0244-59270390-0019-23a33da3]
      [CSmHttpCredCore.cpp:1973][CSmHttpCredCore::DoFormsChallenge][mywebagent]
      [/myurl/][GET][host01][Redirecting to credential collector 'https://myhost.mydomain.com/login/mylogin.jsp?
      TYPE=33554433&REALMOID=06-96649a07-00e6-4e38-a96b-d0cfa0a8ca01&GUID=0&SMAUTHREASON=0&METHOD=GET&
      SMAGENTNAME=-SM-Y%2fl0%2fmOuarOGQa2IPRUCwvcnNL8%2b0SQFGKK%2bsx1feM9h1dEfiuItLXe2Thq3HvADirGDdTEKA%2f08b3nwo
      Kgi6wllKPHXUxdl&TARGET=-SM-http%3A%2F%2Fmyhost.mydomain.com%2Fmyurl%2F'.]
    [05/25/2017][12:17:20.093][580][25][][CSmWeb20Cache.cpp:210][CSmWeb20Cache::GetForm][][][][]
      [Form template '/home/service/server/apache/conf/custom_web20.xml'
      not found in cache.]
    [05/25/2017][12:17:20.093][580][25][][CSmWeb20Cache.cpp:227][CSmWeb20Cache::GetForm][][][][]
      [Serving form template '/home/service/server/apache/conf/custom_web20.xml'
      from disk.]
    [05/25/2017][12:17:20.093][580][25][][CSmWeb20Cache.cpp:270][CSmWeb20Cache::GetForm][][][][]
      [Form template '/home/service/server/apache/conf/custom_web20.xml'
      stored in cache.]
    [05/25/2017][12:17:20.092][580][25][0000000000000000000000000d813f56-0244-59270390-0019-23a33da3]
      [CSmWeb20Response.cpp:108][HandleCustomizedResponsRequest][mywebagent][/myurl/]
      [GET][host01][Sending WEB 2.0 custom response (Url '' and Reason 'Challenge')]
    [05/25/2017][12:17:20.092][580][25][0000000000000000000000000d813f56-0244-59270390-0019-23a33da3]
      [CSmChallengeManager.cpp:124][CSmChallengeManager::DoChallenge][mywebagent]
      [/myurl/][GET][host01][SM_WAF_HTTP_PLUGIN->ProcessChallenge returned SmExit.]
    [05/25/2017][12:17:20.092][580][25][0000000000000000000000000d813f56-0244-59270390-0019-23a33da3]
      [CSmHighLevelAgent.cpp:607][ProcessRequest][mywebagent][/myurl/][GET][host01]
      [Challenge Manager returned SmExit, end new request.]


    Environment:

     

    Web Agent 12.52SP1CR06 on Apache 2.2 on RedHat

     

    Cause:

     

      The URL you have defined contains a wildcard, and the Web Agent has
      not been told not to update the SMSESSION cookie on the resource
      /myurl/*; this is why you don't see the reason idletimeout. You need
      to specify overlooksessionforurls so that the idle timeout is handled,
      and you need to set overlooksessionaspattern so that the wildcard *
      is handled.


    Resolution:

     

    Add the following ACO configuration:

     

      overlooksessionforurls=/myurl/*
      overlooksessionaspattern=yes

     

    in order to solve the issue and get Reason: idletimeout.

     

    KB : TEC1133821
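
A lint check for the rule stated in the Cause and Resolution above, as an added example that is not part of the original post or a Broadcom tool. It assumes the ACO values have been exported into a Python dict (a hypothetical format), that webappclientresponse is the pipe-separated Key=Value string shown in the log, and that overlooksessionforurls is compared by exact string match; all function names are illustrative.

```python
import re

# Constructed sample: the two ACO values as they appear in the agent log above.
SAMPLE_ACO = {
    "webappclientresponse": (
        "Resource=/myurl/*|Method=GET,POST|Status=302"
        "|Body=/home/service/server/apache/conf/custom_web20.xml"
        "|Content-Type=application/xml|Charset=us-ascii"
    ),
    "idletimeouturl": "http://myhost.mydomain.com/login/mylogin.jsp",
}

def parse_response_rule(value):
    """Split a webappclientresponse value into its Key=Value fields."""
    fields = {}
    for part in value.split("|"):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val
    return fields

def lint_aco(aco):
    """Return findings for the misconfiguration this tech tip describes."""
    findings = []
    rule = aco.get("webappclientresponse")
    if not rule or not aco.get("idletimeouturl"):
        return findings  # the tip only applies when both parameters are set
    resource = parse_response_rule(rule).get("Resource", "")
    overlook = aco.get("overlooksessionforurls", [])
    if isinstance(overlook, str):
        overlook = [overlook]
    # Assumption: exact string comparison, as in the Resolution (/myurl/* on both sides).
    if resource not in overlook:
        findings.append(f"overlooksessionforurls does not list {resource}")
    pattern_on = str(aco.get("overlooksessionaspattern", "")).lower() == "yes"
    if "*" in resource and not pattern_on:
        findings.append("overlooksessionaspattern=yes is required for the wildcard")
    return findings

REASON_RE = re.compile(r"custom response \(Url '([^']*)' and Reason '([^']*)'\)")

def custom_response_reason(trace_line):
    """Extract (url, reason) from a 'Sending WEB 2.0 custom response' trace line."""
    m = REASON_RE.search(trace_line)
    return m.groups() if m else None

if __name__ == "__main__":
    for finding in lint_aco(SAMPLE_ACO):
        print("FINDING:", finding)
```

Running `custom_response_reason` over the agent trace log gives a quick way to confirm the symptom: an empty Url paired with Reason 'Challenge', as in the trace above.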