Symantec Access Management

Session Assurance - SessionDNA

  • 1.  Session Assurance - SessionDNA

    Posted Jul 26, 2016 03:40 PM

    Hi I am working on implementing SessionDNA for one of our apps.

    I am following this link:

     

    CA SiteMinder® Integrated Documents 12.52

     

    I have installed R12.52 Policy Server and SPS just for this purpose and configured AAS with the same Master Key as suggested by the document. But from the agent trace, it looks like the request is going to CA; maybe a property file somewhere?

     

    [Sending request to backend = www.ca.com url = http://www.ca.com/authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=wsd1&TARGET=-SM-https%3a%2f%2fHostname%2fapp%2f

     

    The request never reaches server.log, as I am assuming it is going to the wrong SPS. Appreciate it if anyone has seen this in the past. I am assuming I will run into the REAL issue after I bypass this.

     

    server.log has no requests.

     

    The file Arcot/logs/CAWebFlowLog.txt has the following error at startup.

     

    2016-07-26 14:29:54,570 [ContextLoader,localhost-startStop-1] ERROR  - Context initialization failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'session' defined in class path resource [spring/appContext-authapp.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() throws com.arcot.euds.common.api.UDSException] threw exception; nested exception is com.arcot.euds.common.api.UDSException: Error occurred while reading configuration properties: SM.AdminAPIAgentCache of SiteMinder Policy Server .

            at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1015)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:911)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)

            at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)

            at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)

            at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)

            at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)

            at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)

            at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)

            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)



  • 2.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Jul 26, 2016 04:39 PM

    Hi Anil,

     

    Session Assurance is not easy to set up and has a lot of requirements and limitations.

    Have you reviewed them all?

    One of them commonly missed is "If you do not have a session store, configure one".

     

    There are also reported compatibility defects for integration between different versions of Policy Server and SPS.

    It is best to stick with same version for both.

     

    The error you reported is similar to a compatibility defect between different versions of components.

    Policy Server says AGENTAPI_NO : as root cause of Exception, when com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() was called (DE137018).

     

     

    Hongxu



  • 3.  Re: Session Assurance - SessionDNA

    Posted Jul 26, 2016 04:44 PM

    For the redirection question,

    You need to check here:

    • Policies -->  Global --> Session Assurance End Points


  • 4.  Re: Session Assurance - SessionDNA

    Posted Jul 26, 2016 05:31 PM

    Thank You Hongxu and Ujwol.

     

    Versions seem to match. Session store is in place.

     

    Policy Server

    ProductName=CA SiteMinder Policy Server

     

     

    FullVersion=12.52.100.499

     

     

    Location=/opt/netegrity/siteminder

     

     

    SPS:

     

    Product Name=CA SiteMinder Secure Proxy Server

    FullVersion=12.52.0100.499

    Version=12.52

    Update=0100

    Build Number=499

    Location=/opt/ca/secure-proxy

    InstanceName=default

     

    End point is:

     

    https://myspsservername.com:sslport_from_httpd.conf/authapp/flows/i/session_assurance_flow.html



  • 5.  Re: Session Assurance - SessionDNA

    Posted Jul 26, 2016 07:11 PM

    I get the error:

     

    https://SPS_Host_name:10443/authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=agent&TARGET=-SM-https%3a%2f%2fhostname%2f
    Request URI:/authapp/flows/i/session_assurance_flow.html
    Error Type:SPS Exception
    Error Code:Noodle_ConnectException
    Message:Connection refused remotely, no process is listening on the remote address/port.

     

    I am getting the same error when I access proxyUI. I can see the requests flowing through the mod_jk log but never reaching server.log.

     

    However, I get successful initialization when I go to: https://SPS_Host_name:10443/affwebservices/assertionretriever. Appreciate any insights.



  • 6.  Re: Session Assurance - SessionDNA

    Posted Jul 27, 2016 12:17 AM

    By any chance, have you disabled the Arcot component on the SPS side?

     

    In your server.conf you should have the following:

     

        <Context name="AALoginService">
            docBase="aaloginservice"
            path="aaloginservice"
            enable="yes"
        </Context>
        <Context name="Advacned Auth Application">
            docBase="authapp"
            path="authapp"
            enable="yes"
        </Context>
        <Context name="UI Application">
            docBase="uiapp"
            path="uiapp"
            enable="yes"
        </Context>
    </Contexts>



  • 7.  Re: Session Assurance - SessionDNA

    Posted Jul 27, 2016 03:47 PM

    Hi Ujwol,

     

    <Contexts>
        <Context name="Authentication/Authorization web services">
            docBase="CA_AuthAZ"
            path="authazws"
            enable="no"
        </Context>
        <Context name="AALoginService">
            docBase="aaloginservice"
            path="aaloginservice"
            enable="yes"
        </Context>
        <Context name="Advacned Auth Application">
            docBase="authapp"
            path="authapp"
            enable="yes"
        </Context>
        <Context name="UI Application">
            docBase="uiapp"
            path="uiapp"
            enable="yes"
        </Context>
    </Contexts>



  • 8.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Jul 27, 2016 01:10 AM

    Hi,

     

    In addition to Ujwol's comment...

     

    As for the Noodle_ConnectException, another discussion pointed it out.

    Noodle ConnectException

     

    SPS Tomcat server.log will not log any HTTP transactions. You need to enable ACO parameters of TraceFile* for SPS as well as LogFile*. It’s quite similar to normal Web Agent settings.

     

    Enhanced Session Assurance is served by “CA RiskMinder Service” on the Policy Server computer. Please check that the service (arrfserver.exe) is ready and listening on port 7680.

     

    I would recommend that:

    1. verify that such a normal HTML Form Authentication works WITHOUT enabling Session Assurance Endpoint in your Realm settings. (in other words, check to see if SPS default installation works or not.)
    2. then, enable the Endpoint in the Realm to see if it works.

     

    Also, sometimes newer documentation is better, and you may refer to the r12.52 SP1 document as well.

    Enhanced Session Assurance with DeviceDNA™ - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

     

    Hope this would help.

     

    Regards,

    Koichi Ikarashi



  • 9.  Re: Session Assurance - SessionDNA

    Posted Jul 27, 2016 03:44 PM

    Hi Koichi, I will try your suggestions today



  • 10.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Jul 27, 2016 12:48 PM

    It says "Connection refused remotely, no process is listening on the remote address/port." Do you have a connectivity issue between the SPS and the backend host on SSL port 443?

     

    https://SPS_Host_name:10443/authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=wsd1&TARGET=-SM-https://Hostname/app/

     

    Thanks,

    Hongxu



  • 11.  Re: Session Assurance - SessionDNA

    Posted Jul 27, 2016 03:45 PM

    Yes. Telnet works fine and the ports are open.

     

    bash-4.1$ netstat -a | grep 110

    tcp        0      0 localhost.localdomain:11005 *:*                         LISTEN     

    tcp        0      0 *:11009                     *:*                         LISTEN     

    tcp        0      0 *:11080                     *:*                         LISTEN     

    tcp        0      0 localhost.localdomain:18541 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:18601 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:19947 ESTABLISHED

    tcp        0      0 localhost.localdomain:19947 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:18601 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:18541 ESTABLISHED

    tcp        0      0 localhost.localdomain:19809 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:19809 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:18499 ESTABLISHED



  • 12.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Jul 27, 2016 05:24 PM

    We have seen problems in the past when customers use the default proxy-rules.xml to forward all requests to www.ca.com, which will be blocked by your company firewall immediately. Then you will get a connection refused error from the firewall.

    You should always modify those default rules to point to a host that you have access to within the same environment.

    I hope you are not running into that.

    Earlier, you did mention "[Sending request to backend = www.ca.com url ="

     

    Hongxu



  • 13.  Re: Session Assurance - SessionDNA

    Posted Jul 27, 2016 05:46 PM

    Thanks Hongxu, but that didn't help.

    I may have made small progress though.

    I am able to open the proxyUI if I go directly to the http port of Tomcat. Is that how it is supposed to work? Should I be using the same port, bypassing Apache and connecting directly to Tomcat?



  • 14.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Jul 28, 2016 04:55 AM

    Hi,

    SPS proxyui can be accessible via Tomcat.

    Regarding Advance Session Assurance, authapp and uiapp (Ujwol commented on server.conf definition) are accessed via Apache web server in the front end. You do not need to bypass.

    Regards,

    Koichi



  • 15.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Aug 02, 2016 01:19 AM

    Hi,

     

    Have you tried a normal HTML Form Authentication and seen it work well? Please let us know if you have made any progress.

     

    Regards,

    Koichi



  • 16.  Re: Session Assurance - SessionDNA

    Posted Aug 02, 2016 03:12 AM

    Hello @ANIL CHARUGUNDLA

    Here is my other take on this issue.

    To understand more about this integration, I set this up in my lab.

    I must admit, I myself had to go through a lot of trouble to get this working.

    I am hoping to create a KB article with screenshots documenting the steps needed to get Session Assurance working.

     

    At one point, I too got the exact same error as yours:

    Context initialization failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'session' defined in class path resource [spring/appContext-authapp.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session

     

    However, based on my research, this is a very generic error and can be the result of multiple issues.

    The only way I was able to get more detailed logging was by changing the udsserver.ini file log level as below.

    You can find this file in the <ARCOT_HOME>/conf/ directory.

     

    [arcot/uds/logger]

    log4j.rootCategory=DEBUG, debuglog

    log4j.logger.com.arcot.euds=DEBUG

    log4j.logger.com.arcot.crypto.impl.SecureStoreUtil=DEBUG

    log4j.logger.com.arcot.common.database=DEBUG

    log4j.logger.com.arcot.common.cache=DEBUG

     

    After making this change, you should see more helpful tracing in "arcotuds.log", located in the <ARCOT_HOME>/logs/ directory.

    However, I would suggest checking a few things to get started with:

     

    Troubleshooting

    • Check if you have the SmHostFlow.conf file in the <ARCOT_HOME>/conf directory. This is required to perform the handshake between the RiskMinder component at the SPS and the Policy Server. If this file does not exist, please re-run the sps-configuration wizard.

     

    • If SmHostFlow.conf is present, check the Policy Server log (smps.log) at the time of the SPS restart, and see if you get any handshake error with the IP of your SPS box. If there is an "Invalid Shared secret" error, that would indicate that the shared secret in SmHostFlow.conf is not valid and you would need to re-register the trusted host. You can also just choose to copy the "shared secrets" and "trusted host" from the "SmHost.conf" of the defaultagent.

     

    • The JCE patch should be applied on the JRE used by SPS.
    • Ensure that the CA RiskMinder service is up and running on the Policy Server side.

    A few other confirmations:

    Before proceeding with the Session Assurance configuration on the Policy Server side, it is absolutely necessary to ensure that there are no fatal startup errors in the following logs:

     

    • arcotuds.log
    • CAWebFlowlog.txt
    • UIAppLog.txt

     

    As all of these Arcot webapps are local apps, once they are initialized properly, they DO skip the proxy rules processing. Meaning to say, you do not need to do any configuration in proxyrules.xml pertaining to this Arcot integration.

    arcotuds.log should give you some good info about the actual issue after enabling that debug logging, but if you still can't figure it out, I would suggest logging a support case with CA. This most likely needs some advanced troubleshooting, as there are so many variables which could go wrong here.

     

    Hopefully, with r12.6 , there will be fewer issues as the SM <--> RiskFort(Arcot) integration design is being simplified.

     

    Good Luck.

     

    Cheers,

    Ujwol
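
The checks listed in the post above, together with the port 7680 check from Koichi's earlier reply, scripted as an added example; it is not part of the original thread and is not CA/Broadcom tooling. The function names, the `ERROR|FATAL` match used for "fatal startup errors" and the sample log lines are assumptions; the file names, the port and the "Invalid Shared secret" string are taken from the thread.

```shell
#!/bin/sh
# Added example. Function names and sample data are assumptions; file names,
# port 7680 and the error string come from the thread.

has_smhostflow() {                 # $1 = ARCOT_HOME on the SPS
    [ -s "$1/conf/SmHostFlow.conf" ]
}

shared_secret_errors() {           # $1 = smps.log; prints a count or "unreadable"
    [ -r "$1" ] || { echo unreadable; return 0; }
    grep -ci 'invalid shared secret' "$1" || true
}

# $1 = ARCOT_HOME, $2 = log name; prints ERROR/FATAL line count or "missing".
# Matched case-insensitively: the thread spells the same file both
# CAWebFlowLog.txt and CAWebFlowlog.txt.
startup_errors() {
    se_file=$(find "$1/logs" -maxdepth 1 -type f -iname "$2" 2>/dev/null | head -n 1)
    [ -n "$se_file" ] || { echo missing; return 0; }
    grep -cE '(^|[^A-Za-z])(ERROR|FATAL)([^A-Za-z]|$)' "$se_file" || true
}

# Reads `netstat -an` (or `ss -ltn`) output on stdin; true only if a socket in
# LISTEN state is bound to port $1. ESTABLISHED lines are ignored.
port_listening() {
    awk -v p="$1" '
        /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# $1 = ARCOT_HOME (SPS), $2 = smps.log, $3 = saved netstat output from the
# Policy Server. Returns non-zero if any check fails.
preflight() {
    rc=0
    if has_smhostflow "$1"; then echo "OK   SmHostFlow.conf present"
    else echo "FAIL SmHostFlow.conf missing: re-run the SPS configuration wizard"; rc=1; fi

    n=$(shared_secret_errors "$2")
    case "$n" in
        0)          echo "OK   no shared-secret errors in smps.log" ;;
        unreadable) echo "WARN cannot read $2" ;;
        *)          echo "FAIL $n 'Invalid Shared secret' line(s): re-register the trusted host"; rc=1 ;;
    esac

    for name in arcotuds.log CAWebFlowLog.txt UIAppLog.txt; do
        n=$(startup_errors "$1" "$name")
        case "$n" in
            0)       echo "OK   $name has no ERROR/FATAL lines" ;;
            missing) echo "WARN $name not found under $1/logs" ;;
            *)       echo "FAIL $name has $n ERROR/FATAL line(s)"; rc=1 ;;
        esac
    done

    if port_listening 7680 < "$3"; then echo "OK   listener on port 7680"
    else echo "FAIL nothing listening on 7680: check the CA RiskMinder service"; rc=1; fi
    return $rc
}

# Constructed fixture (not real logs): no SmHostFlow.conf, one startup error,
# one rejected handshake, and 7680 present only on an ESTABLISHED line.
make_sample() {
    mkdir -p "$1/arcot/conf" "$1/arcot/logs"
    printf '%s\n' \
        '2016-07-26 14:29:54,570 [ContextLoader] ERROR  - Context initialization failed' \
        > "$1/arcot/logs/CAWebFlowLog.txt"
    printf '%s\n' '2016-07-26 14:30:01,002 : [main] : INFO  : euds : started' \
        > "$1/arcot/logs/arcotuds.log"
    printf '%s\n' '[constructed] handshake from 192.0.2.10 rejected: Invalid Shared secret' \
        > "$1/smps.log"
    printf '%s\n' \
        'tcp        0      0 *:11080             *:*             LISTEN' \
        'tcp        0      0 127.0.0.1:51234     127.0.0.1:7680  ESTABLISHED' \
        > "$1/netstat.txt"
}

# Usage: sh preflight.sh <ARCOT_HOME> <smps.log> <netstat-output-file>
# With no arguments, the report is printed for the constructed fixture.
if [ $# -eq 3 ]; then
    preflight "$1" "$2" "$3"
else
    demo_dir=$(mktemp -d)
    make_sample "$demo_dir"
    preflight "$demo_dir/arcot" "$demo_dir/smps.log" "$demo_dir/netstat.txt" || true
    rm -rf "$demo_dir"
fi
```

For a real run, save `netstat -an` output on the Policy Server to a file and pass it as the third argument; numeric output (`-n`) avoids the name resolution seen in the `netstat -a` paste earlier in the thread.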



  • 17.  Re: Session Assurance - SessionDNA

    Posted Aug 03, 2016 05:06 PM

    Hi Ujwol. Appreciate your detailed analysis. I will try to follow all the steps you mentioned. The support case has been open for 2 weeks; as usual, it is going through the time-drag process of 'Version gathering' right now.

    Looks like my RiskMinder is not running

    start-all shows RiskMinder started but

     

    stop-all says:

    RiskMinder is not running

    SiteMinder Policy Server is stopping...

    SiteMinder Policy Server is no longer running

    SiteMinder Health Monitor is stopping..

    SiteMinder Health Monitor is no longer running

     

    Neither smps nor smexec shows any messages related to RiskMinder. I dug around my installation and it looks like I had installed Advanced Authentication (Strong and Risk authentication) on the same box as Policy Server, which might have overwritten the contents of the ca/aas folder. At this point the logs show they are unable to connect to the database, which is probably an issue for next month for me. To make this easier, I set up another instance in my lab and installed R1252; however, I see only 4 folders under /aas and bin is completely empty. Obviously I am missing something.

     

    Install log shows 4 non fatal errors:

     

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

     

    Modify Text File - Single File:   /opt/ca/aas/dbscripts/postgresql/ca-db-seed-for-auth-8.0.sql

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

     

    Modify Text File - Single File:   /opt/ca/aas/dbscripts/oracle/ca-db-seed-for-auth-8.0.sql

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

     

    Modify Text File - Single File:   /opt/ca/aas/dbscripts/mysql/ca-db-seed-for-auth-8.0.sql

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

    and also this:

     

    Custom Action:

    File /opt/ca/aas/install_config_info/CA_Advanced_Authentication_Service_Install_2016-08-03-15-48-59.log does not exist.

     

    This is a brand new box. Can you think of 'that obvious step' I am missing?

     

    contents of aas: there are no objects under aas/bin

     

    [smuser@ install_config_info]$ cd ..

    [smuser@ siteminder]$ cd ../aas/

    [smuser@ aas]$ cd

    bin/       conf/      lib/       resources/

    [smuser@ aas]$ cd conf/

    datracesettings.ini   smshareddbtrace.conf 

    [smuser@ aas]$ cd conf/

    datracesettings.ini   smshareddbtrace.conf 

    [smuser@ aas]$ cd lib/

    cryptojFIPS.jar               libicui18n.so.49              libicule.so.49.1.2            libicutu.so                   libsmagentapi.so              libsmshareddbcomponent.so     smjavasdk2.jar

    cryptoj.jar                   libicui18n.so.49.1.2          libiculx.so                   libicutu.so.49                libsmagentconmgrcomponent.so  libSmXlate.so                 smrpc.jar

    imsjavasdk.jar                libicuio.so                   libiculx.so.49                libicutu.so.49.1.2            libsmagentfunccomponent.so    log4j.jar                    

    libicudata.so                 libicuio.so.49                libiculx.so.49.1.2            libicuuc.so                   libsmcommonutil.so            smadminapi.jar               

    libicudata.so.49              libicuio.so.49.1.2            libicutest.so                 libicuuc.so.49                libsmerrlog.so                smagentapi.jar               

    libicudata.so.49.1.2          libicule.so                   libicutest.so.49              libicuuc.so.49.1.2            libsmi18n.so                  smanalyzer.jar               

    libicui18n.so                 libicule.so.49                libicutest.so.49.1.2          libsmadminapi.so              libsmjavaagentapi.so          smjavaagentapi.jar           

    [smuser@ aas]$ cd resources/AgentFunc_

    AgentFunc_de.properties     AgentFunc_es.properties     AgentFunc_it.properties     AgentFunc_ko.properties    

    AgentFunc_en.properties     AgentFunc_fr.properties     AgentFunc_ja.properties     AgentFunc_pt_BR.properties 



  • 18.  Re: Session Assurance - SessionDNA

    Posted Aug 03, 2016 07:07 PM

    Hi Anil,

     

    That looks bad.

    Please try creating installer debug logs by following these steps:

    IBM How to debug InstallAnywhere when installing Connect Java based products - United States

    It usually gives more insight into why the install is failing.

    If that doesn't help, I would then try to use strace to capture the installation process activity:

     

    strace -Ff -t -i -v -o strace.log -s 16384 <command_to_install_policyserver>

    I am sure you must have validated the platform is supported for the version of the Policy server you are trying to install?

     

    Regards,

    Ujwol



  • 19.  Re: Session Assurance - SessionDNA

    Posted Aug 04, 2016 03:39 AM

    Hi Anil,

     

    Once you are done with fixing the CA RiskMinder component startup issue on the Policy Server side, have a look at the following blog posts.

    They might come in handy for your troubleshooting:

    Tech Tip : CA Single Sign-On :: Policy Server:How to Configure Enhanced Session Assurance

    Tech Tip : CA Single Sign-On :: CA Access Gateway:How to troubleshoot Advanced Authentication Flow Application (Session Assurance)



  • 20.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 12:44 PM

    Thanks Ujwol. I have a full new R12.52 system at hand.

     

    ProductName=CA SiteMinder Policy Server

    FullVersion=12.52.100.499

     

    However I still have the same error with my riskfort. Please note I have not done single config change to enable riskfort, but looks like it expects a database based on the following log. Is there a tech tip on configuring risk fort as part of policy server installation or as part of Session Assurance? Or if there is any reference in technote

     

    I am not enabling a full-on 'Advanced Authentication' suite.

     

    11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: Listing the DB configuration record [1]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: Datasource.1..................................: [CAAdvancedAuthDSN]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: UserName.1....................................: [password]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MaxIssuanceThreads]: Value is [128]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MinIssuanceThreads]: Value is [32]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MaxTransWSThreads]: Value is [128]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MinTransWSThreads]: Value is [32]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/MaxTransactionRetries]: Value is [3]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/TransactionRetrySleepTime]: Value is [10]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MaxAdminWSThreads]: Value is [32]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MinAdminWSThreads]: Value is [16]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/BindPriority]: Value is [0]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/BindOnAll]: Value is [0]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/MonitorSleepTimeOnFailureSecs]: Value is [20]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/StartWithAnyPool]: Value is [1]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/crypto/device/HSMDevicePinLocation]: Parameter not present/not set. Defaulting to [FILE]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: ---------------------------------------------------------------------

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: Listing ini section : [arcot/crypto/device]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: ---------------------------------------------------------------------

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: HSM Device....................................: [S/W]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: HSM Pin Location..............................: [FILE]

    Tue Aug 09 11:21:11.012 2016 WARNING: pid 15972 tid 4083549904: 2: 0: No backup databases are configured.

    Tue Aug 09 11:21:11.327 2016 WARNING: pid 15972 tid 4083549904: 2: 0: ArDBConnection::GetDBDiagnosis: SQL State:28000, Native Code: FFFFFFFF, ODBC code: SiteMinder Agent API initialization failure

    Tue Aug 09 11:21:11.327 2016 WARNING: pid 15972 tid 4083549904: 2: 0: ArDBConnection::connect: Connection to database [CAAdvancedAuthDSN]. user [password] failed. Error detail [SQL State:28000, Native Code: FFFFFFFF, ODBC code: SiteMinder Agent API initialization failure]



  • 21.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 12:46 PM

    FYI, I am still waiting for support team to respond after initial config gathering exercise. Appreciate any insight you can offer.



  • 22.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 03:01 PM

    Hi Anil,

     

    The main problem seems to be here:

     

    ArDBConnection::connect: Connection to database [CAAdvancedAuthDSN]. user [password] failed. Error detail [SQL State:28000, Native Code: FFFFFFFF, ODBC code: SiteMinder Agent API initialization failure]

     

    The password to connect to the DSN is stored in the securestore.enc file under the <ARCOT_HOME>/conf directory.

     

    My guess is either this file does not exist or it can't decrypt the password inside it.

     

    There is a command line option to reset this password, but before going that route, can you please try the following:

     

    1. Check SmHostFlow.conf under <ARCOT_HOME>/bin directory.

    2. Delete this file, also delete the Trusted host that it is referring to.

    3. Re-run the policy server configuration wizard without selecting ANY option.

     

    The above steps should usually correct any configuration issues with the Arcot configuration on the PS side.



  • 23.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 03:11 PM

    Thanks for the quick reply. I only have these 4 subfolders under bin; there is no SmHostFlow.conf.

     

    -rwxrwxr-x  1 smuser smuser 6577 Jun  4  2014 casemanagementserver

    -rw-rw-r--  1 smuser smuser  166 Aug  9 11:21 nohup-riskfort.out

    -rwxrwxr-x  1 smuser smuser 6568 Jun  4  2014 riskfortserver

    -rwxrwxr-x  1 smuser smuser 3630 Jun  4  2014 webfortserver

     

    My FullVersion=12.52.100.499. What version did you test this on?

     

    Regarding the database, I have never specified a database to be used as part of PS configuration. I only configured the Policy Store, which only dealt with Policy Store details. I am sorry to have to bother you, but you seem to be my best hope, unfortunately. My case has been taken over by someone else, and the new case owner wanted me to fill out the 'Business Impact section'. Hope he has some insights into technical details.



  • 24.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 03:21 PM

    Hi Anil,

     

    I have tested this on the same version at my end without any problem.

     

    The log is referring to FILE based database which is created for ARCOT/Riskfort integration. This file exists by name resource.dat and should reside on Policy server bin folder. This is configured automatically during Policy server configuration.

     

    The only configuration needed for this are the MasterKey password which is asked during the PS configuration.

     

    What is your case#?

     

     

    Regards,

     

    Ujwol Shrestha

     

    Sent from my iPhone. Please excuse brevity and typos if any.



  • 25.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 03:36 PM

    Okay, I have the resource.dat file under ps/bin. I have updated {{!__SERVERNAME__!}}.{{!__INSTALLPATH__!}} with the actual server name and install path as 'Patrick Dussalt' mentioned below, although I still have some

     

    ~{!__SERVERNAME__!} instances such as :

     

    RiskMinder~10~5~18~{!__SERVERNAME__!}~18~6~3~8.0~3~7~237~102%0afe80::1534:7255:52e2:d87e%2510%0a106%0a50%0a107%0a{!__INSTALLPATH__!}%0a108%

     

    Do I have to modify those to actual server name and path as well?

     

    I don't have SmHostFlow.conf under my aas/bin.

     

    My case # 00461694

    Appreciate it if you can take ownership. I am either very close or so far away.



  • 26.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 03:41 PM

    Thanks. Let me review the case first. I work from Australia support center. I am not sure if my shift timings will be convenient for you. I am still almost three hours away to begin my shift for the day.



  • 27.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 07:13 PM

    Hi Anil,

     

    It seems we are on a different page.

     

    I checked both my PS and SPS installation directory, I don't have these sub folders under bin directory (as yours)

     

    -rwxrwxr-x  1 smuser smuser 6577 Jun  4  2014 casemanagementserver

    -rw-rw-r--  1 smuser smuser  166 Aug  9 11:21 nohup-riskfort.out

    -rwxrwxr-x  1 smuser smuser 6568 Jun  4  2014 riskfortserver

    -rwxrwxr-x  1 smuser smuser 3630 Jun  4  2014 webfortserver

     

    Are you also installing a standalone Advanced Authentication server besides Policy Server and SPS?

    For Session Assurance it is enough to install PS & SPS. We do not need a standalone Advanced Auth server.

     

    Please confirm.



  • 28.  Re: Session Assurance - SessionDNA

    Posted Aug 09, 2016 10:45 PM

    These are under /opt/ca/aas/bin.

     

    It came with the regular sm install only. I didn't do a separate advanced auth install.

     

    Sent from my iPhone



  • 29.  Re: Session Assurance - SessionDNA

    Posted Aug 11, 2016 06:24 PM

    We made some progress. Support asked me to upgrade to R1252 CR5, both Policy Server and Policy Store. RiskMinder started without issues after upgrading. Currently in the process of upgrading SPS and Adminui to CR5.

     

    Will keep this thread informed on how this implementation is progressing.



  • 30.  Re: Session Assurance - SessionDNA

    Posted Aug 11, 2016 07:47 PM

    Thanks for the update Anil. Keep us posted.



  • 31.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 03:50 PM

    Today support asked me to downgrade my SPS to R1252CR4. That didn't help me either. Waiting to hear back from support.

    However, I now see SmHostFlow.conf under my sps/arcot/conf.

    There are no logs on SPS/arcot/logs. Is there a config file I can turn on to enable logging?



  • 32.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 04:08 PM

    I found your blog and updated the conf file but still no luck..

     

    ##                      ARCOT USER DATA SERVICE CONFIGURATION                 ##

    ############################################################################

     

     

     

     

    ############################################################################

    ## USER DATA SERVICE CONFIG SECTION : LOGGING CONFIGURATIONS      ##

    ############################################################################

     

     

    [arcot/uds/logger]

    log4j.rootCategory=DEBUG, debuglog

    log4j.logger.com.arcot.euds=DEBUG

    log4j.logger.com.arcot.crypto.impl.SecureStoreUtil=DEBUG

    log4j.logger.com.arcot.common.database=DEBUG

    log4j.logger.com.arcot.common.cache=DEBUG

     

     

    #UDS Log Handle.

    log4j.appender.debuglog=org.apache.log4j.RollingFileAppender

    # By default the arcotuds.log file will be created under ARCOT_HOME/logs.

    # If a different file is needed, provide the absolute path of the log file.

    # Make sure that the provided path exists.

    #log4j.appender.debuglog.File=${arcot.home}/logs/arcotuds.log

    log4j.appender.debuglog.File=/opt/ca/secure-proxy/arcot/logs/arcotuds.log

    log4j.appender.debuglog.MaxFileSize=10MB

    log4j.appender.debuglog.MaxBackupIndex=100

    log4j.appender.debuglog.layout=org.apache.log4j.PatternLayout

    log4j.appender.debuglog.Encoding=UTF-8

    log4j.appender.debuglog.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSS z} : [%t] : %-5p : %-5c{3} : %m%n

     

     

    #-------------------------------ARCOT INTERNAL------------------------------------#

    log4j.logger.com.arcot.crypto.impl.NCipherCrypter=FATAL

     

    odbc.ini shows:

     

    [ODBC Data Sources]

    CAAdvancedAuthDSN=SiteMinder Policy Server Wire Protocol

     

     

    [CAAdvancedAuthDSN]

    Driver=/opt/ca/secure-proxy/arcot/lib/libdaproxy.so

    HostConfigFile=/opt/ca/secure-proxy/arcot/conf/SmHostFlow.conf

     

     

    [ODBC]

    Trace=1

    DATrace=1

    DATraceSettingsFile=/opt/ca/secure-proxy/arcot/conf/datracesettings.ini

    TraceFile=/opt/ca/secure-proxy/arcot/logs/odbctrace.out

    TraceDll=/opt/ca/secure-proxy/arcot/odbc/lib/NStrc27.so

    InstallDir=/opt/ca/secure-proxy/arcot/odbc/



  • 33.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 04:21 PM

    Also, on the SPS side, is there a process or test I can do to ensure all the Arcot components are initialized successfully? On the Policy Server side I have a process called 'arrf' running, indicating that RiskMinder initialized successfully.

     

     

    Here are my Tomcat process details with the config. I don't see any Arcot config in here.

     

     

    apache    5500     1  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    5508  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/rotatelogs /opt/ca/secure-proxy/httpd/logs/mod_jk.log 10M

    apache    5511  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    5512  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    5513  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    6068     1  2 15:01 pts/2    00:00:24 /opt/ca/jdk_32bit_1.6.0_35/bin/java -ms256m -mx1024m -server -XX:MaxPermSize=256M -Dcatalina.base=/opt/ca/secure-proxy/Tomcat -Dcatalina.home=/opt/ca/secure-proxy/Tomcat -Djava.io.tmpdir=/opt/ca/secure-proxy/Tomcat/temp -DHTTPClient.log.mask=0 -DHTTPClient.Modules=HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule -Dlogger.properties=/opt/ca/secure-proxy/Tomcat/properties/logger.properties -Djava.endorsed.dirs=/opt/ca/secure-proxy/Tomcat/endorsed -DIWACONFIGHOME=/opt/ca/secure-proxy/proxy-engine/conf/sts-config/globalconfig -DNETE_WA_ROOT= -DPWD=/opt/ca/secure-proxy -classpath /opt/ca/secure-proxy/Tomcat/bin/proxybootstrap.jar:/opt/ca/secure-proxy/Tomcat/properties:/opt/ca/secure-proxy/resources:/opt/ca/jdk_32bit_1.6.0_35/lib/tools.jar:/opt/ca/secure-proxy/Tomcat/bin/bootstrap.jar:/opt/ca/secure-proxy/Tomcat/lib/smi18n.jar:/opt/ca/secure-proxy/agentframework/java/cryptoj.jar com.netegrity.proxy.ProxyBootstrap -config /opt/ca/secure-proxy/proxy-engine/conf/server.conf

    apache    6778  5500  0 15:09 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL



  • 34.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 08:25 PM

    Hi Anil,

     

    After enabling the above debug logging, are you able to get any logs at all?

    If not, have you checked if the Arcot components are enabled in server.conf?

    Did you have a look at this blog post as well:

    Tech Tip : CA Single Sign-On :: CA Access Gateway:How to troubleshoot Advanced Authentication Flow Application (Session Assurance)

     

    Regards,

    Ujwol

    Ujwol's Single Sign-On Blog



  • 35.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 10:23 PM

    Hi Ujwol, I don't have any logs yet. I haven't made any changes in server.conf; maybe that's what I am missing. What changes are needed with respect to ARCOT? Your technote doesn't have any related info; I apologize if I have missed it.

    Thanks in advance.



  • 36.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 10:26 PM

    You need to ensure they are enabled as shown below :

    <Contexts>
        <Context name="Authentication/Authorization web services">
            docBase="CA_AuthAZ"
            path="authazws"
            enable="no"
        </Context>
        <Context name="AALoginService">
            docBase="aaloginservice"
            path="aaloginservice"
            enable="yes"
        </Context>
        <Context name="Advacned Auth Application">
            docBase="authapp"
            path="authapp"
            enable="yes"
        </Context>
        <Context name="UI Application">
            docBase="uiapp"
            path="uiapp"
            enable="yes"
        </Context>
    </Contexts>
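An added example (not part of the original post and not CA's tooling): a small Python parser for the `<Contexts>` layout quoted above, reporting which of the three contexts the post says to enable are missing or not set to `enable="yes"`. The sample content is constructed, the function names are hypothetical, and treating `#` lines as comments is an assumption.

```python
import re

# Constructed sample in the layout quoted above: attributes sit on their own
# lines between <Context ...> and </Context>, not inside the opening tag.
SAMPLE_SERVER_CONF = '''
<Contexts>
    <Context name="Authentication/Authorization web services">
        docBase="CA_AuthAZ"
        path="authazws"
        enable="no"
    </Context>
    <Context name="AALoginService">
        docBase="aaloginservice"
        path="aaloginservice"
        enable="yes"
    </Context>
    # <Context name="Commented out">
    <Context name="Advanced Auth Application">
        docBase="authapp"
        path="authapp"
        enable="no"
    </Context>
    <Context name="UI Application">
        docBase="uiapp"
        path="uiapp"
    </Context>
</Contexts>
'''

# Context paths the post above shows with enable="yes".
REQUIRED_PATHS = ("aaloginservice", "authapp", "uiapp")

_OPEN = re.compile(r'^<Context\s+name="([^"]*)"\s*>$')
_ATTR = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_contexts(text):
    """Return {path: {"name": ..., "docBase": ..., "enable": ...}} per Context."""
    contexts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        opened = _OPEN.match(line)
        if opened:
            current = {"name": opened.group(1)}
            continue
        if line == "</Context>":
            if current is not None and "path" in current:
                contexts[current["path"]] = current
            current = None
            continue
        attr = _ATTR.match(line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return contexts


def disabled_required(text, required=REQUIRED_PATHS):
    """List (path, reason) for required contexts that are absent or not enabled."""
    contexts = parse_contexts(text)
    problems = []
    for path in required:
        ctx = contexts.get(path)
        if ctx is None:
            problems.append((path, "missing"))
        elif ctx.get("enable", "").lower() != "yes":
            problems.append((path, 'enable="%s"' % ctx.get("enable", "<unset>")))
    return problems


if __name__ == "__main__":
    for path, why in disabled_required(SAMPLE_SERVER_CONF):
        print("context %s: %s" % (path, why))
```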



  • 37.  Re: Session Assurance - SessionDNA

    Posted Aug 17, 2016 10:39 PM

    Now that created log files, which are showing some errors. Although I am trying to get it to actually work, at some point I would like to understand the entire flow of the request.

     

    Arcotuds.log shows:

     

    2016-08-17 21:32:57,892 CDT : [localhost-startStop-1] : INFO  : userstore.helper.AdminAPISessionHelper : [null] : [null] : PMAPI_Login with UserName : siteminder failed.[facility=4 severity=3 reason=0 status=11 message=Invalid credentials]

    2016-08-17 21:32:57,898 CDT : [localhost-startStop-1] : ERROR : web.context.ContextLoader : Context initialization failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'session' defined in class path resource [spring/appContext-authapp.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() throws com.arcot.euds.common.api.UDSException] threw exception; nested exception is com.arcot.euds.common.api.UDSException: Error occurred while reading configuration properties: SM.AdminAPIAgentCache of SiteMinder Policy Server .

            at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1015)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:911)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)

            at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)

            at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)

            at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)

            at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)

            at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)

            at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)

            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)

            at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:385)

            at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:284)

            at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)

            at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)

            at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)

            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)

            at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1575)

            at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1565)

            at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)

            at java.util.concurrent.FutureTask.run(FutureTask.java:138)

            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

            at java.lang.Thread.run(Thread.java:662)

    Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() throws com.arcot.euds.common.api.UDSException] threw exception; nested exception is com.arcot.euds.common.api.UDSException: Error occurred while reading configuration properties: SM.AdminAPIAgentCache of SiteMinder Policy Server .

     

    smtrace.log

     

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandBase.cpp:418][CSmEmsCommandBase::traceRequest][][][][][][][][][][][][][][][][][][][<session=>

    <command=login>

            <classid=0>

            <challengereason=0>

            <ipaddress=dz2-ux-wbm6.na.dir.bunge.com/10.152.152.82>

            <password=** Not Shown **>

            <user=siteminder>

    ][][Processed EMS2 request.]

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandV2.cpp:193][CSmEmsCommandV2::Execute][][][][][][][][][][][][][43][][][][][][][][Leave function CSmEmsCommandV2::Execute]

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandBase.cpp:231][CSmEmsCommandBase::Encode][][][][][][][][][][][][][][][][][][][][][Enter function CSmEmsCommandBase::Encode]

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][723][][][][][][][<session=>

    <command=login>

    <status=E/02d3/0/Invalid credentials>

    ][][Processed EMS2 response.]

     

    smps.log:

     

    [31921/-302568592][Wed Aug 17 2016 21:31:30][CA.SPS:STANDARD][INFO]

    INFO:XPSConnector::connectXPS:XPS Connection successful

    [31921/-229139600][Wed Aug 17 2016 21:33:04][CA.SPS:STANDARD][INFO]

    INFO:XPSConnector::connectXPS:XPS Connection successful



  • 38.  Re: Session Assurance - SessionDNA
    Best Answer

    Posted Aug 18, 2016 03:17 AM

    Hi Anil,

    Thank you for your time on the remote session today.

    For the benefit of the community user, I am documenting our progress here as well.

     

    Action Taken

    ===========

    -Uninstalled PS completely

    -Re-installed PS and chose to configure a fresh new policy store.

    -Ensured that the Arcot component on the Policy Server could start up without any error.

     

    Then, we moved on to re-configure SPS with this Policy Server

    -The UDS component on the SPS can now startup without any error.

    - CAWebflow component however has an error connecting to policy server on 7680 port as currently the 7680 port is not opened between PS and SPS.

     

    Next Action

    ==========

    1. You will enable firewall and open port 7680 between PS and SPS

    2. Configure session assurance using following tech note :

    https://communities.ca.com/community/ca-security/blog/2016/08/04/tech-tip-ca-single-sign-on-policy-serverhow-to-configure-enhanced-session-assurance

     

    Regards,

    Ujwol



  • 39.  Re: Session Assurance - SessionDNA

    Posted Aug 18, 2016 06:33 PM

    Hi Ujwol, I got the connectivity on 7680 today and hopefully the last error. I am using Basic authentication on webagent for this resource. Hope you can help me easily on this.

     

    I was redirected to the following upon my initial login:

    /authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=-SM-zXX7djEcfB5KE4KaaPHWW51pbHeg%2bEw5397Vf9pAZ27HOtq5XpoVx6giSS4lCnKW&TARGET=-SM-https%3a%2f%2fmodel%2ebga%2ebunge%2ecom%2ftsf%2f HTTP/1.1

     

     

    and then to:

    GET /uiapp/error/-1?error_code=system.error HTTP/1.1

     

    Nothing on Policy Server logs but on SPS side I show errors:

     

     

    CAWebFlowLog.txt:

     

    2016-08-18 17:12:31,208 [FlowExecutor,ajp-bio-9009-exec-3] ERROR  - TID[-1] 807259999: Unexpected exception in flow {0}(ID={1}); destroying session

    java.lang.RuntimeException: com.arcot.corejsvr.ExceptionWithNC: 808068044: Token ID missing from request.

            at com.ca.aa.ui.auth.authapp.flow.executor.token.SAValidatePSToken.execute(SAValidatePSToken.java:79)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.ExecutableFlowState.executeFlowAction(ExecutableFlowState.java:153)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.ExecutableFlowState.enterState(ExecutableFlowState.java:105)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutionController.enterstate(FlowExecutionController.java:675)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutionController.execute(FlowExecutionController.java:591)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutor.runflow(FlowExecutor.java:660)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutor.startOrResumeFlow(FlowExecutor.java:556)

            at com.ca.aa.ui.framework.cawebflow.engine.servlet.FlowEngineServlet.doGet(FlowEngineServlet.java:58)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

            at com.ca.aa.ui.framework.cawebflow.engine.servlet.RequestContextManagerFilter.doFilter(RequestContextManagerFilter.java:154)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

            at com.ca.aa.ui.framework.filters.filter.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:51)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

            at com.netegrity.proxy.ProxyValve.processRequest(ProxyValve.java:819)

            at com.netegrity.proxy.ProxyValve.invoke(ProxyValve.java:492)

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)

            at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)

            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)

            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

            at java.lang.Thread.run(Thread.java:662)

    Caused by: com.arcot.corejsvr.ExceptionWithNC: 808068044: Token ID missing from request.

            at com.ca.aa.ui.auth.authapp.flow.executor.token.SAValidatePSToken.execute(SAValidatePSToken.java:78)

            ... 33 more

    2016-08-18 17:22:22,784 [OrganizationManagerImpl,ajp-bio-9009-exec-1] DEBUG  - [null] : [null] : Request received to get default Organiza

     

     

    UIAPPLOG:

     

    2016-08-18 17:22:22,831 [StringPropertyProvider,ajp-bio-9009-exec-1] WARN   - TID[-1] 3011005: Required configurations not set: default string resource for key 'template.ca-error.message' (Repeated 5 times)

     

    2016-08-18 17:21:43,875 CDT : [pool-3-thread-1] : DEBUG : java.sql.Connection : ooo Using Connection [org.apache.commons.dbcp.cpdsadapter.ConnectionImpl@1eb2e9f]

    2016-08-18 17:21:43,875 CDT : [pool-3-thread-1] : DEBUG : java.sql.Connection : ==>  Preparing: select max(LAST_UPDATED) from AAUI_CONFIG

    2016-08-18 17:21:43,876 CDT : [pool-3-thread-1] : DEBUG : java.sql.PreparedStatement : ==> Parameters:

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : java.sql.ResultSet : <==    Columns: MAX(LAST_UPDATED)

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : java.sql.ResultSet : <==        Row: 2013-10-18 21:25:23.33000000

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : spring.transaction.SpringManagedTransaction : Committing JDBC Connection [org.apache.commons.dbcp.cpdsadapter.ConnectionImpl@1eb2e9f]

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : mybatis.spring.SqlSessionUtils : Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@1baa46d]

    2016-08-18 17:22:22,831 CDT : [ajp-bio-9009-exec-1] : WARN  : browser.core.StringPropertyProvider : TID[-1] 3011005: Required configurations not set: default string resource for key 'template.ca-error.message' (Repeated 5 times)

    2016-08-18 17:22:42,506 CDT : [CacheUpdater] : DEBUG : rpc.rpc.ClientDispatcher : call getCacheUpdates



  • 40.  Re: Session Assurance - SessionDNA

    Posted Aug 18, 2016 06:44 PM

    Are you using a Host Only cookie? Session assurance doesn't support Host Only cookies.



  • 41.  Re: Session Assurance - SessionDNA

    Posted Aug 18, 2016 07:29 PM

    I just reproduced the same error Anil.

    This error is thrown when the Host Only cookie is used.

    You will need to ensure that the cookie domain of the target resource (protected resource) and the Session assurance end point are the same.
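An added example, not written by the thread's participants: the browser-side rule behind this answer, following RFC 6265 domain matching, to check whether an SMSESSION cookie set by the protected resource would also be sent to the host serving the session assurance flow. Host names and the cookie value are constructed, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie values (the token is a placeholder, not a real session).
HOST_ONLY = "SMSESSION=constructed-token; Path=/"
DOMAIN_WIDE = "SMSESSION=constructed-token; Path=/; Domain=.example.test"
DOMAIN_NARROW = "SMSESSION=constructed-token; Path=/; Domain=.apps.example.test"


def smsession_scope(set_cookie_value, issuing_host):
    """Return (domain, host_only) for the SMSESSION cookie in a Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    if "SMSESSION" not in jar:
        raise ValueError("no SMSESSION cookie in header")
    domain = jar["SMSESSION"]["domain"].lstrip(".").lower()
    if not domain:
        # No Domain attribute: the cookie is host-only and is returned
        # solely to the exact host that set it.
        return issuing_host.lower(), True
    return domain, False


def browser_sends(domain, host_only, request_host):
    """RFC 6265 domain-match for DNS names (IP literals are not handled)."""
    host = request_host.lower().rstrip(".")
    if host_only:
        return host == domain
    # Suffix match only on a label boundary, so badexample.test != example.test.
    return host == domain or host.endswith("." + domain)


def hosts_missing_cookie(set_cookie_value, protected_host, assurance_host):
    """Hosts in the redirect flow that would NOT receive SMSESSION."""
    domain, host_only = smsession_scope(set_cookie_value, protected_host)
    return [h for h in (protected_host, assurance_host)
            if not browser_sends(domain, host_only, h)]


if __name__ == "__main__":
    app, sps = "app.apps.example.test", "sps.example.test"
    for label, header in (("host-only", HOST_ONLY),
                          ("domain=.example.test", DOMAIN_WIDE),
                          ("domain=.apps.example.test", DOMAIN_NARROW)):
        missing = hosts_missing_cookie(header, app, sps)
        print("%-28s missing on: %s" % (label, ", ".join(missing) or "none"))
```

Only the `.example.test` case reaches both hosts; the host-only and narrower-domain cookies never arrive at the flow endpoint.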



  • 42.  Re: Session Assurance - SessionDNA

    Posted Aug 18, 2016 10:32 PM

    HEYYYYYYYYY.. I finally got it to work by making sure cookie domains match so SMSESSION is passed back and forth.

     

    Ujwol, You are a ROCK STAR. Thank You.



  • 43.  Re: Session Assurance - SessionDNA

    Posted Aug 19, 2016 07:34 AM

    That's awesome

    We will catch up on Monday.



  • 44.  Re: Session Assurance - SessionDNA

    Broadcom Employee
    Posted Aug 02, 2016 03:38 AM

    Hi Anil,

     

    You first need to ensure that Session Assurance is configured and

    running on the Policy Server. If not, it will never work on the SPS side.

     

    2 things to do on the Policy Server :

     

    - Check that the bin/resource.dat has the following names

      replaced with the server name and install path :

     

      {{!__SERVERNAME__!}}.{{!__INSTALLPATH__!}}

     

      if it shows like that, the Session Assurance isn't configured

      on the Policy Server;

     

    - If the above is configured, ensure that Session Assurance runs:

     

      Try to telnet to the Policy Server on port 7680, like this:

     

      telnet policy_server_ip 7680

     

      and if it tells you "Connect failed", then the Session Assurance

      doesn't run on the Policy Server.

     

    I hope that helps

     

    Patrick
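An added example, not part of Patrick's post or the product: the two Policy Server checks above as a Python pre-flight, which also separates a refused connection (nothing listening on 7680) from a timeout (typically a firewall between SPS and PS, the situation reply 38 describes). The `resource.dat` sample lines are constructed; only the placeholder syntax comes from the post, and the function names are hypothetical.

```python
import re
import socket

# Installer placeholder syntax quoted in the post, e.g. {{!__SERVERNAME__!}}
PLACEHOLDER = re.compile(r"\{\{!__[A-Z0-9_]+__!\}\}")

# Constructed stand-ins for bin/resource.dat content; the real file layout
# is not shown in the thread.
SAMPLE_UNCONFIGURED = "entry={{!__SERVERNAME__!}}.{{!__INSTALLPATH__!}}\n"
SAMPLE_CONFIGURED = "entry=ps01.example.test./opt/ca/siteminder\n"


def unreplaced_placeholders(text):
    """Sorted, de-duplicated placeholders the installer never substituted."""
    return sorted(set(PLACEHOLDER.findall(text)))


def probe_port(host, port=7680, timeout=3.0):
    """Classify a TCP connect attempt: open, refused, timeout or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered, but no listener on the port
    except socket.timeout:
        return "timeout"      # no answer at all, typically a packet filter
    except OSError:
        return "error"        # name resolution failure, no route, etc.


def preflight(resource_dat_text, host, port=7680, timeout=3.0):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    left = unreplaced_placeholders(resource_dat_text)
    if left:
        findings.append("resource.dat still has placeholders: " + ", ".join(left))
    state = probe_port(host, port, timeout)
    if state == "refused":
        findings.append("port %d refused: Session Assurance is not listening" % port)
    elif state == "timeout":
        findings.append("port %d timed out: check firewall between SPS and PS" % port)
    elif state == "error":
        findings.append("port %d not testable: check host name and routing" % port)
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py /path/to/bin/resource.dat policy_server_host
    with open(sys.argv[1], errors="replace") as fh:
        results = preflight(fh.read(), sys.argv[2])
    print("\n".join(results) if results else "both checks passed")
```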



  • 45.  Re: Session Assurance - SessionDNA

    Posted Aug 03, 2016 05:06 PM

    Thank You Patrick, obviously the issue is my riskminder is not running. I am working on fixing it.