Layer7 Access Management

Expand all | Collapse all

Session Assurance - SessionDNA

Jump to Best Answer
  • 1.  Session Assurance - SessionDNA

    Posted 07-26-2016 03:40 PM

    Hi I am working on implementing SessionDNA for one of our apps.

    I am following this link:

     

    CA SiteMinder® Integrated Documents 12.52

     

    I have installed R12.52 Policy Server and SPS just for this purpose and configured AAS with same Master Key as suggested by the document. But from agenttrace , it looks like the request is going to CA, may be a property file somewhere?

     

    [Sending request to backend = www.ca.com url = http://www.ca.com/authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=wsd1&TARGET=-SM-https%3a%2f%2fHostname%2fapp%2f

     

    The request never reaches server.log as I am assuming it is going to wrong SPS. Appreciate if anyone has seen this in the past? I am assuming I will run into the REAL issue  isafter I bypass this.

     

    server.log has no requests.

     

    files Under Arcot/logs/CAWebFlowLog.txt has the following error at start up.

     

    2016-07-26 14:29:54,570 [ContextLoader,localhost-startStop-1] ERROR  - Context initialization failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'session' defined in class path resource [spring/appContext-authapp.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() throws com.arcot.euds.common.api.UDSException] threw exception; nested exception is com.arcot.euds.common.api.UDSException: Error occurred while reading configuration properties: SM.AdminAPIAgentCache of SiteMinder Policy Server .

            at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1015)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:911)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)

            at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)

            at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)

            at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)

            at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)

            at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)

            at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)

            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)



  • 2.  Re: Session Assurance - SessionDNA

    Posted 07-26-2016 04:39 PM

    Hi Anil,

     

    Session Assurance is not easy to setup and has a lot of requirement and limitations.

    Have you reviewed them all?

    One of them commonly missed is "If you do not have a session store, configure one".

     

    There are also reported compatibility defect for integration between different version of policy server and SPS version.

    It is best to stick with same version for both.

     

    The error you reported similar to a compatibility defect between different versions of components.

    Policy Server says AGENTAPI_NO : as root cause of Exception, when com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() was called (DE137018).

     

     

    Hongxu



  • 3.  Re: Session Assurance - SessionDNA

    Posted 07-26-2016 04:44 PM

    For the redirection question,

    You need to check here:

    • Policies -->  Global --> Session Assurance End Points


  • 4.  Re: Session Assurance - SessionDNA

    Posted 07-26-2016 05:31 PM

    Thank You Hongxu and Ujwol.

     

    Versions seem to match. Session store is in place.

     

    Policy Server

    ProductName=CA SiteMinder Policy Server

     

     

    FullVersion=12.52.100.499

     

     

    Location=/opt/netegrity/siteminder

     

     

    SPS:

     

    Product Name=CA SiteMinder Secure Proxy Server

    FullVersion=12.52.0100.499

    Version=12.52

    Update=0100

    Build Number=499

    Location=/opt/ca/secure-proxy

    InstanceName=default

     

    End point is:

     

    https://myspsservername.com:sslport_from_httpd.conf/authapp/flows/i/session_assurance_flow.html



  • 5.  Re: Session Assurance - SessionDNA

    Posted 07-26-2016 07:11 PM

    I get the error:

     

    https://SPS_Host_name:10443/authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=agent&TARGET=-SM-https%3a%2f%2fhostname%2fRequest URI:/authapp/flows/i/session_assurance_flow.html
    Error Type:SPS Exception
    Error Code:Noodle_ConnectException
    Message:Connection refused remotely, no process is listening on the remote address/port.

     

    I am getting the same error when I access proxyUI..I can see the requests flowing through mod_jk log but never reaching server.log.

     

    However, I get successful initialization  when I goto: https://SPS_Host_name:10443/ affwebservices/assertionretriever. Appreciate any insights.



  • 6.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 12:17 AM

    By any chance have you disabled Arcot component on SPS side :

     

    In your server.conf you should have following :

     

    <Context name="AALoginService">

     

    docBase="aaloginservice"

    path="aaloginservice"

    enable="yes"

    </Context>

     

    <Context name="Advacned Auth Application">

     

    docBase="authapp"

    path="authapp"

    enable="yes"

    </Context>

     

    <Context name="UI Application">

     

    docBase="uiapp"

    path="uiapp"

    enable="yes"

    </Context>

    </Contexts>



  • 7.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 03:47 PM

    Hi Ujwol,

     

    <Contexts>

            <Context name="Authentication/Authorization web services">

                docBase="CA_AuthAZ"

                path="authazws"

                enable="no"

            </Context>

            <Context name="AALoginService">

                                    docBase="aaloginservice"

                                    path="aaloginservice"

                                    enable="yes"

                            </Context>

                            <Context name="Advacned Auth Application">

                                    docBase="authapp"

                                    path="authapp"

                                    enable="yes"

                            </Context>

                            <Context name="UI Application">

                                    docBase="uiapp"

                                    path="uiapp"

                                    enable="yes"

                            </Context>

        </Contexts>



  • 8.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 01:10 AM

    Hi,

     

    In addition to Ujwol's comment...

     

    As for the Noodle_ConnectException, another discussion pointed it out.

    Noodle ConnectException

     

    SPS Tomcat server.log will not log any HTTP transactions. You need to enable ACO parameters of TraceFile* for SPS as well as LogFile*. It’s quite similar to normal Web Agent settings.

     

    Enhanced Session Assurance is served by “CA RiskMinder Service” on the Policy Server computer. Please check the service (arrfserver.exe) is ready and listening the port 7680.

     

    I would recommend that:

    1. verify that such a normal HTML Form Authentication works WITHOUT enabling Session Assurance Endpoint in your Realm settings. (in other words, check to see if SPS default installation works or not.)
    2. then, enable the Endpoint in the Realm to see if it works.

     

    Also, sometime newer documentation would be better and you may refer r12.52 SP1 document as well.

    Enhanced Session Assurance with DeviceDNA™ - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

     

    Hope this would help.

     

    Regards,

    Koichi Ikarashi



  • 9.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 03:44 PM

    Hi Koichi, I will try your suggestions today



  • 10.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 12:48 PM

    It says "Connection refused remotely, no process is listening on the remote address/port." Do you have connectivity issue between SPS to backend host on ssl port 443?

     

    https://SPS_Host_name:10443/authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=wsd1&TARGET=-SM-https://Hostname/app/

     

    Thanks,

    Hongxu



  • 11.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 03:45 PM

    Yes. Telnet works fine and the ports are open.

     

    bash-4.1$ netstat -a | grep 110

    tcp        0      0 localhost.localdomain:11005 *:*                         LISTEN     

    tcp        0      0 *:11009                     *:*                         LISTEN     

    tcp        0      0 *:11080                     *:*                         LISTEN     

    tcp        0      0 localhost.localdomain:18541 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:18601 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:19947 ESTABLISHED

    tcp        0      0 localhost.localdomain:19947 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:18601 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:18541 ESTABLISHED

    tcp        0      0 localhost.localdomain:19809 localhost.localdomain:11009 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:19809 ESTABLISHED

    tcp        0      0 localhost.localdomain:11009 localhost.localdomain:18499 ESTABLISHED



  • 12.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 05:24 PM

    We have seen problems in the past when customer use default proxy-rules.xml to forward all request to www.ca.com, which will be blocked by your company firewall immediately.  Then you will get connection refused error from firewall.

    You should always modify those default rule to the host that you have access to within the same environment.

    I hope you are not running into that.

    Earlier, you did mention "[Sending request to backend = www.ca.com url ="

     

    Hongxu



  • 13.  Re: Session Assurance - SessionDNA

    Posted 07-27-2016 05:46 PM

    Thanks Hongxu.but that did nt help.

    I may have made small progress though.

    I am able to open the proxyUI if I directlty goto the http port of Tomcat. Is it how it is supposed to work? Should I be using the same port bypassing apache and connecting directly yo Tomcat?



  • 14.  Re: Session Assurance - SessionDNA

    Posted 07-28-2016 04:55 AM

    Hi,

    SPS proxyui can be accessible via Tomcat.

    Regarding Advance Session Assurance, authapp and uiapp (Ujwol commented on server.conf definition) are accessed via Apache web server in the front end. You do not need to bypass.

    Regards,

    Koichi



  • 15.  Re: Session Assurance - SessionDNA

    Posted 08-02-2016 01:19 AM

    Hi,

     

    Have you tried a normal HTML Form Authentication and seen it worked well? Please let us know if you made any progress.

     

    Regards,

    Koichi



  • 16.  Re: Session Assurance - SessionDNA

    Posted 08-02-2016 03:12 AM

    Hello @ANIL CHARUGUNDLA

    My another take on this issue.

     

    To understand more on this integration, I set this up in my lab.

    I must admit, I myself had to go through lot of trouble to get this working.

    I am hoping to create a KB article with screenshot documenting the steps needed to get the Session Assurance working.

     

    At one point, I too got the exact same error as yours:

    Context initialization failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'session' defined in class path resource [spring/appContext-authapp.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session

     

    However, based on my research, this very generic error and can be result of multiple issues.

    The only way I was able to get more detailed logging was by changing the udsserver.ini file log level as below:

    You can find this file at <ARCOT_HOME>/conf/ directory.

     

    [arcot/uds/logger]

    log4j.rootCategory=DEBUG, debuglog

    log4j.logger.com.arcot.euds=DEBUG

    log4j.logger.com.arcot.crypto.impl.SecureStoreUtil=DEBUG

    log4j.logger.com.arcot.common.database=DEBUG

    log4j.logger.com.arcot.common.cache=DEBUG

     

    After making this change, you should be seeing more helpful tracing in the "arcotuds.log"

    located at <ARCOT_HOME>/logs/ directory.

     

    However, I would suggest checking on few things to get started with :

     

    Troubleshooting

    • Check if you have SmHostFlow.conf file in <ARCOT_HOME>/conf directory. This is required to perform handshake between RiskMinder component at SPS with the Policy server. If this file does not exist, please re-run the sps-configuration wizard.

     

    • If the SmHostFlow.conf is present, check Policy server log (smps.log ) at the time of the of the SPS restart, and see if you get any handshake error with the IP of your SPS box. If there is "Invalid Shared secret" error , that would indicate that the shared secret in the SmHostFlow.conf is not valid and you would need to re-register the trusted host again. You can just choose to copy the "shared secrets" and "trusted host" from the "SmHost.conf" of the defaultagent as well.

     

    • JCE patch should be applied on the JRE used by SPS
    • Ensure that CA RiskMinder service is up and running at the policy server side.

     

    Few other confirmation :

    Before proceeding with the Session Assurance configuration at the policy server side, it is absolutely necessary to ensure that there are no fatal startup error in the following logs :

     

    • arcotuds.log
    • CAWebFlowlog.txt
    • UIAppLog.txt

     

    As all of these arcot webapps are local apps, once they are initialized properly , they DO skip the proxy rules processing. Meaning to say, you do not need to do any configuration on the proxyrules.xml pertaining to this Arcot integration.

     

    arcotuds.log should give you some good info about the actual issue , after enabling those debug logging but if you still couldn't figure it out, I would suggest logging a support case with CA. This most likely need some advanced troubleshooting, as there are so many variables which could go wrong here.

     

    Hopefully, with r12.6 , there will be fewer issues as the SM <--> RiskFort(Arcot) integration design is being simplified.

     

    Good Luck.

     

    Cheers,

    Ujwol



  • 17.  Re: Session Assurance - SessionDNA

    Posted 08-03-2016 05:06 PM

    Hi Ujwol. Appreciate your detailed analysis. I will try to follow all the steps you mentioned. Support case has been opened for 2 weeks , as usual it is going through time drag process of 'Version gathering' right now.

    Looks like my RiskMinder is not running

    start-all shows RiskMinder started but

     

    stop-all says:

    RiskMinder is not running

    SiteMinder Policy Server is stopping...

    SiteMinder Policy Server is no longer running

    SiteMinder Health Monitor is stopping..

    SiteMinder Health Monitor is no longer running

     

    Neither smps nor smexec show any messages related to RiskMinder. I dug around my installation and it looks like I had installed Advanced Authenitcation (Strong and Risk authentication) on the same box as Policy Server which might have over written contents of ca/aas folder. At this point logs show they are unable to connect to database which probaly is an issue for next month for me. To make this easier, I setup another instance in my lab, installed R1252 , however  I see only 4 folders under /aas and bin is completely empty. Obviously I am missing something.

     

    Install log shows 4 non fatal errors:

     

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

     

    Modify Text File - Single File:   /opt/ca/aas/dbscripts/postgresql/ca-db-seed-for-auth-8.0.sql

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

     

    Modify Text File - Single File:   /opt/ca/aas/dbscripts/oracle/ca-db-seed-for-auth-8.0.sql

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

     

    Modify Text File - Single File:   /opt/ca/aas/dbscripts/mysql/ca-db-seed-for-auth-8.0.sql

                              Status: ERROR

                              Additional Notes: ERROR - Unable to locate ASCII text file to be manipulated.  Deferring...

     

    and also this:

     

    Custom Action:

    File /opt/ca/aas/install_config_info/CA_Advanced_Authentication_Service_Install_2016-08-03-15-48-59.log does not exist.

     

    This is a brand new box. Can you think of 'that obvious step' I am missing.

     

    contents of aas: there are no objects under aas/bin

     

    [smuser@ install_config_info]$ cd ..

    [smuser@ siteminder]$ cd ../aas/

    [smuser@ aas]$ cd

    bin/       conf/      lib/       resources/

    [smuser@ aas]$ cd conf/

    datracesettings.ini   smshareddbtrace.conf 

    [smuser@ aas]$ cd conf/

    datracesettings.ini   smshareddbtrace.conf 

    [smuser@ aas]$ cd lib/

    cryptojFIPS.jar               libicui18n.so.49              libicule.so.49.1.2            libicutu.so                   libsmagentapi.so              libsmshareddbcomponent.so     smjavasdk2.jar

    cryptoj.jar                   libicui18n.so.49.1.2          libiculx.so                   libicutu.so.49                libsmagentconmgrcomponent.so  libSmXlate.so                 smrpc.jar

    imsjavasdk.jar                libicuio.so                   libiculx.so.49                libicutu.so.49.1.2            libsmagentfunccomponent.so    log4j.jar                    

    libicudata.so                 libicuio.so.49                libiculx.so.49.1.2            libicuuc.so                   libsmcommonutil.so            smadminapi.jar               

    libicudata.so.49              libicuio.so.49.1.2            libicutest.so                 libicuuc.so.49                libsmerrlog.so                smagentapi.jar               

    libicudata.so.49.1.2          libicule.so                   libicutest.so.49              libicuuc.so.49.1.2            libsmi18n.so                  smanalyzer.jar               

    libicui18n.so                 libicule.so.49                libicutest.so.49.1.2          libsmadminapi.so              libsmjavaagentapi.so          smjavaagentapi.jar           

    [smuser@ aas]$ cd resources/AgentFunc_

    AgentFunc_de.properties     AgentFunc_es.properties     AgentFunc_it.properties     AgentFunc_ko.properties    

    AgentFunc_en.properties     AgentFunc_fr.properties     AgentFunc_ja.properties     AgentFunc_pt_BR.properties 



  • 18.  Re: Session Assurance - SessionDNA

    Posted 08-03-2016 07:07 PM

    Hi Anil,

     

    That looks bad.

    Please try creating a installer debug logs following these steps :

    IBM How to debug InstallAnywhere when installing Connect Java based products - United States

    It usually gives more insight into why the install is failing.

    If that doesn't help, I would then try to use strace to capture the installation process activity :

     

    strace -Ff -t -i -v -o strace.log -s 16384 <command_to_install_policyserver>

    I am sure you must have validated the platform is supported for the version of the Policy server you are trying to install?

     

    Regards,

    Ujwol



  • 19.  Re: Session Assurance - SessionDNA

    Posted 08-04-2016 03:39 AM

    Hi Anil,

     

    Once your are done with fixing the CA Risk Minder component startup issue at the Policy server side, have a look at following blog post.

    This might come handy for your troubleshooting :

    Tech Tip : CA Single Sign-On :: Policy Server:How to Configure Enhanced Session Assurance

    Tech Tip : CA Single Sign-On :: CA Access Gateway:How to troubleshoot Advanced Authentication Flow Application (Session Assurance)



  • 20.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 12:44 PM

    Thanks Ujwol. I have a full new R12.52 system at hand.

     

    ProductName=CA SiteMinder Policy Server

    FullVersion=12.52.100.499

     

    However I still have the same error with my riskfort. Please note I have not done single config change to enable riskfort, but looks like it expects a database based on the following log. Is there a tech tip on configuring risk fort as part of policy server installation or as part of Session Assurance? Or if there is any reference in technote

     

    I am not enabling a full-on 'Advanced Authentication' suite.

     

    11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: Listing the DB configuration record [1]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: Datasource.1..................................: [CAAdvancedAuthDSN]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: UserName.1....................................: [password]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MaxIssuanceThreads]: Value is [128]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MinIssuanceThreads]: Value is [32]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MaxTransWSThreads]: Value is [128]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MinTransWSThreads]: Value is [32]

    Tue Aug 09 11:21:10.984 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/MaxTransactionRetries]: Value is [3]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/TransactionRetrySleepTime]: Value is [10]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MaxAdminWSThreads]: Value is [32]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/MinAdminWSThreads]: Value is [16]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/BindPriority]: Value is [0]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/riskfort/server/BindOnAll]: Value is [0]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/MonitorSleepTimeOnFailureSecs]: Value is [20]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/db/dbconfig/StartWithAnyPool]: Value is [1]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: [arcot/crypto/device/HSMDevicePinLocation]: Parameter not present/not set. Defaulting to [FILE]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: ---------------------------------------------------------------------

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: Listing ini section : [arcot/crypto/device]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: ---------------------------------------------------------------------

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: HSM Device....................................: [S/W]

    Tue Aug 09 11:21:10.985 2016 INFO:    pid 15972 tid 4083549904: 2: 0: HSM Pin Location..............................: [FILE]

    Tue Aug 09 11:21:11.012 2016 WARNING: pid 15972 tid 4083549904: 2: 0: No backup databases are configured.

    Tue Aug 09 11:21:11.327 2016 WARNING: pid 15972 tid 4083549904: 2: 0: ArDBConnection::GetDBDiagnosis: SQL State:28000, Native Code: FFFFFFFF, ODBC code: SiteMinder Agent API initialization failure

    Tue Aug 09 11:21:11.327 2016 WARNING: pid 15972 tid 4083549904: 2: 0: ArDBConnection::connect: Connection to database [CAAdvancedAuthDSN]. user [password] failed. Error detail [SQL State:28000, Native Code: FFFFFFFF, ODBC code: SiteMinder Agent API initialization failure]



  • 21.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 12:46 PM

    FYI, I am still waiting for support team to respond after initial config gathering exercise. Appreciate any insight you can offer.



  • 22.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 03:01 PM

    Hi Anil,

     

    The main problem seems to be here:

     

    ArDBConnection::connect: Connection to database [CAAdvancedAuthDSN]. user [password] failed. Error detail [SQL State:28000, Native Code: FFFFFFFF, ODBC code: SiteMinder Agent API initialization failure]

     

    The password to connect to DSN is stored in securestore.enc file under<ARCOT_HOME>/conf directory.

     

    My guess is either this file does not exist or it can't decrypt the password inside it.

     

    There is a command line option to reset this password but before going that route have ,can you please try following:

     

    1. Check SmHostFlow.conf under <ARCOT_HOME>/bin directory.

    2. Delete this file, also delete the Trusted host that it is referring to.

    3. Re-run the policy server configuration wizard without selecting ANY option.

     

    The above steps should usually correct any configuration isssues with the Arcot configuration on the PS side.



  • 23.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 03:11 PM

    Thanks for the quick reply. I only have these 4 subfodlers under bin, there is no SmHostFlow.conf

     

    -rwxrwxr-x  1 smuser smuser 6577 Jun  4  2014 casemanagementserver

    -rw-rw-r--  1 smuser smuser  166 Aug  9 11:21 nohup-riskfort.out

    -rwxrwxr-x  1 smuser smuser 6568 Jun  4  2014 riskfortserver

    -rwxrwxr-x  1 smuser smuser 3630 Jun  4  2014 webfortserver

     

    My FullVersion=12.52.100.499. What version did you test this on?

     

    Regards to the database, I have never specified a database to be used as part of PS configuration. I only configured Policy Store which only dealt with Policy store details. I am sorry to have to bother you but you seem to be my best hope, unfortunately. My case has been taken over by somone else, and the new case owner wanted me to fill out 'Business Impact section'. Hope he has some insights into technical details.



  • 24.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 03:21 PM

    Hi Anil,

     

    I have tested this on the same version at my end without any problem.

     

    The log is referring to FILE based database which is created for ARCOT/Riskfort integration. This file exists by name resource.dat and should reside on Policy server bin folder. This is configured automatically during Policy server configuration.

     

    The only configuration needed for this are the MasterKey password which is asked during the PS configuration.

     

    What is your case#?

     

     

    Regards,

     

    Ujwol Shrestha

     

    Sent from my iPhone. Please excuse brevity and typos if any.



  • 25.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 03:36 PM

    Okay, I have the resource.dat file under ps/bin. I have updated {{!__SERVERNAME__!}}.{{!__INSTALLPATH__!}} wth actual server name and install path as 'Patrick Dussalt' mentioned below, although I still have some

     

    ~{!__SERVERNAME__!} instances such as :

     

    RiskMinder~10~5~18~{!__SERVERNAME__!}~18~6~3~8.0~3~7~237~102%0afe80::1534:7255:52e2:d87e%2510%0a106%0a50%0a107%0a{!__INSTALLPATH__!}%0a108%

     

    Do I have to modify those to actual server name and path as well?

     

    I don't have SmHostFlow.conf under by aas/bin.

     

    My case # 00461694

    Appreciate if you can take ownership. I am either I am very close or I am so far away.



  • 26.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 03:41 PM

    Thanks. Let me review the case first. I work from Australia support center. I am not sure if my shift timings will be convenient for you. I am still almost three hours away to begin my shift for the day.



  • 27.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 07:13 PM

    Hi Anil,

     

    It seems we are on different page

     

    I checked both my PS and SPS installation directory, I don't have these sub folders under bin directory (as yours)

     

    -rwxrwxr-x  1 smuser smuser 6577 Jun  4  2014 casemanagementserver

    -rw-rw-r--  1 smuser smuser  166 Aug  9 11:21 nohup-riskfort.out

    -rwxrwxr-x  1 smuser smuser 6568 Jun  4  2014 riskfortserver

    -rwxrwxr-x  1 smuser smuser 3630 Jun  4  2014 webfortserver

     

    Are you also installing standalone Advanced Authentication server beside Policy server and SPS ?

    For session assurance it is enough to install and PS & SPS. We do not need standalone Advanced Auth server.

     

    Please confirm.



  • 28.  Re: Session Assurance - SessionDNA

    Posted 08-09-2016 10:45 PM

    These are under /opt/ca/aas/bin.

     

    It came with regular sm install only.. I did nt do separate advanced auth install

     

    Sent from my iPhone



  • 29.  Re: Session Assurance - SessionDNA

    Posted 08-11-2016 06:24 PM

    We made some progress. Support asked me to upgrade to R1252 CR5, both policy server and POlicy store. Risk Minder started without issues after upgrading. Currently in the process of upgrading SPS and Adminui to CR5.

     

    Will keep this thread informed on how this implementation is progressing.



  • 30.  Re: Session Assurance - SessionDNA

    Posted 08-11-2016 07:47 PM

    Thanks for the update Anil. Keep us posted.



  • 31.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 03:50 PM

    Today support asked me to downgrade my SPS to R1252CR4. That did nt help me either. Waiting to hear back from support.

    However, i now see SmHostFlow.conf under my sps/arcot/conf.

    There are no logs on SPS/arcot/logs. Is there a config file I can turn on to enable logging?



  • 32.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 04:08 PM

    I found your blog and updated the conf file but still no luck..

     

    ##                      ARCOT USER DATA SERVICE CONFIGURATION                 ##

    ############################################################################

     

     

     

     

    ############################################################################

    ## USER DATA SERVICE CONFIG SECTION : LOGGING CONFIGURATIONS      ##

    ############################################################################

     

     

    [arcot/uds/logger]

    log4j.rootCategory=DEBUG, debuglog

    log4j.logger.com.arcot.euds=DEBUG

    log4j.logger.com.arcot.crypto.impl.SecureStoreUtil=DEBUG

    log4j.logger.com.arcot.common.database=DEBUG

    log4j.logger.com.arcot.common.cacheDEBUG

     

     

    #UDS Log Handle.

    log4j.appender.debuglog=org.apache.log4j.RollingFileAppender

    # By default the arcotuds.log file will be created under ARCOT_HOME/logs.

    # If a different file is needed, provide the absolute path of the log file.

    # Make sure that the provided path exists.

    #log4j.appender.debuglog.File=${arcot.home}/logs/arcotuds.log

    log4j.appender.debuglog.File=/opt/ca/secure-proxy/arcot/logs/arcotuds.log

    log4j.appender.debuglog.MaxFileSize=10MB

    log4j.appender.debuglog.MaxBackupIndex=100

    log4j.appender.debuglog.layout=org.apache.log4j.PatternLayout

    log4j.appender.debuglog.Encoding=UTF-8

    log4j.appender.debuglog.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss,SSS z} : [%t] : %-5p : %-5c{3} : %m%n

     

     

    #-------------------------------ARCOT INTERNAL------------------------------------#

    log4j.logger.com.arcot.crypto.impl.NCipherCrypter=FATAL

     

    odbc.ini shows:

     

    [ODBC Data Sources]

    CAAdvancedAuthDSN=SiteMinder Policy Server Wire Protocol

     

     

    [CAAdvancedAuthDSN]

    Driver=/opt/ca/secure-proxy/arcot/lib/libdaproxy.so

    HostConfigFile=/opt/ca/secure-proxy/arcot/conf/SmHostFlow.conf

     

     

    [ODBC]

    Trace=1

    DATrace=1

    DATraceSettingsFile=/opt/ca/secure-proxy/arcot/conf/datracesettings.ini

    TraceFile=/opt/ca/secure-proxy/arcot/logs/odbctrace.out

    TraceDll=/opt/ca/secure-proxy/arcot/odbc/lib/NStrc27.so

    InstallDir=/opt/ca/secure-proxy/arcot/odbc/



  • 33.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 04:21 PM

    Also, On SPS side , is there a process or test I can do to ensure all the arcot components are initialized successfully ? On the policy server side I have a process called 'arrf' running indicating that risk minder initialized successfully.

     

     

    My Tomcat process details with the config, I dont see any arcot config in here..

     

     

    apache    5500     1  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    5508  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/rotatelogs /opt/ca/secure-proxy/httpd/logs/mod_jk.log 10M

    apache    5511  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    5512  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    5513  5500  0 15:01 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL

    apache    6068     1  2 15:01 pts/2    00:00:24 /opt/ca/jdk_32bit_1.6.0_35/bin/java -ms256m -mx1024m -server -XX:MaxPermSize=256M -Dcatalina.base=/opt/ca/secure-proxy/Tomcat -Dcatalina.home=/opt/ca/secure-proxy/Tomcat -Djava.io.tmpdir=/opt/ca/secure-proxy/Tomcat/temp -DHTTPClient.log.mask=0 -DHTTPClient.Modules=HTTPClient.RetryModule|org.tigris.noodle.NoodleCookieModule|HTTPClient.DefaultModule -Dlogger.properties=/opt/ca/secure-proxy/Tomcat/properties/logger.properties -Djava.endorsed.dirs=/opt/ca/secure-proxy/Tomcat/endorsed -DIWACONFIGHOME=/opt/ca/secure-proxy/proxy-engine/conf/sts-config/globalconfig -DNETE_WA_ROOT= -DPWD=/opt/ca/secure-proxy -classpath /opt/ca/secure-proxy/Tomcat/bin/proxybootstrap.jar:/opt/ca/secure-proxy/Tomcat/properties:/opt/ca/secure-proxy/resources:/opt/ca/jdk_32bit_1.6.0_35/lib/tools.jar:/opt/ca/secure-proxy/Tomcat/bin/bootstrap.jar:/opt/ca/secure-proxy/Tomcat/lib/smi18n.jar:/opt/ca/secure-proxy/agentframework/java/cryptoj.jar com.netegrity.proxy.ProxyBootstrap -config /opt/ca/secure-proxy/proxy-engine/conf/server.conf

    apache    6778  5500  0 15:09 ?        00:00:00 /opt/ca/secure-proxy/httpd/bin/httpd -d /opt/ca/secure-proxy/httpd -k start -D SSL



  • 34.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 08:25 PM

    Hi Anil,

     

    After enabling above debug logging are you able to get any logs at all ?

    If not have you checked if the arcot components are enabled on the Server.conf ?

    Did you have a look at this blog post as well :

    Tech Tip : CA Single Sign-On :: CA Access Gateway:How to troubleshoot Advanced Authentication Flow Application (Session Assurance)

     

    Regards,

    Ujwol

    Ujwol's Single Sign-On Blog



  • 35.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 10:23 PM

    Hi Ujwol, dont have any logs yet. Have nt done any changes in server.conf may be thats what i missing. What changes are needed wrt ARCOT? Your technote does nt have any info related, apologize if I have missed it..

    Thanks in advance.



  • 36.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 10:26 PM

    You need to ensure they are enabled as shown below :

    <Contexts>

            <Context name="Authentication/Authorization web services">

                docBase="CA_AuthAZ"

                path="authazws"

                enable="no"

            </Context>

            <Context name="AALoginService">

                                    docBase="aaloginservice"

                                    path="aaloginservice"

                                    enable="yes"

                            </Context>

                            <Context name="Advacned Auth Application">

                                    docBase="authapp"

                                    path="authapp"

                                    enable="yes"

                            </Context>

                            <Context name="UI Application">

                                    docBase="uiapp"

                                    path="uiapp"

                                    enable="yes"

                            </Context>

        </Contexts>



  • 37.  Re: Session Assurance - SessionDNA

    Posted 08-17-2016 10:39 PM

    Now that created log files which are showing some errors. Although I am trying to get it to actually work, at some point I wd like to understand the entire flow of the request.

     

    Arcotuds.log shows:

     

    2016-08-17 21:32:57,892 CDT : [localhost-startStop-1] : INFO  : userstore.helper.AdminAPISessionHelper : [null] : [null] : PMAPI_Login with UserName : siteminder failed.[facility=4 severity=3 reason=0 status=11 message=Invalid credentials]

    2016-08-17 21:32:57,898 CDT : [localhost-startStop-1] : ERROR : web.context.ContextLoader : Context initialization failed

    org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'session' defined in class path resource [spring/appContext-authapp.xml]: Instantiation of bean failed; nested exception is org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() throws com.arcot.euds.common.api.UDSException] threw exception; nested exception is com.arcot.euds.common.api.UDSException: Error occurred while reading configuration properties: SM.AdminAPIAgentCache of SiteMinder Policy Server .

            at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:581)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1015)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:911)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:485)

            at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:456)

            at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:294)

            at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:225)

            at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:291)

            at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:193)

            at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:585)

            at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:913)

            at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:464)

            at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:385)

            at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:284)

            at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:111)

            at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5016)

            at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5524)

            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)

            at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1575)

            at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1565)

            at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)

            at java.util.concurrent.FutureTask.run(FutureTask.java:138)

            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

            at java.lang.Thread.run(Thread.java:662)

    Caused by: org.springframework.beans.factory.BeanDefinitionStoreException: Factory method [public static com.ca.siteminder.sdk.adminapi.Session com.ca.siteminder.userstore.helper.AdminAPISessionHelper.getSMAdminAPISessionFromConfig() throws com.arcot.euds.common.api.UDSException] threw exception; nested exception is com.arcot.euds.common.api.UDSException: Error occurred while reading configuration properties: SM.AdminAPIAgentCache of SiteMinder Policy Server .

     

    smtrace.log

     

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandBase.cpp:418][CSmEmsCommandBase::traceRequest][][][][][][][][][][][][][][][][][][][<session=>

    <command=login>

            <classid=0>

            <challengereason=0>

            <ipaddress=dz2-ux-wbm6.na.dir.bunge.com/10.152.152.82>

            <password=** Not Shown **>

            <user=siteminder>

    ][][Processed EMS2 request.]

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandV2.cpp:193][CSmEmsCommandV2::Execute][][][][][][][][][][][][][43][][][][][][][][Leave function CSmEmsCommandV2::Execute]

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandBase.cpp:231][CSmEmsCommandBase::Encode][][][][][][][][][][][][][][][][][][][][][Enter function CSmEmsCommandBase::Encode]

    [08/17/2016][21:32:54.812][21:32:54][31921][4023868272][SmEmsCommandBase.cpp:497][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][723][][][][][][][<session=>

    <command=login>

    <status=E/02d3/0/Invalid credentials>

    ][][Processed EMS2 response.]

     

    smps.log:

     

    [31921/-302568592][Wed Aug 17 2016 21:31:30][CA.SPS:STANDARD][INFO]

    INFO:XPSConnector::connectXPS:XPS Connection successful

    [31921/-229139600][Wed Aug 17 2016 21:33:04][CA.SPS:STANDARD][INFO]

    INFO:XPSConnector::connectXPS:XPS Connection successful



  • 38.  Re: Session Assurance - SessionDNA
    Best Answer

    Posted 08-18-2016 03:17 AM

    Hi Anil,

    Thank you for time on the remote session today.

    For the benefit of the community user, I am documenting our progress here as well.

     

    Action Taken

    ===========

    -Uninstalled PS completely

    -Re-installed PS and choose to configure a fresh new policy store.

    -Ensure that Arcot component on the Policy server could start up without any error.

     

    Then, we moved on the re-configure SPS with this policy server

    -The UDS component on the SPS can now startup without any error.

    - CAWebflow component however has an error connecting to policy server on 7680 port as currently the 7680 port is not opened between PS and SPS.

     

    Next Action

    ==========

    1. You will enable firewall and open port 7680 between PS and SPS

    2. Configure session assurance using following tech note :

    https://communities.ca.com/community/ca-security/blog/2016/08/04/tech-tip-ca-single-sign-on-policy-serverhow-to-configure-enhanced-session-assurance

     

    Regards,

    Ujwol



  • 39.  Re: Session Assurance - SessionDNA

    Posted 08-18-2016 06:33 PM

    Hi Ujwol, I got the connectivity on 7680 today and hopefully the last error. I am using Basic authentication on webagent for this resource. Hope you can help me easily on this.

     

    I was redirected to the following upon my initial login:

    /authapp/flows/i/session_assurance_flow.html?SMAUTHREASON=53&SMAGENTNAME=-SM-zXX7djEcfB5KE4KaaPHWW51pbHeg%2bEw5397Vf9pAZ27HOtq5XpoVx6giSS4lCnKW&TARGET=-SM-https%3a%2f%2fmodel%2ebga%2ebunge%2ecom%2ftsf%2f HTTP/1.1

     

     

    and then to:

    GET /uiapp/error/-1?error_code=system.error HTTP/1.1

     

    Nothing on Policy Server logs but on SPS side I show errors:

     

     

    CAWebFlowLog.txt:

     

    2016-08-18 17:12:31,208 [FlowExecutor,ajp-bio-9009-exec-3] ERROR  - TID[-1] 807259999: Unexpected exception in flow {0}(ID={1}); destroying session

    java.lang.RuntimeException: com.arcot.corejsvr.ExceptionWithNC: 808068044: Token ID missing from request.

            at com.ca.aa.ui.auth.authapp.flow.executor.token.SAValidatePSToken.execute(SAValidatePSToken.java:79)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.ExecutableFlowState.executeFlowAction(ExecutableFlowState.java:153)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.ExecutableFlowState.enterState(ExecutableFlowState.java:105)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutionController.enterstate(FlowExecutionController.java:675)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutionController.execute(FlowExecutionController.java:591)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutor.runflow(FlowExecutor.java:660)

            at com.ca.aa.ui.framework.cawebflow.engine.engine.FlowExecutor.startOrResumeFlow(FlowExecutor.java:556)

            at com.ca.aa.ui.framework.cawebflow.engine.servlet.FlowEngineServlet.doGet(FlowEngineServlet.java:58)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:620)

            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

            at com.ca.aa.ui.framework.cawebflow.engine.servlet.RequestContextManagerFilter.doFilter(RequestContextManagerFilter.java:154)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

            at com.ca.aa.ui.framework.filters.filter.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:51)

            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)

            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)

            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

            at com.netegrity.proxy.ProxyValve.processRequest(ProxyValve.java:819)

            at com.netegrity.proxy.ProxyValve.invoke(ProxyValve.java:492)

            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)

            at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:190)

            at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)

            at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)

            at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

            at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

            at java.lang.Thread.run(Thread.java:662)

    Caused by: com.arcot.corejsvr.ExceptionWithNC: 808068044: Token ID missing from request.

            at com.ca.aa.ui.auth.authapp.flow.executor.token.SAValidatePSToken.execute(SAValidatePSToken.java:78)

            ... 33 more

    2016-08-18 17:22:22,784 [OrganizationManagerImpl,ajp-bio-9009-exec-1] DEBUG  - [null] : [null] : Request received to get default Organiza

     

     

    UIAPPLOG:

     

    2016-08-18 17:22:22,831 [StringPropertyProvider,ajp-bio-9009-exec-1] WARN   - TID[-1] 3011005: Required configurations not set: default string resource for key 'template.ca-error.message' (Repeated 5 times)

     

    2016-08-18 17:21:43,875 CDT : [pool-3-thread-1] : DEBUG : java.sql.Connection : ooo Using Connection [org.apache.commons.dbcp.cpdsadapter.ConnectionImpl@1eb2e9f]

    2016-08-18 17:21:43,875 CDT : [pool-3-thread-1] : DEBUG : java.sql.Connection : ==>  Preparing: select max(LAST_UPDATED) from AAUI_CONFIG

    2016-08-18 17:21:43,876 CDT : [pool-3-thread-1] : DEBUG : java.sql.PreparedStatement : ==> Parameters:

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : java.sql.ResultSet : <==    Columns: MAX(LAST_UPDATED)

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : java.sql.ResultSet : <==        Row: 2013-10-18 21:25:23.33000000

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : spring.transaction.SpringManagedTransaction : Committing JDBC Connection [org.apache.commons.dbcp.cpdsadapter.ConnectionImpl@1eb2e9f]

    2016-08-18 17:21:43,878 CDT : [pool-3-thread-1] : DEBUG : mybatis.spring.SqlSessionUtils : Closing non transactional SqlSession [org.apache.ibatis.session.defaults.DefaultSqlSession@1baa46d]

    2016-08-18 17:22:22,831 CDT : [ajp-bio-9009-exec-1] : WARN  : browser.core.StringPropertyProvider : TID[-1] 3011005: Required configurations not set: default string resource for key 'template.ca-error.message' (Repeated 5 times)

    2016-08-18 17:22:42,506 CDT : [CacheUpdater] : DEBUG : rpc.rpc.ClientDispatcher : call getCacheUpdates



  • 40.  Re: Session Assurance - SessionDNA

    Posted 08-18-2016 06:44 PM

    Are you using Host Only cookie ? Session assurance doesn't support Host Only Cookie.



  • 41.  Re: Session Assurance - SessionDNA

    Posted 08-18-2016 07:29 PM

    I just reproduced the same error Anil.

    This error is thrown when the Host Only cookie is used.

    You will need to ensure that cookie domain of the target resource (protected resource) and the Session assurance end point are same.



  • 42.  Re: Session Assurance - SessionDNA

    Posted 08-18-2016 10:32 PM

    HEYYYYYYYYY.. I finally got it to work by making sure cookie domains match so SMSESSION is passed back and forth.

     

    Ujwol, You are a ROCK STAR. Thank You.



  • 43.  Re: Session Assurance - SessionDNA

    Posted 08-19-2016 07:34 AM

    That's awesome

    We will catchup on Monday.



  • 44.  Re: Session Assurance - SessionDNA

    Posted 08-02-2016 03:38 AM

    Hi Anil,

     

    You need first to insure the Session Assurance is configured and

    run on the Policy Server. If not, it will never work on the SPS side.

     

    2 things to do on the Policy Server :

     

    - Check that the bin/resource.dat has the following names

      replaced with the server name and install path :

     

      {{!__SERVERNAME__!}}.{{!__INSTALLPATH__!}}

     

      if it shows like that, the Session Assurance isn't configured

      on the Policy Server;

     

    - If above is configured, insure that Session Assurance runs :

     

      Try to telnet the Policy Server on port 7680 as like :

     

      telnet policy_server_ip 7680

     

      and if it tells you "Connect failed", then the Session Assurance

      doesn't run on the Policy Server.

     

    I hope that's help

     

    Patrick



  • 45.  Re: Session Assurance - SessionDNA

    Posted 08-03-2016 05:06 PM

    Thank You Patrick, obviously the issue is my riskminder is not running. I am working on fixing it.