Layer7 API Management

  • 1.  INFO: API Gateway 9.2cr5 with Siteminder 12.7 Response Header Issue

    Posted Dec 19, 2017 05:18 PM

    This is not really a question but more of something I recently uncovered.  

     

    We were running CA SSO 12.52sp2 with API Gateway 9.2 and OTK 4.1 successfully with a custom authentication shim module that we developed. This was all working very well until we upgraded our CA SSO version to 12.7. After doing so, our OTK solution seemed to immediately stop working. After many hours of troubleshooting, I was able to determine the cause was that the siteminder response attribute configured in our custom authentication shim was returning a null value for one of the attributes when the response attribute was defined with "UID" instead of "uid":

    ATTR_UID=<%userattr="uid" %> GOOD
    ATTR_UID=<%userattr="UID" %> BAD

     

    This is either a bug with the API Gateway's siteminder agent interpretation of response headers with the siteminder 12.7 version, or a bug in the way that siteminder 12.7 returns response headers. I was able to set up a header dump page on a regular web agent running IIS and the case sensitivity issue did not seem to occur there. Either way returned the attribute to the page.

    Also, I managed to run a siteminder policy server trace of its construction of the response headers and found something kind of interesting:

    Good Response Trace:
    [12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]
    [12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 224, data size is 23]

     

    Bad Response Trace:
    [12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=][Send response attribute 224, data size is 9]
    [12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][OUR_AGENT_NAME][][][][OUR_REALM_NAME][OUR_DOMAIN_NAME][][][][][][][][][][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]

     

    For some reason, the policy server returns two "versions" of the attribute response, or at least says it does in the trace, but one is returned empty.  I've submitted a case with CA on this issue.

     

    Hopefully this helps someone out there.
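Added example (not part of the original post, and not CA tooling): a Python script that scans policy server trace text for `FormatAttribute` lines and reports every response attribute sent with an empty value, together with any populated copy of the same attribute in the same transaction, which is the pattern in the bad trace above. The field positions and the reading of `s55/r4` as a per-transaction tag are assumptions taken from the quoted lines, and the sample input is constructed.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the trace lines quoted in the post (names shortened).
SAMPLE_TRACE = """\
[12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][AGENT][][][][REALM][DOMAIN][][][][ATTR_UID=][Send response attribute 224, data size is 9]
[12/19/2017][14:43:14.440][14:43:14][4868][4520][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s55/r4][AGENT][][][][REALM][DOMAIN][][][][ATTR_UID=MYUSERNAME][Send response attribute 236, data size is 23]
[12/19/2017][14:40:36.773][14:40:36][4868][3496][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s40/r4][AGENT][][][][REALM][DOMAIN][][][][ATTR_UID=MYUSERNAME][Send response attribute 224, data size is 23]
"""

FIELD = re.compile(r"\[([^\]]*)\]")
SEND = re.compile(r"Send response attribute (\d+), data size is (\d+)")

def parse_format_attribute(line):
    """Return a record for a FormatAttribute trace line, or None for other lines."""
    fields = FIELD.findall(line)
    func_idx = next((i for i, f in enumerate(fields)
                     if f.endswith("::FormatAttribute")), None)
    if func_idx is None or len(fields) < func_idx + 4:
        return None
    sent = SEND.search(fields[-1])          # last field: the trace message
    if not sent or "=" not in fields[-2]:   # second to last: NAME=value
        return None
    name, _, value = fields[-2].partition("=")
    # Assumption: the field right after the function name tags the transaction.
    return {"txn": fields[func_idx + 1], "name": name, "value": value,
            "attr_id": int(sent.group(1)), "size": int(sent.group(2))}

def find_empty_attributes(trace_text):
    """Report attributes sent empty, with the ids of populated copies in the same txn."""
    grouped = defaultdict(list)
    for line in trace_text.splitlines():
        rec = parse_format_attribute(line)
        if rec:
            grouped[(rec["txn"], rec["name"])].append(rec)
    findings = []
    for (txn, name), recs in grouped.items():
        populated = sorted(r["attr_id"] for r in recs if r["value"])
        for r in recs:
            if not r["value"]:
                findings.append({"txn": txn, "name": name,
                                 "empty_attr_id": r["attr_id"],
                                 "populated_attr_ids": populated})
    return findings

if __name__ == "__main__":
    for finding in find_empty_attributes(SAMPLE_TRACE):
        print(finding)
```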



  • 2.  Re: INFO: API Gateway 9.2cr5 with Siteminder 12.7 Response Header Issue
    Best Answer

    Broadcom Employee
    Posted Dec 19, 2017 11:50 PM

    Hello,

     

    It looks like your problem is the same as the following knowledge doc:

    SSO R12.52 SP1 CR08 Issue with retrieving attributes from User store is case sensitive 

    Please request a fix for the Policy Server in your support case.

     

    Best regards,

    Seiji



  • 3.  Re: INFO: API Gateway 9.2cr5 with Siteminder 12.7 Response Header Issue

    Posted Dec 20, 2017 09:39 AM

    Yep, that looks like it!  I guess that didn't get included in the 12.7 release.  I'll update support with that document, thank you!!

    -Dave