Layer7 API Management

  • 1.  How to troubleshoot API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Sep 10, 2018 11:48 AM

    We installed API Gateway and CA SSO Integration.

    Everything works properly, API Gateway is able to generate SMSESSION cookies and validate them in the following calls.

    The issue now is that the API Gateway is not able to recognize the SMSESSION cookies generated by other Web Servers in the same CA SSO environment, and at the same time the Web Servers are not able to recognize the SMSESSION cookies generated by the Gateway.

     

    How can we troubleshoot this issue?



  • 2.  Re: How to troubleshoot API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Sep 10, 2018 12:16 PM

    Hello there.

     

    Have you enabled the AcceptTPCookie on your host configuration object? Are those policy servers in the same domain? If not, you might need to enable the cookie provider: Single Sign-On Cookie Domains and Web Agents - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

     

    I hope this helps.



  • 3.  Re: How to troubleshoot API Gateway - CA SSO Integration
    Best Answer

    Posted Sep 10, 2018 01:22 PM

    In addition to the AcceptTPCookie mentioned by Alan, we had to do the following in our FIPS Only environment (using API GW RHEL VM); without it there were issues with verifying the tokens.

     

    - Log into the Gateway

    - Go to /opt/SecureSpan/Gateway/runtime/etc/profile.d

    - Edit the file siteminder-env.sh

    - add the following above the line “CAPKIHOME=${CAROOT}/CAPKI”
    CA_SM_PS_FIPS140=ONLY

    - add the following after the LD_LIBRARY_PATH CAPKIHOME
    CA_SM_PS_FIPS140

    - Restart the Gateway

    -------

    File section should look like this:

    CA_SM_PS_FIPS140=ONLY
    CAPKIHOME=${CAROOT}/CAPKI
    export CAROOT LD_LIBRARY_PATH CAPKIHOME CA_SM_PS_FIPS140

     

     

    =====

     

    Also make sure the SSO Zone is all set up to match. If you use a separate SSO Zone between them it can cause failures as well, since API Gateway defaults (like a normal agent) to the SM zone. I assumed it was the "SM" zone though since you reference SMSESSION, but just in case.
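    The siteminder-env.sh edit above, as an added shell example that is not part of the original post: it applies the change to a constructed copy of the file (the CAROOT value is a placeholder), is safe to run twice, and checks the result against the "should look like this" section.

```shell
#!/bin/sh
# Added example (not Broadcom's code): apply the FIPS-only edit from the post
# above to siteminder-env.sh and verify the resulting section. Assumes the file
# has a line beginning "CAPKIHOME=${CAROOT}/CAPKI" and an "export ..." line that
# names CAPKIHOME, as in the post.

# Write a constructed stand-in for siteminder-env.sh to $1 (sample content;
# the CAROOT value is a placeholder, not the real Gateway path).
make_sample_env() {
    cat > "$1" <<'EOF'
CAROOT=/placeholder/CAROOT
LD_LIBRARY_PATH=${CAROOT}/lib:${LD_LIBRARY_PATH}
CAPKIHOME=${CAROOT}/CAPKI
export CAROOT LD_LIBRARY_PATH CAPKIHOME
EOF
}

# Insert CA_SM_PS_FIPS140=ONLY above the CAPKIHOME line and append the name to
# the export line. Keeps a .bak copy; a second run leaves the file unchanged.
add_fips_only() {
    f="$1"
    grep -q '^CA_SM_PS_FIPS140=ONLY$' "$f" && return 0
    cp "$f" "$f.bak"
    awk '
        index($0, "CAPKIHOME=${CAROOT}/CAPKI") == 1 { print "CA_SM_PS_FIPS140=ONLY" }
        /^export / && /CAPKIHOME/ && $0 !~ /CA_SM_PS_FIPS140/ { $0 = $0 " CA_SM_PS_FIPS140" }
        { print }
    ' "$f.bak" > "$f"
}

# Succeed only if the file matches the section shown in the post: the ONLY line
# directly above CAPKIHOME, and CA_SM_PS_FIPS140 named on the export line.
check_fips_only() {
    awk '
        prev == "CA_SM_PS_FIPS140=ONLY" && index($0, "CAPKIHOME=") == 1 { before = 1 }
        /^export / && /CAPKIHOME/ && /CA_SM_PS_FIPS140/ { exported = 1 }
        { prev = $0 }
        END { exit !(before && exported) }
    ' "$1"
}

# Demo on the constructed sample file.
tmp="${TMPDIR:-/tmp}/siteminder-env.sh.$$"
make_sample_env "$tmp"
add_fips_only "$tmp"
check_fips_only "$tmp" && echo "siteminder-env.sh FIPS section OK"
cat "$tmp"
rm -f "$tmp" "$tmp.bak"
```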



  • 4.  Re: How to troubleshoot API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Sep 13, 2018 03:27 AM

    Thanks a lot.

     

    I had already set the AcceptTPCookie parameter, but nothing worked till I changed the siteminder-env.sh file as Bertagnolli said above.



  • 5.  Re: How to troubleshoot API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Sep 13, 2018 06:28 AM

    I add another point.

    The check IP flag needs to be removed, because a cookie generated by a web server does not use the same IP.

    If this parameter is set, the authorization assertion fails and policy logs the error "invalid session IP".



  • 6.  Re: How to troubleshoot API Gateway - CA SSO Integration

    Broadcom Employee
    Posted Sep 11, 2018 07:07 PM

    Enabling SSO tracing is not so simple in Gateway - but it can be done - if the other settings do not fix your issue:

     

    Enabling CA Single Sign On (CA SSO) tracing in API Gateway 

     

    Cheers - Mark