CA Service Management


CA SDM Login creates multiple sessions using Single Sign On.

  • 1.  CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 11, 2022 09:50 AM

    Hi,

    We have SDM 17.3.0.12 in Advanced Availability configured for https and SSO on Windows Servers.
    When we open the URL https://<servername>/CAisd/pdmweb.exe the user is automatically logged in and two sessions are automatically opened instead of only one session.
    Opening a contact detail creates another session.
    Using refresh F5 in main window only closes one session and creates two new ones.
    It's generally the same behaviour with Internet Explorer and Edge, just a small difference that the Refresh (F5) in Contact Detail causes an extra session in Edge, and no new session is generated in IE.
    The main problem is that we get a multiple number of sessions than the actual logged-in users.
    Have any of you seen this kind of behaviour?
    How can we eliminate these multiple sessions from being created?

    Thanks and best regards
    Janos Mertz



  • 2.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 12, 2022 04:22 PM
    Hi Janos,

    We too are experiencing this behavior on several instances and are interested if there is a solution.

    Are you also seeing the following entries in your stdlog?
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 19
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 20
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 21
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 22
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 23

    Regards,
    Ruben


  • 3.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 13, 2022 04:43 AM
    Hi Ruben,

    I have checked the active sessions with pdm_webstat for the logged in user after the following activities.
    But I also find the entries in stdlog which you described with increasing session count.
    Here is an example of number of active sessions by different activities for my user.
    I ran on application server-1, with URL specified directly to that server, so not through load balancer.
    The server is configured with SSO and I used Edge for these keys.
    • Before Login: 0
    • After Login: 2
    • After contact search: 2
    • Opening contact detail: 3
    • Refresh contact detail (F5): 4
    • Changing to other role and back: 4
    • Refresh main window: 6
    • After logout: 5

    So in a very short time I have achieved that 5 unnecessary active sessions remained active until the timeout.
    I believe that they are also written in the session_log table.
    I ran the same test on all application servers, on background servers, then also via Load Balancer using Internet Explorer and also with Edge.
    I want to determine if it is related to Load Balancer or SSO, or something else?
    In my development environment without advanced availability configuration, without load balancer and SSO, it works perfectly with just one generated session which will be closed after logout.
    I will now configure at least SSO for my development machine and check it that way.
    Do you have similar behaviours?

    Thanks and best regards
    Janos


  • 4.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 17, 2022 03:19 AM
    Hi Janos,

    We had this behavior on a conventional setup, just 1 application server.
    If I remember correctly, on my initial Login I got 5 sessions. I'll do the same test and report back here.

    On the last version it was on, I think 17.1 or 17.2, it was worse. The total session count would bump up to as high as 12000 sessions and at that point, several daemons would crash (ran out of memory) making the application unavailable but the daemons would eventually recover so that is something to watch out for.

    When we upgraded to 17.3, the sessions were no longer reaching 120000 but we still had multiple sessions being generated per user.

    Regards,
    Ruben


  • 5.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 18, 2022 03:19 AM
    Hi Ruben,
    I believe it really is Load Balancer related as Michael described.
    The customer made some changes in Load Balancer and now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
    Unfortunately we still have the problem with Edge, a simple login generates two sessions, and each detail window generates another new one.
    We'll keep looking and I'll update our findings in this thread.
    Thanks and best regards
    Janos


  • 6.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 12, 2022 07:29 PM
    Perhaps check if this article is relevant:
    Google Chrome creates many Service Desk sessions for every activity (broadcom.com)


  • 7.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 13, 2022 06:48 AM
    Hi Stewart,
    It seems that this article describes a problem very similar to our problem.
    Because of other activities I will probably only be able to check it carefully on Monday.
    Anyway thanks a lot and I will update this thread with my findings.
    Thanks and best regards
    Janos


  • 8.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 13, 2022 01:30 AM
    Hi all.
    Another potential reason for multiple backend sessions for the same single frontend (browser) could be a misconfiguration of your loadbalancer.
    When SSO is configured you need to assure that on LB level the same SDM session will always be forwarded to the same app server (sticky session).
    In fact this should be configured in a non SSO environment as well, otherwise the user gets prompted for login each time he hits a different app server/webengine. This is because web session as well as SOAP sessions are not shared across webengines. Btw. REST sessions are .

    Regards
    ...Michael


  • 9.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 13, 2022 05:04 AM
    Hi Michael,

    Thanks a lot.
    I also think we need to check towards LB and/or SSO.
    Do you think that we have to take the LB into account if I specify the application server directly in the URL?
    I've thought that in that way it is then purely dependent on the application server.
    As I mentioned in this thread before I plan to check these properties in my single server development system.
    If I can reproduce similar behavior using SSO, then I can disregard the load balancer temporarily.
    It means that I am still looking for the causes and collecting the information.

    Thanks and best regards
    Janos


  • 10.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 13, 2022 08:30 AM

    Hi Janos.

    Yes, usually you adopt the lb fqdn into NX.env web_url and other NX.env url vars.

    That might lead to, that you are going through the LB later on, even though you started your session directly on the app server.
    Sure, this depends on the setup.
    Anyway, the lb access should work anyhow!
    Best regards
    ...Michael




  • 11.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 16, 2022 03:31 PM
    Hi Michael,

    Thanks a lot.
    I couldn't reproduce it in a single server configuration.
    The duplicate session is only created when you refresh the main form using F5.
    Do you have any hints how to configure the load balancer correctly?
    It was configured by the customer and I would like to have ideas in which direction we can look further.

    Thanks and best regards
    Janos


  • 12.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 17, 2022 02:50 AM
    Hi Janos.
    I suggest the following, more general procedure (some of these might be checked by you already):
    • First check your settings in NX.env in regards to url's.
      I have the following vars in mind:
      @NX_WEB_CGI_URL
      @NX_SERVLET_SERVER_URL
      @NX_LOCAL_SERVLET_SERVER_URL
      @NX_CMDB_VISUALIZER
      All of them should point to your load balancer, in my understanding, and should look the same on all app server.
    • Then I would do another test to reproduce the issue, mostly as the only user on the system, to reduce confusion.
      Then check the webserver logs for incoming requests on all app server.
      If reproduced, and different app server have received requests, it would definitively point to a loadbalancer issue.
    • The load balancer needs to be configured with so called sticky sessions. How this is done depends on the loadbalancer in use, and could usually be done in various ways: by cookies, by incoming ip, maybe others.
    • In general the lb should also be configured to check the availability of app server's. The health servlet can be perfectly used to accomplish this. However, this kind of config is not related to this issue, but is part of a reliable loadbalancer setup
    Hope this helps
    Regards
    ...Michael
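
The web server log check from the procedure above, as an added example that is not part of the original post or of CA SDM: it reads IIS W3C logs from each application server and lists clients whose /CAisd/ requests were received by more than one server. The log excerpts, server names, user names and IP addresses are constructed; it assumes the logs include cs-username or c-ip and that the client identity is preserved through the load balancer.

```python
from collections import defaultdict

# Constructed IIS W3C excerpts, one per application server (hypothetical values).
APP1_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2022-05-17 08:00:01 GET /CAisd/pdmweb.exe analyst1 10.0.0.50 200
2022-05-17 08:00:05 GET /CAisd/pdmweb.exe analyst2 10.0.0.51 200
"""
APP2_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2022-05-17 08:00:03 GET /CAisd/pdmweb.exe analyst1 10.0.0.50 200
2022-05-17 08:00:09 GET /health - 10.0.0.5 200
"""

def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def servers_per_client(logs_by_server, uri_prefix="/CAisd/"):
    """Map each client (user name, else client IP) to the servers that saw it."""
    seen = defaultdict(set)
    for server, text in logs_by_server.items():
        for rec in parse_w3c(text):
            stem = rec.get("cs-uri-stem", "").lower()
            if not stem.startswith(uri_prefix.lower()):
                continue  # ignore health checks and other applications
            user = rec.get("cs-username", "-")
            client = user if user != "-" else rec.get("c-ip", "?")
            seen[client].add(server)
    return dict(seen)

def split_clients(logs_by_server):
    """Clients whose requests reached more than one application server."""
    return {
        client: sorted(servers)
        for client, servers in servers_per_client(logs_by_server).items()
        if len(servers) > 1
    }

if __name__ == "__main__":
    for client, servers in split_clients({"app1": APP1_LOG, "app2": APP2_LOG}).items():
        print(f"{client} was served by: {', '.join(servers)}")
```
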


  • 13.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 18, 2022 03:19 AM
    Hi Michael,
    Thanks a lot.
    Customer has checked the load balancer settings and made small changes.
    I haven't received any information about what exactly, but now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
    Unfortunately we still have the problem with Edge. A simple login generates already two sessions, and each detail window generates another new one.
    I have checked the URLs in NX.env, and the following URLs are set in all servers:
    • @NX_WEB_CGI_URL=https://LOAD_BALANCER_NAME/CAisd/pdmweb.exe
    • @NX_SERVLET_SERVER_URL=https://HOSTNAME:8443
    • @NX_LOCAL_SERVLET_SERVER_URL=https://HOSTNAME:8443
    • @NX_WSP_CGI_URL=http://HOSTNAME/CAisd/pdmweb.exe

    We don't use visualizer.
    Do you think these settings are incorrect?
    Thanks and best regards
    Janos


  • 14.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 18, 2022 03:20 AM
    Hi Michael,
    Thanks a lot.
    Customer has checked the load balancer settings and made small changes.
    I haven't received any information about what exactly, but now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
    Unfortunately we still have the problem with Edge, a simple login generates two sessions, and each detail window generates another new one.
    I have checked the URLs in NX.env, and the following URLs are set in all servers:
    @NX_WEB_CGI_URL=https://LOAD_BALANCER_NAME/CAisd/pdmweb.exe
    @NX_SERVLET_SERVER_URL=https://HOSTNAME:8443
    @NX_LOCAL_SERVLET_SERVER_URL=https://HOSTNAME:8443
    @NX_WSP_CGI_URL=http://HOSTNAME/CAisd/pdmweb.exe
    The following URLs are set in all servers?
    Thanks and best regards
    Janos


  • 15.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 18, 2022 04:13 AM
    Hi Janos.

    Good news, and obviously confirms that additional unnecessary sessions might be related to a mis-configuration of the load balancer.

    I don't think that new sessions when doing a refresh (F5) in the main window is an issue.
    At least I can observe the same in this scenario: Single SDM server, no SSO. Doing a refresh forces me to do a new login.
    Hence a new session is created. So, this obviously behaves the same as in your situation.
    If your customer sees this as an issue, this would be a different topic ;)

    Regarding different behaviour of the Edge browser, there might be a technical reason for it. To examine this further on, I would take a look at the http requests, this browser sends, and compare them to a working browser behaviour.

    In regards the NX.env variable setup, I have the following thoughts:
    One of the main reasons implementing advanced availability, is exactly that: advanced availability.
    By using a specific server for the servlet urls, you have a single point of failure again.
    Second, you don't have load balancing capabilities any more. So all servlet activities like upload, download, report would use only one server.
    It's nothing wrong with this setup, but it's more insufficient, in regards to the intent of advanced availability.

    Hope this helps.

    Best regards
    ...Michael




  • 16.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 19, 2022 02:54 PM
    Hello everybody,
    Our problem seems to be solved, and several clues point us in the right direction.
    After the customer changed redirect configurations in the load balancer, we didn't get multiple sessions with Internet Explorer, but still with Edge.
    Since the Edge is based on Chrome technology, I followed Stuart Matthews' advice and checked the Internet Information Server settings in all servers in the test and productive environments running in advanced availability configuration.
    In two out of three application servers in the productive environment, the HTTP redirect was configured, exactly in both of which are load balanced and in which we had multiple sessions.
    After unchecking the redirect checkbox it also worked correctly with Edge.
    I would like to say a big thank you to all of you for the support.
    Best regards
    Janos


  • 17.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Broadcom Employee
    Posted May 20, 2022 12:05 AM
    Hi Janos,

    That's great news. Thanks for letting us know.
    If possible can you share what are the changes done in redirect configurations of load balancer to address the issue?

    Thanks & Regards,
    Hema.


  • 18.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 20, 2022 02:08 AM
    Hi Hema,
    The customer has configured the load balancer and I still have no exact information about what they have changed.
    I also don't have access to the load balancer, but I will try to get the configuration information.
    If I find out anything I'll keep you updated.
    Thanks and best regards
    Janos


  • 19.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 20, 2022 03:03 AM
    Hi Hema,
    I received information about changes made in LB configuration.
    The customer has (re)enabled forwarding from port 8080 to port 8443 in the load balancer.
    It was activated a long time ago but was removed again because one of the different interfaces with the redirection did not work properly.
    Now everything works without creating multiple sessions.
    Thanks, and best regards
    Janos


  • 20.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Broadcom Employee
    Posted May 20, 2022 05:29 AM
    Hi Janos,

    Thank you very much for sharing these details.

    Regards,
    Hema.


  • 21.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 20, 2022 05:54 AM
    Hi Janos.
    Also from my side, thanks a lot for these details.
    I can imagine, that moving from http to https or vice versa might impact the session behaviour.
    However, I am interested in the details here as well.
    Is the loadbalancer accessed by http or https? On which port?
    How does the IIS setup look? http or https? On which port?
    How does the sdm setup look? http or https?
    As you know, Tomcat is in use for the servlet? On which port?
    Do you use tomcat or IIS + pdmweb.exe for serving the GUI?

    Can you please share the details about the changes done on the IIS side. I did not understand the hints you gave already, so that I don't have a complete understanding. You mentioned some redirect configuration. Can you please elaborate a bit more, what kind of redirect config has been done or removed at IIS level? 

    Thanks in advance
    ...Michael


  • 22.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 20, 2022 07:08 AM
    Hi Michael,
    I will not be able to answer these questions today,
    I'll leave your email unread so I won't forget on Monday.
    Thanks and best regards
    Janos


  • 23.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted May 24, 2022 04:09 PM
    Hi Michael,
    Sorry I can only reply now.
    Loadbalancer accessed by https using port 443.
    IIS configured with https using port 443, also works with http and port 80.
    SDM Setup? If you mean web_cgi_url this is https.
    Tomcat servlet port: 8443
    IIS is used for GUI.
    In IIS it was a HTTP-Redirect configured to /CAisd/pdmweb.exe, with that, the URL would work with only servername.
    I hope it helps.
    Best Regards
    Janos


  • 24.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Broadcom Employee
    Posted May 18, 2022 08:17 AM
    Hi All,

    We have addressed a couple of SAML related issues in 17.3RU11, 17.3RU12 and 17.3RU13 and delivered the changes in pdmweb.jar. Please make sure you are on the latest RU level and pdmweb.jar is updated.

    Apart from the code fix, a couple of configuration changes are recommended in the load balancer settings.

    Can you please try with default persistence = None option and Click on the Update button in the "Load Balancing" Section like below screenshot.

    Also make changes in web.xml.

    NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\web.xml

      <init-param>
        <param-name>exclude-urls-regex</param-name>
        <!-- <param-value>/images/|/js/|/css/</param-value> -->
        <param-value>/images/|/js/|/css/|/scripts/|/html/|/img/|/fonts/|/capa.properties</param-value>
      </init-param>

    After making above change, restart SDM tomcat or SDM service and verify the issue.

    Thanks & Regards,
    Hema.