CA Service Management

 View Only
Expand all | Collapse all

CA SDM Login creates multiple sessions using Single Sign On.

  • 1.  CA SDM Login creates multiple sessions using Single Sign On.

    Posted 7 days ago

    Hi,

    We have SDM 17.3.0.12 in Advanced Availability configured for https and SSO on Windows Servers.
    When we open the URL https://<servername>/CAisd/pdmweb.exe the user is automatically logged in and two sessions are automatically opened instead of only one session.
    Opening a contact detail creates another session.
    Using refresh F5 in main window only closes one session and creates two new ones.
    It's generally the same behaviour with Internet Explorer and Edge, just a small difference that the Refresh (F5) in Contact Detail causes an extra session in Edge, and no new session is generated in IE.
    The main problem is that we get a multiple number of sessions than the actual logged-in users.
    Have any of you seen this kind of behaviour?
    How can we eliminate these multiple sessions from being created?

    Thanks and best regards
    Janos Mertz



  • 2.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago
    Hi Janos,

    We too are experiencing this behavior on several instances and is interested if there is a solution.

    Are you also seeing the following entries in your stdlog?
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 19
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 20
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 21
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 22
    Session 1688885974:0x00000152F8BE3D40 login by analyst XXXXX (cnt:D0AB394B2FD7CC5C9A51C8E7DD9F3AE0); session count 23

    Regards,
    Ruben


  • 3.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago
    Hi Ruben,

    I have checked the active sessions with pdm_webstat for the logged in user after the following activities.
    But I also find the entries in stdlog which you described with increasing session count.
    Here is an example of number of active sessions by different activities for my user.
    I ran on application server-1, with URL specified directly to that server, so not through load balancer.
    The server is configured with SSO and I used Edge for these keys.
    • Before Login                                 0
    • After Login                                    2
    • After contach search                    2
    • Opening contact detail                3
    • refresh contact detail (F5)           4
    • changing to other role and back 4
    • refresh main window                    6
    • After logout                                   5

    So in a very short time I have achieved that 5 unnecessary active sessions remained active until the timeout.
    I believe that they are also written in the session_log table.
    I ran the same test on all application servers, on background servers, then also via Load Balancer using Internet Explorer and also with Edge.
    I want to determine if it is related to Load Balancer or SSO, or something else?
    In my development environment without advanced availability configuration, without load balancer and SSO, it works perfectly with just one generated session which will be closed after logout.
    I will now configure at least SSO for my development machine and check it that way.
    Do you have similar behaviours?

    Thanks and best regards
    Janos


  • 4.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted yesterday
    Hi Janos,

    We had this behavior on a conventional setup, just 1 application server.
    If I remember correctly, on my initial Login I got 5 sessions. I'll do the same test and report back here.

    On the last version it was on, I think 17.1 or 17.2, it was worse. The total session count would bump up to as high as 12000 sessions and at that point, several daemons would crash (ran out of memory) making the application unavailable but the daemons would eventually recover so that is something to watch out for.

    When we upgraded to 17.3, the sessions were no longer reaching 120000 but we still had multiple sessions being generated per user.

    Regards,
    Ruben


  • 5.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 6 hours ago
    Hi Ruben,
    I believe it really is Load Balancer related as Michael described.
    The customer made some changes in Load Balancer and now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
    Unfortunately we still have the problem with Edge, a simple login generates two sessions, and each detail window generates another new one.
    We'll keep looking and I'll update our findings in this thread.
    Thanks and best regards
    Janos


  • 6.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago
    Perhaps check if this article is relevant:
    Google Chrome creates many Service Desk sessions for every activity (broadcom.com)


  • 7.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago
    Hi Stewart,
    It seems that this article describes a problem very similar to our problem.
    Because of other activities I will probably only be able to check it carefully on Monday.
    Anyway thanks a lot and I will update this thread with my findings.
    Thanks and best regards
    Janos


  • 8.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago
    Hi all.
    Another potential reason for multiple backend sessions for the same single frontend (browser) could be a misconfiguration of your loadbalancer.
    When SSO is configured you need to assure that on LB level the same SDM session will always be forwarded to the same app server (sticky session).
    In fact this should be configured in a non SSO environment as well, otherwise the user gets prompted for login each time he hits a different app server/webengine. This is because web session as well as SOAP sessions are not shared accross webengines. Btw. REST sessions are .

    Regards
    ...Michael


  • 9.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago
    Hi Michael,

    Thanks a lot.
    I also think we need to check towards LB and/or SSO.
    Do you think that we have to take the LB into account if I specify the application server directly in the URL?
    I've thought that in that way it is then purely dependent on the application server.
    As I mentioned in this thread before I plan to check these properties in my single server development system.
    If I can reproduce similar behavior using SSO, then I can disregard the load balancer temporarily.
    It means that I am still looking for the causes and collecting the information.

    Thanks and best regards
    Janos


  • 10.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 days ago

    Hi Janosh.

    Yes, usualy you adopt the lb fqdn into NX.env web_url and other NX.env url vars.

    That might lead to, that you are going through the LB later on, even though you started your session directly on the app server.
    Sure, this depends on the setup.
    Anyway, the lb access should work anyhow !
    Best regards
    ...Michael




  • 11.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 2 days ago
    Hi Michael,

    Thanks a lot.
    I couldn't reproduce it in a single server configuration.
    The duplicate session is only created when you refresh the main form using F5.
    Do you have any hints how to configure the load balancer correctly?
    It was configured by the customer and I would like to have ideas in which direction we can look further.

    Thanks and best regards
    Janos


  • 12.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted yesterday
    Hi Janos.
    I suggest the following , more general procedure (some of these might be checked by you already)
    • First check your settings in NX.env in regards to url's.
      I have the following vars in mind:
      @NX_WEB_CGI_URL
      @NX_SERVLET_SERVER_URL
      @NX_LOCAL_SERVLET_SERVER_URL
      @NX_CMDB_VISUALIZER
      All of them should point to your load balancer, in my understanding, and should look the same on all app server.
    • Then I would do another test to reproduce the issue , mostly as the only user on the system, to reduce confusion.
      Then check the webserver logs for incoming requests on all app server.
      If reproduced, and different app server have received requests, it would definitively point to a loadbalancer issue.
    • The load balancer needs to be configured with so called sticky sessions. How this is done depends on the loadbalancer in use, and could usually be done in various ways: by cookies, by incoming ip, maybe others.
    • In general the lb should also be configured to check the availability of app server's. The health servlet can be perfectly used to accomplish this. However, this kind of config is not related to this issue, but is part of a reliable loadbalancer setup
    Hope this helps
    Regards
    ...Michael


  • 13.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 6 hours ago
    Hi Michael,
    Thanks a lot.
    Customer has checked the load balancer settings and made small changes.
    I haven't received any information about what exactly, but now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
    Unfortunately we still have the problem with Edge. A simple login generates already two sessions, and each detail window generates another new one.
    I have checked the URLs in NX.env, and the following URLs are set in all servers:
    • @NX_WEB_CGI_URL=https://LOAD_BALANCER_NAME/CAisd/pdmweb.exe
    • @NX_SERVLET_SERVER_URL=https://HOSTNAME:8443
    • @NX_LOCAL_SERVLET_SERVER_URL=https://HOSTNAME:8443
    • @NX_WSP_CGI_URL=http://HOSTNAME/CAisd/pdmweb.exe

    We don't use visualizer.
    Do you think these settings are incorrect?
    Thanks and best regards
    Janos


  • 14.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 6 hours ago
    Hi Michael,
    Thanks a lot.
    Customer has checked the load balancer settings and made small changes.
    I haven't received any information about what exactly, but now it works correctly with Internet Explorer, only Refresh (F5) in main window creates unnecessary session.
    Unfortunately we still have the problem with Edge, a simple login generates two sessions, and each detail window generates another new one.
    I have checked the URLs in NX.env, and the following URLs are set in all servers:
    @NX_WEB_CGI_URL=https://LOAD_BALANCER_NAME/CAisd/pdmweb.exe
    @NX_SERVLET_SERVER_URL=https://HOSTNAME:8443
    @NX_LOCAL_SERVLET_SERVER_URL=https://HOSTNAME:8443
    @NX_WSP_CGI_URL=http://HOSTNAME/CAisd/pdmweb.exe
    The following URLs are set in all servers?
    Thanks and best regards
    Janos


  • 15.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Posted 5 hours ago
    Hi Janos.

    Good news, and obviously confirms, that additional unneccassary sessions might be related to a mis-configuration of the load balancer.

    I don't think, that new sesssions when doing a refresh (F5) in the main window is an issue.
    At least I can observe the same in this scenario: Single SDM server, no SSO. Doing a refresh forces me to do a new login.
    Hence a new session is created. So, this obviously behaves the same as in your situation.
    If your customer sees this as an issue, this would be a different topic ;)

    Regarding different behaviour of the Edge browser, there might be a technical reason for it. To examine this further on, I would take a look at the http requests, this browser sends, and compare them to a working browser behaviour.

    In regards the NX.env variable setup, I have the following thoughts:
    One of the main reasons implementing advanced availability, is exactly that: advanced availability.
    By using a specifc server for the sevlet urls, you have a single point of failure again.
    Second, you don't have load balancing capabilities any more. So all servlet activities like upload,download,report would use only one server.
    It's nothing wrong with this setup, but its more insufficient, in regards to the intent of advanced availability.

    Hope this helps.

    Best regards
    ...Michael




  • 16.  RE: CA SDM Login creates multiple sessions using Single Sign On.

    Broadcom Employee
    Posted an hour ago
    Hi All,

    We have addressed couple of SAML related issues in 17.3RU11, 17.3RU12 and 17.3RU13 and delivered the changes in pdmweb.jar. Please make sure you are on the latest RU level and pdmweb.jar is updated.

    Apart from the code fix there are couple of configuration changes are recommended in the load balancer settings.

    Can you please try with default persistence = None option and Click on the Update button in the "Load Balancing" Section like below screenshot.

    Also make changes in web.xml.

    NX_ROOT\bopcfg\www\CATALINA_BASE\webapps\CAisd\WEB-INF\web.xml

      <init-param>
        <param-name>exclude-urls-regex</param-name>
        <!-- <param-value>/images/|/js/|/css/</param-value> -->
        <param-value>/images/|/js/|/css/|/scripts/|/html/|/img/|/fonts/|/capa.properties</param-value>
      </init-param>

    After making above change, restart SDM tomcat or SDM service and verify the issue.

    Thanks & Regards,
    Hema.