Symantec Access Management

 View Only
  • 1.  CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues

    Posted Jan 16, 2018 04:14 PM

    After Upgraded to CA SSO POLICYSERVER R12.52 SP01 CR08 One Field Part of HTTP Header not populating

    And

    After Upgraded to CA SSO POLICYSERVER R12.7 SP01  One Field Part of HTTP Header not populating

     

    After Upgraded to CA SSO POLICYSERVER R12.52 SP01 CR08 One Field Part of HTTP Header not populating WebAgent-HTTP-Header-Variable firstName=<%userattr="givenname"%> Below is the error seeing in Web Agent Trace log , after First name there is no value.

    [Setting custom HTTP header variable: 'HTTP_firstName=']

    CA Support Updated it is Know Issue on CA SSO POLICYSERVER R12.52 SP01 CR08 Release & Provided a dev fix DE324989 for only Linux Based Policy Servers. There is No fix provided for Windows based Policy Servers.

     

    If any one planning for Upgrading/Installing CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 Make sure there is no fix available for Windows Based Policy Servers.

    We reported issue to CA Support on 12/13/2017, CA Engineering has not provided any update regarding fix for Windows.



  • 2.  Re: CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues
    Best Answer

    Posted Jan 16, 2018 05:28 PM

    Hi Kishore,

     

    Thanks for making the community aware of this defect in CR8.

    We have published a KB for this :

    SSO R12.52 SP1 CR08 Issue with retrieving attributes from User store is case sensitive 

     

    Also, please note , I just checked the engineering ticket , they have now provided the dev fix for windows also.

    The assinged engineer would reach out to you shortly. 

    Thank you for your patience.

     

    Symptoms:

    Our clients who upgraded from earlier releases of SSO 12 SP3 , 12.5, 12.51, 12.52, and 12.52 SP1  to 12.52 SP1 CR08 has experienced that User attributes configured in responses are no longer being set if the attribute defined in the response does not match the case sensitivity of the attributes name on the directory side.

    For Example, Active directory "mail" attribute is defined in a response header as follows "userattr=Mail" will no longer be set while if defined as "userattr=mail" gets set successfully.

     

    Environment:
    SSO Release 12.52 SP1 CR08 all platforms
    Cause:

    This is caused by a known Defect introduced in SSO 12.52 SP1 CR08 where the lookup for the user attribute was case sensitive.

    In our Example below, we defined two Response headers for the same policy as follows 

    * TEST_MAIL_LOWERCASE="userattr=mail"

    * TEST_MAIL="userattr=Mail"

    From policy server Trace, we can see the below Results 

    - For TEST_MAIL_LOWERCASE="userattr=mail"

    [Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][][][][][][][] 

    [SmAuthUser.cpp:2213][GetPropIndex] Processing Attribute [Property = mail] [Trim Property = mail] [Separator = ^]][][][][][][][][] 

    [SmDsUser.cpp:403][GetProp][Property 'mail' for user 'CN=joe10,CN=Users,DC=mysite,DC=com' found in cache][][][][][][][][] 

    [SmActiveExpr.cpp:520][CSmActiveExprLibrary::GetActiveValue][TEST_MAIL_LOWERCASE=joe10@ca.com][][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue][][][][][][][][] 

     

    - For TEST_MAIL="userattr=Mail"

    [SmAuthUser.cpp:2213][GetPropIndex][Processing Attribute [Property = Mail] [Trim Property = Mail] [Separator = ^]][][][][][][][][] 

    [SmDsUser.cpp:403][GetProp][Property 'Mail' for user 'CN=joe10,CN=Users,DC=mysite,DC=com' found in cache][][][][][][][][] 

    [SmActiveExpr.cpp:520][CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][][][][][][TEST_MAIL=][][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue][][][][][][][][] 

     

    Resolution:

    This Defect will be addressed within 12.52 SP1 CR09.

    If you require a DEV fix for 12.52 SP1 CR08, please open a Case with CA support to get the DEV fix based on your platform.

     

    Regards,

    Ujwol



  • 3.  Re: CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues

    Posted Jan 16, 2018 05:54 PM

    Hi Ujwol,

     

    Thanks for the Update.

     

    We are seeing the same Behavior in CA SSO 12.7 SP01 also. I have updated a Screenshot to case i have opened.

     

    As updated in KB, we are using user attribute values are in lower case only.

    email=<%userattr="mail"%>

    firstName=<%userattr="givenname"%>



  • 4.  Re: CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues

    Posted Jan 16, 2018 06:00 PM

    Hi Kishore,

     

    Yes, this defect affects 12.7/12.7 SP1 also.

    If you need dev fix please request in support case.

     

    This fix will be avaiable in 12.8 (not sure if we have plan for 12.7 SP2)

     

    Regards,

    Ujwol



  • 5.  Re: CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues

    Posted Jan 17, 2018 11:57 AM

    Hi Ujwol,

     

    I have opened a support case already for getting dev fix for  CA SSO 12.52 SP01 CR08 & 12.7 SP01. Please find below response from CA Support given 01/11/2018.

     

    Please provide URL for all Dev fixes of CA SSO if any 

     

    Created By: catechnicalsupport@ca.com (01/11/2018 14:40:32.000) Subject: CA Support Case 00123456 -After Upgraded to CA SSO POLICYSERVER R12.52 SP01 CR08

     

    Hi , I have contacted engineering to see what is the status of the binary. I have not gotten an update from engineering on the timeframe for a Windows fix. I will let you know as soon as I have something.

    Thank You,

    Christian Alteri

    CA Technologies SSO Support



  • 6.  Re: CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues

    Posted Jan 17, 2018 04:09 PM

    The window dev fix was provided by SE on 17/01. Please reach out to support engineer.



  • 7.  Re: CA SSO 12.52 SP01 CR08 & CA SSO 12.7 SP01 has HTTP Header variable Issues

    Posted Jan 18, 2018 11:29 AM

    Hi Ujwol,

    We got smds.dll file size: 364 KB from Support

     

    1. After Replacing existing smds.dll file with new smds.dll provided we are seeing APS(Advanced Password servcie's) errors in smps.log & still Custom HTTP Header User Attributes are not populating on 12.52 SP01 CR08

     

    [4180/2988][Thu Jan 18 2018 10:35:04][SmActiveExpr.cpp:646][ERROR][sm-Server-02740] AE failed to load library 'smaps'. System error: The specified procedure could not be found.

    .
    [4180/6692][Thu Jan 18 2018 10:35:04][SmActiveExpr.cpp:646][ERROR][sm-Server-02740] AE failed to load library 'smaps'. System error: The specified procedure could not be found.

     

    2. After Replacing existing smds.dll file with new smds.dll provided we are seeing Policy server not coming Up & Not producing any log file also on 12.7 SP01.