Symantec Access Management


CA Siteminder Variables Syntax

  • 1.  CA Siteminder Variables Syntax

    Posted Feb 27, 2017 06:14 PM

    Hi,

     

    I'm trying out a simple variable scenario as below.

     

    I have defined a static variable in the domain as below. 

     

    Then I have defined a response that will use this static variable as below. After the user authenticates via FCC, this response is tied to both getpost rule and also azaccept rule.

    I can see that the TEST_HEADER is set correctly. I am able to read the value. 

     

    However, the variable response fails. I see this error in the PS trace log.

     

    [02/27/2017][17:28:40.555][17:28:40][12211][4034329456][SmActiveExpr.cpp:1003][CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.scriptevaluation.scriptactiveexpression.ActiveVariable TEST_STATIC_VARIABLE' failed with error 'Could not resolve parameter: "TEST_STATIC_VARIABLE"'][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    Anybody seen this before? Does this need a session server to work? All I'm trying is a static variable. Eventually I want to use a FORM Post variable, but this is the first step that I'm trying to resolve.



  • 2.  Re: CA Siteminder Variables Syntax

    Broadcom Employee
    Posted Feb 28, 2017 04:26 AM

    Hi Anand3g,

     

    You should not use "active response" with a static variable in your response.
    You should define the attribute as static or, to use a common variable as you
    have shown, set a "variable definition".

     

    Best Regards,
    Patrick



  • 3.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 06:54 AM

    A variable can NOT be used in just a Response.

    It first needs to be used in a Policy Expression to get evaluated.



  • 4.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 09:22 AM

    Thanks Ujwol Patrick-Dussault

     

    Patrick, when I set the response, that's the only option I see. I select variable, enter variable name and lookup definition, and this is what gets saved.

     

    Ujwol, Do you have any examples you can share with me on how to specify static variable in a policy expression so that it gets evaluated?

     

    Regards,

    Anand.



  • 5.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 10:12 AM

    Anand anand3g

     

    What is your version of Policy Server and version of Policy Store?



  • 6.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 10:14 AM

    12.52 sp1 cr 04 for both.

     

    CA directory as the policy store. 12 sp 17

     

    Regards,

    Anand.

     




  • 7.  Re: CA Siteminder Variables Syntax
    Best Answer

    Posted Feb 28, 2017 10:26 AM

    Awesome - I had a feeling it was R12.52 SP1 CR04 and CA Directory as Policy Store. Because I ran into the same issue last year. It is fixed in R12.52 SP1 CR06 and R12.6. I cannot give the support case number here. But it is a bug in R12.52 SP1 CR04 Policy Store schema which causes Variable Responses to break.

     

    This was my initial testing as part of my investigation last year.

    I tested a Variable and added it as a response in R12.52 SP1 CR02 and it works.

    I pointed a R12.52 SP1 CR04 Policy Server to R12.52 SP1 CR02 Policy Store and it works.

    But pointing a R12.52 SP1 CR04 Policy Server to R12.52 SP1 CR04 Policy Store, it breaks.

     

    Bottom line: Do not try using variables response in R12.52 SP1 CR04 OOB, it won't work. There is a fix for only R12.52 SP1 CR04 version which was provided in Jan 2017; you may need to raise a CA Support Case and request that fix. So my recommendation would be if you need to use variables, upgrade Policy Server and Policy Store to R12.52 SP1 CR06 version.

     

    EXAMPLES



  • 8.  Re: CA Siteminder Variables Syntax

    Posted Feb 20, 2018 04:10 PM

    Hi!  Do you know if it is possible to concatenate two "Request Context" variables, e.g. Server and Resource into a single response attribute, either via header or cookie response attribute?   The Request Context Variables are working for us, but I can only set each request context variable to a single response. I can't figure out how to add them to a single cookie.

     

    Also,  I think there may be a bug (version 12.7) where the Request Context variable with the Action property is not working correctly.  When we get the cookie in the response it appears to be the result of the authorization result, not the HTTP Verb per the documentation:

     

    Thanks!

    Dave



  • 9.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 11:10 AM

    Hi HubertDennis

     

    Interestingly, it worked for me with r12.52 SP1 CR04. I did what Ujwol suggested. I put a stupid rule in the Policy Expression. The only options available were equality and relational operators. So I selected an equality check between the same two variables! This seems to have evaluated the variable and my response gets set.

     

    TEST_VARIABLE==TEST_VARIABLE

     

    Does the bug affect non-static variables? Maybe for FORM post variables?


    Regards,

    Anand.



  • 10.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 11:19 AM

    The bug affects you if you use variables directly in responses.

     

    CA SSO does allow variables directly to be used in RESPONSE. See above screenshot. The bug is here in CR04.

     

    If it works via Expression, then you may choose to continue. This is a workaround, but it comes at a price.

     

    The overhead is more based on the solution we are trying to achieve. It is OK since your variable is a STATIC one. However, if your Variable itself has processing logic and you intend to use the variable in a response, then you cannot in CR04. Instead you now have to create an expression and call your variable in the expression. Policy Server evaluates the Expression and triggers the Variable. So you added one more hop / processing. Thus it is really up to what you are trying to achieve.

     

    Hope it helps clear the air !



  • 11.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 12:57 PM

    Yes, this is what I usually do or you can use not equal to "" expression 



  • 12.  Re: CA Siteminder Variables Syntax

    Posted Sep 28, 2017 02:23 PM

    I could not make it work.

    When I add the expression to a rule, user is no longer authorized.

    Trace log shows:

    [Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (CallSan45==CallSan45)' failed with error 'Resolution failed for variable: CallSan45'][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue]

     

    I also tried the expression as CallSan45==CallSan45 but no luck.

     

    Any tips?



  • 13.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 11:51 AM

    Twist in the tale. Works in 12.6 without adding anything to the Policy Expression.

     

    Curiouser and Curiouser.

     

    I wish I could mark two correct answers.

     

    Regards,

    Anand.



  • 14.  Re: CA Siteminder Variables Syntax

    Posted Feb 28, 2017 12:56 PM

    Good to know that from 12.52SP1CR6 and 12.6 onwards Variables can be used directly in Response.


    However, I do not think it was a bug.

    There are several tickets raised earlier with engineering where they said this was as per the product design.





  • 15.  Re: CA Siteminder Variables Syntax

    Posted Aug 25, 2017 03:58 PM

    So, a feature that's perfectly configurable and is not working is "working as designed"? It does not make sense. Either it's a feature and works, or it's not supported and/or not a feature.

     

    We're having the same issue at a customer running 12.52 SP1 CR5; we're going to upgrade to CR7 in the coming weeks to check if that works.

     

    Thanks.



  • 16.  Re: CA Siteminder Variables Syntax

    Posted Aug 25, 2017 05:26 PM

    Using Variables in Response directly works in ....

    • R12.52 SP1 CR02. Tested and confirmed.
    • R12.52 SP1 CR06 and above. As suggested by the fix to be shipped in R12.52 SP1 CR06.
    • R12.6. Tested and confirmed.

     

    It does not work in

    • R12.52 SP1 CR04. Tested and confirmed.
    • R12.52 SP1 CR05. Possibly broken here as well. Since the fix was supposed to be delivered in R12.52 SP1 CR06.

     

    So as we could see it used to work, but got broken and is now fixed.

     

    We can always request a DEV fix via a CA Support Case in R12.52 SP1 CR05 to test OR wait until upgrade is completed to R12.52 SP1 CR07.

     

    Regards

    Hubert



  • 17.  Re: CA Siteminder Variables Syntax

    Posted Sep 28, 2017 01:12 PM

    I've finished the upgrade to CR7 and I still have the problem:

    [Active expression 'GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.scriptevaluation.scriptactiveexpression.ActiveVariable CallSan45' failed with error 'Could not resolve parameter: "CallSan45"'][][Leave function CSmActiveExprLibrary::GetActiveValue]

     

    Just to make sure, I followed the steps on the upgrade guide and also I replaced the netegrity.dxc schema from Policy Store with the new one provided on the CR7 installation.
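
Added example, not part of any post in this thread and not CA/Broadcom code: a small Python filter that pulls the failed active expressions quoted in the posts above out of a Policy Server trace log and groups them by variable and by whether the failure came through `ActiveVariable` or `ActiveScript`, the two classes that appear in the thread's excerpts. It assumes only the bracketed failure field shown in those excerpts; the sample lines are constructed from them with the runs of empty `[]` fields trimmed.

```python
import re
from collections import Counter

# Only the bracketed failure field quoted in this thread is assumed; no other log layout.
FAILURE = re.compile(r"\[Active expression '(?P<expr>.*?)' failed with error '(?P<err>.*?)'\]")
STAMP = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[([\d:.]+)\]")
NAME = re.compile(r'(?:parameter|variable):\s*"?([\w.-]+)')

def parse_failure(line):
    """Return a dict describing one failed active expression, or None."""
    m = FAILURE.search(line)
    if not m:
        return None
    # Expression layout seen in the thread: a;b;c;<java class> <argument>
    cls, _, arg = m["expr"].split(";", 3)[-1].partition(" ")
    name = NAME.search(m["err"])
    stamp = STAMP.match(line)
    return {
        "when": " ".join(stamp.groups()) if stamp else None,
        "kind": cls.rsplit(".", 1)[-1],  # ActiveVariable or ActiveScript in the thread
        "argument": arg.strip(),
        "variable": name.group(1) if name else None,
        "error": m["err"],
    }

def summarize(lines):
    """Count failures per (variable, kind) so repeat offenders stand out."""
    hits = filter(None, map(parse_failure, lines))
    return Counter((h["variable"], h["kind"]) for h in hits)

# Constructed sample: the thread's excerpts with runs of empty [] fields trimmed.
PKG = "GetActiveAttr;smjavaapi;JavaActiveExpression;com.netegrity.scriptevaluation.scriptactiveexpression."
SAMPLE = [
    "[02/27/2017][17:28:40.555][17:28:40][12211][4034329456][SmActiveExpr.cpp:1003]"
    "[CSmActiveExprLibrary::GetActiveValue][]"
    f"[Active expression '{PKG}ActiveVariable TEST_STATIC_VARIABLE' failed with error "
    "'Could not resolve parameter: \"TEST_STATIC_VARIABLE\"'][]"
    "[Leave function CSmActiveExprLibrary::GetActiveValue]",
    f"[Active expression '{PKG}ActiveScript (CallSan45==CallSan45)' failed with error "
    "'Resolution failed for variable: CallSan45'][][Leave function CSmActiveExprLibrary::GetActiveValue]",
    "[02/27/2017][17:28:40.556][17:28:40][12211][][Leave function CSmActiveExprLibrary::GetActiveValue]",
]

if __name__ == "__main__":
    for (var, kind), n in summarize(SAMPLE).items():
        print(f"{var}: {n} failure(s) via {kind}")
```

To run it against a real trace file, pass the open file object to `summarize()` in place of `SAMPLE`.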



  • 18.  Re: CA Siteminder Variables Syntax

    Posted Dec 22, 2017 07:45 AM

    Just to let you know. I've upgraded to CR8 and now it's working fine.

    So, CR05 and CR07 did not work for me. CR08 is working fine.

     

    Regards.