Symantec Access Management

  • 1.  Which webagent timeouts to use in case of PUSH notification

    Posted Oct 01, 2019 04:20 AM
    Hi,
    We want to introduce push notification to our websites.

    We build a custom authentication scheme for this in which the authenticate method has to wait until the push notification is answered on the smartphone. This can take some time (e.g. 2 minutes). The verification process of a user (user, OTP validation by the answered push) takes a while.
    By now, for some reason, the user is sent back to the login page. The result of OTP validation by the answered PUSH isn't handled anymore.
    I think this is because some timeout values are too low.
    Can anybody advise me which timeouts (webagent, host, policyserver) I must use to make this work?
    There are many timeouts which can be set, RequestTimeout, AgentWaitTimeout, ...

    Any help would be appreciated.

    Regards
    Edwin


  • 2.  RE: Which webagent timeouts to use in case of PUSH notification
    Best Answer

    Broadcom Employee
    Posted Oct 01, 2019 04:39 AM
    Hello Edwin,

    The agentwaittime parameter is not relevant to the use case you described.

    You can try increasing the requesttimeout in your HCO and smhost.conf and check if it resolves your issue:

    Use the RequestTimeout parameter to specify the number of seconds that the trusted host should wait before deciding that a Policy Server is unavailable. This setting allows you to optimize the response time of the Web server.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/agents-and-agent-groups/trusted-hosts-for-web-agents.html

    Thank you

    Osarobo




  • 3.  RE: Which webagent timeouts to use in case of PUSH notification

    Posted Oct 07, 2019 08:08 AM
    Hi Osarobo,
    The RequestTimeout works fine for me. Thanks.
    Can you also tell me what I should change within my policy server to make it possible for 20 users to log in with PUSH notification at the SAME time?
    At this moment 15 requests are handled successfully but the others result in an authentication failure.

    Regards,
    Edwin



  • 4.  RE: Which webagent timeouts to use in case of PUSH notification

    Broadcom Employee
    Posted Oct 07, 2019 08:30 AM
    Hello Edwin,

    Have you tried increasing the requesttimeout further in your hco?

    Request Timeout
    Use the RequestTimeout parameter to specify the number of seconds that the trusted host should wait before deciding that a Policy Server is unavailable. This setting allows you to optimize the response time of the Web server.
    The default value is 60 seconds.
    If the Policy Server is busy due to heavy traffic or a slow network connection, you may want to increase the RequestTimeout value.

    If it still doesn't work, you can enable the policy server profiler with all the components and data fields added and reproduce the issue. This might show us what is happening during the errors and what might be done to improve the performance.

    Thanks

    Osarobo





  • 5.  RE: Which webagent timeouts to use in case of PUSH notification

    Broadcom Employee
    Posted Oct 08, 2019 03:08 PM
    FYI, too high a RequestTimeout can raise security concerns. What is your MaxThreads setting on the Policy Server? I would like to suggest that you check if there are any other intermediate devices that are causing the request timeouts. Also, as Osarobo mentioned, if all immediate efforts fail, you can create logs and traces for your use case, and open a Support ticket.
    Thanks. - Vijay


  • 6.  RE: Which webagent timeouts to use in case of PUSH notification

    Posted Oct 11, 2019 04:37 AM
    Hi Vijay,
    I have increased to 300 (5 minutes). What kind of security concerns are you talking about? I see no other ways to have the agent wait for an authentication request taking a long time, because the user has to respond to the push notification (which can take a longer time than validating an OTP entered in the login page - the user must be able to get his smartphone - start the app etc. etc.)
    I also increased the MaxThreads up to 20.

    Can you tell me what kind of logs you want, because I cannot find any errors in the smps.log/smdefaulttrace.log/webagent.log/trace.log - (btw. the webagent used is part of the CA Access Gateway).

    Thanks,
    Edwin