Symantec Access Management

  • Private Community
 View Only
Back to discussions
Expand all | Collapse all

Tech Tip : CA Single Sign-On : Apache Reverse Proxy Web Agent doesn't process the WebAppClientResponse

  • 1.  Tech Tip : CA Single Sign-On : Apache Reverse Proxy Web Agent doesn't process the WebAppClientResponse

    Broadcom Employee
    Posted Aug 14, 2017 06:57 AM

    Issue:


    We're running Web Agent on Apache Reverse Proxy, and when the

    LoadModule libmod_sm24.so line to is set at the end of the

    LoadModule list, then the WebAppClientResponse is not completely

    processed and the request is sent to the backend server instead of

    processing the file from the WebAppClientResponse.

     

    The strace command reports the processing to open a connection to the

    backend server :

     

    the WebAppClientResponse response file code is :

     

    {

    "reason": "$$Reason$$",

    "url": "$$URL$$"

    }

     

    and the thread open a connection after reading this file :

     

    13:35:49 open("/www/web/siteminder_custom_response.json", O_RDONLY) = 12

    13:35:49 fstat(12, {st_mode=S_IFREG|0644, st_size=49, ...}) = 0

    13:35:49 read(12, "{\n \"reason\": \"$$Reason$$\",\n \"u"..., 49) = 49

     

    13:35:49 bind(12, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 0

    13:35:49 getsockname(12, {sa_family=AF_NETLINK, pid=38726, groups=00000000}, [12]) = 0

    13:35:49 sendto(12, "\24\0\0\0\26\0\1\3\225 ^Y\0\0\0\0\0\0\0\0", 20, 0,

    {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 20

    13:35:49 recvmsg(12, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[

    {"8\0\0\0\24\0\2\0\225 ^YF\227\0\0\2\10\200\376\1\0\0\0\10\0\1\0\177\0\0\1"..., 4096}],

    msg_controllen=0, msg_flags=0}, 0) = 172

     

    We would expect the Web Agent to read the WebAppClientResponse

    response file and give the code to the browser as per this strace

    snippet :

     

    The WebAppClientResponse response file code :

     

    <web20>

    <siteminderreason>$$reason$$</siteminderreason>

    <siteminderredirecturl>$$url$$</siteminderredirecturl>

    </web20>

     

    and the thread should write a header like this one :

     

    06:57:10 open("/var/www/html/siteminder_custom_response.json", O_RDONLY) = 15

    06:57:10 fstat(15, {st_mode=S_IFREG|055, st_size=121, ...}) = 0

    06:57:10 read(15, "<web20>\n<siteminderreason>$$reas"..., 121) = 121

     

    06:57:10 writev(12, [{"HTTP/1.1 200 OK\r\nDate: Thu, 06 J"..., 137},

    {"<web20>\n<siteminderreason>Challe"..., 113}], 2) = 250

    06:57:10 write(10, "130.119.150.229 - - [06/Jul/2017"..., 88) = 88

    06:57:10 shutdown(12, 1 /* send */) = 0

     

    Environment:

     

    Web Agent 12.52SP1CR05 64bit On Apache 2.4 64bit on RedHat 6 64bit;

    Policy Server : 12.52SP2CR01 on Windows 2012 R2;

     

    Resolution:

     

    This issue will be fixed in Web Agent 12.52SP1CR09.

     

    You can also workaround the issue by setting LoadModule for

    sm_module at the very top of the LoadModule list in the httpd.conf

    like this :

     

    LoadModule sm_module "/opt/CA/webagent/bin/libmod_sm24.so"

    SmInitFile "/opt/apache2.4/conf/WebAgent.conf"

    LoadModule authn_file_module modules/mod_authn_file.so

    #LoadModule authn_dbm_module modules/mod_authn_dbm.so

    #LoadModule authn_anon_module modules/mod_authn_anon.so

     

    [...]

    KB :