CA API Gateway is unable to authenticate users with SMSESSION against CA SiteMinder Policy Server

Document ID : KB000095900
Last Modified Date : 15/05/2018
Issue:
Recently CA API Gateway was upgraded to version 9.3, and since then our API Gateway engineers have been seeing the following errors on the Gateway.
WARNING                          10102    CA Single Sign-On Authenticate Against CA Single Sign-On assertion: Unable to authenticate user using SSO Token:I2kO3+……………zlxoa40NiN9
 
It's not happening continuously, but our API Gateway people are seeing a significant number of errors.
Environment:
SiteMinder Policy Server version: 12.52 SP1 CR06
Operating System: RHEL 6.9 x86_64
CA API Gateway version : 9.3
 
Cause:
The custom SSO agent used by API Gateway checks the timeouts in the session. If the IDLE timeout is set to zero, the agent fails validation and rejects the SMSESSION.
 
Resolution:
Support reproduced the issue and confirmed the workaround below:
If "Idle Timeout" or "Maximum Timeout" for the SiteMinder realm is not enabled (or even if they are set to 0), we see Au or Az failures. When they are not enabled in SiteMinder, these values are set to 0. So when the Gateway checks the IdleTimeout, the check always fails, which leads to Au/Az failures even though the session has just been created and is valid.
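The failure mode described above, as an added sketch that is not CA's agent code: a timeout check that treats 0 as a real limit rejects even a brand-new session, while a check that treats 0 as "not enabled" still enforces non-zero limits. The `Session` fields, function names and the use of seconds are assumptions made for illustration.

```python
from typing import NamedTuple


class Session(NamedTuple):
    # Hypothetical field names; all values are in seconds.
    created: int       # when the session was issued
    last_access: int   # when the session was last used
    idle_timeout: int  # 0 = "Idle Timeout" not enabled on the realm
    max_timeout: int   # 0 = "Maximum Timeout" not enabled on the realm


def validate_naive(s: Session, now: int) -> bool:
    """Treats 0 as a real limit: elapsed time is always >= 0, so it always fails."""
    if now - s.last_access >= s.idle_timeout:
        return False
    if now - s.created >= s.max_timeout:
        return False
    return True


def validate_fixed(s: Session, now: int) -> bool:
    """Treats 0 as 'no limit' but keeps enforcing any non-zero timeout."""
    if s.idle_timeout < 0 or s.max_timeout < 0:
        return False  # malformed session data is rejected, not interpreted
    if s.idle_timeout and now - s.last_access >= s.idle_timeout:
        return False
    if s.max_timeout and now - s.created >= s.max_timeout:
        return False
    return True


NOW = 1_000_000  # constructed clock value for the sample sessions below

# Constructed sample sessions, not taken from a real Policy Server.
SAMPLES = {
    "fresh, both timeouts disabled": Session(NOW, NOW, 0, 0),
    "fresh, only max disabled": Session(NOW, NOW, 600, 0),
    "active, both enabled": Session(NOW - 100, NOW - 30, 600, 7200),
    "idle too long": Session(NOW - 1000, NOW - 900, 600, 7200),
    "past max lifetime, idle disabled": Session(NOW - 8000, NOW - 5, 0, 7200),
}


def compare(now: int = NOW) -> dict:
    """Return {label: (naive_result, fixed_result)} for every sample session."""
    return {k: (validate_naive(s, now), validate_fixed(s, now))
            for k, s in SAMPLES.items()}
```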
 
The code fix will be included in 9.3 CR3  (bugid: DE343361)
PRs request:
9.2 CR8 : Released March 2018
9.3 CR2 : Scheduled for release end of May