Proxy to backend server gave Noodle_GenericException

Document ID : KB000006072
Last Modified Date : 14/02/2018
Issue:

A proxy rule is configured to redirect requests to the backend HTTPS-enabled application URL.

The browser shows the error Noodle_GenericException, as below:

 

[Screenshot: sps_error.png]


Environment:
SPS: R12.52SP1CR6
Cause:

The SPS server.log or nohup.log confirms that a trusted certificate was found, for example:

[06/Mar/2017:11:08:14-985] [INFO] - Found trusted certificate: [
  Version: V1
  Serial Number: 1234567890000000000
  SignatureAlgorithm: SHA256withRSA (1.2.840.123456.1.1.11)
  Issuer Name: CN=SMSSO, OU=Support, O=CA, L=AUS, ST=AUS, C=AUS

  Validity From: Fri Mar 03 14:51:52 CST 2017
           To:   Thu Feb 21 14:51:52 CST 2019
  Subject Name: CN=my.smdemo.com, OU=Support, O=CA, L=AUS, ST=AUS, C=AUS

but an Internal Error alert is reported shortly afterwards:

[06/Mar/2017:11:08:15-016] [INFO] - ***Created and initialized encryption cipher
[06/Mar/2017:11:08:15-016] [INFO] - CipherAlg: AES/CBC/NoPadding
[06/Mar/2017:11:08:15-016] [INFO] - CipherKey: 12345..a53c46a643d66890e2dee0f43096632c1a6ae0bed0b7c288e91685a7c35
[06/Mar/2017:11:08:15-016] [INFO] - ***Created and initialized Mac
[06/Mar/2017:11:08:15-016] [INFO] - MacAlg: HmacSHA1
[06/Mar/2017:11:08:15-016] [INFO] - MacKey: 12345..3f8a49733025b5c9139dd9412c34606e8e1
[06/Mar/2017:11:08:15-016] [INFO] - Mac length used: 20
[06/Mar/2017:11:08:15-016] [INFO] - ***SEND Alert Fatal, Internal Error

Based on the flow in the server log, SPS is able to find the trusted CA certificate but gets an error when it tries to create and initialize the encryption cipher. This indicates that the JCE patch has not been applied, which causes the issue.

Resolution:

The JRE needs to have the JCE patch applied.

Reference:
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/installing/install-ca-siteminder-sps

Snippet from documentation:
@@@
JCE patches required -- The current Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction patches are required to use the Java cryptographic algorithms. To locate the JCE package for your operating platform, go to the Oracle website.
Apply the patches to the following files on your system:
local_policy.jar
US_export_policy.jar
These files are in the following directories:
Windows: jre_home\lib\security
UNIX: jre_home/lib/security

jre_home specifies the location of the Java Runtime Environment installation.
@@@
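
To confirm whether the unlimited strength policy is actually in effect for the JRE that SPS runs on, a check like the following can be run with that JRE's java binary. This is an added example, not code from the CA documentation; the class name JcePolicyCheck and the 256-bit test key size are assumptions (key sizes above 128 bits are what the limited policy files block).

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class: reports whether this JRE enforces the limited JCE policy.
public class JcePolicyCheck {

    public static void main(String[] args) throws Exception {
        // Show which JRE is being tested; it must be the one SPS starts with.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // Limited policy files cap AES at 128 bits; unlimited returns Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: "
                + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes + " bits"));

        // Initialize the cipher named in the server log with a 256-bit key.
        // The all-zero key and IV are constructed test values, never real secrets.
        boolean ok = canInitAes256();
        System.out.println("AES/CBC/NoPadding with 256-bit key: "
                + (ok ? "OK" : "REJECTED (apply JCE policy files)"));

        // Non-zero exit code lets a deployment script fail fast on an unpatched JRE.
        System.exit(ok && maxAes >= 256 ? 0 : 1);
    }

    static boolean canInitAes256() throws NoSuchAlgorithmException, NoSuchPaddingException,
            java.security.InvalidAlgorithmParameterException {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[32], "AES"),   // 32 bytes = 256 bits
                    new IvParameterSpec(new byte[16]));       // AES block size
            return true;
        } catch (InvalidKeyException e) {
            // With the limited policy the JRE reports an illegal key size here.
            System.out.println("Cipher init failed: " + e.getMessage());
            return false;
        }
    }
}
```

Compile the class with a JDK targeting the same Java version, then run it with jre_home/bin/java so the result reflects the policy files in jre_home/lib/security.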

Additional Information:

Enable logging to debug SSL in SPS

For SPS, the files in which to apply the debug setting are:

Windows: proxy-engine/conf/SmSpsProxyEngine.properties

Unix: proxy-engine/proxyserver.sh

Add the parameter -Djavax.net.debug=all to the Java startup command.

Reference:

https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec1860387.html