CA Performance Center configured for SAML or LDAP GSSAPI SSO integrations fails user login at the web UI after upgrade
After a 2.3.2 or 2.3.3 CA Performance Center upgrade, when configured for SAML or LDAP GSSAPI SSO integrations, users are no longer able to log in to the web UI.
The caperfcenter_sso service runs, but errors are seen in the SSOService.log or when trying to log in to the CA Performance Center (CAPC) web UI.
With a SAML SSO Integration this error would be seen in the SSOService.log file:
ERROR | qtp1956653918-25 | 2014-06-16 00:16:01,923 | common.sso.saml2.SAML2Login | SAML2 Authentication failed.
Reason: SAML2 ServiceProviderEntityID is not set
The SSOService.log is found in:
By default it would be in:
Often with an LDAP GSSAPI integration, there won't be a well-formed error in the normal logs to point to the problem. In this scenario, configuration and testing of the GSSAPI settings with the SSO Config utility will work without issue. But when the user attempts to log in to the CAPC web UI, they will be faced with an "Unable to authenticate user." message and a failed login attempt. This will appear in the SSO logs as a simple authentication failure.
One way to see deeper messaging for the LDAP GSSAPI integration is to enable debug in the configuration.jsp file found in $CAPC_HOME/CA/PerformanceCenter/sso/webapps/sso. By default it would be located in /opt/CA/PerformanceCenter/sso/webapps/sso. Within this file, change the 'boolean troubleshoot' value from false to true and save the file. Restart the SSO service (service caperfcenter_sso restart) and test a user's LDAP login via the SSO Config utility at the command line. Check whether this error appears:
DirContext.SECURITY_AUTHENTICATION = GSSAPI
Connecting to the LDAP server using GSSAPI. Username: hoggan. Password: set
Uncaught Exception:
java.lang.SecurityException: /configuration/ssoconfig_jaas.conf (No such file or directory)
The root cause behind both errors is the product's inability to find its necessary configuration files within the SSO service.
To resolve this, the SSO_HOME environment variable must be set correctly in the SSO service's wrapper.conf file. When it is not, the SSO service is unable to find the SAML or LDAP GSSAPI configuration files and settings.
In the $CAPC_HOME/CA/PerformanceCenter/sso/conf/wrapper.conf file, find the line that states:
It may be set with no value, or an incorrect or old value. Ensure it is set to the correct value which is:
For example in a default install it would be set to:
After fixing the wrapper.conf file for the SSO Service, restart the service with the command:
service caperfcenter_sso restart
Once the service has restarted, launch a fresh browser and clear the cache if necessary. Logging in to the CAPC web UI should now be successful.
This issue is resolved with the 2.3.4 release of CAPC where the installer shall ensure this is set properly within the SSO Service wrapper.conf file.
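To triage a host after the upgrade, the two error signatures quoted above can be searched for in one pass. The following shell functions are an added example, not part of the original article or of CA's tooling; they assume the SSOService.log (or the saved output of the GSSAPI troubleshoot test) is available as a text file, and the sample lines written by write_sample_log are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a log file using the two error signatures
# quoted in this article. Function names are hypothetical.

SAML_SIG='SAML2 ServiceProviderEntityID is not set'
GSSAPI_SIG='ssoconfig_jaas.conf (No such file or directory)'

# count_sig FILE SIGNATURE -> number of lines containing the fixed string.
# grep -F treats the signature literally (it contains parentheses).
count_sig() {
    grep -F -c -- "$2" "$1" || true
}

# diagnose_sso_log FILE -> prints one of: saml | gssapi | both | none | unreadable
# Exit status is 2 when the file cannot be read, 0 otherwise.
diagnose_sso_log() {
    log=$1
    [ -r "$log" ] || { echo unreadable; return 2; }
    saml=$(count_sig "$log" "$SAML_SIG")
    gss=$(count_sig "$log" "$GSSAPI_SIG")
    if [ "$saml" -gt 0 ] && [ "$gss" -gt 0 ]; then
        echo both
    elif [ "$saml" -gt 0 ]; then
        echo saml
    elif [ "$gss" -gt 0 ]; then
        echo gssapi
    else
        echo none
    fi
}

# write_sample_log FILE -> writes constructed sample lines modelled on the
# messages shown in the article (user name and timestamps are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
ERROR | qtp0000000000-1 | 2014-01-01 00:00:00,000 | common.sso.saml2.SAML2Login | SAML2 Authentication failed.
Reason: SAML2 ServiceProviderEntityID is not set
Connecting to the LDAP server using GSSAPI. Username: exampleuser. Password: set
java.lang.SecurityException: /configuration/ssoconfig_jaas.conf (No such file or directory)
EOF
}

# When run directly with a path argument, report on that file.
if [ "$#" -gt 0 ]; then
    diagnose_sso_log "$1"
fi
```

A result of saml, gssapi or both means the SSO_HOME setting in wrapper.conf should be checked as described above; none means neither signature is present in that file.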