When trying to authenticate through SSO AuthAzWS from CA API Gateway the access gateway does not respond

Document ID : KB000108638
Last Modified Date : 31/07/2018
Show Technical Document Details
Issue:
When trying to authenticate through AuthAzWS from CA API gateway the access gateway does not respond .

When is done through a web browser directly it works Issue is happening in the access gateway.

working:
   browser -> Access Gateway/AuthAzWs
   SOAPUI -> Access Gateway/AuthAzWs   

not working : 
   SOAPUI -> API Gateway  ->   Access Gateway/AuthAzWs 


 
Environment:
Issue is happening in the access gateway. 

Access Gateway: Release: 12.8
OS: CENTOS 7

API Gateway 9.2 
 
Cause:

The normal sequence of events for Basic UN/PW Authentication is actually two requests and responses if using a browser : 
step1:
client - (sends request) -> server
client <-- 401 response) -  server
 
The browser/client can then response to the 401 (unauthorized) response. Usually it will pop ap a dialog box for the user to enter a UN/PW and then send a new request passing the original request and the IN?PW credentials : eg for Basic UN/PW :

step2:
client -- (re-send request this time with Authenticate header) -> server
client <-- (200 response page) -- server 

This two step process is often not convenient for webservice calls, so with webservices often a shortcut is used where pre-emptivly the Authenticate; header is sent with the first request. 
 
step1:
client -- (send request this time with Authenticate header) -> server
client <-- (200 response page) -- server 
 

For the CA SSO Access Gateway (formerly Secure Proxy Server).   When doing the browser two step process, the SSO Access Gateway on the first step, sets a cookie SMCHALLENGE=YES which then expects to see in the 2nd request - in addition to the Authenticate header.  

The CA SSO Access Gateway (formerly Secure Proxy Server) can do the shortened one step preemptive Basic authentication - but in additon to sending the Authenticate: header the cookie :  SMCHALLENGE=YES.  also needs to be sent. 

(The SMCHALLENGE cookie was introduced to CA SSO to stop some cases where failed Auth/Az would result in endless 302 redirect loop )
 
Resolution:

4) Fix API Gateway forward rule. 

We add the Cookie:SMCHALLENGE=YES header to the requests from the gateway 
User-added image
And then the request via API Gateway works. 


Note1:  In SSO SDK community the need for the SMCHALLENGE cookie it is fairly well know.   But in this case it was comparing the network trace from working to not working case where for me it clicked that this was the cause - so I've put in some notes on what we compared for testing.  

Probably best location for SMCHALLENGE=YES, describing how it is needed from SSO webservices is from here : 
Note2:  In the above soln we added the SMCHALLENGE cookie in the API Gateway  in the Route via HTTP assertion.   But we could also have added it to the client and had the API Gateway pass the cookie through to the backend from the original request. 
 
Additional Information:

The way to debug differences in a working / not-working senario - which often comes up when direct access works and when via a proxy the access does not work.   Is to compare the two requests as they are received aty the backend server.   In this case the requests were in cleartext, so just a tcpdump or wireshark trace will capture the relevant information. 

Our diagnostic process was as follows : 

1) Wireshark trace and compare. 
We captured the tcpdump on the SPS/ Access Gateway machine for the direct (success) and via Gateway (failure) cases and compare. 

We see that when direct SOAPUI sends request without credentials. A 401 response is received, with Set-Cookie SMCHALLENGE=YES 

And then SOAPUI sends second request this time with the credentials - and it also includes the Cookie: SMCHALLENGE=YES header. And the request is authenticated and returns correct result.. 

We see that via API Gateway, the Gateway preemtively sends the Authenticate: header - and this results in error returned from SPS/Ag. 

--- 

2) Simulate error in SOAPUI (direct) 

We change SOAPUI to pre-emtively send Authenticate: header (there is a setting when entering the auth UN/PW).   And we find direct request from SOAPUI then gives the same error that we get when we go via API Gateway. 


3) Simulate 2nd POST. 

We then work on SOAPUI to simulate the 2nd POST, the main issue is that 2nd POST contains the Cookie:SMCHALLENGE=YES header 

So we change SOAPUI to send SMCHALLENGE=YES cookie and to preemptively send Authenticate: header. 

And this works - so we have our soln to apply to request via API Gateway.