IBM Verify


User not getting redirected to junctioned backend application due to EAI authentication error in ISAM

  • 1.  User not getting redirected to junctioned backend application due to EAI authentication error in ISAM

    Posted Sun January 26, 2020 07:41 AM
    Hi Experts,

    I am facing an issue when trying to authenticate ISAM users through an EAI application. After I enter the username and password in the text fields and click login, the application (test_sso) just loads for a few seconds and then returns the error: DPWWA1235E Could not read the response status line sent by a third-party server. Possible causes: non-spec HTTP headers, connection timeout, no data returned. This is not a problem with the WebSEAL server.


    EAI login


    EAI login error-


    I checked the script logs and found that the QUERY_STRING arguments are not getting passed from test_sso.pl (EAI login app) to check_user.pl (trigger URL). Or I think it could be due to some important configuration that I might have missed in the process.

    Below are the details of webseal configuration and EAI scripts:
    -------------------------------------------------
    For EAI, I have used perl scripts which are deployed on IIS server.
    I have made all the necessary changes in webseal configuration file to support EAI authentication mechanism.
    Below are the changes that I have done in webseal config file:
    [authentication-levels]
    ------------------------------
    level = unauthenticated
    level = password
    level = ext-auth-interface

    [eai-trigger-urls]
    -----------------------
    trigger = /eai/cgi-bin/check_user.pl


    [enable-local-response-redirect]
    ----------------------------------
    enable-local-response-redirect = yes

    local-response-redirect-uri = /eai/cgi-bin/test_sso.pl

    [local-response-macros]
    ------------------------
    macro = TAM_OP
    macro = USERNAME
    macro = METHOD
    macro = AUTHNLEVEL
    macro = ERROR_CODE
    macro = ERROR_TEXT

    [enable-redirects]
    --------------------------
    redirect = forms-auth
    redirect = ext-auth-interface

    And below are the EAI scripts that are deployed on IIS:

    test_sso.pl (EAI login form)
    #!C:\Perl64\bin\perl.exe
    
    use CGI;                             
    $last_login_failed = 0;
    $error_txt = "";
    
    # open file
    open OF, ">>c:\\eailogs\\test_sso.out";
    
    $qstring = $ENV{QUERY_STRING};
    print OF "\n QUERY_STRING: $qstring";
    print OF "\n";
    
    # dump args
    @arg_list = split('&',$qstring);
    print OF "ARGS: $#arg_list \n";
    for ($i=0; $i<=$#arg_list; $i++) {
    	print OF "\n $i: $arg_list[$i]";
    	($tmp1,$tmp2) = split('=',$arg_list[$i]);
    	if ($tmp1 eq 'ERROR_CODE' && $tmp2 ne "0x00000000") {
    		$last_login_failed = 1;
    	}
    	if ($last_login_failed && $tmp1 eq 'ERROR_TEXT') {
    		$error_txt = $tmp2;
    	}
    
    }
    
    close OF;
     
    
    #generate simple html
    
    print "Content-type: text/html\n\n";
    print "<HTML>\n";
    print "<HEAD>\n";
    print "<title> SSO Test</title></head>\n";
    print "<body>\n";
    print "Start Simple Test<br>\n";
    $str="Testing\n ";
    print $str;
    print "<BR>";
    print "Simple Test Completed! \n\n";
    print "<BR>";
    if ($last_login_failed ) {
    	## print "Try Again: LAST LOGIN ATTEMPT FAILED!!! \n";
    	print "Last Error: $error_txt";
    }
    
    # generate login html
    print "<BR>";
    print "<FORM METHOD=POST ACTION=\"../cgi-bin/check_user.pl\">";
    print "<FONT SIZE=\"+2\">";
    print "<TABLE BORDER=\"0\" WIDTH=\"400\">";
    print "<TR>";
    print "<TD ALIGN=\"LEFT\"><UL><LI>Username</LI></UL></TD>";
    print "<TD><INPUT NAME=\"username\" SIZE=\"15\"></TD>";
    print "</TR>";
    print "<TR>";
    print "<TD ALIGN=\"LEFT\"><UL><LI>Password</LI></UL></TD>";
    print "<TD><INPUT TYPE=\"PASSWORD\" NAME=\"password\" SIZE=\"15\"></TD>";
    print "</TR>";
    print "</TABLE>";
    print "</FONT>";
    print "<INPUT TYPE=\"HIDDEN\" NAME=\"login-form-type\" VALUE=\"pwd\">";
    print "<BR><INPUT TYPE=\"SUBMIT\" VALUE=\"Login\">";
    print "</FORM>";
    print "</BODY>";
    print "</HTML>";

    check_user.pl (trigger url)
    #!C:\Perl64\bin\perl.exe
    use CGI;
    $last_login_failed = 0;
    $error_txt = "";
    # open file
    open OF, ">>c:\\eailogs\\test_ck.out";
    
    $qstring = $ENV{QUERY_STRING};
    print OF "\n QUERY_STRING: $qstring";
    print OF "\n";
    
    
    # dump args
    @arg_list = split('&',$qstring);
    print OF "ARGS: $#arg_list \n";
    for ($i=0; $i<=$#arg_list; $i++) {
    	print OF "\n $i:  $arg_list[$i]";
    	($tmp1,$tmp2) = split('=',$arg_list[$i]);
    	if ($tmp1 eq 'ERROR_CODE' && $tmp2 ne "0x00000000") {
    		$last_login_failed = 1;
    	}
    	if ($last_login_failed && $tmp1 eq 'ERROR_TEXT') {
    		$error_txt = $tmp2;
    	}
    }
    
    print OF "START STDIN: \n";
    my @key; 
    while (<STDIN>) {
    	@key = split(/&/, $_);
    	print OF " Key/Value pair for Username is $key[0] \n";
    	print OF "  probably blank line ==>> $_ \n";
    }
    
    print OF "END STDIN: \n";
    my @username = split(/=/, $key[0]);
    print OF " (ext) User name after second split, hopefully not blank, $username[1] \n";
    close OF;
    
    # generate login header
    
    # Pass identity in this header for users external to Access Manager
    #print "am-eai-ext-user-id: $username[1]\n";
    
    # Pass this header if user is present in Access Manager registry
    print "am-eai-user-id: $username[1]\n";
    
    print "am-eai-xattrs: eai-orig-user\n";
    print "eai-orig-user: $username[1]\n";
    
    print "Server: Apache-Coyote/1.1\n";
    print "Content-Type: text/html;charset=utf-8\n";
    print "Content-Length: 1048\n";
    print "Date:.Thu, 20.Sept 2017 04:39:57.GMT\n";
    print "Connection:.close\n";
    print "\n";


    Thanks,
    Vishnu

    ------------------------------
    vishnu nautiyal
    ------------------------------
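    As an added illustration (not Vishnu's script and not IBM code), below is a Python CGI equivalent of the check_user.pl trigger URL, written the way a defender would want it: the form fields of a POST are read from the request body (CONTENT_LENGTH bytes on stdin, not QUERY_STRING), the am-eai-user-id header is emitted only after the password actually verifies, the username is checked before it is echoed into a header so it cannot smuggle extra header lines, and Content-Length always matches the body that follows. The user table and salt are constructed for the example; a real EAI would verify against a directory. It assumes WebSEAL has the [eai] stanza enabled and this script deployed at the [eai-trigger-urls] path.

```python
"""Added example: Python CGI equivalent of the check_user.pl EAI trigger.
Not the poster's script. USERS and _SALT are constructed for the example."""
import hashlib
import hmac
import os
import re
import sys
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

_SALT = b"constructed-salt"  # constructed; use a random per-user salt in practice


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed user table: username -> (salt, PBKDF2 hash of the password).
USERS = {"testuser": (_SALT, _hash(_SALT, "Passw0rd!"))}

# Only plain account-name characters may be echoed into a response header;
# CR, LF or non-ASCII in the username would otherwise allow header injection.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def verify_credentials(username: str, password: str) -> bool:
    """True only when the password matches; constant-time comparison."""
    entry = USERS.get(username)
    if entry is None:
        _hash(_SALT, password)  # same cost for unknown users (no timing tell)
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(salt, password), expected)


def parse_form(data: str) -> Dict[str, str]:
    """Decode application/x-www-form-urlencoded fields (first value of each)."""
    return {k: v[0] for k, v in parse_qs(data, keep_blank_values=True).items()}


def build_eai_response(method: str, query_string: str, body: bytes) -> Tuple[List[Tuple[str, str]], bytes]:
    """Return (headers, body). For a POST the form fields arrive in the
    request body, not in QUERY_STRING; a GET carries them in QUERY_STRING."""
    raw = body.decode("utf-8", "replace") if method == "POST" else query_string
    fields = parse_form(raw)
    username = fields.get("username", "")
    password = fields.get("password", "")
    headers: List[Tuple[str, str]] = []
    if _SAFE_USERNAME.fullmatch(username) and verify_credentials(username, password):
        # Identity is asserted to WebSEAL only after the password verified.
        headers += [("am-eai-user-id", username),
                    ("am-eai-xattrs", "eai-orig-user"),
                    ("eai-orig-user", username)]
        page = b"<html><body>Login accepted</body></html>\n"
    else:
        page = b"<html><body>Login failed</body></html>\n"  # no identity headers
    headers += [("Content-Type", "text/html;charset=utf-8"),
                ("Content-Length", str(len(page)))]  # always matches the body
    return headers, page


def serialize(headers: List[Tuple[str, str]], page: bytes) -> bytes:
    """CRLF-terminated header block, blank line, then the body."""
    head = b"".join(f"{name}: {value}\r\n".encode("ascii") for name, value in headers)
    return head + b"\r\n" + page


def main() -> None:
    method = os.environ.get("REQUEST_METHOD", "GET")
    length = int(os.environ.get("CONTENT_LENGTH") or 0)
    body = sys.stdin.buffer.read(length) if length > 0 else b""
    headers, page = build_eai_response(method, os.environ.get("QUERY_STRING", ""), body)
    sys.stdout.buffer.write(serialize(headers, page))


if __name__ == "__main__":
    main()
```

    Run under a CGI-capable web server at the trigger path with REQUEST_METHOD, CONTENT_LENGTH and QUERY_STRING set by the server; for a quick local check, pipe a form body into it with those variables exported. A failed login returns a page without any am-eai-* header, so WebSEAL never creates a session for an unverified user.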


  • 2.  RE: User not getting redirected to junctioned backend application due to EAI authentication error in ISAM

    Posted Mon January 27, 2020 03:48 AM
    Hi Vishnu,

    Just for completeness... I take it you've configured [eai] eai-auth = both (or http/https)?

    In your EAI authentication script check_user.pl, is there a specific reason you want to include the fixed Content-Length header?
    I'd suggest stripping that one out and trying again:

    print "Content-Length: 1048\n";


    You also configured [enable-redirects]; did you specify any specific page where this redirect points to? e.g.:

    [acnt-mgt]
    login-redirect-page = https://www.isam.com


    Generally, to troubleshoot this further (if the Content-Length tip did not work...), I'd recommend taking a set of pdweb traces, as this will help provide more detail on the HTTP messages exchanged between browser/WebSEAL/EAI-app.

    Hope this helps.



    ------------------------------
    HANS VANDEWEGHE
    ------------------------------
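    Two of the three causes the DPWWA1235E text lists (non-spec headers and a Content-Length that does not match what is actually returned) can be checked offline on the bytes a pdweb trace shows the EAI sending back. The following added example (not from the thread, not IBM tooling) is a small lint for a captured CGI response; SAMPLE is constructed to mirror the header lines check_user.pl prints, with the empty body that script produces.

```python
"""Added example: offline lint of a captured CGI/EAI response (not from the
thread). SAMPLE is constructed from the header lines check_user.pl prints."""
import re
from email.utils import parsedate_to_datetime
from typing import List

# RFC 7230 token characters: the only ones allowed in a header field name.
_TOKEN = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
# "name: value" with optional surrounding blanks around the value.
_HEADER_LINE = re.compile(r"([^:\s]+):[ \t]*(.*?)[ \t]*")


def lint_cgi_response(raw: bytes) -> List[str]:
    """Return findings for the header block; an empty list means it looked well-formed."""
    findings: List[str] = []
    # CGI scripts end lines with LF or CRLF; accept either separator.
    for sep in (b"\r\n\r\n", b"\n\n"):
        if sep in raw:
            head, body = raw.split(sep, 1)
            break
    else:
        return ["no blank line separating the header block from the body"]
    headers = {}
    for line in head.decode("latin-1").splitlines():
        m = _HEADER_LINE.fullmatch(line)
        if m is None:
            findings.append(f"malformed header line: {line!r}")
            continue
        name, value = m.group(1), m.group(2)
        if not _TOKEN.fullmatch(name):
            findings.append(f"illegal character in header name: {name!r}")
        headers[name.lower()] = value
    # A CGI response must carry at least one of these (RFC 3875, section 6.2).
    if not any(h in headers for h in ("content-type", "location", "status")):
        findings.append("neither Content-Type, Location nor Status present")
    if "content-length" in headers:
        declared = headers["content-length"]
        if not declared.isdigit():
            findings.append(f"Content-Length is not a number: {declared!r}")
        elif int(declared) != len(body):
            findings.append(f"Content-Length says {declared} but {len(body)} body bytes followed")
    if "date" in headers:
        try:
            parsedate_to_datetime(headers["date"])
        except Exception:  # unparseable dates raise (ValueError on 3.10+, TypeError earlier)
            findings.append(f"Date is not a valid HTTP-date: {headers['date']!r}")
    if "connection" in headers:
        # Conservative: a CGI script has no business sending anything else here.
        for option in headers["connection"].split(","):
            if option.strip().lower() not in ("close", "keep-alive"):
                findings.append(f"unexpected Connection option: {option.strip()!r}")
    return findings


SAMPLE = (  # constructed from the header lines in check_user.pl; empty body
    b"am-eai-user-id: testuser\n"
    b"am-eai-xattrs: eai-orig-user\n"
    b"eai-orig-user: testuser\n"
    b"Server: Apache-Coyote/1.1\n"
    b"Content-Type: text/html;charset=utf-8\n"
    b"Content-Length: 1048\n"
    b"Date:.Thu, 20.Sept 2017 04:39:57.GMT\n"
    b"Connection:.close\n"
    b"\n"
)

if __name__ == "__main__":
    for finding in lint_cgi_response(SAMPLE):
        print("-", finding)
```

    Feed it the exact bytes from the trace rather than a retyped copy, since stray characters around the colon are precisely what such a check is there to catch. A connection timeout, the third listed cause, cannot be judged from the bytes alone and still needs the trace timestamps.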



  • 3.  RE: User not getting redirected to junctioned backend application due to EAI authentication error in ISAM

    Posted Mon January 27, 2020 09:10 AM
    Hi Hans,

    Thanks for the reply.

    As per your suggestion,  I removed the 'content-length' line from the check_user.pl and tried again but no luck.

    I also checked the WebSEAL pdweb trace and it showed me the same error (that I already mentioned in the original question): DPWWA1235E Could not read the response status line sent by a third-party server. Possible causes: non-spec HTTP headers, connection timeout, no data returned. This is not a problem with the WebSEAL server.

    I checked the log file that gets generated once the login form is submitted; the value of $qstring was empty in the below code line:
    $qstring = $ENV{QUERY_STRING};

    I think the user login data from the test_sso.pl script is not getting passed to the QUERY_STRING of the check_user.pl script, due to which the $qstring value in the trigger URL is empty.

    Do I have to enable some setting in the WebSEAL config for EAI so that the HTTP login data can be passed to the trigger URL and WebSEAL, or do I need to modify the EAI script?


    Thanks,
    Vishnu



    ------------------------------
    vishnu nautiyal
    ------------------------------