By Yongmin Chen and Soumyajit Roy
ISAM EAI (external authentication interface) allows a remote service to handle the authentication process for WebSEAL; WebSEAL then creates an authenticated session from the user identity information returned by the EAI service.
With EAI, ISAM supports changing the session timeout, as covered in the ISAM Knowledge Center document in Reference 1).
Following are some commonly seen problems when implementing this in an EAI service, and how to troubleshoot and fix them. (In the following examples, a very short session inactivity timeout of 100 seconds is used.)
Problem 1): The EAI service is changed to return the following headers in the EAI response:
am_eai_xattr_session_lifetime: 1567991987
am_eai_xattr_session_inactive_timeout: 100
am-eai-xattrs: am_eai_xattr_session_inactive_timeout, am_eai_xattr_session_lifetime
During a runtime test, the error page shown in Diagram 1 is returned by WebSEAL.
Cause: there is a space between the 2 attribute names in the EAI header ‘am-eai-xattrs’, e.g. ‘am_eai_xattr_session_inactive_timeout, am_eai_xattr_session_lifetime’. WebSEAL does not allow any space before or after the comma delimiter.
Problem 2): The EAI service is changed to return the following headers in the EAI response:
am_eai_xattr_session_lifetime: 1567991987
am_eai_xattr_session_inactive_timeout: 100
am-eai-xattrs: am_eai_xattr_session_inactive_timeout,am_eai_xattr_session_lifetime
(The space between the 2 attribute names was removed: ‘am_eai_xattr_session_inactive_timeout,am_eai_xattr_session_lifetime’.)
In the runtime test, the WebSEAL session lifetime is not changed with these settings; the change does not take effect.
Cause: the EAI service also returns the ‘am-eai-pac’ header in the EAI response. When WebSEAL receives both the am-eai-pac header and other extended attribute headers, the extended attribute headers are ignored; WebSEAL only uses the ‘am-eai-pac’ header to obtain the PAC constructed by the EAI service and creates the authenticated session from that.
Problem 3): The EAI service is changed to return the following attributes as extended attributes of the PAC token:
am_eai_xattr_session_lifetime: 1567991987
am_eai_xattr_session_inactive_timeout: 100
and the following header in the EAI response:
am-eai-xattrs: am_eai_xattr_session_inactive_timeout,am_eai_xattr_session_lifetime
In the runtime flow, the error page shown in Diagram 1 is thrown by WebSEAL.
Cause: WebSEAL receives the EAI response header ‘am-eai-xattrs’ and tries to validate it, but it does not find the specified extended attribute headers in the response, so it throws the error page. There are 2 ways to fix this: either remove the ‘am-eai-xattrs’ header from the EAI response, or add the extended attributes as headers in the EAI response.
After removing the ‘am-eai-xattrs’ response header and adding the extended attributes only to the PAC token constructed by the EAI service, the ISAM session timeout starts working as expected.
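The three problems above are all header-shape mistakes that can be caught before the response reaches WebSEAL. The checker below is an added example (not IBM or WebSEAL code) that applies the rules as the article states them: no whitespace around the comma delimiter in am-eai-xattrs, every name listed in am-eai-xattrs must exist as a header, and am-eai-pac together with extended attribute headers means the headers are ignored. The sample header sets are constructed from the three problem cases and the final fix; the PAC value is a placeholder.

```python
"""Lint EAI response headers for the problems described in the article."""

XATTRS_HEADER = "am-eai-xattrs"
PAC_HEADER = "am-eai-pac"


def check_eai_headers(headers):
    """Return a list of findings ("ERROR: ..." / "WARNING: ...") for a dict
    of EAI response headers. Header names are compared case-insensitively,
    as HTTP header names are; an empty list means nothing was found."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings = []
    xattrs = lower.get(XATTRS_HEADER)
    if xattrs is None:
        return findings  # no extended attribute list, nothing to validate
    for name in xattrs.split(","):
        if name != name.strip():
            # Problem 1: WebSEAL rejects space before/after the comma
            findings.append(
                f"ERROR: whitespace around attribute name {name!r} in "
                f"{XATTRS_HEADER}; remove spaces around the comma (Problem 1)")
        elif name == "":
            # Empty element (e.g. trailing comma); assumed invalid here
            findings.append(f"ERROR: empty attribute name in {XATTRS_HEADER}")
        elif name.lower() not in lower:
            # Problem 3: listed attribute is not present as a header
            findings.append(
                f"ERROR: {XATTRS_HEADER} lists {name!r} but no such header is "
                f"in the response; WebSEAL returns its error page (Problem 3)")
    if PAC_HEADER in lower:
        # Problem 2: with a PAC present the header attributes are ignored
        findings.append(
            f"WARNING: {PAC_HEADER} is present, so the extended attribute "
            f"headers are ignored; put the attributes in the PAC and drop "
            f"{XATTRS_HEADER} (Problem 2)")
    return findings


# Constructed samples mirroring the article's three problems and the fix.
PROBLEM_1 = {
    "am_eai_xattr_session_lifetime": "1567991987",
    "am_eai_xattr_session_inactive_timeout": "100",
    "am-eai-xattrs": "am_eai_xattr_session_inactive_timeout, am_eai_xattr_session_lifetime",
}
PROBLEM_2 = {
    "am_eai_xattr_session_lifetime": "1567991987",
    "am_eai_xattr_session_inactive_timeout": "100",
    "am-eai-xattrs": "am_eai_xattr_session_inactive_timeout,am_eai_xattr_session_lifetime",
    "am-eai-pac": "<PAC-PLACEHOLDER>",
}
PROBLEM_3 = {  # attributes live only inside the PAC, not as headers
    "am-eai-xattrs": "am_eai_xattr_session_inactive_timeout,am_eai_xattr_session_lifetime",
    "am-eai-pac": "<PAC-PLACEHOLDER>",
}
FIXED_PAC_ONLY = {"am-eai-pac": "<PAC-PLACEHOLDER>"}  # attributes inside the PAC
FIXED_HEADERS_ONLY = {  # no PAC; attributes carried as headers
    "am_eai_xattr_session_lifetime": "1567991987",
    "am_eai_xattr_session_inactive_timeout": "100",
    "am-eai-xattrs": "am_eai_xattr_session_inactive_timeout,am_eai_xattr_session_lifetime",
}

if __name__ == "__main__":
    for label, hdrs in [("Problem 1", PROBLEM_1), ("Problem 2", PROBLEM_2),
                        ("Problem 3", PROBLEM_3), ("Fixed (PAC)", FIXED_PAC_ONLY),
                        ("Fixed (headers)", FIXED_HEADERS_ONLY)]:
        print(label, check_eai_headers(hdrs) or "OK")
```

Run it against the headers your EAI service actually emits (for example, captured from the pdweb.snoop.jct trace described below) rather than the constructed dicts; the two "Fixed" shapes are the two valid configurations the article ends with.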
How to trace WebSEAL for troubleshooting:
Set the tracing level to 9 for the following components:
- pdweb.snoop.jct : References 2)
- pdweb.wns.authn: References 3)
Look for the following strings in the pdweb.wns.authn trace log: "Leaving getEAISessionInactivityTimeout()" and "Leaving getEAISessionCacheLifetime()". If it says that it is leaving with 'no new session lifetime', then it is not working. Otherwise you will get a message with the new timeout details for the session. Following is an example:
2019-09-10-03:59:32.112+01:00I----- thread(823) trace.pdweb.wns.authn:9 /home/webseal/20180807-2238/src/pdweb/webseald/credscache/WSCredsCacheEntry.cpp:1341: [10.124.154.125] WSCredsCacheEntry::getCredsNoCopy = 0x01f8ec30
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:897: [10.124.154.125] Exiting getEAISessionCacheLifetime() with return code: 1
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:9 /home/webseal/20180807-2238/src/pdweb/webseald/credscache/WSCredsCacheEntry.cpp:2726: [10.124.154.125] WSCredsCacheEntry::setLifetimeTimeout = 1568084472 (1)
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:9 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:1212: [10.124.154.125] lifetime value updated to 1568084472
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:931: [10.124.154.125] Entering getEAISessionInactivityTimeout() with argument creds: 31534560
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:964: [10.124.154.125] Leaving getEAISessionInactivityTimeout() with a inactivity timeout of 100 seconds
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:977: [10.124.154.125] Exiting getEAISessionInactivityTimeout() with return code: 1
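To avoid reading a level-9 trace by eye, the following added example (not IBM code) pulls out exactly the lines the article says to look for: the inactivity timeout in seconds, the updated lifetime value and the client address, and flags a run as not working when the 'no new session lifetime' phrase appears. The working sample is copied from the trace lines above; the not-working sample is constructed, and its source line number and the wording around the phrase are assumptions, since the article only quotes the phrase itself. Interpreting the lifetime value as seconds since the epoch is also an assumption.

```python
import re
from datetime import datetime, timezone

# Trace lines taken from the article's pdweb.wns.authn trace (working case).
WORKING_TRACE = """\
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:897: [10.124.154.125] Exiting getEAISessionCacheLifetime() with return code: 1
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:9 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:1212: [10.124.154.125] lifetime value updated to 1568084472
2019-09-10-03:59:32.112+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:964: [10.124.154.125] Leaving getEAISessionInactivityTimeout() with a inactivity timeout of 100 seconds
"""

# Constructed failing sample: only the phrase 'no new session lifetime' is
# from the article; the line number and surrounding wording are assumed.
NOT_WORKING_TRACE = """\
2019-09-10-04:12:05.001+01:00I----- thread(167) trace.pdweb.wns.authn:8 /home/webseal/20180807-2238/src/pdweb/webseald/authn/framework/authn-cred.cpp:900: [10.124.154.125] Leaving getEAISessionCacheLifetime() with no new session lifetime
"""

INACTIVITY_RE = re.compile(
    r"Leaving getEAISessionInactivityTimeout\(\) with an? inactivity timeout of (\d+) seconds")
LIFETIME_RE = re.compile(r"lifetime value updated to (\d+)")
NO_NEW_RE = re.compile(r"no new session lifetime", re.IGNORECASE)
CLIENT_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def analyse_eai_timeout_trace(trace_text):
    """Scan pdweb.wns.authn trace text and report what WebSEAL did with the
    EAI-supplied timeouts. Returns a dict; 'working' is True only when a new
    inactivity timeout or lifetime was recorded and no 'no new session
    lifetime' message was seen."""
    result = {"client": None, "inactivity_timeout": None, "lifetime": None,
              "lifetime_utc": None, "no_new_lifetime": False}
    for line in trace_text.splitlines():
        if "trace.pdweb.wns.authn" not in line:
            continue  # ignore other components mixed into the same file
        m = CLIENT_RE.search(line)
        if m and result["client"] is None:
            result["client"] = m.group(1)
        m = INACTIVITY_RE.search(line)
        if m:
            result["inactivity_timeout"] = int(m.group(1))
        m = LIFETIME_RE.search(line)
        if m:
            result["lifetime"] = int(m.group(1))
            # assumption: the value is an absolute time in seconds since epoch
            result["lifetime_utc"] = datetime.fromtimestamp(
                result["lifetime"], tz=timezone.utc).isoformat()
        if NO_NEW_RE.search(line):
            result["no_new_lifetime"] = True
    result["working"] = (not result["no_new_lifetime"] and
                         (result["inactivity_timeout"] is not None
                          or result["lifetime"] is not None))
    return result


if __name__ == "__main__":
    print(analyse_eai_timeout_trace(WORKING_TRACE))
    print(analyse_eai_timeout_trace(NOT_WORKING_TRACE))
```

In the working sample the lifetime 1568084472 converts to 03:01:12 UTC, which is 100 seconds after the 03:59:32+01:00 trace timestamp, so the value WebSEAL stored matches the 100-second setting the EAI service sent.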
Diagrams: Diagram 1) WebSEAL error page (image not reproduced in this copy)
References:
1) Setting a client-specific session cache entry lifetime value: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.4/com.ibm.isam.doc/wrp_config/task/tsk_set_client_sess_lifetime_val.html#tsk_set_client_sess_lifetime_val
2) Traces data that is sent between WebSEAL and junctions: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.3/com.ibm.isam.doc/trouble/concept/con_pdweb_snoop.html
3) Trace components that are common to all Security Access Manager servers: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.3.1/com.ibm.isam.doc/trouble/reference/ref_avl_trc_cmpt.html