And we are experiencing the following lines repeatedly in the RPX log:
87 2019-03-19-18:44:41.806+01:00I----- 0x38B9A426 webseald ERROR wns session WSRemoteCache.cpp 2924 0x7fca32df8700 -- DPWNS1062E An attempt to update a session failed with error code 0x38a0a13e.
88 2019-03-19-18:46:05.270+01:00I----- 0x38B9A426 webseald ERROR wns session WSRemoteCache.cpp 2924 0x7fca4183e700 -- DPWNS1062E An attempt to update a session failed with error code 0x38a0a13e.
89 2019-03-19-18:50:09.392+01:00I----- 0x38AD50C9 webseald ERROR wiv azn WSCredsCacheEntry.cpp 994 0x7fca406fa700 -- DPWIV0201E The azn-api function 'azn_creds_get_attr_value_string(tagvalue_max_concurrent_web_sessions)' returned 0x150000
90 2019-03-19-18:53:02.482+01:00I----- 0x38AD50C9 webseald ERROR wiv azn WSCredsCacheEntry.cpp 994 0x7fca407fe700 -- DPWIV0201E The azn-api function 'azn_creds_get_attr_value_string(tagvalue_max_concurrent_web_sessions)' returned 0x150000
91 2019-03-19-19:21:49.044+01:00I----- 0x38B9A427 webseald ERROR wns session WSRemoteCache.cpp 3201 0x7fca54a4e700 -- DPWNS1063E An attempt to delete a session failed with error code 0x38a0a13e.
92 2019-03-19-19:21:49.044+01:00I----- 0x38B9A41B webseald ERROR wns session WSRemoteCache.cpp 2228 0x7fca54a4e700 -- DPWNS1051E Addition or update of a session cache entry failed.
------------------------------
Shanmugarajan M
------------------------------
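A triage sketch for the log excerpt above, added here as an example and not part of the thread: it tallies WebSEAL message IDs and pulls out which credential attribute lookup failed. The field layout in `LINE_RE` is an assumption inferred from the six quoted lines, and `triage` is a hypothetical helper name.

```python
import re
from collections import Counter

# The six lines quoted in the post above, copied as-is (viewer line numbers kept).
SAMPLE = """\
87 2019-03-19-18:44:41.806+01:00I----- 0x38B9A426 webseald ERROR wns session WSRemoteCache.cpp 2924 0x7fca32df8700 -- DPWNS1062E An attempt to update a session failed with error code 0x38a0a13e.
88 2019-03-19-18:46:05.270+01:00I----- 0x38B9A426 webseald ERROR wns session WSRemoteCache.cpp 2924 0x7fca4183e700 -- DPWNS1062E An attempt to update a session failed with error code 0x38a0a13e.
89 2019-03-19-18:50:09.392+01:00I----- 0x38AD50C9 webseald ERROR wiv azn WSCredsCacheEntry.cpp 994 0x7fca406fa700 -- DPWIV0201E The azn-api function 'azn_creds_get_attr_value_string(tagvalue_max_concurrent_web_sessions)' returned 0x150000
90 2019-03-19-18:53:02.482+01:00I----- 0x38AD50C9 webseald ERROR wiv azn WSCredsCacheEntry.cpp 994 0x7fca407fe700 -- DPWIV0201E The azn-api function 'azn_creds_get_attr_value_string(tagvalue_max_concurrent_web_sessions)' returned 0x150000
91 2019-03-19-19:21:49.044+01:00I----- 0x38B9A427 webseald ERROR wns session WSRemoteCache.cpp 3201 0x7fca54a4e700 -- DPWNS1063E An attempt to delete a session failed with error code 0x38a0a13e.
92 2019-03-19-19:21:49.044+01:00I----- 0x38B9A41B webseald ERROR wns session WSRemoteCache.cpp 2228 0x7fca54a4e700 -- DPWNS1051E Addition or update of a session cache entry failed.
"""

# Assumed layout: [viewer line no] timestamp+"I-----" status program severity
# component subcomponent source-file source-line thread-id -- MSGID text
LINE_RE = re.compile(
    r"^(?:\d+\s+)?(?P<ts>\S+?)I-----\s+(?P<status>0x[0-9A-Fa-f]+)\s+(?P<prog>\S+)\s+"
    r"(?P<sev>\S+)\s+(?P<comp>\S+)\s+(?P<sub>\S+)\s+(?P<src>\S+)\s+(?P<srcline>\d+)\s+"
    r"(?P<tid>0x[0-9A-Fa-f]+)\s+--\s+(?P<msgid>[A-Z]+\d+[A-Z])\s+(?P<text>.*)$"
)
# DPWIV0201E text names the azn-api call and the credential attribute it asked for.
ATTR_RE = re.compile(r"azn-api function '(\w+)\((\w+)\)' returned (0x[0-9A-Fa-f]+)")
# DPWNS1062E / DPWNS1063E text carries the session-operation error code.
CODE_RE = re.compile(r"failed with error code (0x[0-9A-Fa-f]+)")

def triage(log_text):
    """Summarise message IDs, failed credential-attribute lookups and session error codes."""
    by_msgid, failed_attrs, session_codes, unparsed = Counter(), Counter(), Counter(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(raw)  # keep lines that do not fit the assumed layout
            continue
        by_msgid[m["msgid"]] += 1
        attr = ATTR_RE.search(m["text"])
        if attr:
            failed_attrs[attr.group(2)] += 1
        code = CODE_RE.search(m["text"])
        if code:
            session_codes[code.group(1)] += 1
    return {"by_msgid": by_msgid, "failed_attrs": failed_attrs,
            "session_codes": session_codes, "unparsed": unparsed}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

A non-empty `failed_attrs` entry for `tagvalue_max_concurrent_web_sessions` is the log-side sign of the condition discussed in the replies: the credential WebSEAL is using does not carry that attribute.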
Original Message:
Sent: 03-21-2019 08:31 AM
From: Shanmugarajan M
Subject: max-concurrent-web-session policy not enforced
Hi Jon
The profile name I can see in the RPX node's PoC is "Access Manager Username and extended attributes".
In the authz server I have added the below stanza so that we would get the max sessions value to WebSEAL, but that didn't help:
[credential-policy-attributes]
AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions
I have tried to modify the junction object to set the below attribute to HTTP-Tag-Value; that also didn't help:
object modify /WebSEAL/member/sps set attribute HTTP-Tag-Value AZN_POLICY_MAX_CONCURRENT_WEB_SESSIONS = tagvalue_max_concurrent_web_sessions
------------------------------
Shanmugarajan M
Original Message:
Sent: 03-21-2019 07:04 AM
From: Jon Harry
Subject: max-concurrent-web-session policy not enforced
Shanmugarajan,
Can you confirm which PoC Profile you have configured for AAC/Federation configuration?
If you are (as we suspect) using the "Access Manager Credential" profile, is there a particular reason for this? If you change to use the "Non-Access Manager User" profile then you should get the tagvalue_max_concurrent_web_sessions attribute (and other useful attributes) without any other customization.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: 03-21-2019 06:45 AM
From: Shanmugarajan M
Subject: max-concurrent-web-session policy not enforced
Can you please tell me how to add that attribute (tagvalue_max_concurrent_web_sessions)?
------------------------------
Shanmugarajan M
Original Message:
Sent: 03-21-2019 02:36 AM
From: Kristof Goossens
Subject: max-concurrent-web-session policy not enforced
Hi Scott,
I am actually quite interested in the name of this (and by extension all) parameter that should be added to the PAC in case you do want to send back the PAC to WebSEAL.
Do you know where I can find documentation on that? I found some info in the WebSEAL administration guide, but was not able to find back the parameter for this specific setting.
Thx in advance
------------------------------
Kristof Goossens
Original Message:
Sent: 03-20-2019 06:26 AM
From: Scott Exton
Subject: max-concurrent-web-session policy not enforced
It sounds like you have the federation component configured to send back a PAC (or credential) to WebSEAL. In this instance WebSEAL does not create the credential itself but instead uses the credential which has been supplied. This means that the credential is probably missing the attribute which tells WebSEAL how many concurrent sessions are allowed. The easiest fix is to change the federation configuration so that it returns the itemised credential information to WebSEAL so that WebSEAL can generate the credential itself.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Access Manager
IBM Master Inventor
Phone: 61-7-5552-4008 | E-mail: scotte@au1.ibm.com | L11 & L7 Seabank Southport, QLD 4215 Australia
Original Message------
We have the distribution session deployed and enabled on reverse proxy nodes
dsess-enabled = yes
enforce-max-sessions-policy = yes
prompt-for-displacement = yes
dsess-cluster-name = dsess
[dsess-cluster]
server = 9,http://127.0.0.1:2035/DSess/services/DSess
but the reverse proxy does not enforce this policy
policy get max-concurrent-web-sessions "displace"
We have 2 reverse proxies configured for the same domain. One is federated to TFIM with a separate authorization server while the other one is not federated. This policy is not being enforced for the TFIM federated reverse proxy, whereas this policy is enforced and working well for the other reverse proxy, which does the authorization by itself.
------------------------------
Shanmugarajan M
------------------------------