In another installment of the troubleshooting IAM system issues series, this week we have a post about fixing failed web services calls that use a cookieless session scheme. As always, we present the reported issue, what we found during troubleshooting, and how the problem was remedied.
| Issue | CA Access Gateway (CAG): Cookieless Web Service Calls Failing |
| Symptoms | Web service calls through the CAG were being rejected by the CAG web agent. |
| Troubleshooting | We asked the customer to search the smaccess.log on their policy servers for the failed web service requests. They were able to see successful authentications (AuthAccept) for the resource and those were immediately followed by failed authorizations (AzReject). We had them provide a copy of the server.conf and the web agent log from the CAG. We reviewed the server.conf and didn’t find any configuration issues with the session scheme definition or the virtual host session scheme configuration. The session scheme definition correctly had ‘accepts_smsession_cookies’ set to ‘false’, which is required for this type of configuration. Additionally, the virtual host for the web service had its ‘defaultsessionscheme’ set to ‘ssl_id’. |
| Condition | The web service client does not support cookies of any type. |
| Cause | A review of the CAG web agent log revealed that the web agent was configured to require smsession cookies for resource access. |
| Remedy | The customer set the ‘RequireCookies’ attribute to no in the web agent configuration (ACO) for the CAG and restarted the CAG service. The client was then able to successfully access the resource without presenting the SMSESSION cookie. |
As always, we hope that you have found this information useful. If you need IAM assistance, reach out to SIS today and we would be happy to assist you. And subscribe to our newsletter to be notified about the posting of future articles and other SIS news.
