000032536 - Viewing, Downloading or Deleting an existing ASR fails with 'The request could not be handled' error in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Aug 4, 2020
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000032536
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle 
RSA Version/Condition:  7.0.0
 
IssueWhen attempting to View, Download or Delete an existing Aveksa Statistics Report (ASR) (Admin > System > Diagnostics tab), the options fail with:

User-added image
 
Request Error
The request could not be handled

 


User-added image


The aveksaServer.log file ($AVEKSA_HOME/wildfly/standalone/log/aveksaServer.log) reports the following security exception:
 
02/09/2016 14:56:45.574 ERROR (default task-59) [com.aveksa.gui.core.MainManager] 10.XXX.X.XX invalid request: 
https://hostname:port/aveksa/main?ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel=0&Action=New&SYSTEM_REPORT_NAME=DEV+SYSTEM+ 1_Aveksa_Statistics_Report.20160208.130639
02/09/2016 14:56:45.583 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 152 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminExceptionEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:45.659 INFO (NotificationConsumer:AdminException) [com.aveksa.server.workflow.notification.NotificationEngine] Starting method=run subTask=Processing Event NotificationEvent[WorkflowEvent[id = 153 creationDate = Tue Feb 09 14:56:45 CST 2016 eventState = New eventType = NewAdminNotificationEvent] notificationObjectId = 2611 notificationObjectType = AdminException]
02/09/2016 14:56:48.142 ERROR (default task-60) [com.aveksa.gui.core.GuiFramework] Unsafe characters detected in URL parameters. Possible XSS attack.:
Login ID: abc123
Request: https://hostname:port/aveksa/main?
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
ReqType=Dialog&PageID=DownloadSystemReportDialogData&BreadcrumbLevel&Action&New&SYSTEM_REPORT_NAME=DEV+SYSTEM+1_Aveksa_Statistics_Report.20160208.130639
Invalid string: SYSTEM_REPORT_NAME
com.aveksa.server.core.SecurityException: Unsafe characters detected in URL parameters. Possible XSS attack.


Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the aveksaServer.log file for your specific deployment, if you are on a WildFly cluster or a non-WildFly platform. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
 
CauseThis is a known issue reported in engineering tickets ACM-55821 and ACM-61116.

RSA Identity Governance & Lifecycle 7.0 has additional protection against cross-site scripting (XSS) attacks as compared to previous versions. Because of this, special characters such as spaces are no longer allowed in the report name of the ASR.

This issue occurs if you are on RSA Identity Governance & Lifecycle 7.0 or higher and have an Environment Name defined with special characters such as spaces. Environment Names are defined by going to Admin > System > Settings tab > Edit > Environment > Name field. The default name of the ASR has no special characters. However, when an Environment Name is set for the system, the Environment Name is prefixed to the ASR name. If the Environment Name has special characters, than the ASR name has special characters and this failure occurs.

In the following example, the Environment Name has spaces: .

User-added image

Previously the Environment Name was VCD. Note in the example below, one report name has spaces (DEV SYSTEM 1) and one report does not (VCD). The report with spaces in the report name cannot be viewed, downloaded or deleted.

User-added image
 
ResolutionThis issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels:
  • RSA Identity Governance & Lifecycle 7.0.0 P02
  • RSA Identity Governance & Lifecycle 7.0.1
The fix is to replace the spaces and/or special characters in the ASR name with underscores.
 
WorkaroundAs a workaround, ensure the Environment Name has no special characters and generate a new ASR.
  1. Modify/remove the Environment Name.

  1. In the user interface go to Admin > System > Settings tab.
  2. Choose Edit > Scroll down to Environment.
  3. Modify the Name to remove special characters or delete the contents of the Name field.

  1. Generate a new ASR.

  1. In the user interface go to Admin > System > Diagnostics tab > Create Report.
  2. Once the report has completed, try to View, Download, or Delete the report.

 

Attachments

    Outcomes