000015054 - AxM Agent 4.9.1 for Apache 2.X: 'Token decryption failed' when using some browsers.

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017

Article Content

Article Number: 000015054
Applies To: RSA Access Manager 4.9.1 Agent for Apache 2.x
Apache Commons-HttpClient 3.1
Issue: AxM Agent 4.9.1 for Apache 2.X: "Token decryption failed" when using some browsers.
Single sign on fails and sends the client back to the logon page for reauthentication.
The agent log at debug log level shows the following error messages:
2013-01-29 15:54:56 -0500 - [3856] - <Debug> - exception_type=TokenException, msg=(Token decryption failed)
2013-01-29 15:54:56 -0500 - [3856] - <Warning> - Unable to extract session information from token. Authorization server returned: 15
The agent log shows that the cookie headers use commas as delimiters:
2013-01-29 15:54:56 -0500 - [3856] - <Debug> - Cookie headers:CTSESSION=AAAAAgABAEg6CabmDsGOwT1iWn0eo6lNXGQdTGDFAPBdgSkA7%2FWXGAd8hF%2FtAFuCXsVyL%2F3No%2BPXYCXNa362k07969MGy2LS9J9Acmk0wzU%3D, STGXAAJSESSIONID=000085E9ftiwWSKkWIMuxS2vN_j:16797ve03
The agent log shows the web browser as the Apache Commons HTTP client 3.1:
2013-01-29 15:54:55 -0500 - [3856] - <Debug> - User-Agent: Jakarta Commons-HttpClient/3.1

The aserver log file shows the following error. Note the extra comma in the log file after the token.
sequence_number:79356,2013-01-25 14:49:52:404 EST,messageID:1031,client_ip_address:,client_port:35703,token:AAAAAgABAEgJUK0qNjdiJMIW2aBuRxhS+waA8wCyok8gOihSCIsYYtG51S5pXltMzuIF1t4sG52JqiDXK/1BwJq8+gi5/hvo8udmJ6zwBbw=,,result_code:0,result_action:User Token Failed,result_reason:Token error
Cause: The agent is unable to correctly parse the HTTP Cookie from the headers when the cookies are delimited by commas. The agent passes the comma to the aserver as part of the token, and thus the token cannot be decrypted.
Resolution: The Apache Commons HttpClient 3.1 is no longer supported. This client incorrectly delimits cookies using a comma instead of a semicolon. Upgrade to the Apache HttpComponents client (version 4.2 or the latest version). This resolves the issue.
Notes: See RFC 2109, or "draft-ietf-httpstate-cookie", which supersedes it, for the requirements for delimiting cookies in the HTTP Cookie header.
Legacy Article ID: a60607
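
Added example (not part of the original article and not RSA code): a log triage script that finds which clients send comma-delimited Cookie headers, and shows what a semicolon split yields for such a header. It assumes the agent debug-log layout quoted above and that the bracketed number identifies one worker; the sample lines and function names are constructed for illustration.

```python
import re

# Agent debug-log layout seen in the article: "<timestamp> - [<id>] - <Level> - <message>"
LINE_RE = re.compile(r"^(\S+ \S+ \S+) - \[(\d+)\] - <(\w+)> - (.*)$")
# A comma followed by another "name=": cookies separated by "," instead of ";".
# draft-ietf-httpstate-cookie (published as RFC 6265) excludes "," from cookie values.
COMMA_DELIM_RE = re.compile(r",\s*[^=;,\s]+=")


def split_cookies(header):
    """Split a Cookie header into name/value pairs on ';'."""
    pairs = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs[name] = value
    return pairs


def find_comma_delimited(lines):
    """Flag Cookie headers that use ',' between cookies and attach the last
    User-Agent logged under the same bracketed id (assumed to be one worker)."""
    last_ua, findings = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, worker, _level, msg = m.groups()
        if msg.startswith("User-Agent:"):
            last_ua[worker] = msg[len("User-Agent:"):].strip()
        elif msg.startswith("Cookie headers:"):
            header = msg[len("Cookie headers:"):].strip()
            if COMMA_DELIM_RE.search(header):
                findings.append({"time": stamp, "worker": worker,
                                 "user_agent": last_ua.get(worker, "unknown"),
                                 "parsed": split_cookies(header)})
    return findings


# Constructed sample lines in the article's log format (token values shortened).
SAMPLE = [
    "2013-01-29 15:54:55 -0500 - [3856] - <Debug> - User-Agent: Jakarta Commons-HttpClient/3.1",
    "2013-01-29 15:54:56 -0500 - [3856] - <Debug> - Cookie headers:CTSESSION=AAAAexample%3D, STGXAAJSESSIONID=0000example:1",
    "2013-01-29 15:55:02 -0500 - [3860] - <Debug> - User-Agent: ExampleBrowser/1.0",
    "2013-01-29 15:55:03 -0500 - [3860] - <Debug> - Cookie headers:CTSESSION=AAAAexample%3D; STGXAAJSESSIONID=0000example:1",
]

for hit in find_comma_delimited(SAMPLE):
    # The flagged header collapses into a single CTSESSION value when split on ';'.
    print(hit["time"], hit["user_agent"], hit["parsed"])
```

In the flagged entry the second cookie is folded into the CTSESSION value, which is the kind of corrupted token the Cause describes; the semicolon-delimited request from the other client is not reported.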