000014818 - AxM 4.8 agent and the arbitrary redirect to port 80 when a load balancer is used to rewrite to a different port. ACTSESSION cookie retains port 80.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014818

Applies To: AxM 4.8 agent for Apache for Linux

Issue: The AxM 4.8 agent arbitrarily redirects to port 80 when a load balancer is used to rewrite to a different port. The ACTSESSION cookie retains port 80.

When a URL with a scheme of http (implied port 80, http://) is processed by the AxM agent, the agent generates the ACTSESSION cookie with port 80 explicitly included in the retained URL. After authenticating, the agent redirects back to this URL. This mismatch results in a failure at the load balancer.

Cause: This was determined not to be a bug; the ACTSESSION cookie has always included the port by design. The behavior was changed through RSA's enhancement request process: a hotfix introduces a new webagent.conf parameter that allows this behavior to be configured or disabled.

The readme includes the following addition to webagent.conf:

   # Indicates whether port number should be included in the retained url.  
   # This applies to both cookie based url retention and query-string  
   # based url retention.  
   #  
   # Allowed Values:  
   #    True   Port number would be excluded in retain url.  
   #    False Port number would be included in retain url.  
   #  
   # Default value :  
   #     False  
   #  
   #   cleartrust.agent.exclude_port_for_retained_url=False
  
Note that the instructions included for the setting are slightly ambiguous as written. Setting this to True excludes the port from the retained URL. The default value of False includes the port in the ACTSESSION retained URL cookie. Add the above new configuration parameter to your existing agent configuration file before following the installation instructions included in the hotfix.
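The readme excerpt above carries the parameter line itself behind a `#`, so a file that contains it verbatim still behaves as the default. The following check is an added example, not part of the RSA readme or hotfix; it reports which behavior a given webagent.conf will produce, assuming key=value syntax with `#` comments, case-insensitive values, and that the last uncommented assignment wins.

```shell
#!/bin/sh
# Added example (not RSA code): report whether the retained URL in the
# ACTSESSION cookie will carry the port, based on webagent.conf.
# Usage after sourcing this file: retained_url_port <path to webagent.conf>
KEY='cleartrust.agent.exclude_port_for_retained_url'

# Prints "excluded", "included", "invalid" or "unreadable".
# Assumptions: key=value lines, '#' starts a comment line (as in the readme
# excerpt), values compared case-insensitively, last uncommented entry wins.
retained_url_port() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    value=$(awk -v key="$KEY" '
        /^[ \t]*#/ { next }                  # skip comment lines, including a commented-out parameter
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/[ \t\r]+$/, "", k)         # tolerate spaces around "=" and CRLF endings
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) found = tolower(v)
        }
        END { print found }
    ' "$conf")
    case $value in
        true)     echo "excluded" ;;         # port dropped from the retained URL
        false|"") echo "included" ;;         # explicit False or unset: default keeps the port
        *)        echo "invalid"; return 1 ;;
    esac
}
```

A result of "included" on an agent behind a port-rewriting load balancer means the post-authentication redirect will still carry the explicit port described in the Issue section.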

Resolution

This has been corrected in the following hotfixes, which can be obtained by contacting customer support.

For the 4.7.1 agent, apply hotfix 4.7.1.3

For the 4.8 agent, apply hotfix 4.8.0.31

Legacy Article ID: a47576
