000013464 - 4.8 Agent for Apache fails to set user properties in the http headers after idle timeout with CERTIFICATE authentication

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000013464
Applies To
RSA Access Manager 4.8 Agent for Apache 2.2

RSA Access Manager 4.9.1 Agent for Apache 2.2
IssueRSA Access Manager agent for Apache fails to set user properties in the http headers after idle timeout with CERTIFICATE authentication
When configured to export RSA Access Manger user properties in the http header the agent sets them correctly during the inital authentication but fails to set them when the user authenticates after an idle timeout.
The Agent log file shows that the users session has become idle.
2012-02-14 11:12:39 -0800 - [1420] - <Security> - Session has idled out
At debug log level the following log file entries are missing from the agent log file during the authentication after an idle timeout.

2012-02-14 11:10:23 -0800 - [1420] - <Debug> - Setting header: email, value: user@rsa.com
2012-02-14 11:10:23 -0800 - [1420] - <Info> - Setting headers for user: user1, auth: 4, webserver: test
CauseHotfix 4.8.0.23 changed the behaviour of the agent to prevent it from setting http headers when the user was not authenticated.  Forms based authentication types that do an http redirect after an idle timeout will correctly set the user properties in the http header when the user is authenticated after idle timeout.  When the agent is configured for CERTIFICATE based authentication the agent authenticates the user on the initial http request without a redirect.  The agent fails to set the http headers in this instance because the request occurs while the user is considered unauthenticated.
ResolutionThis issue has been resolved in hotfix 4.8.0.52 for the RSA Access Manager 4.8 Agent for Apache 2.2 on RedHat Linux.  The agent now correctly sets user properties in the http headers when the user is authenticated after an idle timeout.  Contact RSA Customer Support to request this hotfix or the latest cumulative hotfix for your web server and platform. 
This issue has been resolved in hotfix 4.9.1.14 for the RSA Access Manager 4.9.1 Agent for Apache 2.2 on RedHat Linux.  The agent now correctly sets user properties in the http headers when the user is authenticated after an idle timeout.  Contact RSA Customer Support to request this hotfix or the latest cumulative hotfix for your web server and platform. 
WorkaroundCustomer has applied RSA Access Manager 4.8 Agent hotfix 4.8.0.23 or later and is using CERTIFICATE authentication type.
Legacy Article IDa57757

Attachments

    Outcomes