CA SiteMinder® Federation Standalone Guide › Troubleshooting › System Performance Troubleshooting › Proxy Engine Hangs and Stops Processing Requests

Proxy Engine Hangs and Stops Processing Requests

Symptom:

After processing requests for several days, CA SiteMinder® Federation Standalone's built-in proxy engine hangs.

Solution:

Modify tuning parameters in the proxy engine's server.conf for the connection between Apache web server (HTTP listener) and the proxy engine (Tomcat servlet engine).

The parameters you modify are used by the component mod_jk, which acts as the Tomcat connector to enable communication between the Apache web server and Tomcat using the Apache JServ protocol (AJP).

To modify the server.conf file

1. Navigate to the following directory:

   federation_install_dir/secure-proxy/proxy-engine/conf

2. Open the server.conf file in an editor.
3. Modify the following parameters

   worker.ajp13.reply_timeout

   Specifies the maximum time, in milliseconds, that can elapse between any two packets received from the proxy engine. After this timeout expires, the connection between the Apache server (HTTP listener) and the proxy engine is dropped. A value of 0 indicates that the proxy engine will wait indefinitely until a response is received.

   To ensure that the connection does not wait indefinitely for a response from the proxy engine, increase this value.

   Default: 0

   worker.ajp13.retries

   Indicates the maximum number of times that the mod_jk component sends a connection request to the proxy engine in case of a communication error. After the number of retries has been met and there is no response from the proxy engine, the connection is dropped.

   Increase this value for more retry attempts for a connection request.

   Default: 2

4. Save the server.conf file.

Resolving Signature Verification Failures

A malicious user can commit an XML signature wrapping attack by changing the content of a document without invalidating the signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to XML specifications. As a result, the default signature checks can result in a signature verification failure.

Signature verification failures occur for the following reasons:

• A duplicate ID element is in the XML document and the signature references this duplicate ID. Duplicate ID attributes are not permitted.
• The XML signature does not reference the expected parent element, and a signature wrapping vulnerability is logged.

If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document is not conforming to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.

Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.

To disable the XML signature wrapping checks:

1. Navigate to the xsw.properties file. The file exists in different locations for the Policy Server and the Web Agent.
   • For error messages in the Policy Server smtracedefault.log file, go to siteminder_home/config/properties
   • For error messages in the Web Agent fwstrace.log, go to

     web_agent_option_pack_ home/affwebservices/web-INF/classes.

     Note: If the web agent option pack is installed on the same system as the web agent, the file resides in the web_agent_home directory.

2. Change the following xsw.properties settings to true:
   • DisableXSWCheck=true (Policy Server setting only)
   • DisableUniqueIDCheck=true (Policy Server and Web Agent Option Pack setting)

     Note: The value of the DisableUniqueIDCheck setting must be the same for the Policy Server and the Web Agent Option Pack.

3. Save the file.