search cancel
MaxHeaderSize for Access Gateway
book
Article ID: 8032
calendar_today
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On SITEMINDER
Issue/Introduction
Groups are being pulled into the HTTP Header. There are a large number of groups causing the HTTP Header to be very Large. The CA Gateway server is failing to process the requests.
Environment
CA Access Gateway: 12.8.x
Cause
CA Gateway is bundled with Tomcat and Apache Web Server. The Http Connector is not used between Tomcat and Apache, instead the AJP Connector is used. "maxHttpHeaderSize" is an valid attribute in the HTTP Connector, but not the AJP Connector.
The AJP Protocol is "Packet Oriented". There is no 'maxHttpHeaderSize' in the AJP protocol. Instead the AJP protocol is simply using the 'max_packet_size'. 'max_packet_size'doesn't limit an aspect of the packet, such as the HTTP Header. It is the entire packet. When large HTTP headers are involved, the entire packet size exceeds the default limit.
Resolution
worker.ajp13.max_packet_size needs to be increased
1) Logon to the CA Gateway host
2) Browse to the 'Server.conf' File
-> Default Path:
Windows: C:\Program Files\CA\secure-proxy\proxy-engine\conf\server.conf
UNIX: <Install_Dir>/CA/secure-proxy/proxy-engine/conf/server.conf
3) Locate the following section:
#'max_packet_size': This attribute sets the maximum AJP packet size in Bytes. The maximum value is 65536.
#This same value will be used as 'packetSize' attribute for AJP connector on the Tomcat side.
worker.ajp13.max_packet_size=16384
4) Modify the 'max_packet_size' value to accommodate the total size of the packets with the additional Header Data.
NOTE:The maximum value is 65536
5) Restart the CA Gateway server (Tomcat)
Additional Information
###### REFERENCE ######
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/access-gateway-configuration/configure-the-tomcat-settings-manually.html
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html
https://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
https://stackoverflow.com/questions/6837505/setting-max-http-header-size-with-ajp-tomcat-6-0
Feedback
thumb_up Yes
thumb_down No