Cybersecurity
DevOps Cloud (ADM)
IT Operations Cloud
Summary
Configuring IDP server Response Headers fail to save returning "Error: Invalid data, Header Name Header Value"
Products
Access Manager (NAM)
Environment
Fresh installed Access Manager Version 5.0.3 Admin Console Server on RHEL 8.6
Backup from a Access Manager Version 5.0.3 on RHEL 7.9 has been restored
Situation
After upgrading from NAM 451 to 503 custom CSP headers configuration fails on trying to save / post returning: "Error: Invalid data, Header Name Header Value" when trying to save (POST)
This was working without any issues before upgrading
Using a fiddler / har to debug details about the posted data it looks like below:
---------------------------------------------------------------------------------------------
POST idpa.kgast.nam.com:8443/nps/rest/security/respheaders/SCCqm1qXX HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: de,de-DE;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Connection: keep-alive
Content-Length: 312
Content-Type: application/json
Cookie: JSESSIONID=58882DF5E39F81F078016F6D76466D71
Host: idpa.kgast.nam.com:8443
Origin: idpa.kgast.nam.com:8443
Referer: idpa.kgast.nam.com:8443/nps/servlet/frameservice
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36 Edg/111.0.1661.41
imanuasess: -6228700933277856793
sec-ch-ua: "Microsoft Edge";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
{"id":1613573077973,"name":"Content-Security-Policy","value":"frame-ancestors https://example1.com https://example2.org https://example3.org https://example4.org ","urlPatterns":".*/nidp/.*"}
---------------------------------------------------------------------------------------------
HTTP/1.1 400 Bad Request
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Authorization
Access-Control-Allow-Methods: GET, POST, DELETE, PUT, OPTIONS
Access-Control-Allow-Origin: *
Connection: close
Content-Length: 52
Content-Type: application/json
Date: Wed, 22 Mar 2023 16:01:48 GMT
Exclusion: roma/rest,nps/rest,nps/netiq/nam/oauth,nps/oauth/nam/clients,roma/javascript/jquery.min.js,nps/portal/modules/nids/javascripts/jquery.min.js
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
{"status":"Invalid data: Header Name, Header Value"}
--------------------------------------------------------------------------------
Read Full Knowledge Base Article for Cause and Resolution.
URL Name
KM000015677