ARERR 9506 caused by HTTP 403 on udd.js when using Remedy AR System Mid Tier

Knowledge Article

ARERR 9506 caused by HTTP 403 on udd.js when using Remedy AR System Mid Tier
ARERR 9506 caused by HTTP 403 on udd.js when using Remedy AR System Mid Tier
Remedy AR System Server
AR System Mid Tier
Midtier 9.x, 19.x, 20.x
Symptoms:
  • ARERR 9506 displays when form is requested
  • Fiddler capture shows request for udd.js results in HTTP403
  • Fiddler capture shows the response to the LoginServlet call sets the HTTPOnly flag on all cookies including  MJUID
  • Fiddler capture shows the request for udd.js file is sent with the parameter ui=null
  • Detailed Midtier log shows the following:   >  Possible Cross-Origin request detected. Refusing request for udd.js
MJUID cookie has the HTTPOnly flag set so browser side scripts cannot set the ui parameter correctly
This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

The request for udd.js fails because the ui parameter is null. The reason for this is that all cookies are set to be httponly. This causes problems as some cookies need to be set  and accessed by the clientcode, setting the flag does not allow this and the cookies cannot be accessed. In this particular case the MJUID cookie is affected.

This is a web server / reverse proxy configuration problem. From a security standpoint, only the session cookie (JSESSIONID) needs to be protected, Mid-Tier already automatically flags this cookie as httponly. You have to disable the httponly filter on your web server.


 
Remedy AR System Server
AR System Mid Tier
Midtier 9.x, 19.x, 20.x
Remedy AR System Server
AR System Mid Tier
Midtier 9.x, 19.x, 20.x
Attachment(s):