What is the impact of setting FccCompatMode to yes in the Web Agent
ACO ?
Switching the FCCCOMPATMODE value from no to yes allows
compatibility with your 4.x Agents, if you still have any.
But it will potentially create problems :
- It will break some password services;
- It will break some functionalities in the OpenID Authentication
Scheme;
- It will remove the SMTRYNO cookie;
- It will break the protection level feature;
- It will break the tracking session domain feature;
But it will allow the following :
- It will produce the FORMCRED cookie;
- It will allow you to run Policy Server with the CA Adapter;
- It will allow compatibility between 4.x agent and the other
versions above;
- It will allow compatibility with Web Agents running on
Domino Web Server;
With FCCCOMPATMODE set to yes :
- It will break some password services :
Password change behavior when FCCCOMPATMODE is set to Yes
On a POST to an FCC, the FCC will generate a number of cookies. This
includes the FORMCRED cookie, which is created when FCCCompatMode
is set to the value YES.
This cookie represents the old way of doing forms login and should
be considered deprecated. The functionality only exists today to
provide backwards compatibility with older SiteMinder
installations.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=8386
- It will break some functionalities in the OpenID Authentication
Scheme :
OpenID Authentication Scheme
Disable the FCCCompatMode Parameter
Agents use an FCCCompatMode configuration parameter for backward
compatibility with older versions of the product. For newer
versions of the product (such as r12.5), this parameter must be
disabled for better security when using certain features.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/authentication-schemes/openid-authentication-scheme.html
- It will remove the SMTRYNO cookie :
SMTRYNO cookie not set if FCCCompatMode =YES and Login page is posting to an FCC
When you have a login page (ASP or JSP) that is posting to the
login.fcc and a Web Agent with FCCCompatMode = Yes, the SMTRYNO
cookie is not generated.
With FCCCompatMode = No, the SMTRYNO cookie is correctly generated.
The SMTRYNO cookie could be useful to track authentication
attempts.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=49556
SMTRYNO Cookie Not Generating
SMTRYNO cookie is not being generated. The login.fcc file
contains @smretries=6.
Make sure FCCCompatMode is not enabled. This Agent Configuration
Object parameter defaults to no when not explicitly set.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=109851
- It will break the protection level feature :
Authentication Scheme Protection Level Ignored When Changing The TARGET Parameter of Login FCC
Using a set of credentials with a lower authentication scheme
protection level, we are able to obtain a higher session level only
by tampering with the target.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=117253
- It will break the tracking session domain feature :
Tracksessiondomain parameter in ACO and use FQDN as the cookie domain
Run the agent in Normal Mode (FccCompatMode=No) if you want the cookie domain to be the same as the hostname.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=40655
- It will produce the FORMCRED cookie :
What is FORMCRED cookie ?
On a POST to an FCC, the FCC will generate a number of
cookies. This includes the FORMCRED cookie, which is created when
FCCCompatMode is set to the value YES. This cookie represents the
old way of doing forms login and should be considered deprecated.
The functionality only exists today to provide backwards
compatibility with older SiteMinder installations. The FORMCRED
cookie is generated from the USERNAME and PASSWORD variables. In
the default mode (FCCCompatMode="NO"), the FCC will log the user
in directly and, on successful authentication, redirect the user
back to the TARGET URL with an SMSESSION cookie, using SSO instead
of FORMCRED credentials to access the TARGET.
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=46283
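As an added example (not taken from the Broadcom articles or from product code), the following Python function classifies the Set-Cookie headers captured from a POST to your own login.fcc: a FORMCRED cookie indicates FCCCompatMode=Yes behaviour, while SMTRYNO or SMSESSION without FORMCRED indicates normal mode. The function names, the constructed sample headers and the extra Secure/HttpOnly check on FORMCRED are assumptions added here.

```python
# Added example: infer FCCCompatMode behaviour from the Set-Cookie headers
# returned by a POST to login.fcc. All sample headers are constructed.

# Features this page lists as affected when FCCCompatMode=Yes.
IMPACTED = [
    "password services",
    "OpenID Authentication Scheme",
    "SMTRYNO retry tracking",
    "authentication scheme protection level",
    "TrackSessionDomain",
]

def parse_set_cookie(header):
    """Return (NAME, set of lower-cased attribute names), or None if malformed."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, _ = parts[0].partition("=")
    if not sep or not name.strip():
        return None
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip().upper(), attrs

def assess_fcc_response(set_cookie_headers):
    """Classify an FCC response as 'compat', 'normal' or 'inconclusive'."""
    cookies = dict(filter(None, map(parse_set_cookie, set_cookie_headers)))
    result = {"mode": "inconclusive", "impacted": [], "formcred_missing_flags": []}
    if "FORMCRED" in cookies:
        # FORMCRED is only produced when FCCCompatMode is set to YES.
        result["mode"] = "compat"
        result["impacted"] = list(IMPACTED)
        # Assumption (general cookie hygiene, not from the page): a cookie
        # derived from USERNAME and PASSWORD should carry Secure and HttpOnly.
        result["formcred_missing_flags"] = sorted(
            {"secure", "httponly"} - cookies["FORMCRED"])
    elif "SMTRYNO" in cookies or "SMSESSION" in cookies:
        # Normal mode: retry counter or a direct SMSESSION, no FORMCRED.
        result["mode"] = "normal"
    return result

# Constructed samples; real cookie values and attributes will differ.
COMPAT_SAMPLE = ["FORMCRED=CONSTRUCTED; path=/; domain=.example.com; HttpOnly"]
FAILED_LOGIN_SAMPLE = ["SMTRYNO=1; path=/; domain=.example.com"]
SUCCESS_SAMPLE = ["SMSESSION=CONSTRUCTED; path=/; domain=.example.com; Secure"]

if __name__ == "__main__":
    for sample in (COMPAT_SAMPLE, FAILED_LOGIN_SAMPLE, SUCCESS_SAMPLE):
        print(assess_fcc_response(sample))
```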
- It will allow you to run Policy Server with the CA Adapter :
Arcot Auth Scheme not returning to Target after Authentication
For CA Single Sign-On Policy Server to work with the Adapter, certain
Agent Configuration Object parameters need to be configured;
otherwise we will see the above behavior.
FCCCompatMode Yes
https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=109017
Configuring CA Single Sign-On Policy Server
To configure CA Single Sign-On Policy Server to integrate with CA
Adapter, perform the following steps (on the system hosting CA
Single Sign-On Policy Server).
| Parameter | Value |
|---------------+-------|
| FCCCompatMode | Yes |
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/advanced-authentication/9-1/installing/ca-adapter-installation/configuring-ca-single-sign-on-policy-server.html
- It will allow compatibility between 4.x agent and the other
versions above :
Use FCCs and NTCs in a Mixed Environment
FCC Compatibility Mode
Use FCC Compatibility Mode to help FCCs and NTCs to operate with
4.x Web Agents. Enable the FCCCompatMode agent configuration
parameter (FCCCompatMode="Yes") so that an r5.x, r6.x, or current
version of the FCC/NTC can serve up forms for resources that are
protected by 4.x agents or third-party applications.
For traditional Web Agents, the FCCCompatMode parameter is enabled
by default. Framework Agents have the FCCCompatMode parameter
disabled by default.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/forms-authentication/using-credential-collectors-between-4-x-type-and-newer-type-agents.html
- It will allow compatibility with Web Agents running on
Domino Web Server :
Framework and Traditional Agent Architectures
Traditional agents are installed on the following web servers:
Domino (all supported versions)
Framework Agents are installed on the following web servers:
Microsoft Internet Information Services (IIS) 7.0, 7.5
Apache 2.0.54, 2.2.x, and other Apache 2.0-based servers, such as
the IBM HTTP Server and the HP Apache server
Oracle iPlanet Web Server versions 6.1 and above
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/web-agent-configuration/web-agents-overview/framework-and-traditional-agent-architectures.html