After installing the SDK, the SM Test Tool included with it is used
to run tests for a custom authentication scheme from the same box.
Host registration completed correctly (using smreghost, which
generated an SmHost.conf), but connecting to the Policy Server with
the SmHost.conf from registration fails with the following error:
"Cannot obtain host configuration information using specified
SmHost.conf file"
The smps.log shows the following:
[25/12/2017][14:29:55][1234][1092][CServer.cpp:2058][CAgentMessageHandler::DoWork]
[10.10.10.10][63940][New connection attempt from client host]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1842][GetSecretFunc]
[Getting current secret for the Agent testtoolhost]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1899][GetSecretFunc]
[Getting previous secret for the Agent testtoolhost]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1905][GetSecretFunc]
[Error while fetching previous secret for the Agent testtoolhost]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1948]
[LogMessage:ERROR: Bad security handshake attempt. Handshake error: 3154]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1959]
[LogMessage:ERROR: Handshake error: Shared secret incorrect for this client]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:2121]
[LogMessage:ERROR: Failed handshake with 10.10.10.10:63940]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:2127][CAgentMessageHandler::DoWork]
[10.10.10.10][63940]
[Handshake error with trusted host testtoolhost with IP 10.10.10.10 on Port No 63940]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:3054]
[CAgentMessageHandler::HandleClose][10.10.10.10][63940][Ending client session #215758]
When testing from the Policy Server SM Test Tool using the same
SmHost.conf, it works.
SDK R12.52 SP1
This error happens because the SDK installer does not automatically
install the CAPKI libraries, which the SM Test Tool needs. It works
on the Policy Server because the Policy Server installer installs the
CAPKI libraries. For the same reason it works on any machine that has
an installed component which installs the CAPKI libraries, such as the
Web Agent or Access Gateway (SPS). For the SDK, see the known issue
referenced in (1).
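The failure signature in the smps.log excerpt above can be pulled out of a larger log with a short script. This is an added example, not part of the original article or the product; it assumes the third and fourth bracketed fields are process and thread IDs, and the second connection in the sample is constructed.

```python
import re

# Records copied from the excerpt above, wrapped the same way; the second
# connection (thread 2044, 10.10.10.20) is constructed to show interleaving.
SAMPLE = """\
[25/12/2017][14:29:55][1234][1092][CServer.cpp:2058][CAgentMessageHandler::DoWork]
[10.10.10.10][63940][New connection attempt from client host]
[25/12/2017][14:29:55][1234][2044][CServer.cpp:2058][CAgentMessageHandler::DoWork]
[10.10.10.20][50112][New connection attempt from client host]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1948]
[LogMessage:ERROR: Bad security handshake attempt. Handshake error: 3154]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:1959]
[LogMessage:ERROR: Handshake error: Shared secret incorrect for this client]
[25/12/2017][14:29:55][1234][1092][CServer.cpp:2127][CAgentMessageHandler::DoWork]
[10.10.10.10][63940]
[Handshake error with trusted host testtoolhost with IP 10.10.10.10 on Port No 63940]
"""

RECORD_START = re.compile(r"^\[\d{2}/\d{2}/\d{4}\]\[\d{2}:\d{2}:\d{2}\]", re.M)
FIELD = re.compile(r"\[([^\[\]]*)\]")
CODE = re.compile(r"Handshake error: (\d+)")
REASON = re.compile(r"Handshake error: (\D.*)")
FAILED = re.compile(r"Handshake error with trusted host (\S+) with IP (\S+) on Port No (\d+)")

def records(text):
    """Yield (date, time, pid, tid, message) per record, rejoining wrapped lines."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        f = FIELD.findall(" ".join(text[begin:end].split()))
        if len(f) >= 5:  # date, time, pid, tid, source file:line, then message fields
            yield f[0], f[1], f[2], f[3], " ".join(f[5:])

def failed_handshakes(text):
    """Return one entry per failed handshake, correlated per (pid, tid)."""
    pending, failures = {}, []
    for date, time, pid, tid, msg in records(text):
        # Assumption: fields 3 and 4 are process and thread IDs, so they key one connection.
        state = pending.setdefault((pid, tid), {})
        if "New connection attempt" in msg:
            state.clear()
        elif m := CODE.search(msg):
            state["code"] = m.group(1)
        elif m := REASON.search(msg):
            state["reason"] = m.group(1)
        elif m := FAILED.search(msg):
            failures.append({"time": f"{date} {time}", "host": m.group(1), "code": state.get("code"),
                             "client": f"{m.group(2)}:{m.group(3)}", "reason": state.get("reason")})
            state.clear()
    return failures
```

When the reported trusted host is an SDK-only machine and the same SmHost.conf works elsewhere, check for the missing CAPKI libraries before re-registering the host.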
In order to solve this, install the CAPKI (formerly ETPKI) libraries
manually by using the installer included in the SDK path:
<SDK_install_path>/etpki-install (for 32 bit)
<SDK_install_path>/etpki-install-64 (for 64 bit)
From that directory, run the included setup tool as follows:
setup install caller=smtesttool instdir=<install_path>
Where install_path is the installation directory for the CAPKI
libraries. Optionally, specify the verbose parameter so that some
output files show up to signal when the process is finished, as the
setup tool is a silent installer.
On Linux, the following optional parameter enables setting
environment variables for the specified users:
env=<none|user|all>
none: do not set environment variables (default; it may require root
privileges depending on the installation directory)
user: current user only ($HOME/.profile)
all: all users (to use this, the login must be root).
Note:
If /etc/profile should not be updated as part of CAPKI installation
(with env=all option), then Update_Profile=0 should be set in the
environment before the installation of CAPKI.
After the command is triggered, a tmp folder is created in the
destination path and remains until the installation finishes. A log
file is written to the Windows temp folder (%TEMP%/capki_install.log)
or, on Linux, to the /tmp folder (/tmp/capki_install.log). When the
installation has finished, Windows requires a restart of the machine
so that the new registry entries are loaded.
(1)
Known Issues for the SDK
Installation of ETPKI Libraries
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/known-issues/known-issues-for-the-sdk.html