
CA API Gateway - "Authenticate Against CA Single Sign-On" assertion is not working


Article ID: 190188


Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

We are using CA Single Sign-On and CA API Gateway to enable federation-based SSO for one of the vendor-hosted applications. But for some reason, the "Authenticate Against CA Single Sign-On" API Gateway assertion is unable to authenticate/validate the SMSESSION.

"Unable to authenticate user using SSO Token"

I have checked the Policy Server logs, but I couldn't find any errors in smps.log and smtracedefault.log.

Environment

Release : 9.3

Component : API GTW ENTERPRISE MANAGER

Cause

An encryption mismatch between COMPAT mode {RC2} and FIPS Only mode {AES}; in CA Single Sign-On terms, the environment is running in MIGRATION mode.

The issue occurs in MIGRATION mode, which is a cross between FIPS (FIPS 140-2 is a US government computer security standard; encryption uses AES) and COMPAT (RSA Security's BSAFE crypto.jar; encryption uses RC2).

A Gateway in MIGRATION mode with the SSO SDK version named below does not handle mixed encryption of the agent keys:

In MIGRATION mode the Gateway sets up its trusted host in FIPS mode {AES}.

The SPS (Secure Proxy Server) agent is also in MIGRATION mode, as its log shows:

[Tue Feb 25 2020 08:12:36] FIPS 140 Cryptographic Mode is migration.

The SPS agent creates the SMSESSION, and the agent keys are stored in the key store in COMPAT mode {RC2}. The Gateway attempts only one of the two algorithms when reading the cookie, so it cannot decode the SMSESSION and the assertion fails.

Resolution

Update the SSO SDK on the Gateway to CA_SSO_SDK_Compact_v12.52.01.09.L7P. After the update, /opt/CA/sdk/install_config_info/ca-sdk-version.info reports the new build:

# more ca-sdk-version.info
ProductName=CA SiteMinder SDK
FullVersion=12.52.109.2614
Location=/opt/CA/sdk

This version makes a second pass when reading the SMSESSION cookie: it first tries {RC2} and then {AES}, so a cookie created by a COMPAT-mode agent is accepted by a Gateway whose trusted host was set up in FIPS mode.

Additional Information


The request failure "Unable to authenticate user using SSO Token" can occur for a number of different reasons; this KB covers one of them.

Steps to check whether this KB applies

First, get the version of the SSO SDK used by the Gateway. If it is 12.52.104.2032, this KB could apply:

/opt/CA/sdk/install_config_info/ca-sdk-version.info

# more ca-sdk-version.info
ProductName=CA SiteMinder SDK
FullVersion=12.52.104.2032
Location=/opt/CA/sdk


Second, raise the SSO logging level on the Gateway. If the logged reason is "Unable to decode ssotoken + 44wWzOEChx…….UZyMq", this KB could apply.

Set the ssg log severity threshold to FINE in the log sink properties window, and add the siteminder line to the log.level cluster-wide property so that the reason the SSO token failed is written to the log:

com.l7tech.level = FINE
com.ca.siteminder.level = FINE

Then look for the following entry; if the ssotoken could not be decoded, this KB could apply:

2020-04-20T19:52:34.515+0000 FINE    320 com.ca.siteminder.SiteMinderLowLevelAgent: Unable to decode ssotoken + 44wWzOEChx…….UZyMq
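The two checks above combined into one triage script. This is an added example, not Broadcom's or this KB's own code: the version files and the ssg log excerpt it reads are constructed inline from the listings in this article (written to a temporary directory), the function names are the example's own, and it assumes only that ca-sdk-version.info keeps its FullVersion= line and that the FINE-level decode failure is logged by com.ca.siteminder.SiteMinderLowLevelAgent in the form shown above.

```sh
#!/bin/sh
# Triage helper for KB 190188 (added example, not Broadcom's code).
# Two indicators from the article decide whether the RC2/AES MIGRATION-mode
# mismatch is a plausible cause of "Unable to authenticate user using SSO Token":
#   1. the Gateway's SSO SDK is the affected build 12.52.104.2032
#   2. the ssg log (at FINE) shows "Unable to decode ssotoken"
# Function names are this example's own; the sample files below are constructed.

AFFECTED_SDK_VERSION="12.52.104.2032"   # SDK build this KB applies to
FIXED_SDK_VERSION="12.52.109.2614"      # build shipped by CA_SSO_SDK_Compact_v12.52.01.09.L7P

# Print the FullVersion= value from a ca-sdk-version.info file (empty if absent).
sdk_version() {
    sed -n 's/^FullVersion=//p' "$1" | tr -d '\r' | head -n 1
}

# Succeed only when the SDK on the Gateway is the affected build.
sdk_is_affected() {
    [ "$(sdk_version "$1")" = "$AFFECTED_SDK_VERSION" ]
}

# Count FINE-level SiteMinder lines reporting a failed SMSESSION decode.
# grep -c exits 1 when the count is 0; "|| true" keeps that from being an error.
decode_failures() {
    grep -c 'FINE .*com\.ca\.siteminder\.SiteMinderLowLevelAgent: Unable to decode ssotoken' "$1" || true
}

# Succeed when both indicators are present: affected SDK and at least one decode failure.
kb_applies() {
    sdk_is_affected "$1" && [ "$(decode_failures "$2")" -gt 0 ]
}

# --- constructed sample inputs, mirroring the listings in this article ---
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/affected.info" <<'EOF'
ProductName=CA SiteMinder SDK
FullVersion=12.52.104.2032
Location=/opt/CA/sdk
EOF

cat > "$SAMPLE_DIR/fixed.info" <<'EOF'
ProductName=CA SiteMinder SDK
FullVersion=12.52.109.2614
Location=/opt/CA/sdk
EOF

# Constructed ssg log excerpt: one unrelated line, the FINE decode failure from
# the article (token elided as in the article), and the resulting assertion failure.
cat > "$SAMPLE_DIR/ssg.log" <<'EOF'
2020-04-20T19:52:34.100+0000 INFO    320 com.l7tech.server: constructed unrelated line
2020-04-20T19:52:34.515+0000 FINE    320 com.ca.siteminder.SiteMinderLowLevelAgent: Unable to decode ssotoken + 44wWzOEChx.......UZyMq
2020-04-20T19:52:34.520+0000 WARNING 320 com.l7tech.server: Unable to authenticate user using SSO Token
EOF

# Verdict for the constructed data. On a real Gateway pass
# /opt/CA/sdk/install_config_info/ca-sdk-version.info and the ssg log instead.
for info in affected.info fixed.info; do
    if kb_applies "$SAMPLE_DIR/$info" "$SAMPLE_DIR/ssg.log"; then
        echo "$info: KB 190188 likely applies (SDK $(sdk_version "$SAMPLE_DIR/$info"), $(decode_failures "$SAMPLE_DIR/ssg.log") decode failure(s)); update to $FIXED_SDK_VERSION"
    else
        echo "$info: indicators do not match this KB (SDK $(sdk_version "$SAMPLE_DIR/$info"))"
    fi
done
```

The version check alone is not enough: the affected build only fails when the cookie was created under COMPAT-mode {RC2} keys, which is why the script requires the FINE-level decode failure as well before it reports a match.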