Policy server not able to connect with webservices instance

Article ID: 197525

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

 

We're running an SDK Custom Agent, and when the Custom Agent tries to connect to
the Policy Server, the Policy Server reports this error:

  [1321870/140395184142080][Mon Aug 10 2020 17:02:51][CServer.cpp:2121][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154

  [1321870/140395184142080][Mon Aug 10 2020 17:02:51][CServer.cpp:2132][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client

  [1321870/140395184142080][Mon Aug 10 2020 17:02:51][CServer.cpp:2293][ERROR][sm-Server-01070] Failed handshake with 127.0.0.1:39769

How can we fix this?

 

Cause

 

The Custom Agent appears to have a problem handling the data from
SmHost.conf:

SystemOut.log

  2020-08-10 17:21:38,200 34 [TRACE] - - 1ms SiteMinderAdapter SiteMinderAdapter[578].getSmHostConfig(): smhost_config = '/opt/CA/sdkagent/conf/SmHost.conf'

  2020-08-10 17:21:38,200 34 [TRACE] - - 1ms SiteMinderAdapter SiteMinderAdapter[580].getSmHostConfig(): EXIT = /opt/CA/sdkagent/conf/SmHost.conf

  2020-08-10 17:21:38,203 34 [ERROR] - - 125ms SiteMinderAdapter SiteMinderAdapter[218].createAgentApi(): GetConfig failed for '/opt/CA/sdkagent/conf/SmHost.conf': FAILURE [-1]

  2020-08-10 17:21:38,204 34 [TRACE] - - 0ms SiteMinderAdapter SiteMinderAdapter[587].cleanup(): ENTER: ()

  2020-08-10 17:21:38,208 34 [TRACE] - - 5ms SiteMinderAdapter SiteMinderAdapter[596].cleanup(): EXIT = [void]

  2020-08-10 17:21:38,209 34 [TRACE] - - 133ms SiteMinderAdapter SiteMinderAdapter[220].createAgentApi(): EXCEPTION: IOException(nullGetConfig failed for '/opt/CA/sdkagent/conf/SmHost.conf': FAILURE [-1])

There is a known issue in SDK 12.8, fixed in 12.8SP2, in which a class
used for shared secret and FIPS handling is missing:

  Defects Fixed in 12.8.02

  SDK

    01184735, 01212552 DE383871 smagentapi.jar from SDK does not include
    the com.ca.siteminder.sdk.agentapi.Util

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/release-notes/service-packs/defects-fixed-in-12-8-02.html#concept.dita_3ed653d7ea138f8a8fc56e1c1cd65988d2e2c889_SDK
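
The check below is an added example, not Broadcom's code and not part of the original article: it tests whether a given smagentapi.jar contains the class named in DE383871 and relates the result to the Policy Server handshake errors quoted above. The jar entry path is derived from the class name on this page; the function names, verdict strings and in-memory sample jars are constructed for illustration.

```python
import io
import re
import zipfile

# Jar entry for the class named in DE383871, and the Policy Server message
# codes from the log excerpt; both are taken from this page.
UTIL_ENTRY = "com/ca/siteminder/sdk/agentapi/Util.class"
HANDSHAKE_CODES = ("sm-Tunnel-00010", "sm-Tunnel-00050", "sm-Server-01070")
PEER_RE = re.compile(r"Failed handshake with (\S+):\d+")

# Log excerpt copied from this page, hard-wrapped as it appears there.
SAMPLE_LOG = """\
[1321870/140395184142080][Mon Aug 10 2020
17:02:51][CServer.cpp:2132][ERROR][sm-Tunnel-00050] Handshake error:
Shared secret incorrect for this client
[1321870/140395184142080][Mon Aug 10 2020
17:02:51][CServer.cpp:2293][ERROR][sm-Server-01070] Failed handshake
with 127.0.0.1:39769
"""


def make_jar(entries):
    """Build a constructed in-memory jar (a zip) holding the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf


def jar_has_util_class(jar):
    """True if the jar (path or file object) contains the Util class entry."""
    with zipfile.ZipFile(jar) as zf:
        return UTIL_ENTRY in zf.namelist()


def handshake_failures(log_text):
    """Return (message codes seen, peer addresses) from Policy Server log text."""
    flat = " ".join(log_text.split())  # undo hard wrapping before matching
    codes = [c for c in HANDSHAKE_CODES if c in flat]
    return codes, sorted(set(PEER_RE.findall(flat)))


def triage(log_text, jar):
    """Classify a shared-secret handshake failure against the jar contents."""
    codes, peers = handshake_failures(log_text)
    if "sm-Tunnel-00050" not in codes:
        return "no-shared-secret-error", peers
    verdict = "other-cause" if jar_has_util_class(jar) else "jar-missing-util-class"
    return verdict, peers
```

On a real host, pass the path of the deployed smagentapi.jar and the text of the Policy Server log in place of the constructed inputs; an "other-cause" verdict means the class is present, so the defect described here does not explain the handshake failure.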

 

Environment

 

  Policy Server 12.8SP0 on RedHat 7;
  SDK 12.8SP0 on RedHat 7;

 

Resolution

 

  Upgrade the SDK to 12.8SP4 to fix this issue.