
Error: unable to decode SMSESSION cookie in Pure JavaAgent API


Article ID: 201970


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



A 12.52 Apache regular Web Agent generates an SMSESSION cookie. When that cookie is passed to a 12.8 SDK Agent (4.x agent configuration), the SDK Agent cannot decode it.

However, the same SDK Agent can generate its own cookie and decode it. Setting accepttpcookie to yes is not an option, since there is no ACO on the 4.x Agent side.

Both Agents are connected to the same Policy Server. The SDK Agent is connected to Policy Server with initialization success.

The only error seen is:

   Decode SSO Token.........................:      -1 (FAILURE)

When java debug is turned on:

  16:45:48.834 [main] SMTRACE: SmAgentApiManagementImpl, decrypt, Input = EipPJHaMNgTeEmVV0....UYx8ndHMc
  16:45:48.837 [main] SMERROR: LegacyAgentApiAdapter, decodeSSOToken, Failed: Reason: -1 Failed to decrypt an SSO token.
   at netegrity.siteminder.javaagent.AgentAPI.decodeSSOToken(smagentapi_obfsc:1586)
   at JavaTestClient.main(
  Decode SSO Token.........................:      -1 (FAILURE)



SDK 12.8




The out-of-the-box 12.8 SDK kit does not have proper Pure Java Agent API examples.




First of all, the 12.52 Web Agent, the SDK Agent, and the Policy Server should all be running in the same FIPS mode.

The default package did NOT use the Pure Java Compiler; it used the JNI Agent API.

On top of that, with the Pure Java Compiler, a few additional jars are required for this to be fully functional.

Two changes need to be made:


   javac -classpath ../../properties:../../java/smagentapi.jar:../../java/smjavasdk2.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.1.jar

   java $JVMMODE -Djava.library.path=../../bin64 -classpath .:../../properties:../../java/smjavasdk2.jar:../../java/smagentapi.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.1.jar JavaTestClient

With the above changes, the Java Agent should be able to decode the regular Web Agent SMSESSION.
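One way to check a build or run classpath against the jars named in the two commands above, as an added example that is not part of the SDK or the original article. The function names are hypothetical; the jar names are the ones shown in the commands.

```shell
#!/bin/sh
# Added example, not part of the SiteMinder SDK: preflight check for the
# classpath used to build and run a Pure Java Agent API client.
# Jar names are the ones in the article's javac/java commands.
REQUIRED_JARS="smagentapi.jar smjavasdk2.jar smcrypto.jar bc-fips-1.0.1.jar"

# Print the required jars that are not named anywhere on the classpath.
missing_from_classpath() (
    cp=":$1:"
    missing=""
    for jar in $REQUIRED_JARS; do
        case "$cp" in
            *"/$jar:"* | *":$jar:"*) ;;   # named, with or without a directory
            *) missing="$missing $jar" ;;
        esac
    done
    echo "${missing# }"
)

# Print classpath entries ending in .jar that are not readable files,
# resolved from the current directory (typo or wrong SDK path).
unreadable_jars() (
    bad=""
    set -f        # do not glob-expand classpath entries
    IFS=:
    for entry in $1; do
        case "$entry" in
            *.jar) [ -r "$entry" ] || bad="$bad $entry" ;;
        esac
    done
    echo "${bad# }"
)

# Return 0 only when every required jar is named and every jar entry resolves.
check_classpath() {
    m=$(missing_from_classpath "$1")
    u=$(unreadable_jars "$1")
    [ -z "$m" ] || echo "missing from classpath: $m" >&2
    [ -z "$u" ] || echo "not readable: $u" >&2
    [ -z "$m" ] && [ -z "$u" ]
}

# Usage: sh check_cp.sh "<classpath string from the build or run script>"
if [ $# -gt 0 ]; then check_classpath "$1"; fi
```

Run it from the directory the build and run scripts execute in, so that the relative `../../java/` entries resolve the same way they do for `javac` and `java`.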

To log additional tracing information to debug problems when using the Pure Java Agent API, add the following parameter to the JVM (1):


   java myClass

Note: This parameter is not applicable for the JNI-based Agent API.


Additional Information



    Programming in Java