
Error: unable to decode SMSESSION cookie in Pure JavaAgent API


Article ID: 201970


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

A regular 12.52 Apache Web Agent generates an SMSESSION cookie. When that cookie is passed to a 12.8 SDK Agent (4.x agent configuration), the SDK Agent cannot decode it.

However, the same SDK Agent can generate its own cookie and decode it. Setting accepttpcookie to yes cannot be used, since there is no ACO on the 4.x Agent side.

Both Agents are connected to the same Policy Server. The SDK Agent connects to the Policy Server and initializes successfully.

The only error seen is:

   Decode SSO Token.........................:      -1 (FAILURE)

When java debug is turned on:

  16:45:48.834 [main] SMTRACE: SmAgentApiManagementImpl, decrypt, Input = EipPJHaMNgTeEmVV0....UYx8ndHMc
  16:45:48.837 [main] SMERROR: LegacyAgentApiAdapter, decodeSSOToken, Failed: Reason: -1
  com.ca.siteminder.sdk.agentapi.management.SmAgentApiManagementException: Failed to decrypt an SSO token.
   at com.ca.siteminder.sdk.agentapi.management.b.a(smagentapi_obfsc:834)
   at com.ca.siteminder.sdk.agentapi.e.a(smagentapi_obfsc:656)
   at com.ca.siteminder.sdk.agentapi.a.decodeSSOToken(smagentapi_obfsc:1762)
   at netegrity.siteminder.javaagent.AgentAPI.decodeSSOToken(smagentapi_obfsc:1586)
   at JavaTestClient.main(JavaTestClient.java:357)
  Decode SSO Token.........................:      -1 (FAILURE)

Cause

 

The out-of-the-box 12.8 SDK kit does not include proper Pure Java Agent API examples.

 

Environment

 

SDK 12.8

 

Resolution

 

First of all, the 12.52 Web Agent, the SDK Agent, and the Policy Server should all be running in the same FIPS mode.

The JavaTestClient.java packaged by default was NOT using the Pure Java Compiler; it was using the JNI Agent API.

On top of that, with the Pure Java Compiler, a few additional jars are required for this to be fully functional.

Two changes need to be made:

1. java-build.sh

   javac -classpath ../../properties:../../java/smagentapi.jar:../../java/smjavasdk2.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.1.jar JavaTestClient.java
 
2. java-run.sh

   ....
   java $JVMMODE -Djava.library.path=../../bin64 -classpath .:../../properties:../../java/smjavasdk2.jar:../../java/smagentapi.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.1.jar JavaTestClient

With the above changes, the Java Agent should be able to decode the regular Web Agent SMSESSION.
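
A preflight check for the two script changes above, as an added example that is not part of the original article or the SDK: it verifies that the four jars named in the classpath are both listed and present on disk before javac or java is run. The function name check_agent_classpath is an assumption; the jar names are the ones shown in the article.

```shell
#!/bin/sh
# Added example (not SDK code): preflight check for the -classpath value
# used by java-build.sh / java-run.sh. Jar names are taken from the article;
# the function name is hypothetical.

REQUIRED_JARS="smagentapi.jar smjavasdk2.jar smcrypto.jar bc-fips-1.0.1.jar"

# check_agent_classpath CLASSPATH
# Prints one line per problem. Returns 0 when every required jar is listed
# on the classpath and the listed file exists, 1 otherwise.
check_agent_classpath() {
    cp_value=$1
    status=0
    for jar in $REQUIRED_JARS; do
        found=""
        # Split the classpath on ':' and restore IFS afterwards.
        old_ifs=$IFS
        IFS=:
        for entry in $cp_value; do
            case "$entry" in
                "$jar"|*/"$jar") found=$entry; break ;;
            esac
        done
        IFS=$old_ifs
        if [ -z "$found" ]; then
            echo "MISSING from classpath: $jar"
            status=1
        elif [ ! -f "$found" ]; then
            echo "NOT FOUND on disk: $found"
            status=1
        fi
    done
    return $status
}
```

Source this from java-run.sh and call check_agent_classpath with the same string that is passed to -classpath, aborting the run if it returns non-zero.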

 
To log additional tracing information to debug problems when using the Pure Java Agent API, add the following parameter to the JVM (1):

   com.ca.siteminder.sdk.agentapi.enableDebug=true

Example:

   java -Dcom.ca.siteminder.sdk.agentapi.enableDebug=true myClass

Note: This parameter is not applicable for the JNI-based Agent API.

 

Additional Information

 

(1) Programming in Java