
JavaAgent API unable to decode SMSESSION cookie


Article ID: 201970


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

A regular 12.52 Apache web agent generates an SMSESSION cookie. When that cookie is passed to a 12.8 SDK agent (4.x agent configuration), the SDK agent cannot decode it.
However, the same SDK agent is able to generate its own cookie and decode it. The (accepttpcookie=yes) setting cannot be used, since there is no Agent Configuration Object (ACO) on the 4.x agent side.
Both agents are connected to exactly the same policy server, and the SDK agent initializes successfully against it.

The only error you get is:
Decode SSO Token.........................:      -1 (FAILURE)

If java debug is turned on:

16:45:48.834 [main] SMTRACE: SmAgentApiManagementImpl, decrypt, Input = EipPJHaMNgTeEmVV0....UYx8ndHMc
16:45:48.837 [main] SMERROR: LegacyAgentApiAdapter, decodeSSOToken, Failed: Reason: -1
com.ca.siteminder.sdk.agentapi.management.SmAgentApiManagementException: Failed to decrypt an SSO token.
        at com.ca.siteminder.sdk.agentapi.management.b.a(smagentapi_obfsc:834)
        at com.ca.siteminder.sdk.agentapi.e.a(smagentapi_obfsc:656)
        at com.ca.siteminder.sdk.agentapi.a.decodeSSOToken(smagentapi_obfsc:1762)
        at netegrity.siteminder.javaagent.AgentAPI.decodeSSOToken(smagentapi_obfsc:1586)
        at JavaTestClient.main(JavaTestClient.java:357)
Decode SSO Token.........................:      -1 (FAILURE)

 

Cause

The 12.8 SDK kit does not include proper pure Java Agent API examples out of the box.

Environment

Release : 12.8

Component : SITEMINDER -SDK

Resolution

First of all, the 12.52 web agent, the SDK agent, and the policy server should all be running in exactly the same FIPS mode.

The default JavaTestClient.java as packaged was NOT built as pure Java; it was using the JNI Agent API.
On top of that, a pure Java build requires a few additional JARs in order to be fully functional.
Two changes to be made:

1. java-build.sh
javac -classpath ../../properties:../../java/smagentapi.jar:../../java/smjavasdk2.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.1.jar JavaTestClient.java
 
2. java-run.sh
....
java $JVMMODE -Djava.library.path=../../bin64 -classpath .:../../properties:../../java/smjavasdk2.jar:../../java/smagentapi.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.1.jar JavaTestClient
With the above changes, you should be able to decode the SMSESSION cookie generated by the regular agent.
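An added preflight check, not part of the SDK kit or the original article: it verifies that a classpath string names all four JARs from the commands above and that each named file exists. The function name `check_sdk_classpath` and its optional base-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not SDK code): verify the classpath used by java-build.sh /
# java-run.sh before chasing a "Failed to decrypt an SSO token" error.
# JAR names are the ones listed in this article; check_sdk_classpath is a
# hypothetical helper name.

REQUIRED_JARS="smagentapi.jar smjavasdk2.jar smcrypto.jar bc-fips-1.0.1.jar"

# check_sdk_classpath CLASSPATH [BASEDIR]
# Prints one line per problem. Returns 0 only when every required JAR is
# named in CLASSPATH and the named file exists (relative entries are
# resolved against BASEDIR, default ".").
check_sdk_classpath() {
    classpath=$1
    base=${2:-.}
    rc=0
    set -f                          # do not glob-expand classpath entries
    for jar in $REQUIRED_JARS; do
        found=""
        old_ifs=$IFS
        IFS=:                       # classpath entries are colon-separated
        for entry in $classpath; do
            case $entry in
                "$jar"|*/"$jar") found=$entry; break ;;
            esac
        done
        IFS=$old_ifs
        if [ -z "$found" ]; then
            echo "MISSING from classpath: $jar"
            rc=1
            continue
        fi
        case $found in
            /*) path=$found ;;          # absolute entry
            *)  path=$base/$found ;;    # relative entry
        esac
        if [ ! -f "$path" ]; then
            echo "NOT FOUND on disk: $path"
            rc=1
        fi
    done
    set +f
    return $rc
}
```

Source this file from the sample directory and call `check_sdk_classpath` with the same `-classpath` value passed to `javac` or `java`.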
 
To log additional tracing information to debug problems when using the Pure Java Agent API, add the following parameter to the JVM:
  com.ca.siteminder.sdk.agentapi.enableDebug=true
Example:
  java -Dcom.ca.siteminder.sdk.agentapi.enableDebug=true myClass
Note: This parameter is not applicable for the JNI-based Agent API.
 

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/sdks/programming-in-java.html