A2A client Java sample Example.java reports null password

Article ID: 214729

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

You compiled the Java Example class and are trying to run it on a Linux/AIX server. The output shows that the server returned code 400, suggesting that the call into PAM to retrieve the password succeeded, but the password shows as "null", similar to the following:

> ./run_java_sample.sh mypamaccountalias
Status Code: 400
UsedId:      mypamaccount
Password:    null

 

The same sample code works fine on another server, for which you defined an A2A mapping for the same target account, and the correct password is retrieved.

Environment

Affects A2A clients published with PAM 4.2.1 and below.

Cause

The Java version used on the Linux/AIX server was incompatible with the A2A client libraries, cspmclient.jar and cwjcafips.jar. Specifically, the cwjcafips.jar file was signed with SHA1 and didn't pass signed JAR validation.

Resolution

Upgrade the A2A client to a version published with PAM 4.2.2 or newer. Since PAM 4.2.2, the cwjcafips.jar file is signed with a SHA-256 certificate. Note that any currently available A2A version is compatible with any current PAM release.

Alternatively, if your application allows it, use the JRE that the PAM A2A client installs. The Java executable would be $CSPM_CLIENT_HOME/cspmclient_thirdparty/java/bin/java.

Additional Information

Another possible workaround is to edit the installed Java's lib\security\java.security file, find the parameter "jdk.jar.disabledAlgorithms", and remove SHA1 (typically "SHA1 denyAfter 2019-01-01") from the disabled algorithms list.
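
To see whether a given JRE would reject the SHA1-signed cwjcafips.jar described under Cause, or to confirm what the java.security workaround changed, the following added example (not Broadcom's code; the function names and the sample file are constructed for illustration) reads jdk.jar.disabledAlgorithms and reports the SHA1 policy:

```shell
#!/bin/sh
# Added example: helper names and the sample file below are constructed.

# Print the value of jdk.jar.disabledAlgorithms from a java.security file,
# joining backslash-continued lines (the last definition in the file wins).
jar_disabled_algs() {
    awk '
        !inprop && /^[ \t]*#/ { next }
        !inprop && /^[ \t]*jdk\.jar\.disabledAlgorithms[ \t]*=/ {
            sub(/^[^=]*=/, ""); inprop = 1; val = ""
        }
        inprop {
            line = $0
            cont = (line ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "", line)
            val = val line
            if (!cont) { inprop = 0; result = val }
        }
        END {
            gsub(/[ \t]+/, " ", result); sub(/^ /, "", result); sub(/ $/, "", result)
            print result
        }
    ' "$1"
}

# Print how the JRE treats SHA1 in signed JARs: "allowed", "disabled", or
# "disabled-after YYYY-MM-DD" (JARs timestamped before that date still pass).
sha1_jar_policy() {
    jar_disabled_algs "$1" | tr ',' '\n' | awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        toupper($1) ~ /^SHA-?1$/ {
            found = 1
            for (i = 2; i < NF; i++)
                if ($i == "denyAfter") { print "disabled-after " $(i + 1); exit }
            print "disabled"; exit
        }
        END { if (!found) print "allowed" }
    '
}

# Constructed sample of a JRE policy that rejects a SHA1-signed cwjcafips.jar.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not copied from a real installation
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, SHA1 denyAfter 2019-01-01
EOF
echo "SHA1 in signed JARs: $(sha1_jar_policy "$sample")"
rm -f "$sample"
```

Pass the java.security file of the JRE that actually runs the sample. A result of "allowed" after the workaround means that JRE accepts SHA1-signed JARs from any source, not only cwjcafips.jar.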