Error: intermittent "Bad security handshake attempt" with the ERP Agent

Article ID: 227467

Updated On:

Products

CA Single Sign On Agents (SiteMinder) SITEMINDER

Issue/Introduction

 

When the ERP Agent for SAP initializes, it intermittently fails to
connect to the Policy Server. The Policy Server reports these errors:

    [2757/140476646450944][Tue Oct 12 2021 09:39:48][CServer.cpp:2121][ERROR]
    [sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154
    
    [2757/140476646450944][Tue Oct 12 2021 09:39:48][CServer.cpp:2132][ERROR]
    [sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
    
    [2757/140476646450944][Tue Oct 12 2021 09:39:48][CServer.cpp:2293][ERROR]
    [sm-Server-01070] Failed handshake with 10.0.0.1:26386

 

Cause

 

It seems that the SAP engine does not pick up the CAPKIHOME setting.
The ERP Agent cannot connect to the Policy Server because it lacks the
configuration needed to reach the CAPKI libraries, which handle
encryption of the connection with the Policy Server.

The CAPKIHOME environment variable is still missing:

std_server0.out

  started at  : Tue Oct 19 11:12:58 2021

  680.636: [GC (Allocation Failure) 680.645: [ParNew: 1178767K->174720K(1223040K), 
  2.5298077 secs] 1466367K->545712K(4019584K), 2.5382294 secs] 
  [Times: user=1.36 sys=0.18 real=2.54 secs] 

  Please check atleast one of the following conditions are met.
          *) Set CAPKIHOME environment variable. 

          *) Pass valid second parameter to etpki_lib_init function. Ex: 
             if the second parameter is /a/b/c/[lib]cryptocme2.[dll][so][sl], 
             it is assumed that /a/b/c has all the required CAPKI shared libraries 

However, the SAP server seems to ignore the configuration that was
supplied. SECUDIR is seen instead of CAPKIHOME:

sapstart.log

  Starting at 2021/10/19 11:12:36
  Startup Profile: "/usr/mysap/SERVER/SYS/profile/SAP_PROFILE"

  Setup Environment Variables
  ---------------------------
  (208126) SETENV DIR_LIBRARY=/usr/mysap/SERVER/J30/exe
  (208126) SETENV LD_LIBRARY_PATH=/usr/mysap/SERVER/J30/exe:/usr/mysap/SERVER/J30/exe:/usr/mysap/SERVER/SYS/exe/run:/usr/mysap/SERVER/SYS/exe/uc/linuxx86_64
  (208126) SETENV SHLIB_PATH=/usr/mysap/SERVER/J30/exe:
  (208126) SETENV LIBPATH=/usr/mysap/SERVER/J30/exe:
  (208126) SETENV PATH=/usr/mysap/SERVER/J30/exe:/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/usr/mysap/SERVER/SYS/exe/uc/linuxx86_64:/usr/mysap/SERVER/SYS/exe/run:/usr/sap/home/jedadm
  (208126) SETENV DB2_CLI_DRIVER_INSTALL_PATH=/usr/mysap/SERVER/J30/exe/db6_clidriver
  (208126) SETENV SECUDIR=/usr/mysap/SERVER/J30/sec

SAP_PROFILE :

  SETENV_00 = DIR_LIBRARY=$(DIR_LIBRARY)
  SETENV_01 = LD_LIBRARY_PATH=$(DIR_LIBRARY):%(LD_LIBRARY_PATH)
  SETENV_02 = SHLIB_PATH=$(DIR_LIBRARY):%(SHLIB_PATH)
  SETENV_03 = LIBPATH=$(DIR_LIBRARY):%(LIBPATH)
  SETENV_04 = PATH=$(DIR_EXECUTABLE):%(PATH)
  SETENV_05 = DB2_CLI_DRIVER_INSTALL_PATH=$(DIR_EXECUTABLE)/db6_clidriver
  SETENV_06 = CAPKIHOME=/mysaphome/siteminder/webasagent/sapwebas/CAPKI
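
One way to check this mismatch from the two files above, as an added example (not Broadcom or SAP code): the script lists variables that the profile defines through SETENV_nn lines but that sapstart.log never reports as set. The function names and the trimmed sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare SETENV_nn entries in an SAP profile with the
# SETENV lines that sapstart.log reports at startup.

# Names defined in the profile: "SETENV_06 = CAPKIHOME=/path" -> CAPKIHOME
profile_vars() {
    sed -n 's/^[[:space:]]*SETENV_[0-9][0-9]*[[:space:]]*=[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" |
        LC_ALL=C sort -u
}

# Names reported at startup: "(208126) SETENV SECUDIR=/path" -> SECUDIR
applied_vars() {
    sed -n 's/^[[:space:]]*([0-9][0-9]*)[[:space:]]*SETENV[[:space:]][[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" |
        LC_ALL=C sort -u
}

# Print the profile variables that never appear in the startup log.
# $1 = profile file, $2 = sapstart.log
missing_vars() {
    p=$(mktemp); a=$(mktemp)
    profile_vars "$1" > "$p"
    applied_vars "$2" > "$a"
    LC_ALL=C comm -23 "$p" "$a"
    rm -f "$p" "$a"
}

# Constructed sample input, trimmed from the listings in this article.
demo() {
    d=$(mktemp -d)
    cat > "$d/profile" <<'EOF'
SETENV_04 = PATH=$(DIR_EXECUTABLE):%(PATH)
SETENV_05 = DB2_CLI_DRIVER_INSTALL_PATH=$(DIR_EXECUTABLE)/db6_clidriver
SETENV_06 = CAPKIHOME=/mysaphome/siteminder/webasagent/sapwebas/CAPKI
EOF
    cat > "$d/sapstart.log" <<'EOF'
  (208126) SETENV PATH=/usr/mysap/SERVER/J30/exe:/usr/local/bin
  (208126) SETENV DB2_CLI_DRIVER_INSTALL_PATH=/usr/mysap/SERVER/J30/exe/db6_clidriver
  (208126) SETENV SECUDIR=/usr/mysap/SERVER/J30/sec
EOF
    missing_vars "$d/profile" "$d/sapstart.log"
    rm -rf "$d"
}

# With two arguments, check real files; otherwise run the sample.
if [ $# -eq 2 ]; then missing_vars "$1" "$2"; else demo; fi
```

Variables that appear only in the log, such as SECUDIR, are ignored because the check looks only for profile entries that were not applied.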

As a result, the ERP Agent reports that it cannot connect:

security_00.0.log

  #2.0#2021 10 19 11:25:23:958#+0200#Info#/System/Security#

  ##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000000032DBB#304935450000000004
  #sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule#Guest#0
  ##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
  #Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##

          Application Server:SiteMinder WebAS Agent
          Product Version:12.51 , 
          Product Label:211, 
          Product Update:0000  #

  #2.0#2021 10 19 11:25:24:125#+0200#Fatal#/System/Security#
  ##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000100032DBB#304935450000000004
  #sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.AgentConnectionHandler.initialize()
  #Guest#0##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
  #Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
  GetConfig method returned error. Check agentName & SmHost.conf file path is correct#

  #2.0#2021 10 19 11:25:24:128#+0200#Info#/System/Security#
  ##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000300032DBB#304935450000000004
  #sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.AgentConnectionHandler.initialize()
  #Guest#0##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
  #Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
  Return code from init():  -1#

  #2.0#2021 10 19 11:25:24:128#+0200#Fatal#/System/Security#
  ##ca.com~SiteMinderLoginModule#C0000A0B4AAD002D0000000400032DBB#304935450000000004
  #sap.com/irj#com.netegrity.siteminder.sap.webas.jaas.AgentConnectionHandler.initialize()
  #Guest#0##CF3E107D30BC11EC9502506B8DF4C0A3#cf3e107d30bc11ec9502506b8df4c0a3##0
  #Thread[HTTP Worker [@52971258],5,Dedicated_Application_Thread]#Plain##
  Agent initialization failed#

The Policy Server receives the connection requests, but there is a
problem with the shared secret, so the connection cannot complete:

smps.log :

  [2233/139891304294144][Tue Oct 19 2021 11:25:24][CServer.cpp:2121][ERROR]
  [sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3154

  [2233/139891304294144][Tue Oct 19 2021 11:25:24][CServer.cpp:2132][ERROR]
  [sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client

  [2233/139891304294144][Tue Oct 19 2021 11:25:24][CServer.cpp:2293][ERROR]
  [sm-Server-01070] Failed handshake with 10.0.0.1:14330

smtracedefault.log :

  [10/19/2021][11:25:24.124][11:25:24][2233][139890993895168][CServer.cpp:1956]
  [CAgentMessageHandler::HandleInput][][][][][][][][][][][][][][][10.0.0.1][14330]
  [][][][]
  [Enqueuing a High Priority Message, from IP 10.0.0.1 with Port No 14330. Current count is 1]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.124][11:25:24][2233][139891304294144][CServer.cpp:1514][ThreadPool::Run]
  [][][][][][][][][][][][][][][10.0.0.1][14330][][][][]
  [Dequeuing a High Priority message, from IP 10.0.0.1 with Port No 14330. Current count is 0]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000075][][][][]

  [10/19/2021][11:25:24.124][11:25:24][2233][139891304294144][CServer.cpp:2231]
  [CAgentMessageHandler::DoWork][][][][][][][][][][][][][][][10.0.0.1][14330][]
  [][][][New connection attempt from client host][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][]
 
  [10/19/2021][11:25:24.124][11:25:24][2233][139891304294144][CServer.cpp:1997]
  [GetSecretFunc][][][][][][][][][][][][][][][][][][][][]
  [Getting current secret for the Agent mysapagent][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.124][11:25:24][2233][139891304294144][SmObjCache.cpp:781]
  [CSmObjCache::Lookup][][][][][][][][][][][][][][][][][][][][][Look up a cached object.]
  [][][][][][][][][][][][][][][][][][24-0004f542-1233-1137-84a5-4b230a0b0000][][][]
  [][][][][][][][][][][][][][][][][]
 
  [10/19/2021][11:25:24.124][11:25:24][2233][139891304294144][CServer.cpp:2072]
  [GetSecretFunc][][][][][][][][][][][][][][][][][][][][]
  [Getting previous secret for the Agent mysapagent][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.124][11:25:24][2233][139891304294144][CServer.cpp:2078]
  [GetSecretFunc][][][][][][][][][][][][][][][][][][][][]
  [Error while fetching previous secret for the Agent mysapagent][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.129][11:25:24][2233][139891304294144][CServer.cpp:2121][][]
  [][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00010] 
  Bad security handshake attempt. Handshake error: 3154][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.129][11:25:24][2233][139891304294144][CServer.cpp:2132][][]
  [][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Tunnel-00050] 
  Handshake error: Shared secret incorrect for this client][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.129][11:25:24][2233][139891304294144][CServer.cpp:2293][][]
  [][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-01070] 
  Failed handshake with 10.0.0.1:14330][][][][][][][][][][][][][][][][][][][][]
  [][][][][][][][][][][][][][][][][][]

  [10/19/2021][11:25:24.129][11:25:24][2233][139891304294144][CServer.cpp:2299]
  [CAgentMessageHandler::DoWork][][][][][][][][][][][][][][][10.0.0.1][14330]
  [][][][][Handshake error with trusted host mysapagent with IP 10.0.0.1 on Port No 14330]
  [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

 

Environment

 

  - ERP Agent 12.51 on SAP 7.50 on RedHat 7
    (ca-erp-webas-12.51-rhas30-x86-64.bin)
    SAP and ERP Agent IP 10.0.0.1
    smwebas.home = /mysaphome/siteminder/webagent/sapwebas/conf/

  - Policy Server 12.8SP4 on RedHat 7
    Policy Server on 10.0.0.2 on RedHat
    JDK jdk8u265-b01

 

Resolution


- Contact SAP vendor support to find out why the CAPKIHOME
  configuration is not picked up by the SAP server at start time.