When an SDK Custom Agent tries to connect to the Policy Server, the agent reports the error:
SiteMinderAdapter SiteMinderAdapter[219].createAgentApi(): GetConfig failed for '/opt/CA/agent/conf/SmHost.conf': FAILURE [-1]
2023-03-16 06:42:32,979 57 [ERROR] - - 92186158ms SiteMinderAdapter CacheFlushThread[77].run(): java.io.IOException: GetConfig failed for '/opt/CA/agent/conf/SmHost.conf': FAILURE [-1]
and the Policy Server reports the error:
[5235/140657244632832][Thu Mar 16 2023 06:31:34.495][CServer.cpp:2146][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[5235/140657244632832][Thu Mar 16 2023 06:31:34.495][CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with 10.0.0.1:35238
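To see which clients are failing the handshake and why, the two Policy Server messages above can be paired and counted per client IP. This shell function is an added example, not part of the original article or of the product tooling; the sample lines (192.0.2.x addresses, second thread id) are constructed, and matching the two messages on the first bracketed field is an assumption.

```shell
#!/usr/bin/env bash
# Added example: count failed agent handshakes per client IP and reason.

# Constructed sample lines in the Policy Server log format shown above
# (192.0.2.x addresses and the second thread id are made up).
sample_log() {
cat <<'EOF'
[5235/140657244632832][Thu Mar 16 2023 06:31:34.495][CServer.cpp:2146][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[5235/140657244632832][Thu Mar 16 2023 06:31:34.495][CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with 192.0.2.10:35238
[5235/140657244632833][Thu Mar 16 2023 06:31:40.101][CServer.cpp:2146][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
[5235/140657244632833][Thu Mar 16 2023 06:31:40.101][CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with 192.0.2.10:35240
[5235/140657244632832][Thu Mar 16 2023 06:32:02.007][CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with 192.0.2.25:41200
EOF
}

# Reads a Policy Server log (file arguments or stdin) and prints
# "count<TAB>client-ip<TAB>reason", most frequent first.
failed_handshakes() {
  awk '
    # Assumption: the first bracketed field identifies the worker, so a
    # "Handshake error" line and the "Failed handshake" line after it match on it.
    { worker = substr($0, 2, index($0, "]") - 2) }
    /Handshake error: / {
      key = "Handshake error: "
      r = substr($0, index($0, key) + length(key))
      sub(/[ \t\r]+$/, "", r)      # tolerate trailing blanks or CR
      reason[worker] = r
      next
    }
    /Failed handshake with / {
      key = "Failed handshake with "
      peer = substr($0, index($0, key) + length(key))
      sub(/[ \t\r]+$/, "", peer)
      sub(/:[0-9]+$/, "", peer)    # drop the ephemeral source port
      why = (worker in reason) ? reason[worker] : "unknown"
      delete reason[worker]        # a reason is consumed by one failure only
      count[peer "\t" why]++
    }
    END { for (k in count) print count[k] "\t" k }
  ' "$@" | sort -k1,1nr -k2,2
}

sample_log | failed_handshakes
```

Pass the Policy Server log file as an argument to run it on real data; a client that repeatedly shows "Shared secret incorrect" is the one whose host registration needs to be redone.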
Policy Server 12.8SP7 on RedHat 7;
SDK 12.8SP7 on RedHat 7;
Objective: To verify the connection between the SDK Agent and the Policy Server.
Procedure:
Compile and run the sample SDK Custom Agent. Once the sample Agent works as expected, adapt the code of the SDK Custom Agent above to handle the connection the same way.
Compiling and running the Sample SDK Agent:
-> Install a JDK version;
-> Follow these steps to make the SDK Sample Agent work:
Navigate to /opt/CA/sdk/etpki-install
# ./setup install caller=01010101 instdir=/opt/CA/etpki veryverbose
[CAPKI] Parameters: mode=install, caller=01010101, instdir=/opt/CA/etpki, env=none, verbose=true
[CAPKI] This installer contains CAPKI Version 5.3.0
[CAPKI] Using user specified install directory
[CAPKI] Installation directory: /opt/CA/etpki/CAPKI
[CAPKI] Checking for Permissions
[CAPKI] Dir /opt/CA/etpki/ does not exist to check permission
[CAPKI] Proper permissions are set for installation directory
[CAPKI] Disk space is available
[CAPKI] Existing Version RV=1
[...omitted for brevity...]
[CAPKI] Making entry for file CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so in files.dat file
[CAPKI] Making entry for file CAPKI5/Linux/amd64/64/capki/log/liblog_api.so in files.dat file
[CAPKI] Making entry for file CAPKI5/Linux/amd64/64/capki/log/_capki_log.cfg in files.dat file
[CAPKI] Making entry for file CAPKI5/Linux/amd64/64/uninstaller in files.dat file
[CAPKI] Updated installed files log: /opt/CA/etpki/CAPKI/CAPKI5/Linux/amd64/64/files.dat
[CAPKI] CAPKI Install Successful, return Value is 0
# export CAPKIHOME=/opt/CA/etpki/CAPKI
# export PATH=${PATH}:/opt/jdk8u275-b01/bin
# cd /opt/CA/sdk/samples/smjavaagentapi
Modify the java-build.sh:
javac -classpath ../../properties:../../java/smjavaagentapi.jar:../../java/smjavasdk2.jar JavaTestClient.java
to
javac -classpath ../../properties:../../java/smagentapi.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.2.3.jar JavaTestClient.java
Modify the configuration file smjsdksample.properties:
/opt/CA/sdk/properties/smjsdksample.properties:
PS_IP = 10.0.0.1
AGENT_NAME = jsdk
AGENT_SECRET = password
AGENT_IP = Ip_of_the_Agent
ADMIN_NAME = SiteMinder
ADMIN_PWD = xxxx
USER_NAME = a_user_from_the_user_store
USER_PWD = xxxx
CHALLENGE_USER_NAME = a_user_from_the_user_store
CHALLENGE_USER_PWD = xxxx
LOGFILE_NAME = /opt/CA/sdk/samples/smjavaagentapi/smjsdksample.log
LOGGING_DETAIL = true
Modify the java-run.sh:
java $JVMMODE -Djava.library.path=../../bin -classpath .:../../properties:../../java/smjavasdk2.jar:../../java/smjavaagentapi.jar JavaTestClient
to
java $JVMMODE -Djava.library.path=../../bin -classpath .:../../properties:../../java/smagentapi.jar:../../java/smcrypto.jar:../../java/bc-fips-1.0.2.3.jar JavaTestClient
In the AdminUI:
Create an agent named jsdksample-agent, and a Domain that protects the Realm /resfilter/private.html with the Basic authentication scheme;
Register the SDK Agent:
# cd /opt/CA/sdk/samples/smjavaagentapi
# /opt/CA/sdk/bin/smreghost.sh -i 10.0.0.1 -hc jsdk -hn jsdk -u siteminder -p xxxx
Note: The SDK agent registration should be successful.
Compile the Sample SDK Agent:
# ./java-build.sh
Run the Sample SDK Agent:
# ./java-run.sh
When the connection to the Policy Server can be established, the following output is shown:
Welcome to the Interactive FTP Server
-------------------------------------
Do you want to connect through:
(1) 4.x Agent Interface
(2) 5.x Agent Interface(smreghost utility must be run before it)
-------------------------------------
Enter the Agent type(1/2) to connect: 2
>>>>>>>>>>>>> SiteMinder Java Agent API Sample <<<<<<<<<<<<<
++ Initialization ++
Agent Name...............................: jsdksample-agent
______________________________________________________________
++ SetAgentInstanceInfo ++
DoManagement (SET_AGENT_INSTANCE_INFO)...: 1 (YES)
______________________________________________________________
++ DoManagement ++
DoManagement (GET_AGENT_COMMANDS)........: 1 (YES)
______________________________________________________________
++ IsProtected ++
Resource Name............................: /resfilter/private.html
Action...................................: GET
IsProtected..............................: 1 (Resource is Protected)
Realm Name...............................: resfilter
Realm OID................................: 06-000a60f2-f97e-1450-9d23-0165c0a80000
______________________________________________________________