Use the smpwservices.fcc instead of the default login.fcc

1. Verify from where the login fcc environment is being loaded.
   e.g,

From the WebAgentTrce logs:

[Localized Path = C:\Program Files\CA\webagent\win64\samples/forms_en-US/login_en-US.fcc, working locale = en-US]

2. Go to the location C:\Program Files\CA\webagent\win64\samples/forms_en-US/

3. Take backup of login_en-US.fcc

4. Take backup of login_en-US.unauth

5. Find smpwservices_en-US.fcc file duplicate it and rename it to login_en-US.fcc.

6. Duplicate the newly created login_en-US.fcc and rename it to login_en-US.unauth. Both login_en-US.fcc and login_en-US.unauth files have same data.

7. Go to PolicyServer, Polcies > Passwrod > Password Policies. Modify

8. Change the Redirection URL to /siteminderagent/forms/login.fcc. And click Submit.

9. On PolicyServer, got registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\PolicyServer
10. Find the registry DisallowUsernameInURL, if not present create one. Select (DWORD 32-bit Value).

Set the value to 1.

11. Restart the Policy Server Services.

This will still show the SMAuthReason in the URL. If you are OK with it. You can stop here. If not, follow next steps.

If it is still consider vulnerable and may give hint with SMAuthReason code. And do not want to see the SMAuthReason, please continue.

12. Modify the ACO to use SecureURL
    
13. Restart the Agent.