com.ca.siteminder.sdk.agentapi.tli.SmAgentTliException: Shared secret invalid


Article ID: 274114


Updated On:

Products

SITEMINDER

Issue/Introduction

The SiteMinder pure Java Agent SDK 12.8 SP7 does not start and reports the following error: com.ca.siteminder.sdk.agentapi.tli.SmAgentTliException: Shared secret invalid.

 

15:10:33.091 [https-jsse-nio2-8082-exec-8] SMTRACE: SmAgentTcpTransport, newInstance, Using SmAgentTcpTransport class
15:10:33.091 [https-jsse-nio2-8082-exec-8] SMTRACE: SmAgentTcpTransport, SmAgentTcpTransport, Modifying nonblocking connection sleep time to 200
15:10:33.092 [https-jsse-nio2-8082-exec-8] SMTRACE: SmAgentTliSession, setup, Initiating TLI handshake
15:10:33.092 [https-jsse-nio2-8082-exec-8] SMTRACE: SmConfigAttribute, decrypt, Attempting to decrypt input = {RC2}Ib54TpzzvWF1nvU1mxALWXesn3VzC....
15:10:33.128 [https-jsse-nio2-8082-exec-8] SMERROR: SmServerConnection, handshake, Failed session setup.
com.ca.siteminder.sdk.agentapi.tli.SmAgentTliException: Shared secret invalid.
        at com.ca.siteminder.sdk.agentapi.tli.n.br(smagentapi_obfsc:233)
        at com.ca.siteminder.sdk.agentapi.connection.i.aQ(smagentapi_obfsc:328)
        at com.ca.siteminder.sdk.agentapi.connection.h.aH(smagentapi_obfsc:409)
        at com.ca.siteminder.sdk.agentapi.connection.h.h(smagentapi_obfsc:304)
        at com.ca.siteminder.sdk.agentapi.connection.h.an(smagentapi_obfsc:235)
        at com.ca.siteminder.sdk.agentapi.connection.c.an(smagentapi_obfsc:646)
        at com.ca.siteminder.sdk.agentapi.connection.a.a(smagentapi_obfsc:159)
        at com.ca.siteminder.sdk.agentapi.connection.a.b(smagentapi_obfsc:71)
        at com.ca.siteminder.sdk.agentapi.e.a(smagentapi_obfsc:129)
 
 
- If the same compiled jar files are used on a Windows server, the agent is able to connect, so the problem must be something specific to the server.

Environment

Release : 12.8.7

Resolution

Analysis:

smjavaagentapi.jar: uses JNI calls to connect to the Policy Server (PS), i.e. internally it uses C++ code.
smagentapi.jar: pure Java.

Installing the SDK provides two smreghost tools:

1)     smreghost  (C++ executable)
2)     smreghost.sh  (script that creates SmHost.conf using the smagentapi.jar file)


smreghost is a C++ binary. When using either the C++ SDK or smjavaagentapi.jar, smreghost must be used to generate the SmHost.conf file.

** Case 1: Web Agent (WA), C++ SDK, or Java SDK with smjavaagentapi.jar
./smreghost  -i test.policyserverhost.com -u siteminder -p firewall -hn CppConfig -hc hostconfig -cf ONLY


** Case 2: Tomcat applications where the pure Java SDK is used.
./smreghost  -i test.policyserverhost.com  -u siteminder -p firewall -hn PureJavaConfig -hc hostconfig -cf ONLY

On Linux, the pure Java SDK is not able to decode a shared secret created by the C++ code, hence the issue.


Conclusion:
Make sure that the SmHost.conf file is generated using the smreghost.sh script.
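
To confirm that a startup failure is this handshake error and not another connection problem, the trace can be checked per thread. The script below is an added example, not part of the SDK or of the original article: its function names are hypothetical, the sample trace is constructed from the log format shown above, and it also masks encrypted values such as the {RC2}... input on the decrypt line before a trace is shared.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the SDK.
# Assumes thread names in the trace contain no spaces.

# Print "<time> <thread> handshake_started=<time>" for every failed session
# setup whose exception is "Shared secret invalid".
tli_secret_failures() {
    awk '
    # Timestamped trace line: HH:MM:SS.mmm [thread] LEVEL: ...
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\.[0-9]+ \[/ {
        ts = $1; thread = $2
        err_thread = ""   # the exception text must directly follow SMERROR
        if (index($0, "SmAgentTliSession, setup, Initiating TLI handshake"))
            started[thread] = ts
        if (index($0, "SMERROR: SmServerConnection, handshake, Failed session setup")) {
            err_thread = thread; err_ts = ts
        }
        next
    }
    # Untimestamped exception line that belongs to the preceding SMERROR line.
    err_thread != "" && index($0, "SmAgentTliException: Shared secret invalid") {
        s = (err_thread in started) ? started[err_thread] : "unknown"
        print err_ts, err_thread, "handshake_started=" s
        err_thread = ""
    }' "$1"
}

# Mask {ALG}ciphertext values before a trace is attached to a ticket.
redact_secrets() {
    sed -E 's/\{[A-Za-z0-9]+\}[^[:space:]]+/{REDACTED}/g' "$1"
}

# Constructed sample trace in the format shown in the article.
write_sample_log() {
    cat > "$1" <<'EOF'
15:10:33.092 [exec-8] SMTRACE: SmAgentTliSession, setup, Initiating TLI handshake
15:10:33.092 [exec-8] SMTRACE: SmConfigAttribute, decrypt, Attempting to decrypt input = {RC2}CONSTRUCTEDsampleVALUE
15:10:33.100 [exec-9] SMTRACE: SmAgentTliSession, setup, Initiating TLI handshake
15:10:33.128 [exec-8] SMERROR: SmServerConnection, handshake, Failed session setup.
com.ca.siteminder.sdk.agentapi.tli.SmAgentTliException: Shared secret invalid.
15:10:33.140 [exec-9] SMERROR: SmServerConnection, handshake, Failed session setup.
java.net.ConnectException: Connection refused
EOF
}

# Demo on the constructed trace: only the exec-8 failure is reported.
demo=$(mktemp) && write_sample_log "$demo" && tli_secret_failures "$demo"
rm -f "$demo"
```

A thread reported here points to a SmHost.conf that the pure Java SDK cannot decode; a failed session setup that is not reported has a different cause.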

 
###############

The contents of the smreghost.sh file are:
 

export JAVA_HOME=
export SM_SMREGHOST_CLASSPATH=/home/vkis/sdkinstall/java/smagentapi.jar:/home/vkis/sdkinstall/java/bc-fips-1.0.2.3.jar:/home/vkis/sdkinstall/java/fipsmode.jar:/home/vkis/sdkinstall/java/smcrypto.jar
export PATH=$JAVA_HOME/bin:$PATH

java -classpath "$SM_SMREGHOST_CLASSPATH" com.ca.siteminder.sdk.agentapi.SmRegHost "$@"

# The caller needs the exit status from SmRegHost