Siteminder Error: Unknown client name ’%1s’ in hello message

Article ID: 380071

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The Siteminder Policy Server records the following errors in the 'smps.log' files:

=====================

[CServer.cpp:2023][ERROR][sm-Server-01060] Handshake error: Unknown client name '<host_name>' in hello message

[CServer.cpp:2135][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3160

[CServer.cpp:2156][ERROR][sm-Tunnel-00100] Handshake error: Bad hostname in hello message

[CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with ::<TCPv6_IP>:<TCPv4_IP>:<TCP_Port>

=====================

Environment

PRODUCT: Siteminder
COMPONENT: Policy Server
VERSION: Any
OPERATING SYSTEM: Any

Cause

A client is attempting to connect to the Policy Server with a host name that does not match a Trusted Host object in the policy store. This is most likely a Siteminder Web Agent or an Access Gateway Server.

During the handshake process, the web agent reads the values of the 'hostname=' and 'sharedsecret=' attributes from the 'SmHost.conf' file and sends them to the policy server defined in the 'policyserver=' attribute of the same file.

The Policy Server reads from the policy store to locate a Trusted Host object with the same name. The shared secret stored within the Trusted Host object needs to match the shared secret sent by the web agent. If the combination of trusted host name and shared secret matches what is in the policy store, the Policy Server knows it can trust the web agent and proceeds to give it the Agent Configuration Object (ACO) as defined in the 'webagent.conf' and the Host Configuration Object (HCO) as defined in the 'smhost.conf'.

In the case of this error, the host name provided by the web agent doesn't match a Trusted Host object in the policy store.
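To identify which host is sending the unrecognised name, each 'Unknown client name' entry can be paired with the 'Failed handshake with' entry that follows it. The script below is an added example, not part of the original article or the product; the sample log lines are constructed, and it assumes the entries of one failed handshake are logged in order and that the peer is written as an address followed by ':<port>'.

```python
import re
from collections import Counter

# Message patterns taken from the smps.log excerpt in this article.
UNKNOWN_CLIENT = re.compile(r"\[sm-Server-01060\].*Unknown client name '([^']*)'")
FAILED_PEER = re.compile(r"\[sm-Server-01070\].*Failed handshake with (\S+)")

# Constructed sample lines, not real log data. The "::ffff:<IPv4>:<port>"
# peer layout is an assumption about how the article's placeholder renders.
SAMPLE_LOG = """\
[CServer.cpp:2023][ERROR][sm-Server-01060] Handshake error: Unknown client name 'web01-old' in hello message
[CServer.cpp:2135][ERROR][sm-Tunnel-00010] Bad security handshake attempt. Handshake error: 3160
[CServer.cpp:2156][ERROR][sm-Tunnel-00100] Handshake error: Bad hostname in hello message
[CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with ::ffff:192.0.2.15:49822
[CServer.cpp:2023][ERROR][sm-Server-01060] Handshake error: Unknown client name 'sps-dmz' in hello message
[CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with ::ffff:198.51.100.7:51544
[CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with ::ffff:192.0.2.99:40000
[CServer.cpp:2023][ERROR][sm-Server-01060] Handshake error: Unknown client name 'web01-old' in hello message
[CServer.cpp:2311][ERROR][sm-Server-01070] Failed handshake with ::ffff:192.0.2.15:49830
"""

def peer_address(peer):
    """Drop the trailing ':<port>' so repeated attempts from one host group together."""
    addr, _, port = peer.rpartition(":")
    return addr if addr and port.isdigit() else peer

def rejected_clients(lines):
    """Count (client name, peer address) pairs for unknown-client handshake failures."""
    counts = Counter()
    pending = None  # client name still waiting for its 'Failed handshake with' line
    for line in lines:
        m = UNKNOWN_CLIENT.search(line)
        if m:
            if pending is not None:  # previous name never got an address line
                counts[(pending, "unknown")] += 1
            pending = m.group(1)
            continue
        m = FAILED_PEER.search(line)
        if m and pending is not None:  # failures with other causes are skipped
            counts[(pending, peer_address(m.group(1)))] += 1
            pending = None
    if pending is not None:
        counts[(pending, "unknown")] += 1
    return counts

if __name__ == "__main__":
    for (name, addr), n in rejected_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  name={name!r}  from={addr}")
```

Each reported name can then be compared with the Trusted Host objects in the policy store, and the address points to the host that needs to be re-registered or disabled.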

Resolution

There are two possible solutions for this issue:

Option #1) Re-register the web agent with the Policy Server

WINDOWS

1) Log on to the Windows Web Agent server

2) Launch the Siteminder Web Agent Configuration Wizard.

3) Proceed through the prompts and complete an Agent Registration.

LINUX

1) Log on to the Linux Web Agent server

2) Browse to <Install_Dir>/CA/webagent/

3) Set the web agent environment variables

. ./ca_wa_env.sh

4) Run 'smreghost' to register the web agent

smreghost -i <policy_server_IP_address>:<port> -u <administrator_username> -p <administrator_password> -hn <Trusted_Host_Name> -hc <host_configuration_object>

NOTE: Separate each command argument from its value with a space. Surround any values that contain spaces with double quotes ("). 

5) Move the 'smhost.conf' file to <Install_Dir>/siteminder/webagent/config/

NOTE: The 'smhost.conf' file is created in the directory where the 'smreghost' command was run. It needs to be moved into the <Install_Dir>/siteminder/webagent/config/ directory for the web agent.

Option #2) Disable the Web Agent on that host.

1) Log on to the host causing the error.

2) Edit the following file:

IIS: <Install_Dir>\CA\webagent\win64\bin\IIS\webagent.conf

Apache: <apache_Install_Dir>/httpd/conf/webagent.conf

Access Gateway: <Install_Dir>CA/secure-proxy/proxy-engine/conf/defaultagent/WebAgent.conf

3) Disable the web agent

EnableWebAgent="NO"

Additional Information