Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..


Article ID: 386305


Products

CA API Gateway

Issue/Introduction

- The Federated application flow is accessed through Apache (Apache Siteminder agent 12.52 SP1 CR11) --> WAOP (12.52 SP1 CR11)
- In this application FED flow, Siteminder is acting as the IDP
- CA API Gateway 10.1
 
The flow is as follows:
1) The user accesses the Portal through APIGW, where authentication is completed and an SMSESSION cookie is generated.
2) From the portal, the user then clicks the download button to trigger the Application FED IDP flow.
* From previous analysis by our Support Engineers, it looks like the SMSESSION cookie generated by the APIGW is getting rejected with the following error:
 
[12/17/2024][14:02:24][19304][658487040][5cf248b7-8ee35add-693d467c-8428763d-9d822a7d-e8e][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]
 
3) Once the cookie is rejected, the FWS IDP flow sends the user to redirect.jsp (the Auth URL) to get challenged and obtain a new SMSESSION cookie.
4) Since the SMSESSION cookie from APIGW is still in the browser, Auth is skipped and SSO is used on the front-end Agent. The request is passed again to FWS, where the cookie is rejected once again and the user is sent back to the Auth URL redirect.jsp. This continues on and on until the request suddenly works.
 
Since APIGW 10.1 is used to create the Siteminder cookie, we would like to confirm the following:
 
- Need to confirm whether the Custom agent code is using the "Do management" call to check for updates on the policy server.

Cause

The root cause is related to the federated OptionPack on SSO; it is not a Gateway issue.

Resolution

The SSO SDK has an admin thread that does DO management and gets new keys. APIM also does an init on isProtect, which also gets the keys.

This is how API Gateway works; in this case the root cause is related to the federated OptionPack on SSO.
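
To measure how often FWS rejects the cookie during the redirect loop described in the issue, the trace line quoted there can be parsed and counted per minute. This is an added example, not code from this article or from the product; the field layout is inferred from the single log line on this page, the `req_id` name and the burst threshold are assumptions, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Seven bracketed fields, then the message (which may itself contain brackets).
LINE = re.compile(r"^" + r"\[([^\]]*)\]" * 7 + r"\[(.*)\]\s*$")
FAIL = "Could not decryptSMSESSION cookie"  # text exactly as logged on this page

def parse_line(line):
    """Return a dict for one trace line, or None if it does not fit the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    date, time, _, _, req_id, source, func, msg = m.groups()
    try:
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
    except ValueError:
        return None
    # req_id: assumed to be a per-request id (fifth field); the page does not name it.
    return {"ts": ts, "req_id": req_id, "source": source, "func": func, "msg": msg}

def decrypt_failures(lines):
    """All parsed records whose message is the SMSESSION decrypt failure."""
    recs = (parse_line(l) for l in lines)
    return [r for r in recs if r and FAIL in r["msg"]]

def bursts(lines, threshold=3):
    """Minutes in which at least `threshold` decrypt failures were logged."""
    per_min = Counter(r["ts"].strftime("%Y-%m-%d %H:%M") for r in decrypt_failures(lines))
    return {minute: n for minute, n in per_min.items() if n >= threshold}

def _mk(time, req_id, msg):
    return f"[12/17/2024][{time}][19304][658487040][{req_id}][FWSBase.java][isValidSession][{msg}]"

FULL = FAIL + ". Error message: Tried out all the decrypt keys, decryption failed.."
# First line is the one quoted on this page; the rest are constructed for the example.
SAMPLE = [
    _mk("14:02:24", "5cf248b7-8ee35add-693d467c-8428763d-9d822a7d-e8e", FULL),
    _mk("14:02:25", "constructed-0002", FULL),
    _mk("14:02:27", "constructed-0003", FULL),
    _mk("14:03:10", "constructed-0004", "constructed: session accepted"),
    "constructed malformed line",
]

if __name__ == "__main__":
    for minute, n in bursts(SAMPLE).items():
        print(f"{minute}: {n} SMSESSION decrypt failures")
```

A burst of these failures followed by sudden success matches the loop described in the issue, so the per-minute counts are a useful thing to line up against the times at which keys changed.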