
SAP WebAS agent 12.0 encrypted shared secret requirement


Article ID: 40510




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



CA Single Sign-On Agent for SAP WebAS logs "The Shared Secret has not been encrypted with FIPS Compliant AES Algorithm" and will not connect to the policy server.


Applies to all supported platforms for the 12.0 Agent for SAP WebAS.  Supported platforms and versions are listed in the SAP WebAS ERP agent platform support matrix located at:


In the 12.0 version of this agent, the agent code no longer accepts the 4x agent shared secret value as plain text or as a non-FIPS-compliant encrypted string.


For the 12.0 SAP WebAS ERP Agent to connect successfully to the policy server, the 4x agent shared secret string must be encrypted using NPSEncrypt with the -fips switch. For example, to correctly encrypt a shared secret value of "passphrase":

NPSEncrypt -fips passphrase

The resulting encrypted value will begin with [NDSEnc-AES], indicating that it is a FIPS-compliant shared secret.


Component: SMSSW