SAP WebAS agent 12.0 encrypted shared secret requirement

Article ID: 40510

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder); AXIOMATICS POLICY SERVER; CA Single Sign On SOA Security Manager (SiteMinder); CA Single Sign-On

Issue/Introduction

Issue: 

CA Single Sign-On Agent for SAP WebAS logs "The Shared Secret has not been encrypted with FIPS Compliant AES Algorithm" and will not connect to the policy server.

Environment:  

Applies to all supported platforms for the 12.0 Agent for SAP WebAS.  Supported platforms and versions are listed in the SAP WebAS ERP agent platform support matrix located at:

https://support.ca.com/phpdocs/7/5262/5262_session_ERP_system.pdf

Cause: 

In the 12.0 version of this agent, the agent code no longer accepts the 4x agent shared secret value as plain text or as a non-FIPS-compliant encrypted string.

Resolution/Workaround:

For the 12.0 SAP WebAS ERP Agent to connect successfully to the policy server, the 4x agent shared secret string must be encrypted using NPSEncrypt with the -fips switch. For example, to encrypt a shared secret value of “passphrase” correctly:

NPSEncrypt -fips passphrase

The resulting encrypted value will begin with [NDSEnc-AES], indicating that it is a FIPS-compliant shared secret.

Environment

Release:
Component: SMSSW