csamconfigedit error FIPS_check_incore_fingerprint fingerprint does not match


Article ID: 431878


Products

CA Client Automation - IT Client Manager
CA Client Automation

Issue/Introduction

The csamconfig command returns the following error:

14629640:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:.\fips\fips.c:232:
Wed Mar  4 15:48:53.764:13692 CSAM_SSL_load_libraries:ERROR: could not load ssl symbols. Check ETPKI installation
Wed Mar  4 15:48:53.773:13692 ReadConfigFile: error reading config: C:\Program Files (x86)\CA\SC\Csam\SockAdapter\\cfg\APPF-GLOBAL - error:2D0A0086:FIPS routines:func(160):reason(134)
Wed Mar  4 15:48:53.774:13692 ReadConfigFile: error reading config: C:\Program Files (x86)\CA\SC\Csam\SockAdapter\\cfg\APPF-GLOBAL - error:2D0A0086:FIPS routines:func(160):reason(134)

Environment

Client Automation - All Versions

Cause

This error occurs when the file C:\Program Files (x86)\CA\SC\CAPKI\CAPKI\CAPKI5\Windows\x86\32\lib\libcaopenssl_crypto.dll is not loaded at memory address 0xFB00000.

The ListDLLs tool (Listdlls.exe, from Sysinternals) shows the memory address at which the DLL is loaded:

Listdlls.exe | findstr /I "libcaopenssl_crypto.dll"

Example:
Good memory address:

Wrong memory address:

Resolution

This problem occurs when, in Windows Security - App & Browser Control - Exploit Protection settings, the System Settings option "Force randomization for images (Mandatory ASLR)" is set to On.

 

If so, add an exception for the csamconfigedit.exe process:

  1. Go to Windows Security - App & Browser Control - Exploit Protection settings.

  2. Click the "Program Settings" tab, then click "Add program to customize" - "Add by program name".

  3. Enter csamconfigedit.exe and click the Add button.

  4. Under "Force randomization for images (Mandatory ASLR)", check "Override system settings" and select Off.

  5. Click Apply.

  6. csamconfigedit.exe no longer returns any error.

 

Remark:
This solution can also be applied from the command line:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csamconfigedit.exe" /v "MitigationOptions" /t REG_BINARY /d 000200000000000000000000000000000000000000000000 /f

No reboot is needed after this modification.
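
To check what the registry value in the remark actually sets, the following PowerShell decodes the Mandatory ASLR field of a MitigationOptions value and flags any other mitigation bits stored in it. This is an added example, not part of the original article or the vendor's tooling: the function name Get-ForceRelocateState is hypothetical, and the field layout (bits 8-9) is taken from the PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_* constants in winnt.h.

```powershell
# Added example: decode the "Force randomization for images" field of an
# Image File Execution Options MitigationOptions value (REG_BINARY).
function Get-ForceRelocateState {
    param([Parameter(Mandatory)][byte[]]$MitigationOptions)

    if ($MitigationOptions.Length -lt 2) { throw 'MitigationOptions value is too short' }

    # The value is little-endian, so bits 8-9 are the low two bits of byte 1.
    $field = $MitigationOptions[1] -band 0x03
    $state = switch ($field) {
        0 { 'Defer to system setting' }
        1 { 'Always on' }
        2 { 'Always off' }
        3 { 'Always on, require relocations' }
    }

    # Mask out the ASLR field and see whether any other mitigation bit is set.
    $rest = [byte[]]$MitigationOptions.Clone()
    $rest[1] = $rest[1] -band 0xFC
    $others = @($rest | Where-Object { $_ -ne 0 }).Count -gt 0

    [pscustomobject]@{
        ForceRelocateImages  = $state
        OtherMitigationsSet  = $others
    }
}

# 1. The value written by the reg add command in the remark.
$hex   = '000200000000000000000000000000000000000000000000'
$bytes = [byte[]]$(for ($i = 0; $i -lt $hex.Length; $i += 2) {
    [Convert]::ToByte($hex.Substring($i, 2), 16)
})
Get-ForceRelocateState -MitigationOptions $bytes

# 2. The value currently stored for csamconfigedit.exe on this machine, if any.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csamconfigedit.exe'
$live = (Get-ItemProperty -Path $key -Name MitigationOptions -ErrorAction SilentlyContinue).MitigationOptions
if ($live -is [byte[]]) {
    Get-ForceRelocateState -MitigationOptions $live
} else {
    'No binary MitigationOptions override is stored for csamconfigedit.exe'
}

# 3. The system-wide Mandatory ASLR setting (ProcessMitigations module, Windows 10 1709 or later).
(Get-ProcessMitigation -System).ASLR.ForceRelocateImages
```

Because reg add with /f replaces the whole MitigationOptions value, run the second check before applying the command: if OtherMitigationsSet is True, the command would also clear those other per-program overrides for csamconfigedit.exe.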