A2A is used by administrators to retrieve secrets from PAM. For some of the secrets, the raw output is provided when the -x is given rather than the XML output that is expected. When the same command is called without the -x switch for that same secret, a "failed to decrypt" error occurs.

Example:

> cspmclient.exe "BadSecret" -x
{
   "key1": "value1",
   "key2": "value2"
}

> cspmclient.exe "BadSecret"
wbAesDecryptFixedVarFIPS,Failed to decrypt, code: 0x806
408 null null, system error, signal: 11 caught, call Xceedium

The problem secrets had a space in their Secret Name, which caused the issue with the A2A client when parsing the data.

The issue is still occurring as of 4.3.1, engineering is working on a code fix for a future release. As a workaround, replace any spaces in the secret names with an underscore or dash.