A security scan may return a flag for the following files on the r12.8.8.1 and Older Siteminder Access Gateway Server:

LINUX

/<Install_Dir>/CA/secure-proxy/agentframework/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/secure-proxy/agentframework/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so

WINDOWS

/<Install_Dir>\CA\secure-proxy\agentframework\CAPKI\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.dll
/<Install_Dir>\CA\secure-proxy\agentframework\CAPKI\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.dll

CAPKI (Previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides CA Development Community with features required to implement Information Security services in its products.  CAPKI is a wrapper on OpenSSL which is robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

NOTE: Siteminder r12.9 Access Gateway Server uses CAPKI 6. 

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway Server

VERSION: r12.8.8.1 and Older

OPERATING SYSTEM:  Windows and Linux

CAPKI (Previously known as ETPKI) is a wrapper on OpenSSL. CAPKI 5.2.x is built with OpenSSL 1.0.2.

The Siteminder Access Gateway Server ships with the following versions of CAPKI:

Siteminder Policy Server r12.8.8.1 is shipped with CAPKI 5.2.14.0

Siteminder r12.8.7 and r12.8.8 are compiled with older versions of CAPKI built on older versions of OpenSSL 1.0.2

KB427910 (archived) delivered CAPKI 5.2.16
KB409256 (archived) delivered CAPKI 5.2.17

CAPKI 5.2.17 and older are compiled with versions of OpenSSL 1.0.2 which have vulnerabilities (CVE's) published.

Upgrade CAPKI to CAPKI 5.2.18 on the Siteminder Access Gateway using this KB.

CAPKI 5.2.18 has been compiled with OpenSSL 1.0.2zp.  

This solution applies to the following Siteminder Access Gateway Server versions:

• r12.8.8.1 and older

LINUX

1) Download "etpki-install_5_2_18_linux.zip" from this KB.

2) Copy  "etpki-install_5_2_18_linux.zip" to the Siteminder Access Gateway Server on Linux and decompress it.

3) Stop the Access Gateway Server

4) Change to the following directory:

/<Install_Dir>/CA/secure-proxy/agentframework/

5) Backup the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5_2_18_linux.zip" to /<Install_Dir>/CA/secure-proxy/agentframework/

7) Change to the following directory*:

/<Install_Dir>/CA/SharedComponents/

* This directory may not exist in your system

8) (If Exists) Backup the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

9) Modify the $CAPKIHOME variable in the environment variable script:

/<Install_Dir>/CA/secure-proxy/ca_sps_env.sh

CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME

10) Run the updated Access Gateway Environment variable script.

cd /<Install_Dir>/CA/secure-proxy/

. ./ca_sps_env.sh

11) Change to the following directory:

/<Install_Dir>/CA/secure-proxy/agentframework/etpki-install/redist/

12) Ensure the user has execute permissions on the installation media (setup)

13) Run the following command:

./setup install caller=sps12

NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory

14) Start the Access Gateway Server

15) Validate Access Gateway Server functionality

16) Delete the following files:

/<Install_Dir>/CA/secure-proxy/agentframework/CAPKI.BAK

(If Exists) /<Install_Dir>/CA/SharedComponents/CAPKI.BAK

WINDOWS

1) Download "etpki-install_5_2_18_win64.zip" from this KB.

2) Copy  "etpki-install_5_2_18_win64.zip" to the Access Gateway Server on Windows and decompress it.

3) Stop the Access Gateway Server

4) Change to the following directory:

<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\

5) Backup the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'

ren CAPKI CAPKI.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5_2_18_win64.zip" to <Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\

7) Change to the following directory*:

<Drive>:\<Install_Dir>\CA\SC\

* This directory may not exist in your system

8) (If Exists) Backup the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'

ren CAPKI CAPKI.BAK

9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)

10) Change to the following directory:

<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\\etpki-install\redist\

11) Run the following command:

setup.exe install caller=sps12

NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory

12) Start the Access Gateway Server

13) Validate Access Gateway Server functionality

14) Delete the following files:

<Drive>:\<Install_Dir>\CA\secure-proxy\agentframework\ETPKI\CAPKI.BAK

(If Exists) <Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK

KB 441112: Vulnerability in CAPKI 5.2.17 and older on Siteminder Web Agents

KB 441111: Vulnerability in CAPKI 5.2.17 and older on Siteminder Sharepoint Agent r12.8.x

KB 441109: Vulnerability in CAPKI 5.2.17 and older on Siteminder Policy Server r12.8.8.1 and older

KB 441106: Vulnerability in CAPKI 5.2.17 and older on Siteminder Access Gateway Server r12.8.8.1 and older

KB 440135: CAPKI 6.0.3 with OpenSSL 3.0.20 for R12.9 Policy Server

KB 441155: Vulnerability in CAPKI 6.0.2 and older on Siteminder Access Gateway Server 12.9

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zp within CAPKI 5.2.18 remediates the following CVE's:

CVE-2026-28388
CVE-2026-28389
CVE-2026-28390
CVE-2025-68160
CVE-2025-69421
CVE-2025-22796
CVE-2025-9230
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559