Fails to Start After Enabling SSL with Special Characters in Password in CA Access Gateway (SPS)

Article ID: 46380

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign-On
SITEMINDER

Issue/Introduction

After enabling SSL for the Apache HTTPD component in SiteMinder CA Access Gateway (formerly Secure Proxy Server - SPS), the services fail to start. This issue occurs specifically when the SSL certificate key password contains special characters (such as the exclamation mark !).

Example Password: !abcd$#

Steps that lead to the failure:

  1. Generate a new RSA key and Certificate Signing Request (CSR) using OpenSSL.
  2. Update httpd-ssl.conf with the new SSLCertificateFile and SSLCertificateKeyFile paths.
  3. Run the configssl.bat -enable <password> command to encrypt the password.
  4. Attempt to restart the Access Gateway / SPS services.

Environment

CA Access Gateway (SPS) 12.8.x and above on Windows.

Cause

This issue is caused by the way the Windows Command Processor (cmd.exe) handles Delayed Variable Expansion.

When configssl.bat executes, the exclamation point (!) is interpreted by Windows as a delimiter for a variable rather than a literal character in the password (1)(2). This results in the password being truncated or incorrectly parsed before it is passed to the encryption utility, leading to an "Invalid Password" error or a corrupted ssl-password.conf file.
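
The effect can be reproduced in isolation with a short batch file that stores the same argument once with delayed expansion disabled and once with it enabled, then compares the two. This is an added example, not code from configssl.bat or the product; the file name expansion_check.bat and the variable names RAW and SEEN are assumptions, and the sample argument is the example password from this article.

```bat
@echo off
rem Added example: not part of configssl.bat or the product.
rem Hypothetical file name: expansion_check.bat
rem Run from an interactive cmd.exe prompt, where delayed expansion is off:
rem     expansion_check.bat "!abcd$#"
rem Covers the exclamation mark handling described in this article; arguments
rem containing a double quote, a percent sign or an ampersand are out of scope.

setlocal DisableDelayedExpansion
if "%~1"=="" (
    echo Usage: %~nx0 "password-to-check"
    exit /b 2
)

rem With delayed expansion off, the argument is stored exactly as typed.
set "RAW=%~1"

setlocal EnableDelayedExpansion
rem The argument is substituted into the line first. The delayed expansion
rem pass then treats each exclamation mark in it as a variable delimiter.
set "SEEN=%~1"

rem Delayed variable values are not rescanned, so this comparison is safe.
if "!RAW!"=="!SEEN!" (
    echo OK: the argument is unchanged when delayed expansion is enabled.
    exit /b 0
)

echo MISMATCH: delayed expansion altered the argument.
echo   typed    : !RAW!
echo   received : !SEEN!
exit /b 1
```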

Resolution

To resolve this, you must modify the configssl.bat script to temporarily disable delayed expansion while the password utility is running.

  1. Navigate to the following directory:

    <SPS_INSTALL_HOME>\httpd\bin\

  2. Create a backup of configssl.bat.
  3. Open configssl.bat in a text editor (e.g., Notepad++).
  4. Locate the :encryptpwd section.
  5. Wrap the Java execution command with setlocal DisableDelayedExpansion and endlocal as shown below:

    Modified Script Snippet:

    :encryptpwd
    :: Disable Delayed Expansion to handle special characters like '!'
    setlocal DisableDelayedExpansion
    "%SPS_JAVA_HOME%\bin\java.exe" -classpath "%NETE_SPS_ROOT%\Tomcat\lib\proxyutils.jar;%NETE_SPS_ROOT%\Tomcat\lib\smi18n.jar;%CA_SPS_CP_RESOURCES%" com.netegrity.util.SSLUtil %2
    endlocal
    goto done

  6. Save the file.
  7. Re-run the command:

    c:\> configssl.bat -enable <your_password>

  8. Restart the SiteMinder Access Gateway services.

Additional Information

  1. Enable and Disable Delayed Expansion, what does it do?

  2. Setlocal