
NullException thrown when current keys do not match.


Article ID: 5854




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


When performing create SSOToken and decode SSOToken on the Agent API, if the current keys do not match, a PaddingException is thrown and processing does not proceed to the last key. As a result, AgentAPI fails to SSO and the error message below appears in the Agent API log.

"AgentAPI decode ssoToken result : RETURN_CODE=[-1]"


Crypto-J, the RSA library used in AgentAPI, is designed to throw a PaddingException if the current keys do not match.

This issue may occur under the following conditions:

- Using FIPS-only mode.

- Using Agent API - CA SSO 12.0 SP03 or a later version.

- Agent key rollover is configured.



Agent API - CA SSO 12.0 SP03 or later version.


This issue occurs due to the design of RSA in AgentAPI.

AgentAPI will be changed so that it does not throw a PaddingException even if the current keys do not match.

However, the schedule for the change is not fixed yet.