NullException thrown when current keys do not match.


Article ID: 5854


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder)

CA Single Sign On SOA Security Manager (SiteMinder)

CA Single Sign-On

Issue/Introduction

When performing create SSOToken and decode SSOToken operations with the Agent API, if the current keys do not match, a PaddingException is thrown and processing does not proceed to the last key. As a result, the Agent API fails to perform SSO and the error message below appears in the Agent API log.

"AgentAPI decode ssoToken result : RETURN_CODE=[-1]"

Cause

Crypto-J, the RSA library used in the Agent API, is designed to throw a PaddingException if the current keys do not match.

This issue may occur under the following conditions:

-Using FIPS Only mode.

-Using Agent API - CA SSO 12.0 SP03 or later version.

-Agent key rollover is configured.

 

Environment

Agent API - CA SSO 12.0 SP03 or later version.

Resolution

This issue occurs due to the design of the RSA library in the Agent API.

The Agent API will be changed so that it does not throw a PaddingException even if the current keys do not match.

However, the schedule for this change has not been fixed yet.
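
One way a decoder can tolerate key rollover is to treat a padding failure on the current key as "try the next key" instead of a fatal error. The sketch below is an added example, not CA/Broadcom code and not the SSOToken format. The class and method names, the AES-GCM cipher choice and the `IV || ciphertext` token layout are assumptions made for illustration, using only the standard JCE API.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;

public class KeyRolloverDecode {              // hypothetical class, not part of the Agent API
    static final int IV_LEN = 12, TAG_BITS = 128;

    // Constructed token layout for this example: 12-byte IV || AES-GCM ciphertext and tag.
    static byte[] encode(SecretKey key, byte[] plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Keys are tried in order (current first, then last). A wrong key surfaces as
    // BadPaddingException (AEADBadTagException under GCM); it is recorded and the
    // next key is tried, so a current-key mismatch alone does not fail the decode.
    static byte[] decode(List<SecretKey> keys, byte[] token) throws GeneralSecurityException {
        if (token.length < IV_LEN) throw new GeneralSecurityException("token too short");
        BadPaddingException lastFailure = null;
        for (SecretKey key : keys) {
            try {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, token, 0, IV_LEN));
                return c.doFinal(token, IV_LEN, token.length - IV_LEN);
            } catch (BadPaddingException e) {
                lastFailure = e;              // wrong key for this token; fall through
            }
        }
        throw new GeneralSecurityException("token did not decrypt under any configured key", lastFailure);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey lastKey = kg.generateKey(), currentKey = kg.generateKey();
        // Constructed sample: a token issued before rollover, under what is now the last key.
        byte[] token = encode(lastKey, "user=alice".getBytes(StandardCharsets.UTF_8));
        byte[] plain = decode(Arrays.asList(currentKey, lastKey), token);
        System.out.println(new String(plain, StandardCharsets.UTF_8));
    }
}
```

An authenticated mode is used here because a wrong key then always fails the tag check; with an unauthenticated padded mode such as CBC with PKCS#5 padding, a wrong key occasionally yields valid-looking padding, so the padding exception alone is not a reliable mismatch signal.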