Error: Tried out all the decrypt keys, decryption failed in WAOP
Article ID: 7425

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

A Web Agent Option Pack cannot decrypt the SMSESSION cookie for its zone and reports:

Tried out all the decrypt keys, decryption failed..

FWSTrace:

[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]] 
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Checking for valid SESSION cookies.] 
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION] 
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.] 
[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..] 

The Policy Server log would be expected to contain a line like the following, showing a rollover of the keys, but no such line appears:

[3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO][sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server
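As an added example that is not part of the article, the Python helper below parses the bracket-delimited FWSTrace and Policy Server log formats shown above, flags the SMSESSION decrypt failures, and checks whether an automatic key rollover (message id sm-Server-04710) was logged; the sample lines are constructed from the excerpts above.

```python
DECRYPT_FAIL = "Tried out all the decrypt keys, decryption failed"
KEY_ROLLOVER_ID = "sm-Server-04710"   # Policy Server message id for an automatic key rollover


def split_fields(line):
    """Return the top-level [...] fields of one log line; brackets nested inside a
    field (e.g. [CHECKPOINT = ...]) are kept as part of that field."""
    fields, cur, depth = [], [], 0
    for ch in line:
        if ch == "[" and depth == 0:
            depth = 1
            continue
        if ch == "[":
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
            if depth == 0:
                fields.append("".join(cur))
                cur = []
                continue
        if depth > 0:
            cur.append(ch)
    return fields


def find_decrypt_failures(fws_lines):
    """(date, time, transaction id) of every FWSTrace line reporting the failure.
    FWSTrace layout: [date][time][pid][tid][txid][file][method][message]."""
    hits = []
    for f in map(split_fields, fws_lines):
        if len(f) >= 8 and DECRYPT_FAIL in f[7]:
            hits.append((f[0], f[1], f[4]))
    return hits


def rollover_seen(ps_lines):
    """True if a Policy Server line carries the rollover message id.
    Policy Server layout: [pid/tid][timestamp][file:line][level][msgid] message."""
    return any(len(f) >= 5 and f[4] == KEY_ROLLOVER_ID for f in map(split_fields, ps_lines))


def triage(fws_lines, ps_lines):
    """One-line verdict tying the agent symptom to the Policy Server evidence."""
    if not find_decrypt_failures(fws_lines):
        return "no SMSESSION decrypt failures found"
    if rollover_seen(ps_lines):
        return "decrypt failures but a key rollover was logged: the missing-poll cause does not apply"
    return "decrypt failures and no key rollover logged: verify EnableKeyUpdate=1 on each Policy Server"


# Constructed sample lines modelled on the article's FWSTrace and Policy Server excerpts.
FWS_SAMPLE = [
    "[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][SSO.java][processRequest][Request to validate the session [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]",
    "[06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87][FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message: Tried out all the decrypt keys, decryption failed..]",
]
PS_ROLLOVER = "[3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO][sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server"
```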

 

Environment

There are two environments.

Environment 1:

Web Agent 12.52SP1CR04 on IIS 7.5 64-bit on Windows 2008R2;
Web Agent Option Pack 12.52SP1CR04 on Tomcat 7.0.63 with JDK 1.7.0_65 64-bit on Windows 2008R2;

connected to:

1 Policy Store on SQL 2012 Always On in Compatibility 100 for the 12.52 Policy Server;
1 Shared Key Store on SQL 2008;
1 Policy Server 12.52SP1CR04.

Parallel environment:

2 Policy Servers 12SP3CR11;
1 Policy Server 12SP3CR11 rolls the keys at 03:00 every morning;
1 Policy Store on SQL 2008 for the 12SP3CR01 Policy Server.


Cause

When a single Policy Server generates encryption keys in an environment with multiple Policy Servers that connect to disparate policy stores but share a central key store, an additional registry setting is required.

This registry setting configures each Policy Server to poll the common key store and retrieve new encryption keys at regular intervals. In the environment above, one 12SP3CR11 Policy Server rolls the keys every morning while the 12.52SP1CR04 Policy Server uses a different policy store, so without that setting it keeps the old keys and the Web Agent Option Pack cannot decrypt the SMSESSION cookie.

Resolution

Setting the following registry value to 1 on the 12.52SP1CR04 Policy Server solved the issue (see (1) under Additional Information):

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore\EnableKeyUpdate=1

 

Additional Information

(1) Manage the Session Ticket Key