search cancel

Issue decoding SMSession Token in Cognos with Siteminder SDK Agent

book

Article ID: 8744

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

We're running Cognos application server, and this one has an embedded

SDK C Agent. But when this SDK C Agent receives an SMSESSION cookie

from a front end IIS Web Agent, it cannot decode properly the Session

data at it reports error :

 

CAM-AAA-0165 The SiteMinder agent API function call to 'Sm_AgentApi_DecodeSSOToken()' 

failed with error code 'SM_AGENTAPI_FAILURE

 

CAM-AAA-0161 Unable to decode SSO token

 

Why is this happening and how can we solve it ?

 

Cause

Policy Server runs in FIPS Only Mode, and it has version 12.51

 

smps.log 

 

[4615/4151736016][Tue Nov 21 2017 17:29:43][CServer.cpp:4017][INFO][sm-Server-04450] 

Policy Server employing only FIPS-140 cryptographic algorithms.

 

In that case, the Environment Variable CA_SM_PS_FIPS140 needs to be

set to to Only for the SDK C Agent to be able to decode session data.

 

 

 

Environment

SDK Agent 12.5x, 12.6, 12.7Windows or Linux/UnixNote: This KB may apply to many other versions of Web Agent, Policy Server, SDK Agent, and Cognos.

Resolution

You need to have the SDK Agent running in the same FIPS Mode as the Web Agent and Policy Server. Since the Web Agent is running in FIPS_ONLY, the SDK Agent will need an Environment Variable to know what FIPS Mode it should be in.

 

Set an Environment Variable for you OS with

Name: CA_SM_PS_FIPS140

Value: ONLY

 

Examples

 

Linux:

export CA_SM_PS_FIPS140=ONLY

 

Windows:

<Please see attached file for image>

src="/servlet/servlet.FileDownload?file=0150c000004AK9CAAW" alt="Untitled.png" width="412" height="476">

Additional Information

From 12.51 Documentation, if the Policy Server runs FIPS only, you 

need to set an environment variable on the SDK C Agent side : 

 

Running C Sample Program with a 4.x Agent Requires Setting an Environment Variable 156186 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-51 

 

Setting the environment variable for FIPs only is required for 

running the SmAgentAPI 'C' Samples for the 4x Agent connection to 

work. Make sure that this environment variable is set as follows: 

 

export CA_SM_PS_FIPS140=ONLY. 

 

 

Attachments

1558700727570000008744_sktwi1f5rjvs16p63.png get_app