Ujwol Shrestha

Tech Tip : CA Single Sign-On : Policy Server :: Encrypted Active Response

Blog Post created by Ujwol Shrestha Employee on Sep 13, 2016


In this guide we write a sample Active Response that uses the AES encryption algorithm to encrypt the USERDN and returns the encrypted USERDN to the client as a response header.


Step 1 : Create an Active Response (a response attribute whose value is computed at run time by a Java class on the Policy Server) as shown below:

Step 2 : Configure the Active Response with either an OnAuthAccept or an OnAccessAccept rule.


Step 3 : Compile the attached sample ActiveResponseSample.java and ActiveResponseDecryptor.java classes by running java-build.bat (Windows) or java-build.sh (Unix).

Note: Before running the build script, edit java-build.bat (Windows) or java-build.sh (Unix) and set the JAVA_HOME variable to the path of your JDK install directory.


Step 4 : Once compiled, copy ActiveResponseSample.class to the <Policy server>/config/properties directory.


Note: The "properties" directory is in the Policy Server's classpath by default, so you do not need to modify JVMOptions.txt.

If you deploy the class to any other directory, add that directory to the classpath in the JVMOptions.txt file.



Step 5 : Access the resource protected by the policy that returns the Active Response, and copy the value of the encrypted response header (for example, using a server-side script that prints all the HTTP headers):

Step 6 : Decrypt the encrypted response header with the attached sample ActiveResponseDecryptor class by running java-run.bat (Windows) or java-run.sh (Unix).
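As an added illustration, not part of the original post and not the attached ActiveResponseSample or ActiveResponseDecryptor classes: the encrypt side (what the Active Response's invoke method would return as the header value) and the decrypt side (what the decryptor would run on the copied header value) as two static methods sharing one key, built on the standard javax.crypto API with AES in GCM mode. The class name UserDnCrypto, the randomly generated demo key, the sample DN and the "USERDN" associated-data label are assumptions made for this example; the attached samples may use a different AES mode and key handling.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustrative encrypt/decrypt pair for a USERDN response value (example code, not the
 * attached samples). The Active Response would call encryptUserDn from its invoke method;
 * the decryptor would call decryptUserDn with the same key on the copied header value.
 */
public final class UserDnCrypto {
    private static final String TRANSFORM = "AES/GCM/NoPadding";
    private static final int NONCE_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;     // full-length authentication tag
    // Associated data binds the token to this response name, so a token minted for one
    // response cannot be presented as another (hypothetical label chosen for the example).
    private static final byte[] AAD = "USERDN".getBytes(StandardCharsets.US_ASCII);
    private static final SecureRandom RNG = new SecureRandom();

    private UserDnCrypto() {}

    /** Encrypts a DN and returns base64url(nonce || ciphertext || tag) as a header-safe string. */
    public static String encryptUserDn(byte[] key, String userDn) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);                     // fresh nonce per call: equal DNs give different headers
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, nonce));
        cipher.updateAAD(AAD);
        byte[] ctAndTag = cipher.doFinal(userDn.getBytes(StandardCharsets.UTF_8));
        byte[] token = new byte[NONCE_BYTES + ctAndTag.length];
        System.arraycopy(nonce, 0, token, 0, NONCE_BYTES);
        System.arraycopy(ctAndTag, 0, token, NONCE_BYTES, ctAndTag.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(token);
    }

    /** Reverses encryptUserDn; throws AEADBadTagException if the value was altered or the key differs. */
    public static String decryptUserDn(byte[] key, String headerValue) throws GeneralSecurityException {
        byte[] token = Base64.getUrlDecoder().decode(headerValue.trim());
        if (token.length < NONCE_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("token too short to hold a nonce and a tag");
        }
        Cipher cipher = Cipher.getInstance(TRANSFORM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                    new GCMParameterSpec(TAG_BITS, token, 0, NONCE_BYTES));
        cipher.updateAAD(AAD);
        byte[] plain = cipher.doFinal(token, NONCE_BYTES, token.length - NONCE_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key. A deployment loads the key from a keystore or a file readable
        // only by the Policy Server service account and provisions the same key to the decryptor host.
        byte[] key = new byte[32];                // AES-256
        RNG.nextBytes(key);
        String dn = "uid=jsmith,ou=People,dc=example,dc=com";   // constructed sample USERDN

        String header = encryptUserDn(key, dn);
        System.out.println("USERDN header value : " + header);
        System.out.println("decrypted           : " + decryptUserDn(key, header));
        System.out.println("second encryption differs from first: " + !header.equals(encryptUserDn(key, dn)));

        // Flip one bit of the ciphertext: decryption must be rejected, not return garbage.
        byte[] raw = Base64.getUrlDecoder().decode(header);
        raw[NONCE_BYTES] ^= 0x01;
        String tampered = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        try {
            decryptUserDn(key, tampered);
            System.out.println("tampered value accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tampered value rejected : " + e.getMessage());
        }

        // A decryptor holding a different key is rejected the same way.
        byte[] otherKey = Arrays.copyOf(key, key.length);
        otherKey[0] ^= (byte) 0xFF;
        try {
            decryptUserDn(otherKey, header);
            System.out.println("wrong key accepted (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("wrong key rejected      : " + e.getMessage());
        }
    }
}
```

The post says "AES" without naming a mode. The example uses GCM with a fresh random nonce so that the same DN does not produce the same header value on every request, and so that a modified or foreign header value fails with AEADBadTagException instead of decrypting to plausible-looking garbage; an unauthenticated mode such as ECB or CBC gives neither property. The key must be identical on the Policy Server and on whichever host runs the decryptor, so keep it out of the compiled class and read it from a protected location at init time. The value is base64url-encoded so it also survives being copied into a URL or cookie later on.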