Symantec Access Management

  • 1.  SSO between custom JNI agent and CA WebAgent R12.51 CR01

    Posted Jun 08, 2015 07:49 AM

    Hello, experts.

    I am trying to achieve SSO between a custom JNI agent R12.51 CR01 and CA WebAgent R12.51 CR01.

    Before, I succeeded at it: SSO between the custom agent and CA WebAgent worked well.

    But after changing our user directory, this single sign-on stopped working.

    When we request a URL protected by CA WebAgent with an SMSESSION generated by the custom agent, CA WebAgent does not accept the custom SMSESSION, logging "Unable to process SMSESSION Cookie".

    Of course, CA WebAgent's ACO has the parameter "AcceptTPCookie=yes".

    In addition, the custom JNI agent succeeded in decoding the SMSESSION from CA WebAgent.

    So I have two questions, as below.

         1. Is there any overlooked viewpoint related to this issue?

         2. I think the "AgentAPI.doManagement" method rolls the AgentKey over. Is that correct?



  • 2.  Re: SSO between custom JNI agent and CA WebAgent R12.51 CR01

    Posted Jun 11, 2015 02:33 AM

    You asked:

    1. Is there any overlooked viewpoint related to this issue?

    => Are you using static agent keys or dynamic agent keys? This issue seems to be due to a mismatch of the agent keys between the SDK agent and the normal Agent.

    Also make sure that you have only one set of agent keys (4 agent keys) and not a duplicate set.

    Also, I can't see any reason why it would break (if it was working earlier) by just switching the user directory.

    2. I think the "AgentAPI.doManagement" method rolls the AgentKey over. Is that correct?

    => No, the doManagement() call doesn't roll over agent keys. Remember, agent keys are rolled over from the Policy Server side, not the agent side.

    This API call will fetch a new set of agent keys if there is one, and any management commands (flush user, flush realm, flush, etc.).



  • 3.  Re: SSO between custom JNI agent and CA WebAgent R12.51 CR01

    Posted Jun 11, 2015 03:23 AM

    Thank you for your response, Mr Shrestha.

    Our situation has changed; the cause of this problem has been proven.
    So I have two new questions.
    These questions are written at the bottom of this response.

    1.
    >Are you using static agent keys or dynamic agent keys?

    We use dynamic agent keys, but they never roll over.

    >Also I can't see any reason why it would break (if it was working earlier) by just switching the user directory.

    I thought so too.
    But now the cause of this problem has been proven.
    Please see my response under "---------------".

    2.
    >No, doManagement() call doesn't rollover agent keys.. Remember agent keys are rolled over from Policy Server side not the agent side ...

    Yeah, I see.
    Well, my understanding of how agent key rollover works is as below.

      ① Do agent key rollover on the policy server side.
      ② WebAgent fetches new agent keys from the policy server using the doManagement() method.
      ③ WebAgent replaces its agent keys.

    ---------------

    The situation has changed.
    Actually, this problem was caused by RFC 2109.
    That is, the SMSESSION created by the custom agent contains the "=" character,
    and then the web application server (Liferay) surrounds the SMSESSION value with double quotation marks.

    For example:

      actual SMSESSION
          foiwejgwsui46nvsdoforu2390tnwovgs89tj3nnv9we8g==

      SMSESSION in web application response
          "foiwejgwsui46nvsdoforu2390tnwovgs89tj3nnv9we8g=="

    The client did not send the former but the latter.
    Therefore, CA WebAgent couldn't decrypt the latter SMSESSION.

    I have two questions.

    1.
    Can the JNI custom agent or CA WebAgent be set as below?

      --JNI custom agent
         Does not create an SMSESSION containing the "=" character.

      --CA WebAgent
         Can interpret an SMSESSION surrounded by double quotation marks.

    2.
    I would like to confirm how to distinguish whether agent key rollover is done or not.
    I think the following conditions are enough to judge that agent key rollover is done.

      ① The return code of doManagement() is AgentAPI.YES
      ② The AttributeList from doManagement() contains the following attributes:
         ・AgentAPI.AGENT_KEY_UPDATE_CURRENT
         ・AgentAPI.AGENT_KEY_UPDATE_LAST
         ・AgentAPI.AGENT_KEY_UPDATE_NEXT
         ・AgentAPI.AGENT_KEY_UPDATE_PERSISTENT
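The cookie-quoting failure described in the post above, as an added example that is not part of this thread, of Liferay or of the CA SDK: a small Python model of RFC 2109 value quoting (a container wraps any cookie value that contains a separator such as "=" in double quotes) beside a Cookie-header parser that strips that quoting before the bare token would be handed to an agent. The sample token is the one from the post; the function names, the separator set and the base64 shape check are my assumptions, not SiteMinder API calls.

```python
import re
from typing import Dict, Optional

# Characters RFC 2109 (via RFC 2616) treats as "separators". A servlet container
# that still follows RFC 2109 wraps any cookie value containing one of them in
# double quotes, which is exactly what happens to a base64 token ending in "==".
RFC2109_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')

# Constructed sample token copied from the post above (not a real session).
SAMPLE_TOKEN = "foiwejgwsui46nvsdoforu2390tnwovgs89tj3nnv9we8g=="


def needs_rfc2109_quoting(value: str) -> bool:
    """True if an RFC 2109 container would quote this value on Set-Cookie."""
    return any(ch in RFC2109_SEPARATORS for ch in value)


def quote_rfc2109(value: str) -> str:
    """Model of the container behaviour described in the post: quote values that
    contain a separator, escaping embedded backslashes and double quotes."""
    if not needs_rfc2109_quoting(value):
        return value
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def unquote_cookie_value(raw: str) -> str:
    """Undo RFC 2109 quoting so the bare token can be passed on unchanged."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


# One cookie-pair: name, "=", then either a quoted-string or everything up to ";".
# The quoted alternative is tried first so an embedded "=" never splits the value.
_COOKIE_PAIR = re.compile(r'\s*([^=;\s]+)=("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a request Cookie header into {name: unquoted value}."""
    cookies: Dict[str, str] = {}
    for match in _COOKIE_PAIR.finditer(header):
        name, raw_value = match.group(1), match.group(2).strip()
        cookies[name] = unquote_cookie_value(raw_value)
    return cookies


def extract_smsession(header: str) -> Optional[str]:
    """Return the bare SMSESSION token from a Cookie header, or None if absent."""
    return parse_cookie_header(header).get("SMSESSION")


def is_well_formed_token(token: str) -> bool:
    """Cheap shape check before any decode call: a bare, correctly padded base64
    string. The alphabet is an assumption about the token, not an SDK rule."""
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token) is None:
        return False
    return len(token) % 4 == 0


if __name__ == "__main__":
    # What the container emits on Set-Cookie, and what the browser echoes back.
    set_cookie_value = quote_rfc2109(SAMPLE_TOKEN)
    cookie_header = f"JSESSIONID=abc123; SMSESSION={set_cookie_value}"
    print("Set-Cookie value :", set_cookie_value)
    print("raw in header    :", cookie_header.split("SMSESSION=", 1)[1])
    print("bare token       :", extract_smsession(cookie_header))
    print("well formed      :", is_well_formed_token(extract_smsession(cookie_header)))
```

Whichever side is eventually configured, the safe pattern on the receiving side is the one shown: normalize the cookie value on receipt (strip the RFC 2109 quotes and unescape), validate its shape, and only then pass it to the decode step, logging a rejection for anything that still contains separators. The quoted form fails the shape check, which is the same condition the WebAgent reports as "Unable to process SMSESSION Cookie".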