Symantec Access Management

  • 1.  Tech Tip : CA Single Sign-On : SecureRedirect webapp error

    Broadcom Employee
    Posted May 25, 2018 07:21 AM

    Issue:


    We're running CA Access Gateway (SPS), when user access a resource
    protected with Openid Connect, at the first request the user is
    redirected, as explained in the documentation, to the authentication
    page that protects / Affwebservices / secure / secureRedirect. But
    after entering the authentication data, he receives an error.

     

    FWSTrace.log

     

    [05/23/2018][08:54:55][7228][1900][][FWSConfigurationManager.java][initializeResourceDirectory][Cannot
    set resource path used to display error messages; Likely caused by
    uninitialized NETE_WA_ROOT environment variable]

     

    [05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][AuthorizationService.java][processAuthentication][Not using secure authentication URL.] 

     

    [05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][SecureRedirect.java][doGet][Transaction
    with ID: 610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c
    failed. Reason: SERE_GET_EXCEPTION]

     

    [05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][SecureRedirect.java][doGet][Exception
    caught in class
    com.netegrity.affiliateminder.webservices.SecureRedirect, method
    doGet: com.netegrity.siteminder.agentcommon.utils.k: .]Failed to
    decrypt

     

    How can we solve that ?

    Environment:

     

    Policy server 12.8 on Windows 2016 R2;
    SPS (Access Gateway) 12.8 on Windows 2016 R2;

    Resolution:

     

    - Make sure that the CA Access Gateway (SPS) JDK has the JCE patches
      set;

     

      Install CA Access Gateway 
      https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-ca-access-gateway 

     


    - Make sure that "Use Secure Authentication URL" is checked :

     

      According to that communities, the authentication url should be secure : 

     

      CA SSO OpenID Connect Provider - Agentless SSO 

     

      "08/13/2018,05:36:17,9588,139832797722368,7bfd74c8-44c979a3-f3eb70aa- 
      74aa44e4-0ec02973-02,AuthorizationService.java,processAuthentication,Not 
      using secure authentication URL. 

     

      above line seems to be the root cause. I believe its needed to 
      enable the option to have secure auth url for OIDC implementation, 
      thereby the decryption failure" 

     

      https://communities.ca.com/thread/241778229-ca-sso-openid-connect-provider-agentless-sso 

     

      Check also : 

     

      OpenID Connect Provider with CA Single Sign On 12.8- PoC 
      https://communities.ca.com/thread/241813952-openid-connect-provider-with-ca-single-sign-on-128-poc 

     

    - Make sure that the Environment variable NETE_WA_ROOT is set properly 
      before starting the CA Access Gateway (SPS); 

     

    KB : KB000097690



  • 2.  Re: Tech Tip : CA Single Sign-On : SecureRedirect webapp error

    Broadcom Employee
    Posted Jul 19, 2018 12:59 AM

    Getting this issue (Failed to decrypt) (on 12.7  / Java 1.8.0_162 with crypto.policy=unlimited uncommented out) 

     

    Any ideas why I would still be getting this, with JCE Set appropriately?



  • 3.  Re: Tech Tip : CA Single Sign-On : SecureRedirect webapp error

    Broadcom Employee
    Posted Jul 30, 2018 04:22 AM

    Hi David,

     

     

    Do you have the same error messages chain ?

     

     

    - Cannot set resource path used to display error messages; Likely
    caused by uninitialized NETE_WA_ROOT environment variable

     

     

    - Transaction with ID:
    610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c failed. Reason:
    SERE_GET_EXCEPTION

     

     

    - Exception caught in class
    com.netegrity.affiliateminder.webservices.SecureRedirect, method
    doGet: com.netegrity.siteminder.agentcommon.utils.k: .]Failed to
    decrypt

     

     

    If not, what is the full log traces of the failing transaction ?

     

     

    "Failed to decrypt" may be caused by wrong keys being used by the WAOP
    pack or Agent. This may occur if the Key Store has more than 4 keys.

     

     

    Best Regards,
    Patrick