Layer7 Access Management

Tech Tip : CA Single Sign-On : Web Agent Option Pack reports error : "Tried out all the decrypt keys, decryption failed"

  • 1.  Tech Tip : CA Single Sign-On : Web Agent Option Pack reports error : "Tried out all the decrypt keys, decryption failed"

    Posted 07-14-2017 04:52 AM

    Issue:


    I'm running a Web Agent Option Pack, this one cannot decrypt the zone

    SMSESSION cookie and reports :

     

    FWStrace :

     

    [06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]

    [SSO.java][processRequest][Request to validate the session

    [CHECKPOINT = SSOSAML2_SESSIONCOOKIEVALIDATE_REQ]]

    [06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]

    [FWSBase.java][isValidSession][Checking for valid SESSION cookies.]

    [06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]

    [FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION]

    [06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]

    [FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.]

    [06/15/2017][13:26:23][5136][1880][a9efee5d-0c61ee25-d073ae80-0a1f4280-ca45bc0c-87]

    [FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message:

    Tried out all the decrypt keys, decryption failed..]

     

    I would expect to see the following log line in the Policy Server

    12.52SP1CR04 log, but I don't find it :

     

    [3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO]

    [sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server

     

    How can I solve it ?

     

    Environment:

     

    There is 2 environments:

    Web Agent 12.52SP1CR04 on IIS 7.5 64bit on Windows 2008R2;

    Web Agent Option Pack 12.52SP1CR04 on Tomcat 7.0.63 with JDK 1.7.0_65 64bit on Windows 2008R2;

     

    connected to : 1 Policy Store on SQL 2012 Always On in Compatibility 100 for 12.52 Policy Server

     

    1 Shared Key Store on SQL 2008;

    1 Policy Server 12.52SP1CR04;

     

    parallel environment:

     

    2 Policy Servers 12SP3CR11 > 1 Policy Server 12SP3CR11 rolls the keys at 03:00 every morning;

    1 Policy Store on SQL 2008 for 12SP3CR01 Policy Server

     

    Resolution:

     

    When a single Policy Server generates encryption keys in an environment with multiple Policy Servers that connect to disparate policy stores, but share a central key store, an additional registry setting is required. This registry setting configures each Policy Server to poll the common key store and retrieve new encryption keys at a regular interval

     

    Setting Policy Server 12.52SP1CR04 registry key to 1 solved the issue :

     

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore\EnableKeyUpdate= 1

     

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/administrating/manage-encryption-keys/manage-the-session-ticket-key#ManagetheSessionTicketKey-SettheEnableKeyUpdateRegistryKey

    KB : TEC1385152