In addition to the AcceptTPCookie mentioned by Alan, we had to do the following in our FIPS Only environment (using API GW RHEL VM); without it there were issues with verifying the tokens.
- Log into the Gateway
- Go to /opt/SecureSpan/Gateway/runtime/etc/profile.d
- Edit the file siteminder-env.sh
- Add the following above the line “CAPKIHOME=${CAROOT}/CAPKI”
CA_SM_PS_FIPS140=ONLY
- Add the following after the LD_LIBRARY_PATH CAPKIHOME
CA_SM_PS_FIPS140
- Restart the Gateway
-------
File section should look like this
CA_SM_PS_FIPS140=ONLY
CAPKIHOME=${CAROOT}/CAPKI
export CAROOT LD_LIBRARY_PATH CAPKIHOME CA_SM_PS_FIPS140
=====
Also make sure the SSO Zone is all set up to match. If you use a separate SSO Zone between them, it can cause failures as well, since API Gateway defaults (like a normal agent) to the SM zone. I assumed it was the "SM" zone, though, since you reference SMSESSION, but just in case.
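
A way to check the siteminder-env.sh edits from the steps above before restarting the Gateway. This is an added example, not part of the original post or the product's own tooling; `check_fips_env` is a hypothetical helper name and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. check_fips_env is a hypothetical
# helper; the variable names and layout it checks are the ones shown above.
# Return codes: 0 ok, 1 assignment missing, 2 assignment below CAPKIHOME,
#               3 variable not on an export line, 4 file unreadable.
check_fips_env() {
    env_file=$1
    [ -r "$env_file" ] || return 4
    # First uncommented line that sets the variable to ONLY
    set_ln=$(grep -n -E '^[[:space:]]*(export[[:space:]]+)?CA_SM_PS_FIPS140=ONLY[[:space:]]*$' "$env_file" \
        | head -n 1 | cut -d: -f1)
    [ -n "$set_ln" ] || return 1
    # The post places the assignment above the CAPKIHOME= line
    pki_ln=$(grep -n -E '^[[:space:]]*CAPKIHOME=' "$env_file" | head -n 1 | cut -d: -f1)
    if [ -n "$pki_ln" ] && [ "$set_ln" -gt "$pki_ln" ]; then
        return 2
    fi
    # The name must appear as a whole word on an uncommented export line
    grep -E '^[[:space:]]*export[[:space:]]' "$env_file" \
        | grep -q -E '[[:space:]]CA_SM_PS_FIPS140([[:space:]=]|$)' || return 3
    return 0
}

# Constructed sample input: the file section as the post shows it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.sh" <<'EOF'
CA_SM_PS_FIPS140=ONLY
CAPKIHOME=${CAROOT}/CAPKI
export CAROOT LD_LIBRARY_PATH CAPKIHOME CA_SM_PS_FIPS140
EOF
# Constructed sample input: variable set but never exported.
cat > "$demo_dir/noexport.sh" <<'EOF'
CA_SM_PS_FIPS140=ONLY
CAPKIHOME=${CAROOT}/CAPKI
export CAROOT LD_LIBRARY_PATH CAPKIHOME
EOF

for sample in "$demo_dir/good.sh" "$demo_dir/noexport.sh"; do
    rc=0
    check_fips_env "$sample" || rc=$?
    echo "$(basename "$sample"): rc=$rc"
done
```

On a Gateway, point the function at siteminder-env.sh in the profile.d directory named in the steps above; a non-zero return code says which of the edits is missing.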