Layer 7 Access Management

One Time Password in Siteminder

02-17-2015 07:28 AM

Does anyone have any idea about implementing a one-time password with SiteMinder? When a user tries to authenticate using SiteMinder, after the 1st authentication, an OTP should be generated and shared with the user over email or mobile. Then, after OTP verification, the user should be allowed to log in. Any help would be appreciated.


Thanks in Advance

Hi Vasu,


CA SiteMinder doesn't support two-factor authentication (authentication chaining) out of the box. However, this could be achieved using a custom authentication scheme.

Alternatively, you can also contact your CA account manager to engage CA Services to discuss your requirement and they should be able to provide a custom solution based on your need.

Please note that a CA Services engagement is chargeable.



Ujwol Shrestha

Hi verma.vasu

I believe this can be done with Arcot. In Siteminder 12.52, Arcot comes with Siteminder. Some earlier documentation on the Arcot and Siteminder integration can be found here: Arcot_SiteMinder_integration_TB.pdf. I don't have much knowledge on the Arcot side, but I know OTP is one of the functions in Arcot. yonli02, can you provide some insight?



SiteMinder 12.52 does not come with a full version of Advanced Authentication (aka Arcot). A limited version is included which provides the new 'Session Assurance' functionality. The full version of Advanced Authentication can be integrated with SiteMinder to provide the OTP functionality described in the original post here.


As Bill mentioned, Siteminder does not come with the full version of Advanced Authentication. I have got some input from my colleague who is familiar with Arcot. In order to achieve OTP, a set of Arcot products (AuthMinder, Arcot Adapter) needs to be installed and integrated with SiteMinder before OTP can be used. AuthMinder and Arcot Adapter are not in Siteminder R12.52. Hope this helps.

Hi Ujwol,


Thanks for your inputs. Can you please share some information about developing a custom authentication scheme? Any link or documentation would be appreciated.




Hi Vasu,



You can refer to the following section in the CA SiteMinder Bookshelf for the detailed steps on how to create and configure a custom authentication scheme:

Programming Guides > Programming Guide for Java > Authentication and Authorization APIs


Here is a direct link for the same from our r12.5 Admin guide:

Authentication and Authorization APIs


To develop custom authentication itself, you will need to install the Siteminder SDK. It comes with samples for most of the custom modules, including authentication and authorization.

Once you have installed the SDK, you can find the sample code for custom authentication schema in the following directory:

$SDK Installed Directory$\samples\javaauthapi\

I have attached the same here for your quick reference.


Please note, this sample is a basic authentication scheme to get you started with the custom authentication scheme and doesn't take into account any OTP scenario (or any other complex scenario for that matter).

CA support will not be able to assist you in implementing a custom authentication scheme for your requirement. If you need any further assistance you will have to reach out to CA Services.


Hope this helps.



Ujwol Shrestha

Hi Ujwol,


Thanks for providing the information. I tried the sample code, but after deploying the code into the SM policy server and creating the authentication scheme, when I try to access any resource protected using the custom-made authentication scheme, Internal Server Error 500 is returned.

From smtrace log:

[14:41:37][Starting IsProtected processing.][][/servicecentre][]
[14:41:37][Resource is protected by realm.][][/servicecentre][]
[14:41:37][** Status: Error. Reject s9/r3 : internal error - failed to obtain scheme credentials for scheme 'CIDSiteminder'][][][]
[14:41:37][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][][][]




Hi Vasu,


Did you use the custom authentication scheme sample that I provided earlier?

That error indicates that SiteMinder was not able to invoke the "query" method from your custom authentication scheme class, or it didn't receive the desired response.

This method is invoked to retrieve the following basic information about the custom authentication scheme:


- scheme version
- scheme description
- scheme credential type (e.g. basic/html etc.)


If you are already using the sample class that I provided, then could you please explain what steps you performed to create the custom authentication scheme?

Also if possible, please upload smps.log and smtracedefault.log.



Ujwol Shrestha

Hi Ujwol ,


I followed this particular link to configure the authentication scheme using the sample provided by you. I'm attaching the required logs.



Hi Vasu,


I think I know what the problem is. There is a small flaw in the instructions provided. I have replied to the original thread, but for your easy reference I am attaching my reply here as well:



Hello All,


For those of you who are getting the following error "Reject s3/r7 : internal error - failed to obtain scheme credentials for scheme'", I think I know what the problem is.


It is most likely that in step(1) above java-build.bat/ didn't execute successfully.

If you view the java-build.bat, all it is doing is compiling as below :


"javac -classpath .;..\..\java\SmJavaApi.jar"


As you can see above, it is expecting "SmJavaApi.jar" to be in the classpath. But when you move this batch file from its default location, it is possible that it will no longer be able to locate this SmJavaApi.jar file.

To confirm this, try running this batch file from a command prompt; you would then see some errors like below:


"C:\Custom Auth\mycustomclass - Copy\com\netegrity\sdk\javaauthapi>javac -classpath .;..\..\java\SmJavaApi.jar" error: package com.netegrity.policyserver.smapi does not


import com.netegrity.policyserver.smapi.*;





To fix this, you will need to specify the full path to the SmJavaApi.jar file in the batch file.


You can find this jar file in:

$Siteminder SDK Installed Directory$\java\SmJavaApi.jar

$Policy Server Installed Directory$\bin\jars\SmJavaApi.jar


So your batch file should look something like this:

javac -classpath ".;C:\Program Files (x86)\CA\sdk\java\SmJavaApi.jar"


To confirm that the batch is executing successfully, you need to check whether the "AuthApiSample.class" class file is created in the folder.


Hope this helps.



Ujwol Shrestha


Hi Ujwol,

I tried this approach also. Still getting the internal server 500 error.


[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][Reject s4/r4 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][Send response attribute 158, data size is 104][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][][Send response attribute 146, data size is 0][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:793][CSm_Az_Message::FormatAttribute][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][][Send response attribute 147, data size is 0][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:563][CSm_Az_Message::ProcessMessage][s4/r4][apache_agent][][][][Headers][][][][][][][][][][][][][][][** Status: Error. Reject s4/r4 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:567][CSm_Az_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Az_Message::SendReply][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][IsProtected.cpp:212][CSm_Az_Message::IsProtected][s4/r4][][][][][][][][][][][][][Reject s4/r4 : internal error - failed to obtain scheme credentials for scheme 'MyCustom Authentication'][][][][][][][Leave function CSm_Az_Message::IsProtected, Failed to obtain scheme credentials.][]

[07/17/2014][10:59:40.422][10:59:40][4264][1916][Sm_Az_Message.cpp:371][CSm_Az_Message::ProcessMessage][][][][][][][][][][][][][364][][][][][][][][Leave function CSm_Az_Message::ProcessMessage][].


Content from my .bat file.


javac -classpath .;C:\smjar\SmJavaApi.jar





OK, can you answer a few more questions for me?


  • Was the class file AuthApiSample.class created after running the batch file?
    Does the jar file contain the class file? (You can extract it and see.)
  • Did you restart the Policy Server?
  • Please share your JVMOptions.txt.
  • When defining the custom authentication scheme in the Admin UI, what value did you use for the parameter?

Hi Ujwol ,


The class file was created after running the batch file and the jar does contain the class file. After editing the JVMOption.txt, the Policy Server was restarted. I am attaching the JVMOption.txt file and a screenshot of the custom authentication scheme.




You have included the jar file in the "bootclasspath" instead of "classpath".


-Xbootclasspath --> You included the custom authentication jar here.


-Djava.class.path --> The jar needs to be included here.


I have now corrected the JVMOptions.txt.

Please use this, restart your policy server and test again.


Hope this helps.


Ujwol Shrestha
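
The two checks that resolved this thread (the compiled class is actually inside the jar, and the jar is listed under -Djava.class.path rather than -Xbootclasspath in JVMOptions.txt) can be scripted before restarting the Policy Server. The following is an added example, not part of the original discussion or of the SiteMinder SDK; the jar name customauth.jar, the sample paths and the fully qualified class name are assumptions.

```python
import io
import zipfile

# Constructed JVMOptions.txt content (Windows ';' separators); all paths and the
# jar name customauth.jar are placeholders, not values from the thread's attachments.
BAD_OPTIONS = """\
-Xbootclasspath/p:C:/CA/siteminder/bin/endorsed/xercesImpl.jar;C:/smjar/customauth.jar
-Djava.class.path=C:/CA/siteminder/config/properties;C:/CA/siteminder/bin/jars/smbootstrap.jar
"""
GOOD_OPTIONS = """\
-Xbootclasspath/p:C:/CA/siteminder/bin/endorsed/xercesImpl.jar
-Djava.class.path=C:/CA/siteminder/config/properties;C:/smjar/customauth.jar
"""
# Assumed fully qualified name, inferred from the com/netegrity/sdk/javaauthapi folder.
SCHEME_CLASS = "com.netegrity.sdk.javaauthapi.AuthApiSample"

def classpath_entries(options_text):
    """Split the two JVM options discussed in the thread into lists of paths."""
    found = {"boot": [], "class": []}
    for line in map(str.strip, options_text.splitlines()):
        if line.startswith("-Xbootclasspath"):
            # Covers -Xbootclasspath:, /p: and /a:; the first ':' ends the option name.
            key, value = "boot", line.partition(":")[2]
        elif line.startswith("-Djava.class.path="):
            key, value = "class", line.split("=", 1)[1]
        else:
            continue
        found[key] += [p for p in value.split(";") if p]
    return found

def make_jar(entry_names):
    """Build a jar (zip) in memory so the example runs without the SDK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entry_names:
            jar.writestr(name, b"")
    return buf.getvalue()

def diagnose(options_text, jar_name, jar_bytes, class_name=SCHEME_CLASS):
    """Return the deployment problems found; an empty list means none."""
    paths = classpath_entries(options_text)
    def listed(entries):
        return any(e.replace("\\", "/").lower().rsplit("/", 1)[-1] == jar_name.lower()
                   for e in entries)
    problems = []
    if listed(paths["boot"]):
        problems.append("jar is on -Xbootclasspath; move it to -Djava.class.path")
    if not listed(paths["class"]):
        problems.append("jar is not on -Djava.class.path")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if class_name.replace(".", "/") + ".class" not in jar.namelist():
            problems.append("jar does not contain " + class_name)
    return problems
```

For a real deployment, pass the text of JVMOptions.txt and the bytes of the custom scheme jar to diagnose() in place of the constructed samples.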

This document was generated from the following discussion: One Time Password  in Siteminder
