Hi Ralf,

Changing the java.security file did indeed do the trick.
Thanks for the quick and accurate solution to my problem.

Recommend to fix the A2A client such that it will work with the same
Java as required by TCF.

Best regards
Claus

On 21/01/2025 17.59, Ralf Prigl via Broadcom wrote:
> Ralf Prigl
> Jan 21, 2025 11:58 AM
>
> Hello Claus, Yes, this has been seen before. The A2A client depends on
> an old Java library (jar file) for password decryption that was signed
> by a SHA1 certificate. There have been problems with dependencies that
> have prevented us from updating that jar file so far. Some recent JRE
> versions don't allow such jar files to be loaded via option "SHA1
> denyAfter 2019-01-01" in the "disabledAlgorithms" list in
> (conf\)java.security, such as:
>
> jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
> DSA keySize < 1024, include jdk.disabled.namedCurves, \
> SHA1 denyAfter 2019-01-01
>
> Removing this option from the list should allow the library to be
> loaded. At this point we don't know which PAM release will contain an
> updated library that doesn't have this problem.
>
> -------------------------------------------
> Original Message:
> Sent: Jan 20, 2025 03:39 PM
> From: Claus Rasmussen
> Subject: Using A2A client and Java returns "null" when fetching the
> password
>
> Have a simple Java program which fetches the credentials for an alias
> using the method retrieveCredentials(alias). The return status is
> "400" (OK) and the method userId() returns the username for the
> alias. However, the method getPassword() returns "null" instead of the
> password.
>
> Using the program cspmclient will return the password correctly.
>
> I am using PAM 4.2 and Java 17. A2A calls are made from within a
> custom connector which requires Java 17.
>
> Anybody seen this behavior before?
>
>
>
> ------------------------------
> Claus Rasmussen
> ------------------------------
>
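
The setting discussed in this thread can be checked before and after editing java.security. The following Python sketch is an added example, not part of the original messages or of any Broadcom code; it parses `jdk.jar.disabledAlgorithms` (including `\` line continuations) and reports how that JRE treats SHA1-signed JARs. The sample file content is constructed from the excerpt quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the java.security excerpt quoted in the thread.
SAMPLE = r"""
# conf/security/java.security (constructed excerpt)
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves, \
      SHA1 denyAfter 2019-01-01
"""

def read_property(text, key):
    """Return one property value with '\\' continuation lines joined, or None."""
    value, collecting = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            if line.startswith("#") or "=" not in line:
                continue
            name, _, rest = line.partition("=")
            if name.strip() != key:
                continue
            value, line = "", rest.strip()  # a later definition replaces an earlier one
        collecting = line.endswith("\\")
        value += line.rstrip("\\").strip() + " "
    return None if value is None else value.strip()

def jar_constraints(text):
    """Map algorithm name -> constraint text from jdk.jar.disabledAlgorithms."""
    value = read_property(text, "jdk.jar.disabledAlgorithms") or ""
    out = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry or entry.startswith("include "):
            continue  # 'include' pulls in another property; not expanded here
        name, _, constraint = entry.partition(" ")
        out[name.upper()] = constraint.strip()
    return out

def sha1_jar_policy(text):
    """Classify SHA1 handling: ('denied-after', date), ('denied', None) or ('allowed', None)."""
    constraints = jar_constraints(text)
    for alias in ("SHA1", "SHA-1"):
        if alias in constraints:
            m = re.search(r"denyAfter\s+(\d{4}-\d{2}-\d{2})", constraints[alias])
            return ("denied-after", m.group(1)) if m else ("denied", None)
    return ("allowed", None)

if __name__ == "__main__":
    print(sha1_jar_policy(SAMPLE))
```

Because java.security applies to the whole JRE, removing the entry relaxes signature checking for every JAR that runtime loads, not only the A2A library, so the check is worth re-running after JRE upgrades and once an updated library ships. Where the JVM's launch options are under your control, the standard `-Djava.security.properties=<file>` option can supply the relaxed value for that one process instead of editing the shared file.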