Symantec Access Management

Tech Tip : CA Single Sign-On :Policy Server:How to configure Open Format Cookie and consume it

By Ujwol posted 09-08-2016 03:37 AM



In this guide we will discuss how to configure Policy server to send an Open Format Cookie as a response header.

We will also discuss how to write a simple java client program to consume (decrypt) the OFC cookie sent by Policy server.

This can be used for Agent less single sign-on.


  • Policy Server : R12.5+,
  • OS : ANY


On Policy Server:

1. Create a Web Agent Response that Generates an Open Format Cookie as below :

For detailed instruction refer to : How to Create a Web Agent Response That Generates an Open Format Cookie - CA Single Sign-On - 12.52 SP1 - CA Technologie…

Note : From the following screen make a note of following two configurations as these will be needed on the client side  :

  • Encryption Key
  • Encryption Algorithm

2. Add the OFC Cookie Response configured in step (2) to either OnAuthAccept or OnAccessAccept rule.

3. Add rule to Policy.


On the Client side

Modify the attached  as below :

1. Depending upon which Encryption Algorithm is used while configuring OFC cookie response , edit the following variables appropriately :

If using AES Algorithm :

public static final String DEFAULT_ALGORITHM = AES_ALGORITHM;

If using DES Algorithm:



2. In the decrypt() method, update the byte array KEY variable to match the Encryption Key as defined in the Admin UI.

Follow the below steps to convert the string formatted Encryption Key to Byte Array

Step 1 : Copy the value of EncryptionKey from Admin UI==>OFC Cookie Response e.g. : B4578127007497EF8A655E4986D4F63C (see above screenshot)
Step 2  Add space every two characters:
B4 57 81 27 00 74 97 EF 8A 65 5E 49 86 D4 F6 3C
Step 3  Append (byte)0x in front of every two character pairs : (byte)0xB4 (byte)0x57 (byte)0x81 (byte)0x27 (byte)0x00 (byte)0x74 (byte)0x97 (byte)0xEF (byte)0x8A (byte)0x65 (byte)0x5E (byte)0x49 (byte)0x86 (byte)0xD4 (byte)0xF6 (byte)0x3C
Step 4 Separate each two character pair using comma: (byte)0xB4,(byte)0x57,(byte)0x81,(byte)0x27,(byte)0x00,(byte)0x74,(byte)0x97,(byte)0xEF,(byte)0x8A,(byte)0x65,(byte)0x5E,(byte)0x49,(byte)0x86,(byte)0xD4,(byte)0xF6,(byte)0x3C

3. Compile the class. Note; the jre/lib should be in the class path.

4. Ensure that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files patch have been applied to the JRE that is being used.


1. Access the protected resource which is configured to return the OFC cookie response and copy the cookie value returned using some script which displays all the response headers :

2. Run the  SampleOFCConsumer class and provide the OFC Cookie value as the input parameter :


Additional Information:




10-04-2016 02:53 AM

Hi All,


This has been worked out . Here is a tech tip : Tech Tip : CA Single Sign-On :Policy Server:How to decrypt Federation Open Format Cookie (Java) 




09-26-2016 12:10 PM

Hi Billy,


I tried this but wasn't able to decrypt Federation OFC cookie myself. We will need to know the Initizialation vector that is being used.


Can you open a support case for this?

I will continue to check if I find anything in the meanwhile.




09-22-2016 11:21 AM

Just checking back in. Were you able to get additional information?

09-19-2016 08:45 PM

09-13-2016 02:19 PM

Thanks Chris for the details.  Let me work this out with one of Federation SME. I will update the finding shortly,

09-13-2016 09:42 AM

There's not much to configure on the Partnership really. There's a few sections to provide things like the "provisioning server", encryption method, and a password (no key is provided here like in the web agent response example) and how to pass the information (Cookie, Cookie POST, or Header).

In our case:

Delivery Option: Open-format Cookie Post

Provisioning Server URL: https://ourstuff.domain/profile/

Encryption Transformation: AES128/CBC/PKCS5Padding

Encryption Password: [ourpassword]


There's no "key" or anything. So trying to figure out how to decrypt the cookie in this scenario. It gets generated and sent in the POST, just can't seem to get it where we can actually read it O_o.

09-12-2016 12:24 AM

Hi @Billy Blevins,


I am not sure how OFC cookie is used in federation. 
How do you define the OFC cookie response ? Have you matched the init vectors?




09-12-2016 12:22 AM

Hi Jean-Baptiste Jean-Jacques,


This is true. The reason being the Initialization vector used for encryption here is NOT random.

This means that , for any given input , the result of encryption is always going to be the same.


For the different user, (different username) , this is definitely going to be different value.

If you want it to be random, I suggest selecting multiple "well defined attributes", which will result in different encrypted OFC cookie for different user.




09-09-2016 12:13 PM

Thanks. This is very helpful. I have very little CA knowledge. I don't work with this stuff directly, but I need to consume/decrypt an OFC client-side. The problem is that on the federated side (which we're using), there is only an encryption password and not an encryption key. Thus far, trying to use the password has not worked for me even if we make that password a 128-bit hex string. Any ideas on what I might need to do?

09-08-2016 09:30 AM

Once again Ujwol, thanks for all the great help that you provide to this community! It is truly appreciated. 


I have this working in my POC environment but one thing I noticed is the OFC value is always the same for the same user. I have not tried to authenticate with a different user and compare the values.


Wouldn't it make more sense to add have a different salt every time?

09-08-2016 03:41 AM

Jean-Baptiste Jean-Jacques this might be of your interest.