Symantec Access Management

Tech Tip : CA Single Sign-On : Failed Handshake between Webagent and Policy Server.

    Broadcom Employee
    Posted Oct 04, 2018 05:08 AM

    Introduction:

     

    We have a web agent that was already running successfully, and it suddenly reports the following error in the web server log:

    [Error] SiteMinder Agent Unable to load SiteMinder host configuration object or host configuration file.
    Path to the SiteMinder host configuration File is Empty.

    Policy Server smps.log shows failed handshake errors:

    [1860/2604][Mon Jul 18 2016 13:59:03][CServer.cpp:1959][ERROR][sm-Tunnel-00050] Handshake error: Shared secret incorrect for this client
    [1860/2604][Mon Jul 18 2016 13:59:03][CServer.cpp:2121][ERROR][sm-Server-01070] Failed handshake with 155.35.245.129:49184

     

    Question:

     

    What are the reasons for a failed handshake between the web agent and the Policy Server (where the agent needs to be re-registered)?

     

    Environment:

     

    All Unix environments

     

    Answer:

     

    On all non-Windows platforms, the agent code used to encrypt and decrypt the shared secret uses a key that is derived from a hard-coded value combined with the result of
    calling gethostid() on the platform in question. gethostid() is a standard C library function that returns a 32-bit long value.

    Different UNIX systems implement this function differently. For example, the system implementations of the gethostid() C library function on Linux, AIX and Solaris are not the same.

    As a result, the SiteMinder web agent might not be able to decrypt a shared secret generated on one UNIX system when it is moved to another system.

    In addition, if the host ID of the same system changes (due to a change in IP address, hostname, MAC address, etc.), the web agent will not be able to decrypt the shared secret that was
    originally generated on that system, in which case you need to re-register the trusted host.

     

    Additional Information:

     

    gethostid Linux Man Page : http://linux.die.net/man/2/gethostid

     

    This has been incorporated into the documentation. Please visit
    docops.ca.com for updated information for your version.

     

    KB : KB000021905
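
A way to notice the host ID change described in the Answer before the agent starts failing handshakes: the following is an added example, not code from the original post or from the product. It records the current gethostid() value in a baseline file and reports when a later run sees a different value; the file name `hostid.baseline` and the function names are hypothetical.

```c
#include <stdio.h>
#include <unistd.h>

long gethostid(void); /* repeated in case a strict -std= mode hides it */

enum { HOSTID_ERROR = -1, HOSTID_SAME = 0, HOSTID_RECORDED = 1, HOSTID_CHANGED = 2 };

/* The post describes gethostid() as a 32-bit value; mask off sign extension. */
unsigned long current_hostid(void) {
    return (unsigned long)gethostid() & 0xffffffffUL;
}

/* Compare `current` with the value stored in `path`; record it on first run. */
int check_baseline(const char *path, unsigned long current) {
    unsigned long saved = 0;
    FILE *f = fopen(path, "r");
    if (f) {
        int n = fscanf(f, "%lx", &saved);
        fclose(f);
        if (n != 1) return HOSTID_ERROR;      /* baseline exists but is unreadable */
        return saved == current ? HOSTID_SAME : HOSTID_CHANGED;
    }
    f = fopen(path, "w");                     /* no baseline yet: create one */
    if (!f) return HOSTID_ERROR;
    fprintf(f, "%08lx\n", current);
    return fclose(f) == 0 ? HOSTID_RECORDED : HOSTID_ERROR;
}

int main(int argc, char **argv) {
    /* hypothetical default path; pass another as the first argument */
    const char *path = argc > 1 ? argv[1] : "hostid.baseline";
    unsigned long id = current_hostid();
    int rc = check_baseline(path, id);

    if (rc == HOSTID_CHANGED)
        fprintf(stderr, "host ID is now %08lx and differs from %s: expect "
                "handshake failures; re-register the trusted host\n", id, path);
    else if (rc == HOSTID_RECORDED)
        printf("recorded host ID %08lx in %s\n", id, path);
    else if (rc == HOSTID_SAME)
        printf("host ID %08lx unchanged\n", id);
    else
        fprintf(stderr, "cannot read or write %s\n", path);
    return (rc == HOSTID_SAME || rc == HOSTID_RECORDED) ? 0 : 1;
}
```

Record the baseline right after a successful trusted host registration, then run the check again after any IP address, hostname or network interface change and before restarting the web server.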