Symantec Access Management

CA Security Tuesday Tip: CA Identity Manager - on FIPS Mode in ra.xml

  • 1.  CA Security Tuesday Tip: CA Identity Manager - on FIPS Mode in ra.xml

    Broadcom Employee
    Posted Feb 01, 2015 08:32 PM

    The following may not be well explained in the documentation:

    ra.xml is the file that's used to hold the connection parameters between Identity Manager and SiteMinder. One of these parameters is FIPS_Mode (where the value can be 'True' or 'False').

    Some customers seem to have thought this relates to the Policy Server's FIPS Mode, since this file mainly holds info about the Policy Server.

    However, this parameter in fact indicates whether Identity Manager is installed in FIPS Mode or not. Further, based on this value IDM will know how to decrypt the Password and Shared Secret in this file when connecting with SiteMinder. In other words, this parameter is read by Identity Manager, which then uses the proper decryption of these other params in order to establish the connection.

    If there is a mismatch between this value and the actual encryption of these other params in the file, you will see an Agent API -1 error (see below):

    [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 69) IJ000604: Throwable while attempting to get a new connection: null: javax.resource.spi.EISSystemException: Cannot connect to policy server: Failed to init Agent API: -1
        at com.netegrity.ra.policyserver.impl.PSManagedConnectionFactory.createManagedConnection(PSManagedConnectionFactory.java:325) [ims.jar:]
        at

    Yours,

    Sagi Gabay,
    CA Technologies.
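As an added example, not part of the post and not CA's own tooling: a small pre-deployment check that reads the config properties from ra.xml and flags a secret whose encryption does not match the FIPS_Mode value, so the mismatch is caught before the Agent API -1 error appears at runtime. It assumes the standard JCA config-property layout, the property names Password and SharedSecret, and that encrypted values carry an {AES} (FIPS) or {RC2} (non-FIPS) cipher-tag prefix; only FIPS_Mode itself comes from the post, everything else is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed ra.xml fragment in JCA config-property form. The property names
# Password/SharedSecret and the {AES}/{RC2} tags are assumptions for this example.
SAMPLE_RA_XML = """<connector xmlns="http://java.sun.com/xml/ns/j2ee">
  <resourceadapter>
    <config-property>
      <config-property-name>FIPS_Mode</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>True</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>Password</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>{RC2}Zm9vYmFy</config-property-value>
    </config-property>
    <config-property>
      <config-property-name>SharedSecret</config-property-name>
      <config-property-type>java.lang.String</config-property-type>
      <config-property-value>{AES}YmFyYmF6</config-property-value>
    </config-property>
  </resourceadapter>
</connector>"""

SECRET_PROPS = ("Password", "SharedSecret")          # assumed property names
TAG_FOR_MODE = {True: "{AES}", False: "{RC2}"}       # assumed cipher tags


def _local(tag):
    """Strip the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def load_properties(xml_text):
    """Return {config-property-name: config-property-value} from an ra.xml."""
    props = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "config-property":
            continue
        name = value = None
        for child in el:
            if _local(child.tag) == "config-property-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "config-property-value":
                value = (child.text or "").strip()
        if name:
            props[name] = value or ""
    return props


def check_fips_consistency(xml_text):
    """List every secret whose cipher tag disagrees with FIPS_Mode (empty = OK)."""
    props = load_properties(xml_text)
    mode = props.get("FIPS_Mode", "").lower()
    if mode not in ("true", "false"):
        return [f"FIPS_Mode missing or not True/False: {mode!r}"]
    expected = TAG_FOR_MODE[mode == "true"]
    problems = []
    for name in SECRET_PROPS:
        value = props.get(name)
        if value is None:
            problems.append(f"{name} not present in ra.xml")
        elif not value.startswith(expected):
            problems.append(f"{name} is not {expected}-encrypted but FIPS_Mode={props['FIPS_Mode']}")
    return problems
```

Run it against the real ra.xml before starting the application server; an empty list means the secrets and FIPS_Mode agree.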