Issue:
We're running CA Access Gateway (SPS). When a user accesses a resource protected with OpenID Connect, on the first request the user is redirected, as explained in the documentation, to the authentication page that protects /Affwebservices/secure/secureRedirect. But after entering the authentication data, the user receives an error.
FWSTrace.log
[05/23/2018][08:54:55][7228][1900][][FWSConfigurationManager.java][initializeResourceDirectory][Cannot set resource path used to display error messages; Likely caused by uninitialized NETE_WA_ROOT environment variable]
[05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][AuthorizationService.java][processAuthentication][Not using secure authentication URL.]
[05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][SecureRedirect.java][doGet][Transaction with ID: 610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c failed. Reason: SERE_GET_EXCEPTION]
[05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][SecureRedirect.java][doGet][Exception caught in class com.netegrity.affiliateminder.webservices.SecureRedirect, method doGet: com.netegrity.siteminder.agentcommon.utils.k: .]Failed to decrypt
How can we solve that?
Environment:
Policy server 12.8 on Windows 2016 R2;
SPS (Access Gateway) 12.8 on Windows 2016 R2;
Resolution:
- Make sure that the CA Access Gateway (SPS) JDK has the JCE patches applied;
Install CA Access Gateway
https://docops.ca.com/ca-single-sign-on/12-8/en/installing/install-ca-access-gateway
- Make sure that "Use Secure Authentication URL" is checked:
According to the following Communities thread, the authentication URL should be secure:
CA SSO OpenID Connect Provider - Agentless SSO
"08/13/2018,05:36:17,9588,139832797722368,7bfd74c8-44c979a3-f3eb70aa-74aa44e4-0ec02973-02,AuthorizationService.java,processAuthentication,Not using secure authentication URL.
above line seems to be the root cause. I believe it's needed to enable the option to have secure auth url for OIDC implementation, thereby the decryption failure"
https://communities.ca.com/thread/241778229-ca-sso-openid-connect-provider-agentless-sso
Check also:
OpenID Connect Provider with CA Single Sign On 12.8- PoC
https://communities.ca.com/thread/241813952-openid-connect-provider-with-ca-single-sign-on-128-poc
- Make sure that the environment variable NETE_WA_ROOT is set properly before starting the CA Access Gateway (SPS);
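The three resolution steps above each correspond to a distinct message in FWSTrace.log. As an added triage helper (not part of the KB article or of the CA product), the script below re-joins the wrapped trace entries, groups them by transaction ID and maps the message fragments quoted in this article to the step that addresses them; the sample log is a constructed subset of the lines quoted above.

```python
import re
from collections import defaultdict

# One FWSTrace.log entry is eight bracketed fields: [date][time][pid][tid]
# [transaction id][source file][method][message...  The message often wraps onto following lines.
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>[^\]]*)\]\[(?P<tid>[^\]]*)\]"
    r"\[(?P<txid>[^\]]*)\]\[(?P<src>[^\]]*)\]\[(?P<method>[^\]]*)\]\[(?P<msg>.*)$"
)

# Message fragments named in the KB article, mapped to its resolution steps.
SYMPTOMS = {
    "uninitialized NETE_WA_ROOT": "set NETE_WA_ROOT before starting CA Access Gateway (SPS)",
    "Not using secure authentication URL": "enable 'Use Secure Authentication URL' for the OIDC provider",
    "Failed to decrypt": "apply the JCE patches to the SPS JDK and re-check the secure authentication URL",
}

# Constructed sample: a subset of the trace lines quoted in the article, with their original wrapping.
SAMPLE_LOG = """\
[05/23/2018][08:54:55][7228][1900][][FWSConfigurationManager.java][initializeResourceDirectory][Cannot
set resource path used to display error messages; Likely caused by
uninitialized NETE_WA_ROOT environment variable]
[05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][AuthorizationService.java][processAuthentication][Not using secure authentication URL.]
[05/23/2018][09:13:29][7228][5572][610c7b97-d9ab1f07-19230f43-76119b33-7e7a2c6e-0c][SecureRedirect.java][doGet][Exception
caught in class
com.netegrity.affiliateminder.webservices.SecureRedirect, method
doGet: com.netegrity.siteminder.agentcommon.utils.k: .]Failed to
decrypt
"""

def parse_fwstrace(text):
    """Re-join wrapped lines into whole entries and split each into its fields."""
    raw = []
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            raw.append(line)                   # a new entry starts here
        elif raw:
            raw[-1] += " " + line.strip()      # wrapped continuation of the previous entry
    return [ENTRY_RE.match(r).groupdict() for r in raw]

def triage(entries):
    """Group the known symptoms by transaction ID so each failed request
    lists the resolution steps that apply to it ("(no transaction)" for startup messages)."""
    findings = defaultdict(list)
    for e in entries:
        key = e["txid"] or "(no transaction)"
        for fragment, step in SYMPTOMS.items():
            if fragment in e["msg"] and step not in findings[key]:
                findings[key].append(step)
    return dict(findings)
```

Running `triage(parse_fwstrace(open("FWSTrace.log").read()))` on a real trace lists, per failed transaction, which of the three checks above still needs attention.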
KB: KB000097690