Issue decoding SMSession Token in Cognos with Siteminder SDK Agent

Document ID : KB000008744
Last Modified Date : 14/02/2018
Show Technical Document Details
Issue:

We're running Cognos application server, and this one has an embedded

SDK C Agent. But when this SDK C Agent receives an SMSESSION cookie

from a front end IIS Web Agent, it cannot decode properly the Session

data at it reports error :

 

CAM-AAA-0165 The SiteMinder agent API function call to 'Sm_AgentApi_DecodeSSOToken()' 

failed with error code 'SM_AGENTAPI_FAILURE

 

CAM-AAA-0161 Unable to decode SSO token

 

Why is this happening and how can we solve it ?

 

Environment:
SDK Agent 12.5x, 12.6, 12.7Windows or Linux/UnixNote: This KB may apply to many other versions of Web Agent, Policy Server, SDK Agent, and Cognos.
Cause:

Policy Server runs in FIPS Only Mode, and it has version 12.51

 

smps.log 

 

[4615/4151736016][Tue Nov 21 2017 17:29:43][CServer.cpp:4017][INFO][sm-Server-04450] 

Policy Server employing only FIPS-140 cryptographic algorithms.

 

In that case, the Environment Variable CA_SM_PS_FIPS140 needs to be

set to to Only for the SDK C Agent to be able to decode session data.

 

 

 

Resolution:

You need to have the SDK Agent running in the same FIPS Mode as the Web Agent and Policy Server. Since the Web Agent is running in FIPS_ONLY, the SDK Agent will need an Environment Variable to know what FIPS Mode it should be in.

 

Set an Environment Variable for you OS with

Name: CA_SM_PS_FIPS140

Value: ONLY

 

Examples

 

Linux:

export CA_SM_PS_FIPS140=ONLY

 

Windows:

Untitled.png

Additional Information:

From 12.51 Documentation, if the Policy Server runs FIPS only, you 

need to set an environment variable on the SDK C Agent side : 

 

Running C Sample Program with a 4.x Agent Requires Setting an Environment Variable 156186 

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/release-notes/cumulative-releases/defects-fixed-in-12-51 

 

Setting the environment variable for FIPs only is required for 

running the SmAgentAPI 'C' Samples for the 4x Agent connection to 

work. Make sure that this environment variable is set as follows: 

 

export CA_SM_PS_FIPS140=ONLY.