Problem with Pure Java Agent API and FIPS ONLY mode.

Document ID : KB000047983
Last Modified Date : 14/02/2018

Description:

When the Pure Java Agent API is used with FIPS ONLY mode enabled as shown below, AgentAPI.isProtected results in an error. The program is based on the SDK sample program "smjavaagentapi".

FIPS ONLY mode is enabled as follows:
        initDef.setCryptoOpMode( InitDef.CRYPTO_OP_F1402 );

Error messages observed:

  1. SMPS.log
    [Sm_Az_Message.cpp:209][ERROR] Bad s31/r2 request detected

  2. Smtracedefault.log
    [** Received agent request.][][][Sm_Az_Message.cpp:198][1507][15:12:27.739][CSm_Az_Message::ProcessMessage][][][][][s31/r2][][][][][][][][][][][][][][][][][][][][][][][][][][IsProtectedEx][][][][][][][][][][]

Solution:

The problem is in the instantiation of ResourceContextDef: the agent name passed as the first argument is an empty string. Setting a specific agent name resolves the problem.


[Wrong]:
        ResourceContextDef resctxdef = new ResourceContextDef("", "", resource, "GET");
 
[Correct Example]:
        ResourceContextDef resctxdef = new ResourceContextDef("myagent", "", resource, "GET");

The Java Agent API refers to the Agent5x APIs only. The agent4x is not supported with a FIPS ONLY Policy Server because it was developed before FIPS.

Note: The JavaDoc describes the constructor as follows.


public ResourceContextDef(java.lang.String p_agent,
                          java.lang.String p_server,
                          java.lang.String p_resource,
                          java.lang.String p_action)
Creates a resource context with the specified parameters. 
Parameters: 
p_agent - The name of the agent associated with the resource. This parameter is used with affiliate agents and with v5.x agents and above. With 4.x agents, set this parameter to an empty string (""). 
p_server - The name of the server (used only in the log). 
p_resource - The resource to check -- for example, /inventory/. 
p_action - The action to check for -- for example, GET.