The Policy Server IP Address that the Policy Server name is a fully qualified domain name
That the Agent encryption mode is compatible with the encryption mode used by the Policy Server
Note: The following FIPS/AES encryption modes are not compatible:
- This product in COMPAT mode with Policy Server in ONLY mode

Run the configuration wizard again to correct these settings.

Exception from System.loadLibrary(smjavaagentapi) java.lang.UnsatisfiedLinkError: no smjavaagentapi in java.library.path

Reason:

This message appears in the Web AS default trace file if the Java Agent API file is not present in the system path.

Action:

Check the configuration of your CA SSO Login Module.

More information:

Configure SiteMinderLoginModule

smwebas.home property not set

Reason:

This message appears in the Web AS default trace file when the smwebas.home property is not set.

Action:

Use the Web AS Configuration Tool to ensure the smwebas.home property is set correctly.

java.lang.ClassNotFoundException: com.netegrity.siteminder.sap.webas.jaas.SiteMinderLoginModule.

Reason:

The Web AS default trace file contains this message for any of the following reasons:

The SiteMinderLoginModule.sca library was not deployed.
The SiteMinderLoginModule.sca library was deployed incorrectly.
No reference to the SiteMinderLoginModule.sca library exists in the ClassLoaders property of the Security Provider service.

Action:

Check the deployment of the SiteMinderLoginModule.sca library.

no JDecrypt in java.library.path

Reason:

The Web AS default trace file contains this message when the JDecrypt.dll is not present in the system path.

Action:

Copy the JDecrypt library

From

<agent_install_drectory>\sapwebas\bin

To:

<sap_home>\<SID>\<instance>\j2ee\os_libs

More information:

Configure SiteMinderLoginModule

javaagent_api_init

Reason:

This message appears in the CA SSO Agent for SAP log file if the Java Agent API file is not present in the system path.

Action:

Copy the Java Agent API (smjavaagentapi) library

From

<agent_install_directory>\sapwebas\bin

To:

<sap_home>\<SID>\<instance>\j2ee\os_libs

Invalid Entries in the Configuration File

Reason:

Agent configuration details are missing or are incorrect.

Action:

Run the Agent Configuration Wizard again and correct the errors.

Return code from doManagement Error

Reason:

This message can occur for any of the following reasons:

The Agent configuration contains an incorrect IP address or fully qualified domain name for the Policy Server.
The Policy server is not running.
A communication problem exists between the Policy Server and the CA SSO Login Module.
Policy Server closes the connection if the handshake is not completed within 10 seconds (Handshake timeout). The smps.log file contains the following message:
```
Closing accepted connection for session connection idle too long before handshake
```

Action:

Do the following tasks:

Verify that the IP address of the Policy Server is correct in the Agent configuration.
Start the Policy Server.
Verify the communication between the Policy Server and the CA SSO Login Module.
In the Policy Server, set the value of the registry key AcceptTimeout to 60 seconds at the following location:
```
HKEY_LOCAL_MACHINE/Software/Netegrity/SiteMinder/CurrentVersion/PolicyServer/
```
Valid for 12.51 CR 06 Policy Server onwards

Valid for 12.52 SP1 CR 02 Policy Server onwards
Restart the Policy Server and SAP instance.

Policy server IP address or ports are invalid

Reason:

The following items in the Agent configuration differ from those stored on the Policy Server:

Invalid IP address
Invalid accounting, authentication, or authorization ports

Action:

Run the Agent Configuration Wizard again. Ensure that you specify the Policy Server IP address and ports correctly.

WAS Usernames Do Not Match

Reason:

The following reasons can cause this error:

An attempted session hijack occurred, where a WASUSERNAME header was manually sent to the browser.
The User attribute passed in the WASUSERNAME Policy Server response for the resource mentioned in the Agent configuration does not match with the one given for the resource currently being accessed.

Action:

Check the WASUSERNAME response in the following realms:

Validation realm
Application realm

The user attribute passed must match in both realms.

More information:

Configure CA SSO Policies

SiteMinderSessionID header not found or empty - Aborting...

Reason:

One of the following HTTP headers was not available to the CA SSO Login module:

SMSERVERSESSIONID
SM_SERVERSESSIONID

Action:

Check the following items:

The configuration of the Web Agent on the proxy Web Server
The value of the DisableSessionVars Agent parameter must be set to no (in the Agent Configuration Object)

CA SSO Session Spec Header Not Found or Empty

Reason:

One of the following HTTP headers was not available to the CA SSO Login module:

SMSERVERSESSIONSPEC
SM_SERVERSESSIONSPEC

Action:

Check the following items:

The configuration of the Web Agent on the proxy Web Server
The value of the DisableSessionVars Agent parameter (must be set to no)

Resource not protected by CA SSO

Reason:

The resource listed in the Agent configuration is not protected in the Policy Server.

Action:

Verify that you have completed all the steps for configuring CA SSO policies.

More information:

Configure CA SSO Policies

CA SSO Session Is Invalid

Reason:

Validation of the Tier 2 CA SSO session can fail when any of the following events occur:

The timeout for the session expires.
The session user does not have the proper access permissions.

Action:

Check the following items:

The session timeout values
The permissions of the user associated with the invalid session.

CA SSO login module authentication failed. Redirecting to the error page...

Reason:

The user was denied access by the CA SSO login module, and was redirected to the error page.

The user is redirected to the absolute URL of the Error page, which is the ErrorURL parameter that is specified during Agent configuration.

If the URL of the Error page is not displayed and the “Page cannot be displayed” message appears in the browser, check the ErrorURL parameter that is specified during Agent configuration.

If the ErrorURL parameter is not specified during configuration, the log file of this product can issue an additional message:

"CA SSO login module authentication failed. No Error URL configured, sending error message..."

Action:

Verify that the values in the Agent configuration file are correct. If you still get this error, contact CA Technical Support.

Overall login stack authentication failed. Sending error message...

Reason:

A login using the CA SSO module succeeded, but another login module in the stack failed.

Action:

Check the other login modules in the stack. Especially those using the following flags:

REQUISITE
REQUIRED

FEDPROFILE Cookie not found - Aborting…

Reason:

The CA SSO Login Module did not receive the FEDPROFILE cookie from CA Federation.

Action:

Verify the following items:

The cookie settings are enabled in the browser.
CA Federation is creating the FEDPROFILE cookie.

FEDPROFILE cookie set to LOGGEDOFF

Reason:

The user completed a single logout (SLO) transaction from CA Federation.

Action:

The FEDPROFILE cookie is not valid. Authentication of the user to the SAP Web AS fails.

Invalid entries for Fed Connector in Config file

Reason:

The following settings are not configured correctly:

Federation Security Zone
Federation password

Action:

Verify the following items:

The Federation Security Zone is provided correctly (not empty).
The Federation password is not empty and verify that it is AES encrypted.