Web Agent Option Pack reports error : "Tried out all the decrypt keys, decryption failed"

Document ID:  TEC1385152
Last Modified Date:  07/14/2017
{{active ? 'Hide' : 'Show'}} Technical Document Details


  • CA Single Sign-On


  • CA Single Sign-On:Release:12.52 SP1



  I'm running a Web Agent Option Pack, this one cannot decrypt the zone

  SMSESSION cookie and reports :


  FWStrace : 



   [SSO.java][processRequest][Request to validate the session



   [FWSBase.java][isValidSession][Checking for valid SESSION cookies.] 


   [FWSBase.java][isValidSession][Found SESSION cookie: SMSESSION] 


   [FWSBase.java][isValidSession][Trying to validate using SMSESSION cookie.] 


   [FWSBase.java][isValidSession][Could not decryptSMSESSION cookie. Error message:

   Tried out all the decrypt keys, decryption failed..] 


  I would expect to see the following log line in the Policy Server

  12.52SP1CR04 log, but I don't find it :


  [3372/3682724720][Thu Feb 16 2017 10:37:10][SmObjKeyManagement.cpp:400][INFO]

   [sm-Server-04710] Key Roll over Request has been initiated automatically by Policy Server 


How can I solve it ?


There is 2 environments: Web Agent 12.52SP1CR04 on IIS 7.5 64bit on Windows 2008R2; Web Agent Option Pack 12.52SP1CR04 on Tomcat 7.0.63 with JDK 1.7.0_65 64bit on Windows 2008R2; connected to : 1 Policy Store on SQL 2012 Always On in Compatibility 100 for 12.52 Policy Server 1 Shared Key Store on SQL 2008; 1 Policy Server 12.52SP1CR04; parallel environment: 2 Policy Servers 12SP3CR11 > 1 Policy Server 12SP3CR11 rolls the keys at 03:00 every morning; 1 Policy Store on SQL 2008 for 12SP3CR01 Policy Server

When a single Policy Server generates encryption keys in an environment with multiple Policy Servers that connect to disparate policy stores, but share a central key store, an additional registry setting is required. This registry setting configures each Policy Server to poll the common key store and retrieve new encryption keys at a regular interval


Setting Policy Server 12.52SP1CR04 registry key to 1 solved the issue : 


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netegrity\SiteMinder\CurrentVersion\ObjectStore\EnableKeyUpdate= 1





Please help us improve!

Will this information enable you to resolve your issue?

Please tell us what we can do better.

{{feedbackText.length ? feedbackText.length : '0'}}/255


Not what you were looking for?

Search Again >

Product Information

Support by Product >


Join a Community >

Chat with CA

Just give us some brief information and we'll connect you to the right CA ExpertCA sales representative.

Our hours of availability are 8AM - 5PM CST.

All Fields Required


We're matching your request.

Unfortunately, we can't connect you to an agent. If you are not automatically redirected please click here.

  • {{message.agentProfile.name}} will be helping you today.

    View Profile

  • Transfered to {{message.agentProfile.name}}

    {{message.agentProfile.name}} joined the conversation

    {{message.agentProfile.name}} left the conversation

  • Your chat with {{$storage.chatSession.messages[$index - 1].agentProfile.name}} has ended.
    Thank you for your interest in CA.

    Rate Your Chat Experience.


agent is typing