Tech Tip – Encrypted Active Response


This tip shows how to securely send CA SSO-generated response headers to the backend application.
That is, how CA SSO can send an encrypted response header that only the trusted backend application can decrypt.

1) This ensures that the CA SSO response headers are not tampered with in between.
2) This can also potentially remove the need to install application server agents, leaving a central CA Access Gateway server to protect all the backend web/app servers.

In this guide, we will write a sample Active Response that uses the AES encryption algorithm to encrypt the USERDN and return it to the backend as an encrypted USERDN response header.


Step 1: Create an active response as shown below:

Step 2: Configure the Active Response with either an OnAuthAccept or an OnAccessAccept rule.

Step 3: Compile the attached sample & classes by running java-build.bat (Windows) / (Unix).

Note: Before running it, update the JAVA_HOME variable in the java-build.bat (Windows) / (Unix) file to point to the JDK install directory.

Step 4: Once compiled, copy ActiveResponseSample.class to the <Policy server>/config/properties directory.

Note: This “properties” directory is in the Policy Server's classpath by default, so you don’t need to modify JVMOptions.txt.

If you choose to deploy the class in any other directory, then you will need to add the path to that directory as a classpath in the JVMOptions.txt file.



1. Access the resource which is configured to return the active response. Copy the value of the encrypted response returned (using a server-side script that prints all the HTTP headers):

2. Next, decrypt the encrypted response header using the attached sample ActiveResponseDecryptor class by running java-run.bat (Windows) / (Unix).
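
The encrypt-then-decrypt round trip from the steps above, as an added example that is not the attached ActiveResponseSample or ActiveResponseDecryptor code. It assumes AES-GCM (an authenticated mode, chosen here so the backend rejects a modified header; the page does not state the mode the attached sample uses), a shared key provisioned to both sides out of band, and a hypothetical class name and sample DN.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical demo class; names and layout are assumptions, not the attached sample.
public class EncryptedHeaderDemo {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // Policy Server side: header value is base64(iv || ciphertext || tag).
    static String encrypt(SecretKey key, String userDn) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                       // fresh IV for every response
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(userDn.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array());
    }

    // Backend side: throws AEADBadTagException if the header was altered or the key is wrong.
    static String decrypt(SecretKey key, String header) throws Exception {
        byte[] in = Base64.getDecoder().decode(header);
        if (in.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("header too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();       // demo key only; real key is shared out of band
        String dn = "uid=jdoe,ou=People,dc=example,dc=com";    // constructed sample USERDN
        String header = encrypt(key, dn);
        System.out.println("round trip ok: " + dn.equals(decrypt(key, header)));
        byte[] raw = Base64.getDecoder().decode(header);
        raw[raw.length - 1] ^= 0x01;            // simulate a header changed between gateway and backend
        try {
            decrypt(key, Base64.getEncoder().encodeToString(raw));
            System.out.println("tampered header accepted");
        } catch (AEADBadTagException e) {
            System.out.println("tampered header rejected");
        }
    }
}
```

The backend should treat any decryption failure as an unauthenticated request rather than falling back to a plaintext header.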


