
Can not sign Assertion with ID


Article ID: 102905


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


We're running a Policy Server, and on a Federation request, the signing
feature for assertions fails:

SAML transactions are failing:


1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][]
   not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f
   Error: Caught an Exception calling signXMLDocument using
   IXMLSignature. nulljava.lang.NullPointerException

   at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
   at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
   at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)


2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][]
   [][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]

3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][]
   [][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]

How can we fix this?


We have seen this message:

  Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt -
  Marshalling Assertion failed. encrypt: Error encrypting XML
  Document. Error encrypting XML Document. Illegal key size or default

This error indicates that there could be some issues with Java JCE policy files. 


Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


Apply the JCE files to the JDK installation that you have configured for the
Policy Server:

JCE—Verify that the JRE supports unlimited key strength in the Java
Cryptography Extension (JCE) package.

  For JDK 1.8_151 and later, perform the following steps: 
  Navigate to the jdk_home/jre/lib/security directory and open the file. 
  Uncomment the following line: 


  Save the file. 

  For earlier versions of the JDK, perform the following steps:

  Locate the JCE package for your operating system from the Oracle

  Download the unlimited JCE package for the Java version that is
  supported by CA Single Sign-On.

  Navigate to the jdk_home\jre\lib\security directory on your system
  and apply the patch to the following files:



  jdk_home specifies the location of the Java installation.
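
A quick way to confirm the result, added here as an example (it is not CA or Broadcom code): the class below reports whether the JVM it runs under allows unlimited key strength, and reproduces the "Illegal key size" failure if it does not. The class name JceStrengthCheck is hypothetical, and the crypto.policy property name comes from the JDK itself, not from this article; run it with the java binary under the same jdk_home that the Policy Server uses.

```java
import java.security.InvalidKeyException;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not part of CA Single Sign-On.
// Compile and run with the JDK under test:
//   jdk_home/bin/javac JceStrengthCheck.java
//   jdk_home/bin/java JceStrengthCheck
public class JceStrengthCheck {
    public static void main(String[] args) throws Exception {
        // Show which Java installation is actually being tested.
        System.out.println("java.home     = " + System.getProperty("java.home"));
        System.out.println("java.version  = " + System.getProperty("java.version"));

        // JDK Security property that selects the policy on 8u151 and later.
        // null means it is not set (or is still commented out) in java.security.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        // Integer.MAX_VALUE means the unlimited-strength policy is in effect;
        // the limited policy caps AES at 128 bits.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        boolean unlimited = (maxAes == Integer.MAX_VALUE);
        System.out.println("max AES bits  = "
                + (unlimited ? "unlimited" : String.valueOf(maxAes)));

        // Functional check: initialise a cipher with a throwaway random
        // 256-bit key. Under the limited policy this throws
        // InvalidKeyException ("Illegal key size ...").
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(raw, "AES"));
            System.out.println("AES-256 init  = OK");
        } catch (InvalidKeyException e) {
            System.out.println("AES-256 init  = FAILED: " + e.getMessage());
            System.exit(1);
        }
        // Exit code 0 only when the unlimited policy is active.
        System.exit(unlimited ? 0 : 1);
    }
}
```

An exit code of 0 with "max AES bits = unlimited" means the JCE change took effect for that Java installation; any other result means the Policy Server's JVM is still running with the limited policy.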