Products: CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On
Issue/Introduction
We're running a Policy Server, and on Federation requests the assertion signing feature fails:
SAML transactions are failing:
smtracedefault.log:
1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java] [SignOrEncryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd] [][][][][][][][][][][][][][][][][][][][Can not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f Error: Caught an Exception calling signXMLDocument using IXMLSignature. nulljava.lang.NullPointerException
    at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)
][][][][][][][][][][][][][][][]
2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][AuthnRequestProtocol.java] [closeupProcess][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][][][][][] [][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]
3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java] [encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][] [][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]
How can we fix this?
Cause
We have seen this message:
[06/20/2018][19:54:53.848][19:54:53][14755][140230464100096][ProtocolBase.java] [encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][] [][][][][][][][][][][][][][][Error Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt - Marshalling Assertion failed. encrypt: Error encrypting XML Document. Error encrypting XML Document. Illegal key size or default parameters][][][][][][][][][][][][][][][]
The "Illegal key size or default parameters" text is the exception the JCE raises when the cryptography policy in effect restricts key sizes, so this error indicates a problem with the Java JCE policy files: the JDK used by the Policy Server is running with the limited-strength policy rather than the unlimited one.
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Resolution
Apply the JCE policy files to the JDK installation that the Policy Server is configured to use:
JCE: Verify that the JRE supports unlimited key strength in the Java Cryptography Extension (JCE) package.
For JDK 1.8_151 and later, perform the following steps:
Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
Uncomment the following line:
crypto.policy=unlimited
Save the file.
For earlier versions of the JDK, perform the following steps:
Locate the JCE package for your operating system from the Oracle website.
Download the unlimited JCE package for the Java version that is supported by CA Single Sign-On.
Navigate to the jdk_home\jre\lib\security directory on your system and apply the patch to (that is, replace with the downloaded versions) the following files:
local_policy.jar
US_export_policy.jar
jdk_home is the location of the Java installation.
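To confirm that the change took effect on the JDK the Policy Server actually uses (hosts often carry several Java installations, and the one on the PATH is not necessarily the one the Policy Server is configured with), the following diagnostic is an added example and not part of CA Single Sign-On or its documentation. The class name JcePolicyCheck and the run commands in the comments are assumptions. It reports the maximum AES key length the JCE policy in effect permits and attempts one AES-256 encryption, which under the limited policy fails with the same "Illegal key size or default parameters" message shown in the log above.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;

/*
 * Added diagnostic (hypothetical class name; not product code). Compile and run it
 * with the same JDK the Policy Server uses, for example:
 *   jdk_home/bin/javac JcePolicyCheck.java && jdk_home/bin/java JcePolicyCheck
 * Exit status 0 means the unlimited policy is in effect, 1 means it is not.
 */
public class JcePolicyCheck {

    /** True when the JCE policy in effect allows unlimited AES key sizes. */
    public static boolean isUnlimited() throws GeneralSecurityException {
        // The limited policy caps AES at 128 bits; the unlimited policy reports Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength("AES") == Integer.MAX_VALUE;
    }

    /**
     * Attempts to initialise an AES-256 cipher with a randomly constructed key.
     * Returns null on success, otherwise the message of the exception the JCE raised.
     */
    public static String tryAes256() {
        try {
            byte[] keyBytes = new byte[32];              // 256-bit key, constructed for the test only
            new SecureRandom().nextBytes(keyBytes);
            SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, key);            // throws InvalidKeyException under the limited policy
            c.doFinal("probe".getBytes("UTF-8"));
            return null;
        } catch (Exception e) {
            return e.getMessage();                       // e.g. "Illegal key size or default parameters"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home        = " + System.getProperty("java.home"));
        System.out.println("java.version     = " + System.getProperty("java.version"));
        // crypto.policy is a security property read from java.security on 8u151 and later;
        // on older JDKs that rely on the policy jars it is null.
        System.out.println("crypto.policy    = " + Security.getProperty("crypto.policy"));
        System.out.println("AES max key bits = " + Cipher.getMaxAllowedKeyLength("AES"));
        boolean unlimited = isUnlimited();
        System.out.println("unlimited policy = " + unlimited);
        String err = tryAes256();
        System.out.println(err == null ? "AES-256 encrypt: OK" : "AES-256 encrypt FAILED: " + err);
        System.exit(unlimited && err == null ? 0 : 1);
    }
}
```

The printed java.home value is the installation whose jre/lib/security directory (or policy jars) must be the one edited; if it does not match the JDK configured for the Policy Server, repeat the check with that JDK's bin/java explicitly.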