ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
Can not sign Assertion with ID
Article ID: 102905
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
We're running a Policy Server, and by Federation request, the signing
feature for assertion fails :
SAML transactions are failing:
smtracedefault.log:
1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
[SignOrEncryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd]
[][][][][][][][][][][][][][][][][][][][Can
not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f
Error: Caught an Exception calling signXMLDocument using
IXMLSignature. nulljava.lang.NullPointerException
at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)
][][][][][][][][][][][][][][][]
2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][AuthnRequestProtocol.java]
[closeupProcess][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][][][][][]
[][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]
3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
[encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][]
[][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]
How can we fix this ?
feature for assertion fails :
SAML transactions are failing:
smtracedefault.log:
1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
[SignOrEncryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd]
[][][][][][][][][][][][][][][][][][][][Can
not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f
Error: Caught an Exception calling signXMLDocument using
IXMLSignature. nulljava.lang.NullPointerException
at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)
][][][][][][][][][][][][][][][]
2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][AuthnRequestProtocol.java]
[closeupProcess][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][][][][][]
[][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]
3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
[encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][]
[][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]
How can we fix this ?
Cause
We have seen this message :
[06/20/2018][19:54:53.848][19:54:53][14755][140230464100096][ProtocolBase.java]
[encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][]
[][][][][][][][][][][][][][][Error
Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt -
Marshalling Assertion failed. encrypt: Error encrypting XML
Document. Error encrypting XML Document. Illegal key size or default
parameters][][][][][][][][][][][][][][][]
This error indicates that there could be some issues with Java JCE policy files.
[06/20/2018][19:54:53.848][19:54:53][14755][140230464100096][ProtocolBase.java]
[encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][]
[][][][][][][][][][][][][][][Error
Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt -
Marshalling Assertion failed. encrypt: Error encrypting XML
Document. Error encrypting XML Document. Illegal key size or default
parameters][][][][][][][][][][][][][][][]
This error indicates that there could be some issues with Java JCE policy files.
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
Component:
Resolution
Apply the JCE files to the JDK installation that you've set with the
Policy Server :
JCE—Verify that JRE supports unlimited key strength in the Java
Cryptography Extension (JCE) package.
For JDK 1.8_151 and later, perform the following steps:
Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
Uncomment the following line:
crypto.policy=unlimited
Save the file.
For the other previous versions of JDK, perform the following steps:
Locate the JCE package for your operating system from the Oracle
website.
Download the unlimited JCE package for the Java version that is
supported by CA Single Sign-On.
Navigate to the jdk_home\jre\lib\security directory on your system
and apply the patch to the following files:
local_policy.jar
US_export_policy.jar
jdk_home specifies the location of the Java installation.
https://docops.ca.com/ca-single-sign-on/12-7/en/installing/install-a-policy-server/install-policy-server-on-windows#InstallPolicyServeronWindows-ReviewtheConsiderations
Policy Server :
JCE—Verify that JRE supports unlimited key strength in the Java
Cryptography Extension (JCE) package.
For JDK 1.8_151 and later, perform the following steps:
Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
Uncomment the following line:
crypto.policy=unlimited
Save the file.
For the other previous versions of JDK, perform the following steps:
Locate the JCE package for your operating system from the Oracle
website.
Download the unlimited JCE package for the Java version that is
supported by CA Single Sign-On.
Navigate to the jdk_home\jre\lib\security directory on your system
and apply the patch to the following files:
local_policy.jar
US_export_policy.jar
jdk_home specifies the location of the Java installation.
https://docops.ca.com/ca-single-sign-on/12-7/en/installing/install-a-policy-server/install-policy-server-on-windows#InstallPolicyServeronWindows-ReviewtheConsiderations
Feedback
Yes
No
Powered by
