Can not sign Assertion with ID

Article Id: 102905
Status: Published
Updated On: 22-06-2018 07:38
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On CA Single Sign-On
Issue/Introduction:

We're running a Policy Server, and by Federation request, the signing
feature for assertion fails :

SAML transactions are failing:

smtracedefault.log:


1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
   [SignOrEncryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd]
   [][][][][][][][][][][][][][][][][][][][Can
   not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f
   Error: Caught an Exception calling signXMLDocument using
   IXMLSignature. nulljava.lang.NullPointerException

   at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
   at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
   at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
   at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)

   ][][][][][][][][][][][][][][][]

2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][AuthnRequestProtocol.java]
   [closeupProcess][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][][][][][]
   [][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]

3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
   [encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][]
   [][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]

How can we fix this ?

Cause:

We have seen this message : 

  [06/20/2018][19:54:53.848][19:54:53][14755][140230464100096][ProtocolBase.java]
  [encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][]
  [][][][][][][][][][][][][][][Error
  Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt -
  Marshalling Assertion failed. encrypt: Error encrypting XML
  Document. Error encrypting XML Document. Illegal key size or default
  parameters][][][][][][][][][][][][][][][]

This error indicates that there could be some issues with Java JCE policy files. 
 

Environment:

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution:

Apply the JCE files to the JDK installation that you've set with the
Policy Server :

JCE—Verify that JRE supports unlimited key strength in the Java
Cryptography Extension (JCE) package.

  For JDK 1.8_151 and later, perform the following steps: 
  Navigate to the jdk_home/jre/lib/security directory and open the java.security file. 
  Uncomment the following line: 

  crypto.policy=unlimited 

  Save the file. 


  For the other previous versions of JDK, perform the following steps:

  Locate the JCE package for your operating system from the Oracle
  website.

  Download the unlimited JCE package for the Java version that is
  supported by CA Single Sign-On.

  Navigate to the jdk_home\jre\lib\security directory on your system
  and apply the patch to the following files:

  local_policy.jar

  US_export_policy.jar 

  jdk_home specifies the location of the Java installation.

  https://docops.ca.com/ca-single-sign-on/12-7/en/installing/install-a-policy-server/install-policy-server-on-windows#InstallPolicyServeronWindows-ReviewtheConsiderations