WSFEDDISPATCHER HTTP Status 500 Error

Article ID: 108858

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Following an automated security OS patch in our environment, wsfeddispatcher throws an HTTP Status 500 error.

FWSTrace log
###########
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Transaction with ID: 13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696 failed. Reason: WSFED_SSO_INVALID_RESPONSE_RETURNED]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from WSFED assertion generator.]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Ending WSFED Single Sign-On Service request processing with HTTP error 500]
SMPS Log
#########
[122536/122008][Mon Jul 23 2018 06:32:48][AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception:
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while signing XML document.
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018java.lang.Exception: XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018
    at com.netegrity.smkeydatabase.api.XMLSignatureApacheImpl.signXMLDocument(XMLSignatureApacheImpl.java:302)

Cause

The Policy Server smps log shows that the signing certificate had expired, which is why federation transactions were failing.
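Added example (not part of the original article or of the product): a Python triage script that scans smps log text for the signing failure shown above and reports the certificate's NotAfter and how long it had been expired when the error was logged. The sample input is shortened from the log excerpt in this article plus one constructed filler line; treating the log timestamp and NotAfter as being in the same time zone is an assumption.

```python
import re
from datetime import datetime

# Sample input: first two entries shortened from the SMPS log excerpt in this article;
# the last line (including its message code) is constructed filler.
SAMPLE_SMPS = """\
[122536/122008][Mon Jul 23 2018 06:32:48][AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: Error while signing Assertion!  Exception:
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018
[122536/122008][Mon Jul 23 2018 06:33:10][SomeOther.java][INFO][sm-Server-00000] unrelated constructed line
"""

# Header of an smps entry: [pid/tid][Day Mon DD YYYY HH:MM:SS][file][level][code]
ENTRY = re.compile(r"^\[\d+/\d+\]\[(\w{3} \w{3} +\d+ \d{4} [\d:]{8})\]\[([^\]]+)\]\[(\w+)\]\[([^\]]+)\]")
# java.util.Date rendering inside the exception text: Day Mon DD HH:MM:SS ZONE YYYY
NOT_AFTER = re.compile(r"CertificateExpiredException: NotAfter: (\w{3} \w{3} +\d+ [\d:]{8}) (\w+) (\d{4})")

def find_expired_signing_certs(log_text):
    """Return one finding per log entry whose body reports an expired signing certificate."""
    findings, current = [], None
    for line in log_text.splitlines():
        head = ENTRY.match(line)
        if head:
            # A new entry starts: remember when and where it was logged.
            current = {"logged": datetime.strptime(head.group(1), "%a %b %d %Y %H:%M:%S"),
                       "source": head.group(2), "code": head.group(4), "reported": False}
        hit = NOT_AFTER.search(line)
        if hit and current and not current["reported"]:
            # Assumption: NotAfter and the log timestamp share a time zone,
            # so the zone token is kept only as a label.
            not_after = datetime.strptime(f"{hit.group(1)} {hit.group(3)}", "%a %b %d %H:%M:%S %Y")
            current["reported"] = True  # the exception text repeats within one entry
            findings.append({"code": current["code"], "source": current["source"],
                             "not_after": not_after, "zone": hit.group(2),
                             "expired_for": current["logged"] - not_after})
    return findings

if __name__ == "__main__":
    for f in find_expired_signing_certs(SAMPLE_SMPS):
        print(f"{f['code']} ({f['source']}): signing certificate expired "
              f"{f['not_after']} {f['zone']}, {f['expired_for']} before the failure was logged")
```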

Environment

All SSO Versions

Resolution

Follow the steps below to use the new/renewed private key in the Policy Server:

1) Import the new/renewed private key into the policy store using smkeytool:
 ./smkeytool.sh -addPrivKey -alias <alias> (-keyfile <private_key_file> -certfile <cert_file> | -keycertfile <key_cert_file>) [-password <password>] [-v]

or

using the AdminUI:
Infrastructure -> X509 Certificate Management -> Trusted Certificates and Private Keys

2) Deactivate the partnership and select the new/renewed private key in "Signing Private Key Alias"

3) Activate the partnership