WSFEDDISPATCHER HTTP Status 500 Error
Article ID: 108858
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
Following an automated security OS patch in our environment, wsfeddispatcher throws an HTTP Status 500 error.
FWSTrace log
###########
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Transaction with ID: 13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696 failed. Reason: WSFED_SSO_INVALID_RESPONSE_RETURNED]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from WSFED assertion generator.]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Ending WSFED Single Sign-On Service request processing with HTTP error 500]
SMPS Log
#########
[122536/122008][Mon Jul 23 2018 06:32:48][AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion! Exception:
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol: Exception when signing SAML Assertion - WSFEDSigner: Exception while signing XML document.
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018java.lang.Exception: XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018
at com.netegrity.smkeydatabase.api.XMLSignatureApacheImpl.signXMLDocument(XMLSignatureApacheImpl.java:302)
Environment
All SSO Versions
Cause
The smps log on the Policy Server shows that the signing certificate had expired, which is why federation transactions were failing.
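The check described above can be run over an smps log to pull out each expired-signing-certificate event and its NotAfter date. This is an added example, not code from the article or the product; the function name is hypothetical, the sample lines are abridged from the log excerpt above, and both timestamps are assumed to be comparable as naive local times.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the SMPS log excerpt in this article.
SAMPLE_SMPS_LOG = (
    "[122536/122008][Mon Jul 23 2018 06:32:48][AssertionGenerator.java][ERROR]"
    "[sm-FedServer-00120] postProcess() throws exception: Error while signing Assertion!\n"
    "com.netegrity.smkeydatabase.api.XMLDocumentOpsException: XMLSignatureApacheImpl."
    "signXMLDocument(): Signing certificate has expired. Exception Message: "
    "java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018"
    "java.lang.Exception: Signing certificate has expired. NotAfter: Fri Jul 20 07:22:59 EDT 2018\n"
    "[122536/122008][Mon Jul 23 2018 06:40:02][Other.java][INFO] unrelated message\n"
)

# [pid/tid][Day Mon DD YYYY HH:MM:SS][source file][level]
HEADER_RE = re.compile(
    r"^\[\d+/\d+\]\[(\w{3} \w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\]\[([^\]]+)\]\[(\w+)\]"
)
# java.util.Date text: "Fri Jul 20 07:22:59 EDT 2018"
NOT_AFTER_RE = re.compile(
    r"NotAfter: (\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\w+) (\d{4})"
)


def find_expired_signing_certs(log_text):
    """Return one finding per distinct NotAfter in each expired-certificate line."""
    findings, event_time, source = [], None, None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:  # remember the most recent event header for continuation lines
            event_time = datetime.strptime(header.group(1), "%a %b %d %Y %H:%M:%S")
            source = header.group(2)
        if "Signing certificate has expired" not in line:
            continue
        # The exception text repeats NotAfter; a set keeps one per distinct value.
        for stamp, tz, year in sorted(set(NOT_AFTER_RE.findall(line))):
            not_after = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
            # Approximate: the zone abbreviation is reported, not applied (assumption).
            days = (event_time - not_after).days if event_time else None
            findings.append({"event_time": event_time, "source": source,
                             "not_after": not_after, "tz": tz,
                             "days_past_expiry": days})
    return findings


if __name__ == "__main__":
    for f in find_expired_signing_certs(SAMPLE_SMPS_LOG):
        print(f"{f['event_time']} {f['source']}: signing cert expired "
              f"{f['not_after']} {f['tz']} ({f['days_past_expiry']} days earlier)")
```

Running the same function on a schedule against the live smps log gives an alert on the first failed signing attempt, rather than waiting for users to report the HTTP 500.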
Resolution
Follow the steps below to use the new/renewed private key in the Policy Server:
1) Import the new/renewed private key into the policy store using smkeytool:
./smkeytool.sh -addPrivKey -alias <alias> (-keyfile <private_key_file> -certfile <cert_file> | -keycertfile <key_cert_file>) [-password <password>] [-v]
or
using the AdminUI:
Infrastructure -> X509 Certificate Management -> Trusted Certificates and Private Keys
2) Deactivate the partnership and select the new/renewed private key in "Signing Private Key Alias"
3) Activate the partnership