Error: FAILED_INVALID_RESPONSE_RETURNED and issuer dn is empty or null

Article ID: 113610

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On, CA Single Sign On Federation (SiteMinder), SITEMINDER

Issue/Introduction

When CA Access Gateway (AG, a.k.a. SPS) is in use and a user connecting through the VPN requests a Federation resource, the request fails and both SPS and the Policy Server report errors:

Policy Server 

  1. [06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][]
     [Loading the configration data for the Service Provider with ID "https://xyz.compay.com/saml/sp/metadata/company_vpn" ...]
     [][][AuthnRequestProtocol.java][17357][09:47:25.599][getSPProperties]
     [][][][][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][][][][][][][]
     [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 

CA Access Gateway (SPS) 

  2. [06/05/2018][09:47:25][3048][140127741576960]
     [14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][SSO.java]
     [processAssertionGeneration]
     [Transaction with ID: 14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809 failed.
     Reason: FAILED_INVALID_RESPONSE_RETURNED] 

  3. [06/05/2018][09:47:25][3048][140127741576960]
     [14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809]
     [ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500] 

Federation:

   "Received the following response from SAML2 assertion generator: SAML2Response=NO."


Environment

Policy Server 12.7 CR00 on Red Hat Linux 7;
CA Access Gateway (SPS) 12.7 on Red Hat Linux 7.


Cause

The Policy Server loads the partnership configuration but then fails to obtain the encryption certificate's serial number and issuer DN, even though both values are present in that configuration.

  a) The encryption certificate configuration of the partnership is:
  
      EncryptionCertSerialNumber=e4d41e01771769a9a5ebbd3558f2a3a
      EncryptionCertIssuerDN=CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
      EncryptionBlockAlgorithm=tripledes
      EncryptionKeyAlgorithm=rsa-v15

Yet the Policy Server reports this problem while verifying the request:

  b) [06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][]
      [Primary certificate serial number or issuer dn is empty or null]
      [][][SignatureProcessor.java][17357][09:47:25.600][verifyFromHTTP]
      [][][][][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809][][][][][][]
      [][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
     

The CA Access Gateway (AG, a.k.a. SPS) receives the request and asks the Policy Server to generate the SAML2 assertion (step 1). The Policy Server answers "NO" (steps 3 and 4), so SPS denies the request and returns HTTP error 500 (step 5):

FWSTrace.log :

  1. [06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809]
    [SSO.java][processAssertionGeneration]
    [Request to policy server for generating saml2 assertion/artifact based on selected profile.
    [CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]

  2. [06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809]
    [SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]

  3. [06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809]
    [SSO.java][processAssertionGeneration]
    [Transaction with ID: 14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809 failed.
    Reason: FAILED_INVALID_RESPONSE_RETURNED]

  4. [06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809]
    [SSO.java][processAssertionGeneration]
    [Denying request due to "NO" returned from SAML2 assertion generator.]
  5. [06/05/2018][09:47:25][3048][140127741576960][14b440c6-0aea601d-400f7e70-9573a793-58ce19fc-5809]
    [ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]

So the Policy Server reads the partnership configuration but cannot resolve the encryption certificate from the serial number and issuer DN it contains, and the assertion generator returns NO.
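Before attributing a FAILED_INVALID_RESPONSE_RETURNED to the Policy Server defect described here, it is worth ruling out a plain mismatch between the partnership's certificate identifiers and the certificate that is actually in the key store. The following Python script is an added example, not part of this article or of the SiteMinder product: it compares the EncryptionCertSerialNumber and EncryptionCertIssuerDN values from the partnership trace with the serial number and issuer that `openssl x509 -noout -serial -issuer` prints for the certificate, normalising the differences that commonly break such a lookup (a dropped leading zero in the serial, which the 31-hex-digit serial on this page is consistent with; letter case; RDN order and spacing in the issuer DN). Both input fragments are constructed sample data and the PEM file name is hypothetical.

```python
import re

# Constructed sample: the partnership's encryption-certificate settings, in the form
# the Policy Server trace prints them (trailing commas included).
PARTNERSHIP_CONFIG = """
EncryptionCertSerialNumber=e4d41e01771769a9a5ebbd3558f2a3a,
EncryptionCertIssuerDN=CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US,
EncryptionBlockAlgorithm=tripledes
EncryptionKeyAlgorithm=rsa-v15
"""

# Constructed sample: what `openssl x509 -in sp_enc.pem -noout -serial -issuer` prints
# for the certificate in the key store (sp_enc.pem is a hypothetical file name).
# OpenSSL keeps the leading zero of the serial and prints the issuer RDNs in
# encoding order with spaces around '=', so a byte-for-byte comparison would fail.
OPENSSL_OUTPUT = """
serial=0E4D41E01771769A9A5EBBD3558F2A3A
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
"""


def parse_kv_lines(text):
    """Parse 'key=value' lines into a dict; a trailing comma on a line is dropped."""
    out = {}
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = value.strip()
    return out


def normalize_serial(serial):
    """Hex serial without colons, whitespace, '0x' prefix or leading zeros, lower-cased."""
    s = re.sub(r"[\s:]", "", serial).lower()
    if s.startswith("0x"):
        s = s[2:]
    return s.lstrip("0") or "0"


def normalize_dn(dn):
    """Split an RFC 4514-style DN into (ATTR, value) pairs with whitespace collapsed.
    Assumption: RDN values contain no escaped commas (true for the DN on this page)."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), " ".join(value.split())))
    return rdns


def dns_equal(a, b):
    """RFC 4514 strings list RDNs in reverse of the certificate's encoding order and
    OpenSSL's -issuer output uses encoding order, so either direction is accepted."""
    na, nb = normalize_dn(a), normalize_dn(b)
    return na == nb or na == list(reversed(nb))


def check_encryption_cert(config_text, openssl_text):
    """Compare the partnership's serial number / issuer DN with the real certificate."""
    cfg = parse_kv_lines(config_text)
    cert = parse_kv_lines(openssl_text)
    cfg_serial = cfg.get("EncryptionCertSerialNumber", "")
    cfg_issuer = cfg.get("EncryptionCertIssuerDN", "")
    cert_serial = cert.get("serial", "")
    cert_issuer = cert.get("issuer", "")
    result = {
        # An empty serial or issuer DN is what the SignatureProcessor error complains about.
        "config_complete": bool(cfg_serial and cfg_issuer),
        "serial_match": bool(cfg_serial and cert_serial)
        and normalize_serial(cfg_serial) == normalize_serial(cert_serial),
        "issuer_match": bool(cfg_issuer and cert_issuer)
        and dns_equal(cfg_issuer, cert_issuer),
    }
    result["ok"] = all(result.values())
    return result


if __name__ == "__main__":
    for key, value in check_encryption_cert(PARTNERSHIP_CONFIG, OPENSSL_OUTPUT).items():
        print(f"{key}: {value}")
```

If the script reports a mismatch, the partnership (or the key store) needs correcting and no upgrade will help; if everything matches and the trace still shows "Primary certificate serial number or issuer dn is empty or null", the defect described in this article is the likely cause.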


Resolution

This issue has been fixed in Policy Server 12.7 SP1.

Upgrade the Policy Server to 12.8 or later to resolve it.