FAILED_INVALID_RESPONSE_RETURNED issuer dn is empty or null


Article ID: 113610


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction


When running CA Access Gateway - AG (SPS), a request for a Federation resource from a user connected through VPN fails, and both SPS and the Policy Server report errors:

Policy Server: 

[06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][][Loading the configration data for the Service Provider with ID "https://sp.example.com/saml/sp/metadata/config" ...][][][AuthnRequestProtocol.java][17357][09:47:25.599][getSPProperties]

CA Access Gateway (SPS):

[06/05/2018][09:47:25][3048][140127741576960][][SSO.java][processAssertionGeneration][Transaction with ID: <value> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED] 

[06/05/2018][09:47:25][3048][140127741576960][][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500] 

Federation:

"Received the following response from SAML2 assertion generator: SAML2Response=NO."

 

Environment

 

Policy Server 12.7CR00 on Red Hat Linux 7
CA Access Gateway (SPS) 12.7 on Red Hat Linux 7

 

Cause

 
The problem is that the Policy Server gets the partnership configuration but cannot get the certificate serial number or issuer DN for some reason.

The configuration for the encryption certificate is this:
  
      EncryptionCertSerialNumber=<value>, 
      EncryptionCertIssuerDN=CN=Issuer, o=example, C=US, 
      EncryptionBlockAlgorithm=tripledes
      EncryptionKeyAlgorithm=rsa-v15

And the Policy Server reports this problem:

[06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][][Primary certificate serial number or issuer dn is empty or null][][][SignatureProcessor.java][17357][09:47:25.600][verifyFromHTTP]

The CA Access Gateway - AG (SPS) receives the request, and after submitting the SAML request to the Policy Server (step 3), it receives an error and returns HTTP error 500 (step 5), as shown below.

FWSTrace.log :

  1. [06/05/2018][09:47:25][3048][140127741576960][][SSO.java][processAssertionGeneration][Request to policy server for generating saml2 assertion/artifact based on selected profile.[CHECKPOINT = SSOSAML2_GENERATEASSERTIONORARTIFACT_REQ]]
  2. [06/05/2018][09:47:25][3048][140127741576960][][SSO.java][processAssertionGeneration][Result of authorizeEx call is: 1.]
  3. [06/05/2018][09:47:25][3048][140127741576960][][SSO.java][processAssertionGeneration][Transaction with ID: <value> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]
  4. [06/05/2018][09:47:25][3048][140127741576960][][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from SAML2 assertion generator.]
  5. [06/05/2018][09:47:25][3048][140127741576960][][ErrorRedirectionHandler.java][redirectToErrorPage][Sending HTTP Error 500 ]     

So, the Policy Server gets the Partnership configuration but cannot find the certificate.
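
To check whether a FAILED_INVALID_RESPONSE_RETURNED seen on another system has this same cause, the two traces can be correlated by timestamp. The script below is an added example, not CA/Broadcom code: the function names, the 2-second window, the MM/DD/YYYY reading of the date field and the second FWSTrace sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Leading [date][time] fields shared by both trace formats shown above.
# Assumption: the date field is MM/DD/YYYY.
STAMP = re.compile(r"\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2})\]")
TXN = re.compile(r"Transaction with ID: (\S+) failed")
AG_FAILURE = "FAILED_INVALID_RESPONSE_RETURNED"
PS_CAUSE = "certificate serial number or issuer dn is empty or null"

def events(lines, marker):
    """Return (timestamp, line) for every line that contains marker."""
    found = []
    for line in lines:
        m = STAMP.search(line)
        if m and marker in line:
            ts = datetime.strptime(" ".join(m.groups()), "%m/%d/%Y %H:%M:%S")
            found.append((ts, line.strip()))
    return found

def correlate(ag_lines, ps_lines, window_s=2):
    """Pair each AG failure with Policy Server certificate-lookup errors
    logged within window_s seconds (window_s is an assumed tolerance)."""
    causes = events(ps_lines, PS_CAUSE)
    findings = []
    for ts, line in events(ag_lines, AG_FAILURE):
        near = [c for cts, c in causes
                if abs((cts - ts).total_seconds()) <= window_s]
        txn = TXN.search(line)
        findings.append({"time": ts, "txn": txn.group(1) if txn else None,
                         "cert_lookup_failed": bool(near), "evidence": near})
    return findings

# Sample input: the first line of each list is copied from this article;
# the second FWSTrace line is constructed to show an unrelated failure.
FWS_TRACE = [
    "[06/05/2018][09:47:25][3048][140127741576960][][SSO.java][processAssertionGeneration][Transaction with ID: <value> failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]",
    "[06/05/2018][11:02:10][3048][140127741576960][][SSO.java][processAssertionGeneration][Transaction with ID: constructed-0002 failed. Reason: FAILED_INVALID_RESPONSE_RETURNED]",
]
PS_TRACE = [
    "[06/05/2018][09:47:25][140379345655552][][][][][][][][][][][][][][Primary certificate serial number or issuer dn is empty or null][][][SignatureProcessor.java][17357][09:47:25.600][verifyFromHTTP]",
]

if __name__ == "__main__":
    for f in correlate(FWS_TRACE, PS_TRACE):
        verdict = "matches this article" if f["cert_lookup_failed"] else "different cause"
        print(f["time"], f["txn"], verdict)
```

A failure with no nearby Policy Server certificate-lookup error has some other cause and should be investigated separately.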

 

Resolution

 

This issue has been fixed in Policy Server 12.7SP1.

Upgrade Policy Server to 12.8 or later to solve this issue.