
Federation breaking intermittently


Article ID: 141656


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

We're running Federation Services as SP. When the SP Federation
receives the Assertion, it creates a session for the user, but the
headers that the backend application expects are intermittently
missing.

The Federation Service reports an error:

  [11/27/2019][18:41:24][9080][13060][7bb16c46-bfe322c4-16de0bda-ec12c92c-02739e90-e6][AssertionConsumer.java][doPost][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer, method doPost, message java.lang.NullPointerException.]

  [11/27/2019][18:41:24][9080][13060][7bb16c46-bfe322c4-16de0bda-ec12c92c-02739e90-e6][AssertionConsumer.java][doPost][Stack Trace: java.lang.NullPointerException
  at com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer.a(DashoA10*..:1166)
  at com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer.doPost(DashoA10*..:657)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
  at [...]
  at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
  at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
  at java.lang.Thread.run(Unknown Source)]

and the browser receives error 500:

  [11/27/2019][18:41:24][9080][13060][7bb16c46-bfe322c4-16de0bda-ec12c92c-02739e90-e6][AssertionConsumer.java][doPost][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]

How can we fix this?

 

Cause

 

The Java process crashes while processing the SAMLResponse value,
i.e. while reading the data:

  [11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a]
  [FWSBase.java][getTemporaryStateCookie][Found encrypted state cookie: 
  SMFED_TEMPORARY_STATE]

  [11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a]
  [AssertionConsumer.java][doPost][Exception caught in class
  com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer,
  method doPost, message java.lang.NullPointerException.]

  [11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a]
  [AssertionConsumer.java][doPost][Stack Trace:
  java.lang.NullPointerException at
  com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer.a(DashoA10*..:1166)
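As an added example (not part of this article or of the product), the following Python script parses the FWS trace format quoted above, groups entries by transaction id and counts how many AssertionConsumer requests ended in the NullPointerException / HTTP 500 pair, so an operator can measure how intermittent the failure actually is before and after the upgrade. The sample log is constructed from the excerpts above; the final message of the healthy transaction is a made-up placeholder, not a real product message.

```python
import re
from collections import defaultdict
# Constructed sample in the FWS trace format quoted in this article: one transaction that hits
# the NullPointerException and ends in HTTP 500, one that does not (its last message is made up).
SAMPLE_LOG = """\
[11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a][FWSBase.java][getTemporaryStateCookie][Found encrypted state cookie: SMFED_TEMPORARY_STATE]
[11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a][AssertionConsumer.java][doPost][Exception caught in class com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer, method doPost, message java.lang.NullPointerException.]
[11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a][AssertionConsumer.java][doPost][Stack Trace: java.lang.NullPointerException at
com.netegrity.affiliateminder.webservices.saml2.AssertionConsumer.a(DashoA10*..:1166)
at java.lang.Thread.run(Unknown Source)]
[11/27/2019][12:45:30][9080][10552][3264ba71-2a226d8e-ceeb31a8-347b06d5-79f217e0-a][AssertionConsumer.java][doPost][Ending SAML2 AssertionConsumer Service request processing with HTTP error 500]
[11/27/2019][12:46:02][9080][10553][00000000-11111111-22222222-33333333-44444444-5][FWSBase.java][getTemporaryStateCookie][Found encrypted state cookie: SMFED_TEMPORARY_STATE]
[11/27/2019][12:46:02][9080][10553][00000000-11111111-22222222-33333333-44444444-5][AssertionConsumer.java][doPost][constructed placeholder: assertion consumed, no error]
"""

# One FWS entry: [date][time][pid][tid][transaction id][file][method][message]
ENTRY_RE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txid>[^\]]+)\]\[(?P<file>[^\]]+)\]\[(?P<method>[^\]]+)\]\[(?P<msg>.*)\]\s*$",
    re.DOTALL,
)

def parse_fws_log(text):
    """Parse trace text into dicts; a line not starting with '[' continues the previous entry."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        else:  # wrapped stack-trace line belongs to the entry above it
            records[-1] += "\n" + line
    return [m.groupdict() for m in map(ENTRY_RE.match, records) if m]

def assertion_consumer_outcomes(entries):
    """Per transaction id: 'failed' if AssertionConsumer.doPost logged an NPE and HTTP 500, else 'ok'."""
    by_tx = defaultdict(list)
    for e in entries:
        if e["file"] == "AssertionConsumer.java":
            by_tx[e["txid"]].append(e["msg"])
    outcomes = {}
    for txid, msgs in by_tx.items():
        npe = any("java.lang.NullPointerException" in m for m in msgs)
        http500 = any("HTTP error 500" in m for m in msgs)
        outcomes[txid] = "failed" if npe and http500 else "ok"
    return outcomes

def failure_ratio(text):
    """(failed, total) AssertionConsumer transactions: how intermittent the problem really is."""
    outcomes = assertion_consumer_outcomes(parse_fws_log(text))
    return sum(v == "failed" for v in outcomes.values()), len(outcomes)
```

Run it over the real FWS trace file instead of SAMPLE_LOG; a ratio well below 1.0 matches the "intermittent" symptom, and it should drop to zero after the upgrade.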

The Federation Service Web Agent Option Pack 12.52SP1CR08 64-bit is not
supported on Tomcat 9 64-bit on Windows 2016.

According to our support matrix, the Web Agent Option Pack is only
supported on Tomcat 9 from 12.52SP1CR09 running on RedHat 7:

  4.2 Web Agent Option Pack (WAOP) 64-bit

    | Application Server | Version | Windows Server 64-bit | Red Hat 64-bit |
    |--------------------+---------+-----------------------+----------------|
    | ASF Tomcat 64-bit  | 9.0     |                       | 7 (SP1 CR09)   |
    |                    | 8.5     | 2012 R2 (SP01 CR05)   | 7 (SP1 CR08)   |

  p.25
  https://ftpdocs.broadcom.com/phpdocs/7/5262/5262_SiteMinder_12_52_SP1_Platform_Support.pdf

 

Environment

 

Web Agent Option Pack 12.52SP1CR08 64bit on Tomcat 9 64bit on Windows 2016.

 

Resolution

 

Upgrade the Web Agent Option Pack to 12.52SP1CR09 and ensure it runs
on RedHat 7.

Also make sure that the JVM comes from a JDK installation and not just
a JCE installation, as the documentation requires:

  General Option Pack Installation Requirements

    A supported Java Development Kit (JDK).
    This JDK is required even if you are using an application server that ships with a JDK or JRE.

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/installing/install-agents/web-agent-option-pack/web-agent-option-pack-installation-requirements.html

Finally, make sure that the JDK installation has the JCE patches.