SAML2 Single Sign-On Service Request Processing with HTTP Error 400

Article ID: 191020

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)
SITEMINDER

Issue/Introduction

We are seeing the error "SAML2 Single Sign-On Service request processing with HTTP error 400" in PROD for the IDP-initiated Partnership integration. Below is the error we see in the Policy Server logs.

[05/17/2020][10:15:30][10:15:30.057][][][][][][3224][1356][abb456ce-cc7aad97-59f7facc-381ced78-cd3c6dfa-1][][][][][][][][][TunnelUtils][addProviderPasswords][][][][][][][][][][][][][][][][][][][][][][][][][][][Exception while attempting to retrieve passwords:
java.lang.Exception: com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProviderException: javax.crypto.BadPaddingException: Invalid padding.
 at com.netegrity.federationps.tunnel.TunnelUtils.addPasswordsToMap(Unknown Source)
 at com.netegrity.federationps.tunnel.TunnelUtils.addProviderPasswords(Unknown Source)
 at com.netegrity.saml2ps.tunnel.SAMLSPbyIDTunnelService.tunnel(Unknown Source)
 at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(Unknown Source)
Caused by: com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProviderException: javax.crypto.BadPaddingException: Invalid padding.
 at com.ca.siteminder.sdk.agentapi.crypto.ap.c(DashoA10*..:731)
 at com.ca.siteminder.sdk.agentapi.crypto.ap.b(DashoA10*..:628)
 at com.ca.siteminder.sdk.agentapi.crypto.SmServerCrypto.b(DashoA10*..:137)
 at com.ca.siteminder.sdk.agentapi.crypto.SmServerCrypto.decrypt(DashoA10*..:123)
 ... 4 more
Caused by: javax.crypto.BadPaddingException: Invalid padding.
 at com.rsa.cryptoj.c.gc.engineDoFinal(Unknown Source)
 at javax.crypto.Cipher.doFinal(Cipher.java:2223)
 at com.ca.siteminder.sdk.agentapi.crypto.ap.c(DashoA10*..:692)

Environment

Release : 12.6

Component : SITEMINDER FEDERATION SECURITY SERVICES

Cause

This problem began after configuring the system for FIPS-Migrate mode. It appears this partnership property was not converted/migrated: the FWSTrace.log showed an RSA encryption type instead of the expected AES algorithm.
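To confirm how many partnership transactions hit this failure before and after the migration, it helps to scan the Policy Server log for exactly the record shown above rather than grepping for "400". The following is an added example, not code from this article or from SiteMinder: it parses records of the bracketed layout seen in the excerpt (date, time and time-with-millis as the first three fields, a dash-separated transaction id, the class and method names as fields, and the free-text message in a trailing bracket that may be left unclosed, with the Java stack trace on the following lines) and reports each TunnelUtils.addProviderPasswords record whose stack trace carries javax.crypto.BadPaddingException. The field positions and the transaction-id shape are assumptions drawn only from the excerpt; the sample log is constructed.

```python
"""Detect the FIPS-Migrate symptom from the article in SiteMinder Policy Server
log text: a TunnelUtils.addProviderPasswords record whose stack trace carries
javax.crypto.BadPaddingException.

Added example; not code from the Broadcom article or from SiteMinder. The
record layout is assumed from the article's excerpt only.
"""
import re
from dataclasses import dataclass, field

FIELD_RE = re.compile(r"\[([^\]]*)\]")
# Shape of the transaction id in the article's excerpt: five 8-hex-digit groups
# and a trailing counter. Assumption; adjust if your log uses another format.
TXN_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{8}){4}-\d+$")


@dataclass
class LogRecord:
    fields: list                                      # closed bracketed fields, in order
    message: str                                      # free-text message
    continuation: list = field(default_factory=list)  # stack-trace lines that follow


def parse_records(text):
    """Split log text into records: a record starts at a line beginning with '['
    and every other non-empty line continues the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith("["):
            if records:
                records[-1].continuation.append(line.strip())
            continue
        matches = list(FIELD_RE.finditer(line))
        fields = [m.group(1) for m in matches]
        tail = line[matches[-1].end():] if matches else line
        if tail.startswith("["):        # unclosed final bracket: message runs to end of line
            message = tail[1:].strip()
        else:                           # closed final bracket: the last field is the message
            message = fields.pop() if fields else ""
        records.append(LogRecord(fields, message))
    return records


def is_bad_padding_symptom(rec):
    """True for the failure the article describes: password retrieval inside
    TunnelUtils.addProviderPasswords failing with BadPaddingException."""
    in_password_path = "TunnelUtils" in rec.fields and "addProviderPasswords" in rec.fields
    bad_padding = "BadPaddingException" in rec.message or any(
        "BadPaddingException" in line for line in rec.continuation)
    return in_password_path and bad_padding


def find_symptoms(text):
    """Return one summary dict per matching record (when it happened and which
    transaction it belonged to) so the partnership can be traced in FWSTrace.log."""
    hits = []
    for rec in parse_records(text):
        if not is_bad_padding_symptom(rec):
            continue
        txn = next((f for f in rec.fields if TXN_RE.match(f)), "")
        hits.append({
            "date": rec.fields[0] if rec.fields else "",
            "time": rec.fields[2] if len(rec.fields) > 2 else "",
            "transaction_id": txn,
            "message": rec.message,
        })
    return hits


# Constructed sample log: the first record mirrors the article's excerpt
# (stack trace trimmed), the second is a benign retrieval, the third is a
# second failure with a different transaction id.
SAMPLE_LOG = """\
[05/17/2020][10:15:30][10:15:30.057][][][][][][3224][1356][abb456ce-cc7aad97-59f7facc-381ced78-cd3c6dfa-1][][][][][][][][][TunnelUtils][addProviderPasswords][][][][Exception while attempting to retrieve passwords:
java.lang.Exception: com.ca.siteminder.sdk.agentapi.crypto.SmCryptoProviderException: javax.crypto.BadPaddingException: Invalid padding.
 at com.netegrity.federationps.tunnel.TunnelUtils.addPasswordsToMap(Unknown Source)
 at com.netegrity.federationps.tunnel.TunnelUtils.addProviderPasswords(Unknown Source)
Caused by: javax.crypto.BadPaddingException: Invalid padding.
 at javax.crypto.Cipher.doFinal(Cipher.java:2223)
[05/17/2020][10:16:02][10:16:02.114][][][][][][3224][1356][1f2e3d4c-5b6a7988-9a0b1c2d-3e4f5a6b-7c8d9e0f-2][][][][][][][][][TunnelUtils][addProviderPasswords][][][][Passwords retrieved (constructed benign record)]
[05/17/2020][10:17:45][10:17:45.301][][][][][][3224][1356][9e8d7c6b-5a4f3e2d-1c0b9a8f-7e6d5c4b-3a2f1e0d-3][][][][][][][][][TunnelUtils][addProviderPasswords][][][][Exception while attempting to retrieve passwords:
Caused by: javax.crypto.BadPaddingException: Invalid padding.
"""

if __name__ == "__main__":
    for hit in find_symptoms(SAMPLE_LOG):
        print(f"{hit['date']} {hit['time']}  txn={hit['transaction_id']}  {hit['message']}")
```

Run it against a real smps.log by reading the file into `find_symptoms`; a non-empty result after the FIPS-Migrate change is the signal to check the affected partnerships' encryption type in FWSTrace.log, and an empty result after the partnerships are duplicated confirms the fix.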

Resolution

Duplicating each partnership cleared the problem, allowing the partnerships to work successfully.