Error : SAML Could not initialize class XMLEncryptDecryptApacheImpl

Article ID: 201073

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When the Policy Server creates a signed SAMLResponse, the Assertion
Generator fails and reports the following error:

  [3707070/140438027622144][Sun Aug 23 2020 03:21:01][AssertionGenerator.java]
  [ERROR][sm-FedServer-00130] postProcess() returns fatal error.
  <Response
   ID="_d8a9c3db6c1e22d101c93402cb5ac574e2e7"
   IssueInstant="2020-08-23T02:21:01Z" Version="2.0"
   xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

      <ns1:Issuer
       Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
       xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">
        myidp
      </ns1:Issuer>

      <Status> 
      <StatusCode
       Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <StatusMessage>Error Signing Assertion.</StatusMessage>
      </Status>
  </Response>
  

and the traces report:

  Can not sign Assertion with ID: 
  _6caef431233627a2549e02de3b76474b5889

  Error: Error in DSig - Can't create SMKeyDatabase.Exception occurred during creation of the XMLDocumentOps instance.
  Exception:  Could not initialize class  com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl

  com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Exception occurred during creation of the XMLDocumentOps instance.
  Exception:  Could not initialize class com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl

   at com.netegrity.smkeydatabase.api.XMLDocumentOpsFactory.getXMLDocumentOpsInstance(XMLDocumentOpsFactory.java:95)
   at com.netegrity.SAML2Security.DSigSigner.initialize(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.<clinit>(Unknown Source)

Cause

The major change in 12.8 is the adoption of Bouncy Castle. During this
process a lot of code was refactored and new code was introduced, and
one of these changes causes the issue to occur in 12.8.

In 12.7 the product reads the value of the environment variable and
compares it with "ONLY". If the value read is not "ONLY", the product
assumes COMPAT.

In 12.8 the new code compares the exact values stored in the code
(ONLY, COMPAT, MIGRATE) with the value read from the environment, i.e.
System.getenv("CA_SM_PS_FIPS140"). Any mismatch causes the issue to
occur while encrypting the assertion.

Looking at the environment variables in ca_ps_env.ksh, we note that
the COMPAT value has a trailing space, which is what causes the issue.
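To find this kind of mismatch in a ca_ps_env.ksh before restarting the Policy Server, the following added shell check (not part of the original article or of the product) reproduces the 12.8 comparison: an exact match against ONLY, COMPAT or MIGRATE, so a stray space inside the quotes is reported as invalid. It assumes the variable is assigned in double quotes as shown above.

```shell
#!/bin/sh
# Extract the double-quoted value of the last CA_SM_PS_FIPS140 assignment
# in the given file. Prints the raw value (including any stray whitespace).
fips_mode_value() {
    sed -n 's/^[[:space:]]*CA_SM_PS_FIPS140="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Validate the value exactly as the 12.8 code does: it must be one of
# ONLY, COMPAT or MIGRATE with nothing else inside the quotes.
# Returns 0 when valid, 1 when missing or not an exact match.
check_fips_mode() {
    raw=$(fips_mode_value "$1")
    if [ -z "$raw" ]; then
        echo "CA_SM_PS_FIPS140 is not set in $1"
        return 1
    fi
    case "$raw" in
        ONLY|COMPAT|MIGRATE)
            echo "CA_SM_PS_FIPS140=\"$raw\" is valid"
            return 0 ;;
        *)
            # Delimit the value so a trailing space is visible in the report.
            echo "CA_SM_PS_FIPS140 value [$raw] is not exactly ONLY, COMPAT or MIGRATE"
            return 1 ;;
    esac
}

# Constructed sample files (not a real ca_ps_env.ksh) with the broken and the fixed line.
bad=$(mktemp); good=$(mktemp)
printf 'CA_SM_PS_FIPS140="COMPAT "; export CA_SM_PS_FIPS140\n' > "$bad"
printf 'CA_SM_PS_FIPS140="COMPAT"; export CA_SM_PS_FIPS140\n' > "$good"
if check_fips_mode "$bad"; then echo "unexpected: trailing space not detected"; fi
if check_fips_mode "$good"; then echo "fixed file passes"; fi
rm -f "$bad" "$good"
```

Run it against the real file with `check_fips_mode /path/to/ca_ps_env.ksh`; a non-zero exit means the value will not match in 12.8.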

 

Environment

Policy Server 12.8 SP2 on Red Hat 6

Resolution

  - Stop the Policy Server;
  - Edit ca_ps_env.ksh:

    Change the following line:

      CA_SM_PS_FIPS140="COMPAT "; export CA_SM_PS_FIPS140

    to

      CA_SM_PS_FIPS140="COMPAT"; export CA_SM_PS_FIPS140

  - Start the Policy Server to solve this issue.