
Error : SAML Could not initialize class XMLEncryptDecryptApacheImpl


Article ID: 201073


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER



When a Policy Server creates a signed SAMLResponse, the Assertion
Generator fails and reports this error:

  [3707070/140438027622144][Sun Aug 23 2020 03:21:01][]
  [ERROR][sm-FedServer-00130] postProcess() returns fatal error.
   IssueInstant="2020-08-23T02:21:01Z" Version="2.0"


        <StatusMessage>Error Signing Assertion.</StatusMessage>

and the traces report:

  Can not sign Assertion with ID: 

  Error: Error in DSig - Can't create SMKeyDatabase.Exception occurred during creation of the XMLDocumentOps instance.
  Exception:  Could not initialize class  com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl

  com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Exception occurred during creation of the XMLDocumentOps instance.
  Exception:  Could not initialize class com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl

   at com.netegrity.smkeydatabase.api.XMLDocumentOpsFactory.getXMLDocumentOpsInstance(
   at com.netegrity.SAML2Security.DSigSigner.initialize(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.<clinit>(Unknown Source)



In 12.8 the major change is the adoption of Bouncy Castle. During this
process a lot of code was refactored and new code was introduced. One
such piece of new code causes this issue in 12.8.

In 12.7 the product reads the value from the environment variable and
compares it with "ONLY". If the value read is not "ONLY", the product
assumes COMPAT.

In 12.8 the new code tries to match the value read from the
environment, i.e. System.getenv("CA_SM_PS_FIPS140"), exactly against
the values stored in code (ONLY, COMPAT, MIGRATE). When the two do not
match, the issue occurs while encrypting the assertion.

Looking at the environment variables in ca_ps_env.ksh, we note that
the COMPAT value has a trailing space which is causing the issue.




Policy Server 128SP2 on RedHat 6;




  - Stop the Policy Server;
  - Edit the ca_ps_env.ksh :

    Change the following line :

      CA_SM_PS_FIPS140="COMPAT "; export CA_SM_PS_FIPS140

    to :

      CA_SM_PS_FIPS140="COMPAT"; export CA_SM_PS_FIPS140
  - Start the Policy Server to solve this issue;
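
A check that can be run before starting the Policy Server, as an added example (not Broadcom's code): it reads the CA_SM_PS_FIPS140 assignment from a ca_ps_env.ksh-style file and accepts it only if it is exactly ONLY, COMPAT or MIGRATE, which is the exact match 12.8 requires. The function name `check_fips_mode`, its return codes and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate CA_SM_PS_FIPS140 in a ca_ps_env.ksh-style file.
# Return codes (chosen for this example): 0 = exact match, 1 = invalid, 2 = not set.

check_fips_mode() {
    env_file=$1
    # Use the last assignment in the file, with or without a leading "export".
    line=$(grep -E '^[[:space:]]*(export[[:space:]]+)?CA_SM_PS_FIPS140=' "$env_file" | tail -n 1)
    if [ -z "$line" ]; then
        echo "CA_SM_PS_FIPS140 is not set in $env_file"
        return 2
    fi
    value=${line#*=}
    case $value in
        # Quoted: keep everything between the quotes, whitespace included.
        \"*) value=${value#\"}; value=${value%%\"*} ;;
        \'*) value=${value#\'}; value=${value%%\'*} ;;
        # Unquoted: the shell ends the value at the first space or ';'.
        *)   value=${value%%[; ]*} ;;
    esac
    case $value in
        ONLY|COMPAT|MIGRATE)
            echo "OK: [$value]"
            return 0 ;;
        *)
            # Brackets make leading or trailing whitespace visible.
            echo "INVALID: [$value] is not exactly ONLY, COMPAT or MIGRATE"
            return 1 ;;
    esac
}

# Constructed sample inputs: the padded line from the article and the corrected one.
demo_dir=$(mktemp -d)
printf '%s\n' 'CA_SM_PS_FIPS140="COMPAT "; export CA_SM_PS_FIPS140' > "$demo_dir/bad.ksh"
printf '%s\n' 'CA_SM_PS_FIPS140="COMPAT"; export CA_SM_PS_FIPS140' > "$demo_dir/good.ksh"
check_fips_mode "$demo_dir/bad.ksh" || true
check_fips_mode "$demo_dir/good.ksh" || true
```

To check a real installation, pass the path of that Policy Server's ca_ps_env.ksh to `check_fips_mode`.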