Error: SAML Could not initialize class XMLEncryptDecryptApacheImpl

Article ID: 201073

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

When the Policy Server creates a signed SAMLResponse, the Assertion Generator fails and reports the error:

  [3707070/140438027622144][Sun Aug 23 2020 03:21:01][AssertionGenerator.java]
  [ERROR][sm-FedServer-00130] postProcess() returns fatal error.
  <Response ID="_d8a9c3db6c1e22d101c93402cb5ac574e2e7" IssueInstant="2020-08-23T02:21:01Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
   <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">myidp</ns1:Issuer>
    <Status> 
     <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
        <StatusMessage>Error Signing Assertion.</StatusMessage>
      </Status>
  </Response>
and the traces report:

  Can not sign Assertion with ID: _6caef431233627a2549e02de3b76474b5889  Error: Error in DSig - Can't create SMKeyDatabase.Exception occurred during creation of the XMLDocumentOps instance.
  Exception:  Could not initialize class  com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl  com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Exception occurred during creation of the XMLDocumentOps instance.
  Exception:  Could not initialize class com.netegrity.smkeydatabase.api.XMLEncryptDecryptApacheImpl   at com.netegrity.smkeydatabase.api.XMLDocumentOpsFactory.getXMLDocumentOpsInstance(XMLDocumentOpsFactory.java:95)
   at com.netegrity.SAML2Security.DSigSigner.initialize(Unknown Source)
   at com.netegrity.SAML2Security.DSigSigner.<clinit>(Unknown Source)

Environment

Policy Server 12.8 SP2 on Red Hat 6;

Cause

The significant change in 12.8 is the adoption of Bouncy Castle. During this process a lot of code was refactored and new code was introduced, and one such piece of code causes this issue in 12.8.

In 12.7, the product reads the value of the environment variable and compares it with "ONLY". If the value read is not "ONLY", the product assumes COMPAT.

In 12.8, the new code matches the value read from the environment, i.e. System.getenv("CA_SM_PS_FIPS140"), exactly against the values stored in the code (ONLY, COMPAT, MIGRATE); a mismatch causes the failure while encrypting the assertion.

Looking at the environment variables in ca_ps_env.ksh, the COMPAT value has a trailing space which is causing the issue.

Resolution

  • Stop the Policy Server;
  • Edit ca_ps_env.ksh;
  • Change the following line:

    CA_SM_PS_FIPS140="COMPAT "; export CA_SM_PS_FIPS140

    to

    CA_SM_PS_FIPS140="COMPAT"; export CA_SM_PS_FIPS140

  • Start the Policy Server to solve this issue;
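As an added check, not part of this article or of the SiteMinder product, the POSIX shell functions below scan a ca_ps_env.ksh-style file for the CA_SM_PS_FIPS140 assignment, report whether the 12.8 exact match against ONLY/COMPAT/MIGRATE would pass, flag whitespace inside the quotes (the failure described above), and rewrite the line the way the Resolution does by hand. The sample file it runs against is constructed inline; the function names are this example's own.

```shell
#!/bin/sh
# Added check: find the CA_SM_PS_FIPS140 assignment in a ca_ps_env.ksh-style
# file and tell whether 12.8's exact match against ONLY/COMPAT/MIGRATE passes.
# Returns 0 = exact match, 1 = whitespace inside the quotes (the failure in
# this article), 2 = unset or an unknown value.
check_fips_env() {
    file=$1
    tab=$(printf '\t')
    line=$(grep '^[[:space:]]*CA_SM_PS_FIPS140=' "$file" | tail -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: CA_SM_PS_FIPS140 is not set in $file"
        return 2
    fi
    value=${line#*CA_SM_PS_FIPS140=}   # text after the '='
    value=${value%%;*}                 # drop '; export CA_SM_PS_FIPS140'
    value=${value#\"}                  # strip the opening double quote
    value=${value%\"}                  # strip the closing double quote
    case "$value" in
        ONLY|COMPAT|MIGRATE)
            echo "OK: CA_SM_PS_FIPS140 is exactly \"$value\""
            return 0 ;;
        " "*|*" "|*"$tab"*)
            echo "FAIL: CA_SM_PS_FIPS140 is \"$value\": whitespace inside the quotes"
            return 1 ;;
        *)
            echo "FAIL: CA_SM_PS_FIPS140 is \"$value\": not ONLY, COMPAT or MIGRATE"
            return 2 ;;
    esac
}

# Rewrite the assignment so only the bare keyword sits inside the quotes,
# the change the Resolution section makes by hand. Writes via a temp file
# so an interrupted write cannot truncate the real script.
fix_fips_env() {
    sed 's/^\([[:space:]]*CA_SM_PS_FIPS140="\)[[:space:]]*\([A-Z]*\)[[:space:]]*"/\1\2"/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on a constructed file that reproduces the article's bad line
# (sample input, not a real ca_ps_env.ksh).
demo_fips_env() {
    tmp=$(mktemp)
    printf 'CA_SM_PS_FIPS140="COMPAT "; export CA_SM_PS_FIPS140\n' > "$tmp"
    check_fips_env "$tmp" || echo "  (exit status $?)"
    fix_fips_env "$tmp"
    check_fips_env "$tmp"
    rm -f "$tmp"
}
demo_fips_env
```

Run check_fips_env against the real ca_ps_env.ksh before restarting the Policy Server; a non-zero status means the 12.8 comparison will still fail.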