When running Federation Services and changing a certificate for a
given Partnership, the Policy Server reports the following error while
processing a Federation request:
[11836/140358742677248][Mon May 17 2021 16:35:47.940]
[AssertionGenerator.java][ERROR][sm-FedServer-00090] AssertionHandler process() throws exception:
java.lang.NoClassDefFoundError: com/sun/istack/FinalArrayList
at com.sun.xml.bind.v2.ContextFactory.createContext(ContextFactory.java:219)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:171)
at javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:129)
at javax.xml.bind.ContextFinder.find(ContextFinder.java:307)
at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:478)
at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:435)
at com.netegrity.util.SmJAXBContextFactory.newInstance(Unknown Source)
at com.netegrity.util.SmJAXBContextFactory.getSMJAXBContext(Unknown Source)
at com.netegrity.util.SmJAXBContextFactory.getSMSAMLJAXBContext(Unknown Source)
at com.netegrity.util.JAXBParsingUtil.<clinit>(Unknown Source)
at com.netegrity.assertiongenerator.saml2.ProtocolBase.marshal(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(Unknown Source)
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)
The Policy Server was recently upgraded from 12.6 to 12.8SP5.
Policy Server 12.8SP5 on RedHat 7
At first glance, this error looks like a Policy Server JVM
configuration problem rather than a certificate problem: a
java.lang.NoClassDefFoundError for com/sun/istack/FinalArrayList means
the JAXB runtime used by the SAML 2.0 assertion generator cannot load
its istack-commons-runtime dependency from the class path. This is
exactly what happens when a JVMOptions.txt carried over from 12.6 is
kept after the upgrade to 12.8SP5.
Second, when changing a certificate for a Federation Partnership, it is
recommended to add the new certificate first as the Secondary one, as
per the documentation (1), so that the partner's signed requests keep
verifying during the rollover.
The Policy Server runs the following customized JVMOptions.txt:
-server
-Xbootclasspath/p:/opt/CA/siteminder/bin/endorsed/xercesImpl.jar:/opt/CA/siteminder/bin/endorsed/xml-apis.jar:/opt/CA/siteminder/bin/endorsed/resolver.jar:/opt/CA/siteminder/bin/endorsed/serializer.jar
-Xrs
-Xms2048m
-Xmx2048m
-DNETE_PS_ROOT=/opt/CA/siteminder
-Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
-Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
-Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
-Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser
-Djava.endorsed.dirs=/opt/CA/siteminder/bin/endorsed
-Djava.class.path=/opt/CA/siteminder/resources:/opt/CA/siteminder/config/properties:/opt/CA/siteminder/bin/jars/smbootstrap.jar:/opt/CA/siteminder/bin/jars/myCustomAuthScheme-1.9.0.jar:/opt/CA/siteminder/bin/jars/json-20140107.jar:/opt/CA/siteminder/bin/jars/myAppCorporate.jar:/opt/CA/siteminder/bin/jars/myAppMyBiz.jar:/opt/CA/siteminder/bin/jars/myAppCommon.jar:/opt/CA/siteminder/bin/thirdparty/myAppFederationCorporate.jar
-Djava.util.logging.config.file=/opt/CA/siteminder/config/properties/logging.properties
The out-of-the-box 12.8SP5 JVMOptions.txt and the customized one above
differ considerably, and the customized one is missing several jars,
among them istack-commons-runtime.jar on the boot class path:
Out-of-the-box 12.8SP5 JVMOptions.txt:
-server
-Xbootclasspath/p:/opt/CA/siteminder/bin/thirdparty/stax2-api-3.1.4.jar:/opt/CA/siteminder/bin/thirdparty/woodstox-core-asl-4.4.1.jar:/opt/CA/siteminder/bin/thirdparty/wss4j-ws-security-common-2.2.4.jar:/opt/CA/siteminder/bin/thirdparty/wss4j-ws-security-dom-2.2.4.jar:/opt/CA/siteminder/bin/endorsed/xercesImpl.jar:/opt/CA/siteminder/bin/endorsed/xmlsec-2.1.4.jar:/opt/CA/siteminder/bin/endorsed/xml-apis.jar:/opt/CA/siteminder/bin/thirdparty/slf4j-api-1.7.28.jar:/opt/CA/siteminder/bin/endorsed/resolver.jar:/opt/CA/siteminder/bin/endorsed/serializer.jar:/opt/CA/siteminder/bin/thirdparty/istack-commons-runtime.jar
-Xrs
-Xms128m
-Xmx256m
-DNETE_PS_ROOT=/opt/CA/siteminder
-Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
-Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
-Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
-Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser
-Djava.endorsed.dirs=/opt/CA/siteminder/bin/endorsed
-Djava.class.path=/opt/CA/siteminder/resources:/opt/CA/siteminder/config/properties:/opt/CA/siteminder/bin/jars/smbootstrap.jar:/opt/CA/siteminder/bin/thirdparty/log4j-api-2.12.1.jar:/opt/CA/siteminder/bin/thirdparty/log4j-core-2.12.1.jar:/opt/CA/siteminder/bin/thirdparty/log4j-slf4j-impl-2.12.1.jar
-Djava.util.logging.config.file=/opt/CA/siteminder/config/properties/logging.properties
-Dorg.apache.xml.security.ignoreLineBreaks=true
Rebuild JVMOptions.txt starting from the out-of-the-box 12.8SP5 file:
keep all of its -Xbootclasspath/p: and -Djava.class.path= entries, then
re-apply only the customizations you actually need (the custom
authentication scheme and application jars appended to
-Djava.class.path=, and the larger -Xms/-Xmx heap settings). Restart
the Policy Server and re-test a Federation request; the
NoClassDefFoundError should no longer appear in the log.
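The comparison above was done by eye. As an added example (not part of the original article and not a Broadcom tool), the following shell script does the same comparison mechanically: it extracts every jar referenced by -Xbootclasspath/p: and -Djava.class.path= in two JVMOptions.txt files and lists the jars the stock file has that the customized file lacks, and it can also flag referenced jars that do not exist on disk, since a mistyped jar path produces the same NoClassDefFoundError. The two sample files are constructed, abbreviated from the two configurations shown above.

```shell
#!/bin/sh
# Added example (not from the original article or from Broadcom): compare a
# customized JVMOptions.txt against the out-of-the-box one and list the jars
# the stock file puts on -Xbootclasspath/p: or -Djava.class.path= that the
# custom file lacks. File names and sample contents below are constructed.

# Print every jar path referenced by the boot class path and class path
# options of a JVMOptions.txt, one per line, sorted and de-duplicated.
jvm_jars() {
    # Strip the option prefix, then split the ':'-separated path list and
    # keep only entries that are jars (directories such as .../resources
    # are dropped).
    sed -n -e 's/^-Xbootclasspath\/p://p' -e 's/^-Djava.class.path=//p' "$1" \
        | tr ':' '\n' \
        | grep '\.jar$' \
        | sort -u
}

# List jars present in the stock file ($2) but absent from the custom file ($1).
missing_jars() {
    custom_list=$(mktemp) && stock_list=$(mktemp) || return 1
    jvm_jars "$1" > "$custom_list"
    jvm_jars "$2" > "$stock_list"
    # comm -13 prints lines that appear only in the second (stock) file.
    comm -13 "$custom_list" "$stock_list"
    rm -f "$custom_list" "$stock_list"
}

# Report jars that a JVMOptions.txt references but that do not exist on disk.
absent_on_disk() {
    jvm_jars "$1" | while IFS= read -r jar; do
        [ -f "$jar" ] || printf '%s\n' "$jar"
    done
}

# Constructed sample files, abbreviated from the two configurations above.
CUSTOM=$(mktemp); STOCK=$(mktemp)
trap 'rm -f "$CUSTOM" "$STOCK"' EXIT
cat > "$CUSTOM" <<'EOF'
-server
-Xbootclasspath/p:/opt/CA/siteminder/bin/endorsed/xercesImpl.jar:/opt/CA/siteminder/bin/endorsed/xml-apis.jar
-Xmx2048m
-Djava.class.path=/opt/CA/siteminder/resources:/opt/CA/siteminder/bin/jars/smbootstrap.jar:/opt/CA/siteminder/bin/jars/myAppCommon.jar
EOF
cat > "$STOCK" <<'EOF'
-server
-Xbootclasspath/p:/opt/CA/siteminder/bin/endorsed/xercesImpl.jar:/opt/CA/siteminder/bin/endorsed/xml-apis.jar:/opt/CA/siteminder/bin/thirdparty/istack-commons-runtime.jar
-Xmx256m
-Djava.class.path=/opt/CA/siteminder/resources:/opt/CA/siteminder/bin/jars/smbootstrap.jar:/opt/CA/siteminder/bin/thirdparty/log4j-core-2.12.1.jar
EOF

echo "Jars in the stock JVMOptions.txt that the custom one is missing:"
missing_jars "$CUSTOM" "$STOCK"
```

On a real Policy Server, run it against the customized file and the 12.8SP5 file shipped with the installer (for example `missing_jars /opt/CA/siteminder/config/JVMOptions.txt JVMOptions.txt.orig`, assuming you kept a copy of the stock file under that name), then run `absent_on_disk` against the rebuilt file before restarting the Policy Server.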
(1)
Signature and Encryption Dialog (SAML 2.0 IdP)
Secondary Verification Certificate Alias(Optional) Specifies a
second certificate alias for a certificate in the certificate data
store. If verification of a signed authentication request fails
using the verification certificate alias, the IdP uses this
secondary verification alias. Specifying a secondary alias is
useful if an SP rolls over its signing certificate. A rollover can
occur for any reason, such as when a certificate expires, a
private key is compromised, or the private key size changes. If
the certificate is not already in the certificate data store,
click Import to import one. When secondary certificates are
configured or updated for an active partnership, the run time
automatically picks up the changes. You do not need to flush the
cache from the UI for the changes to take effect.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/signature-and-encryption-dialog-saml-2-0-idp.html