Error NoClassDefFoundError FinalArrayList in Federation Policy Server

Article ID: 215601


Products

SITEMINDER

Issue/Introduction

 

When running Federation Services and changing a certificate for a
given Partnership, the Policy Server reports the following error when
processing a Federation request:

   [11836/140358742677248][Mon May 17 2021 16:35:47.940]
   [AssertionGenerator.java][ERROR][sm-FedServer-00090] AssertionHandler process() throws exception:
   njava.lang.NoClassDefFoundError: com/sun/istack/FinalArrayList

     at com.sun.xml.bind.v2.ContextFactory.createContext(ContextFactory.java:219)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.lang.reflect.Method.invoke(Method.java:498)
     at javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:171)
     at javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:129)
     at javax.xml.bind.ContextFinder.find(ContextFinder.java:307)
     at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:478)
     at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:435)
     at com.netegrity.util.SmJAXBContextFactory.newInstance(Unknown Source)
     at com.netegrity.util.SmJAXBContextFactory.getSMJAXBContext(Unknown Source)
     at com.netegrity.util.SmJAXBContextFactory.getSMSAMLJAXBContext(Unknown Source)
     at com.netegrity.util.JAXBParsingUtil.<clinit>(Unknown Source)
     at com.netegrity.assertiongenerator.saml2.ProtocolBase.marshal(Unknown Source)
     at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.processRequest(Unknown Source)
     at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.process(Unknown Source)
     at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
     at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)

The Policy Server has been recently upgraded from 12.6 to 12.8SP5.

 

Environment

 

Policy Server 12.8SP5 on RedHat 7

 

Cause

 

At first glance, this error points to a problem with the Policy
Server JVM configuration.

In addition, when changing the certificate for a Federation
Partnership, the documentation (1) recommends first adding the new
certificate as the Secondary one.

The Policy Server runs with the following customized JVMOptions.txt:

  -server
  -Xbootclasspath/p:/opt/CA/siteminder/bin/endorsed/xercesImpl.jar:/opt/CA/siteminder/bin/endorsed/xml-apis.jar:/opt/CA/siteminder/bin/endorsed/resolver.jar:/opt/CA/siteminder/bin/endorsed/serializer.jar
  -Xrs
  -Xms2048m
  -Xmx2048m
  -DNETE_PS_ROOT=/opt/CA/siteminder
  -Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
  -Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
  -Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
  -Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser
  -Djava.endorsed.dirs=/opt/CA/siteminder/bin/endorsed
  -Djava.class.path=/opt/CA/siteminder/resources:/opt/CA/siteminder/config/properties:/opt/CA/siteminder/bin/jars/smbootstrap.jar:/opt/CA/siteminder/bin/jars/myCustomAuthScheme-1.9.0.jar:/opt/CA/siteminder/bin/jars/json-20140107.jar:/opt/CA/siteminder/bin/jars/myAppCorporate.jar:/opt/CA/siteminder/bin/jars/myAppMyBiz.jar:/opt/CA/siteminder/bin/jars/myAppCommon.jar:/opt/CA/siteminder/bin/thirdparty/myAppFederationCorporate.jar
  -Djava.util.logging.config.file=/opt/CA/siteminder/config/properties/logging.properties
  


The out-of-the-box 12.8SP5 JVMOptions.txt and the customized
JVMOptions.txt above differ significantly, and the customized file is
missing some jars.

Out-of-the-box 12.8SP5 JVMOptions.txt:

  -server
  -Xbootclasspath/p:/opt/CA/siteminder/bin/thirdparty/stax2-api-3.1.4.jar:/opt/CA/siteminder/bin/thirdparty/woodstox-core-asl-4.4.1.jar:/opt/CA/siteminder/bin/thirdparty/wss4j-ws-security-common-2.2.4.jar:/opt/CA/siteminder/bin/thirdparty/wss4j-ws-security-dom-2.2.4.jar:/opt/CA/siteminder/bin/endorsed/xercesImpl.jar:/opt/CA/siteminder/bin/endorsed/xmlsec-2.1.4.jar:/opt/CA/siteminder/bin/endorsed/xml-apis.jar:/opt/CA/siteminder/bin/thirdparty/slf4j-api-1.7.28.jar:/opt/CA/siteminder/bin/endorsed/resolver.jar:/opt/CA/siteminder/bin/endorsed/serializer.jar:/opt/CA/siteminder/bin/thirdparty/istack-commons-runtime.jar
  -Xrs
  -Xms128m
  -Xmx256m
  -DNETE_PS_ROOT=/opt/CA/siteminder
  -Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
  -Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
  -Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
  -Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser
  -Djava.endorsed.dirs=/opt/CA/siteminder/bin/endorsed
  -Djava.class.path=/opt/CA/siteminder/resources:/opt/CA/siteminder/config/properties:/opt/CA/siteminder/bin/jars/smbootstrap.jar:/opt/CA/siteminder/bin/thirdparty/log4j-api-2.12.1.jar:/opt/CA/siteminder/bin/thirdparty/log4j-core-2.12.1.jar:/opt/CA/siteminder/bin/thirdparty/log4j-slf4j-impl-2.12.1.jar
  -Djava.util.logging.config.file=/opt/CA/siteminder/config/properties/logging.properties
  -Dorg.apache.xml.security.ignoreLineBreaks=true

 

Resolution

 

To solve the issue, rebuild JVMOptions.txt using the out-of-the-box
12.8SP5 JVMOptions.txt as the base and, once that out-of-the-box
configuration is in place, add the customizations you need.
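
One way to see what a customized JVMOptions.txt lacks before rebuilding it, as an added example that is not part of the original article or of SiteMinder: a POSIX shell script that lists the jars and -D properties present in the out-of-the-box file but absent from the customized one. The function names are hypothetical, and the two sample files are constructed, shortened forms of the listings in the Cause section.

```shell
#!/bin/sh
# Added example (not vendor code): report what a customized JVMOptions.txt
# lacks relative to the out-of-the-box file. Function names are hypothetical.

# Print each ':'-separated entry of the option that starts with prefix $2 in file $1.
path_entries() {
    awk -v p="$2" '{ sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        index($0, p) == 1 {
            n = split(substr($0, length(p) + 1), e, ":")
            for (i = 1; i <= n; i++) if (e[i] != "") print e[i]
        }' "$1" | sort -u
}

# Print the names of all -D system properties set in file $1.
property_names() {
    awk '{ sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") } /^-D/ { sub(/=.*/, ""); print }' "$1" | sort -u
}

# Print the stdin lines that are absent from the newline-separated list $1.
not_in() {
    while IFS= read -r item; do
        printf '%s\n' "$1" | grep -Fxq -- "$item" || printf '%s\n' "$item"
    done
}

# $1 = out-of-the-box file, $2 = customized file, $3 = option prefix.
missing_entries() { path_entries "$1" "$3" | not_in "$(path_entries "$2" "$3")"; }
missing_properties() { property_names "$1" | not_in "$(property_names "$2")"; }

# Constructed sample files: shortened forms of the two JVMOptions.txt listings.
R=/opt/CA/siteminder
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/oob.txt" <<EOF
  -server
  -Xbootclasspath/p:$R/bin/endorsed/xercesImpl.jar:$R/bin/endorsed/xmlsec-2.1.4.jar:$R/bin/thirdparty/istack-commons-runtime.jar
  -Djava.endorsed.dirs=$R/bin/endorsed
  -Djava.class.path=$R/resources:$R/bin/jars/smbootstrap.jar:$R/bin/thirdparty/log4j-api-2.12.1.jar
  -Dorg.apache.xml.security.ignoreLineBreaks=true
EOF
cat > "$SAMPLE/custom.txt" <<EOF
  -server
  -Xbootclasspath/p:$R/bin/endorsed/xercesImpl.jar
  -Djava.endorsed.dirs=$R/bin/endorsed
  -Djava.class.path=$R/resources:$R/bin/jars/smbootstrap.jar:$R/bin/jars/myAppCommon.jar
EOF

echo "Missing from -Xbootclasspath/p:"; missing_entries "$SAMPLE/oob.txt" "$SAMPLE/custom.txt" "-Xbootclasspath/p:"
echo "Missing from java.class.path:";   missing_entries "$SAMPLE/oob.txt" "$SAMPLE/custom.txt" "-Djava.class.path="
echo "Missing -D properties:";          missing_properties "$SAMPLE/oob.txt" "$SAMPLE/custom.txt"
```

On a Policy Server, pass a copy of the release's out-of-the-box file and the live JVMOptions.txt in place of the sample files; jars that exist only in the customized file are not reported and still have to be re-added by hand.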

 

Additional Information

 

(1)

    Signature and Encryption Dialog (SAML 2.0 IdP)

      Secondary Verification Certificate Alias (Optional): Specifies a
      second certificate alias for a certificate in the certificate data
      store. If verification of a signed authentication request fails
      using the verification certificate alias, the IdP uses this
      secondary verification alias. Specifying a secondary alias is
      useful if an SP rolls over its signing certificate. A rollover can
      occur for any reason, such as when a certificate expires, a
      private key is compromised, or the private key size changes. If
      the certificate is not already in the certificate data store,
      click Import to import one. When secondary certificates are
      configured or updated for an active partnership, the run time
      automatically picks up the changes. You do not need to flush the
      cache from the UI for the changes to take effect.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/federation-partnerships-reference/signature-and-encryption-dialog-saml-2-0-idp.html