SAML ResponseSignature signature validation fails
Article ID: 233093

Products

DX Application Performance Management

Issue/Introduction

SAML login is failing after replacing the expired IDP public certificate with a new certificate.

The dxi adminui pod repeatedly logs the following exception:

 [FaultExceptionMapperProvider,catalina-exec-12] ERROR [] - TID[9.56396] 2151125: SAML 'ResponseSignature' signature validation failed.
com.ca.emm.corejsvr.ExceptionWithNC: 2151125: SAML 'ResponseSignature' signature validation failed.
                at com.ca.emm.svcsenv.svrcommon.jmsclient.JmsMQRequester.errorResponse2ExceptionWithNC(JmsMQRequester.java:646) ~[mxmsvcs_server_common-2.0.1.37.jar:?]
                at com.ca.emm.ess.service.AnARestServiceImpl.authenticate(AnARestServiceImpl.java:186) ~[classes/:?]
                at com.ca.emm.ess.controller.AuthnController.handleTokenPost(AuthnController.java:181) ~[classes/:?]
                at sun.reflect.GeneratedMethodAccessor147.invoke(Unknown Source) ~[?:?]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_302]
                at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_302]
                at org.apache.openejb.server.cxf.rs.PojoInvoker.performInvocation(PojoInvoker.java:43) ~[openejb-cxf-rs-8.0.8.jar:8.0.8]
                at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) ~[cxf-shade-8.0.8.jar:8.0.8]
                at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:201) [cxf-rt-frontend-jaxrs-3.4.4.jar:3.4.4]
                at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:104) [cxf-rt-frontend-jaxrs-3.4.4.jar:3.4.4]
                at org.apache.openejb.server.cxf.rs.AutoJAXRSInvoker.invoke(AutoJAXRSInvoker.java:68) [openejb-cxf-rs-8.0.8.jar:8.0.8]
                at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59) [cxf-shade-8.0.8.jar:8.0.8]
                at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96) [cxf-shade-8.0.8.jar:8.0.8]
                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307) [cxf-shade-8.0.8.jar:8.0.8]
                at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-shade-8.0.8.jar:8.0.8]
                at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265) [cxf-shade-8.0.8.jar:8.0.8]
                at org.apache.openejb.server.cxf.rs.CxfRsHttpListener.doInvoke(CxfRsHttpListener.java:266) [openejb-cxf-rs-8.0.8.jar:8.0.8]
                at org.apache.tomee.webservices.CXFJAXRSFilter.doFilter(CXFJAXRSFilter.java:99) [tomee-jaxrs-8.0.8.jar:8.0.8]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.52]
                at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-websocket.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.52]
                at org.apache.catalina.filters.ExpiresFilter.doFilter(ExpiresFilter.java:1227) [catalina.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.52]
                at com.ca.emm.svcsenv.svrcommon.rest.RequestContextManagerFilter.doFilter(RequestContextManagerFilter.java:198) [mxmsvcs_server_common-2.0.1.37.jar:?]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.52]
                at org.apache.logging.log4j.web.Log4jServletFilter.doFilter(Log4jServletFilter.java:71) [log4j-web-2.14.1.jar:?]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189) [catalina.jar:9.0.52]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162) [catalina.jar:9.0.52]
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197) [catalina.jar:9.0.52]
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) [catalina.jar:9.0.52]
                at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:45) [tomee-catalina-8.0.8.jar:8.0.8]
                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:542) [catalina.jar:9.0.52]
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135) [catalina.jar:9.0.52]
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.52]
                at org.apache.tomee.catalina.OpenEJBSecurityListener$RequestCapturer.invoke(OpenEJBSecurityListener.java:97) [tomee-catalina-8.0.8.jar:8.0.8]
                at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687) [catalina.jar:9.0.52]
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) [catalina.jar:9.0.52]
                at com.ca.emm.essfilter.AuthzTomcatValve.invoke(AuthzTomcatValve.java:158) [ess-filter-tomcat-valve.jar:?]
                at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:769) [catalina.jar:9.0.52]
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357) [catalina.jar:9.0.52]
                at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382) [tomcat-coyote.jar:9.0.52]
                at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:9.0.52]
                at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:893) [tomcat-coyote.jar:9.0.52]
                at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1726) [tomcat-coyote.jar:9.0.52]
                at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.52]
                at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191) [tomcat-util.jar:9.0.52]
                at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659) [tomcat-util.jar:9.0.52]
                at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.52]
                at java.lang.Thread.run(Thread.java:748) [?:1.8.0_302]


Please advise

Environment

Release : 21.3

Component : Introscope

Resolution

The root cause lies in how the new certificate is applied: if only the certificate field is changed and no other field, the change is ignored. Signature validation therefore fails before the certificate itself is ever checked.

During testing, reapplying the certificate together with a change to one other field succeeded, and the customer could log in without problems.

We have filed an internal ticket to get this bug fixed.
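A quick way to tell a stale trust anchor from a genuinely bad signature is to compare the certificate the IdP actually signed the Response with against the certificate the SP is supposed to trust. The script below is an added diagnostic example, not Broadcom's code; the SAML Response and both "certificates" are constructed placeholders, and the fingerprint comparison is the only check it performs.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and whitespace and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()

def signing_cert_from_response(xml_text: str) -> bytes:
    """DER certificate carried in the Response signature's ds:KeyInfo.
    This value comes from the peer, so it is used only for diagnosis here;
    real signature verification must use the SP's configured trust anchor."""
    root = ET.fromstring(xml_text)
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        raise ValueError("Response signature carries no X509Certificate")
    return base64.b64decode("".join(node.text.split()))

def response_signed_with(xml_text: str, trusted_pem: str) -> bool:
    """True when the certificate in the Response signature is the one in trusted_pem."""
    return fingerprint(signing_cert_from_response(xml_text)) == fingerprint(pem_to_der(trusted_pem))

def as_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (helper for the constructed sample below)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample data: placeholder byte strings stand in for the expired and the
# replacement IdP certificates (not real X.509); the Response is "signed" with NEW.
OLD_DER = b"placeholder: expired IdP certificate"
NEW_DER = b"placeholder: replacement IdP certificate"
OLD_CERT_PEM, NEW_CERT_PEM = as_pem(OLD_DER), as_pem(NEW_DER)
RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="%s" ID="_constructed" Version="2.0">'
    '<ds:Signature xmlns:ds="%s"><ds:SignedInfo/>'
    '<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>'
) % (NS["samlp"], NS["ds"], base64.b64encode(NEW_DER).decode())

if __name__ == "__main__":
    # A MISMATCH against the certificate the SP still holds points at the ignored update.
    for label, pem in (("old", OLD_CERT_PEM), ("new", NEW_CERT_PEM)):
        print(label, "->", "match" if response_signed_with(RESPONSE_XML, pem) else "MISMATCH")
```

If the Response matches the new certificate but the SP still reports 2151125, the SP is validating against something other than the file you just uploaded, which is exactly the ignored-update behaviour described above.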