Exception: java.lang.NoClassDefFoundError: Could not initialize class com.netegrity.SAML2Security.DSigVerifier


Article ID: 233283


Products

SITEMINDER, CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The smps.log and smtracedefault.log show a signature verification failure on a signed SP-initiated samlRequest.

[01/13/2022][07:51:51][07:51:51.851][][][][][][781][140207143753472][2b9f3205-11bd5d1f-2b5ffa0b-296cb4d1-77828bf2-c5][][][][][][][][][SignatureProcessor.java][verifyFromHTTP][][][][][][][][][][][][][][][][][][][][][][][][][][][Primary certificate to verify signature: alias: "xx-xxx-xxxx-xxxxxxx"][][][][][][][][]
[01/13/2022][07:51:51][07:51:51.852][][][][][][781][140207143753472][2b9f3205-11bd5d1f-2b5ffa0b-296cb4d1-77828bf2-c5][][][][][][][][][AssertionGenerator.java][invoke][][][][][][][][][][][][][][][][][][][][][][][][][][][Error happens in running Assertionhandler preProcess(). Leaving Assertion Generator Framework.  Exception:
java.lang.NoClassDefFoundError: Could not initialize class com.netegrity.SAML2Security.DSigVerifier
 at com.netegrity.SAML2Security.SignatureProcessor.getCertificateWithAlias(Unknown Source)
 at com.netegrity.SAML2Security.SignatureProcessor.verifyFromHTTP(Unknown Source)
 at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.verifySignatureOnRequest(Unknown Source)
 at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.validateRequest(Unknown Source)
 at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.preProcess(Unknown Source)
 at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
 at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)

Environment

Release : 12.8.05

Component : SITEMINDER POLICY SERVER

Cause

The Log4j patch steps in the article below were not followed properly.

https://knowledge.broadcom.com/external/article?articleId=230270

On Linux platforms, incorrect file and group permissions can cause this error.

On a separate note, smkeytool cannot list a certificate by an alias name that contains non-alphanumeric characters (alias: "xx-xxx-xxxx-xxxxxxx").

It returns the error: "Invalid value specified for alias. Only alpha-numeric characters are allowed in aliases."

However, this does not prevent the Policy Server from locating the certificate and verifying the signature, so the certificate alias name itself is not the root cause of the problem.

smkeytool can list the cert by running: "smkeytool -listCerts -alias xx* -v"

 

Resolution

When applying the log4j patch, double-check that the contents of smkeytool.bat/smkeytool.sh match the updated log4j patch file names.

Also ensure that the file saml2Security.jar exists under ~siteminder/bin/jars and has the proper group permission and the correct file size.
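
One way to script the two checks above on Linux. This is an added example, not Broadcom tooling: the function names are hypothetical, and it assumes the launcher script names the log4j jars literally and that those jars sit somewhere under the install root passed as the second argument.

```shell
#!/bin/sh
# Added example; function names and directory layout are assumptions.

# Print each distinct log4j jar file name referenced in a launcher script.
referenced_log4j_jars() {
    grep -o 'log4j[A-Za-z0-9._-]*\.jar' "$1" | sort -u
}

# Return 0 only if every log4j jar named in the script exists under the
# install root and is readable by the current user. Returns 2 if the
# script names no log4j jar at all.
check_launcher() {
    script=$1 root=$2 rc=0
    jars=$(referenced_log4j_jars "$script")
    if [ -z "$jars" ]; then
        echo "WARN: no log4j jar referenced in $script"; return 2
    fi
    for jar in $jars; do
        path=$(find "$root" -type f -name "$jar" 2>/dev/null | head -n 1)
        if [ -z "$path" ]; then
            echo "MISSING: $jar (named in $script)"; rc=1
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE: $path"; rc=1
        else
            echo "OK: $path"
        fi
    done
    return $rc
}

# Return 0 only if the jar exists, is non-empty and is readable.
# On success, print size, mode, owner and group for manual comparison
# against a known-good server.
check_jar() {
    jar=$1
    [ -f "$jar" ] || { echo "MISSING: $jar"; return 1; }
    [ -s "$jar" ] || { echo "EMPTY: $jar"; return 1; }
    [ -r "$jar" ] || { echo "UNREADABLE: $jar"; return 1; }
    echo "OK: $jar ($(wc -c < "$jar") bytes, $(ls -ld "$jar" | awk '{print $1, $3, $4}'))"
}
```

Run it as the account that runs the Policy Server so the readability tests reflect that account's group membership: call `check_launcher` with the path to smkeytool.sh and the install root, and `check_jar` with the path to saml2Security.jar under bin/jars.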