OIDC token processing failed with "Cannot parse bytes to a Response" error

Article ID: 256249

Products

SITEMINDER

Issue/Introduction

Multiple users are having issues with OIDC token generation. We are seeing the below error in our FWS trace log (FWSTrace.log):

[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][TokenService.java][processRequest][ Calling OpenIDConnectTunnelClient for accessToken]
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Tunnel result code: 2.]
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Exception caught in class com.ca.federation.webservices.openidconnect.d, method callOpenIDConnectAccessTokenRequest: java.lang.IllegalArgumentException: "Cannot parse bytes to a Response"]
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][TokenService.java][processRequest][ AccessTokenTunnel call failed ]
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][OpenIDConnectServiceBase.java][sendJSONErrorResponse][ Sending error JSON message: 
{"error":"invalid_request","error_description":"Internal Server Error."} 
 with error code:500]

If we turn on tracing on the Policy Server, we see the following error:

[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][OidcCommonUtil.java][encryptJWTToken][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][ Start encryption... ][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][CertUtil.java][getPublicKey][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Getting certificate for alias: <cert's alias>][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][CertUtil.java][getPublicKey][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Certificate for alias: <cert's alias> status = false][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][CertUtil.java][getPublicKey][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Cert with alias = <cert's alias> got expired][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][OidcCommonUtil.java][encryptJWTToken][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Cert with alias = <cert's alias> got expired][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][AccessTokenTunnelService.java][tunnel][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][ Exception caught: java.lang.Exception: Cert with alias = <cert's alias> got expired
    at com.ca.federation.openidconnect.util.CertUtil.getPublicKey(Unknown Source)
    at com.ca.federation.openidconnect.util.OidcCommonUtil.encryptJWTToken(Unknown Source)
    at com.ca.federation.openidconnect.generator.IDTokenGenerator.signAndEncryptIDToken(Unknown Source)
    at com.ca.federation.openidconnect.generator.IDTokenGenerator.generateIDToken(Unknown Source)
    at com.ca.federation.openidconnect.generator.IDTokenGenerator.generateIDToken(Unknown Source)
    at com.ca.federation.openidconnect.tunnel.AccessTokenTunnelService.processTokenGeneration(Unknown Source)
    at com.ca.federation.openidconnect.tunnel.AccessTokenTunnelService.tunnel(Unknown Source)
    at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)
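The FWS trace only shows the generic "Cannot parse bytes to a Response" symptom; the smtrace log carries the actual cause and the alias of the certificate involved. The script below is an added example (not SiteMinder code and not part of this article) that correlates the two: it pulls the failed transaction IDs out of FWSTrace.log lines and the expired certificate aliases out of smtrace lines, so an operator knows which alias to renew. The sample log lines are constructed from the excerpts above, and the alias value "oidc-signing-2021" is a placeholder, not a value from the article.

```python
"""Triage helper for the OIDC "Cannot parse bytes to a Response" failure.

Added example, not part of the SiteMinder product or this article. It scans
FWSTrace.log for the IllegalArgumentException and smtrace for the
'got expired' message from CertUtil.getPublicKey, then reports the alias
that needs renewing.
"""
from __future__ import annotations

import re

# Constructed sample lines modelled on the article's FWSTrace.log excerpt.
FWS_TRACE = """\
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][TokenService.java][processRequest][ Calling OpenIDConnectTunnelClient for accessToken]
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Tunnel result code: 2.]
[12/14/2022][11:36:53][3140][10436][1292c920-faa2598c-923f56b5-5ec586d8-185ef001-544][OpenIDConnectTunnelClient.java][callOpenIDConnectAccessTokenRequest][Exception caught in class com.ca.federation.webservices.openidconnect.d, method callOpenIDConnectAccessTokenRequest: java.lang.IllegalArgumentException: "Cannot parse bytes to a Response"]
"""

# Constructed sample lines modelled on the article's smtrace excerpt.
# The alias "oidc-signing-2021" is a placeholder, not a value from the article.
SM_TRACE = """\
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][CertUtil.java][getPublicKey][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Getting certificate for alias: oidc-signing-2021][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][CertUtil.java][getPublicKey][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Certificate for alias: oidc-signing-2021 status = false][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][CertUtil.java][getPublicKey][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Cert with alias = oidc-signing-2021 got expired][][][][][][][][][]
[12/14/2022][19:29:41][19:29:41.798][][][][][][4464][5288][][][][][][][][][][][][OidcCommonUtil.java][encryptJWTToken][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][Cert with alias = oidc-signing-2021 got expired][][][][][][][][][]
"""

# FWS lines: [date][time][pid][tid][transaction id][source][method][message]
FWS_LINE = re.compile(
    r"^\[(?P<date>[^\]]+)\]\[(?P<time>[^\]]+)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r"\[(?P<txn>[^\]]*)\]\[(?P<src>[^\]]+)\]\[(?P<method>[^\]]+)\]\[(?P<msg>.*)\]$"
)
PARSE_ERROR = 'IllegalArgumentException: "Cannot parse bytes to a Response"'
# smtrace messages emitted by CertUtil.getPublicKey (see the article's excerpt).
STATUS = re.compile(r"Certificate for alias: (?P<alias>.+?) status = (?P<status>true|false)")
EXPIRED = re.compile(r"Cert with alias = (?P<alias>.+?) got expired")


def failed_transactions(fws_log: str) -> list[dict[str, str]]:
    """Return one record per FWS transaction whose tunnel call raised the parse error."""
    found = []
    for line in fws_log.splitlines():
        m = FWS_LINE.match(line)
        if m and PARSE_ERROR in m.group("msg"):
            found.append({"txn": m.group("txn"), "time": f"{m.group('date')} {m.group('time')}"})
    return found


def expired_aliases(sm_log: str) -> dict[str, dict[str, str]]:
    """Map each alias reported expired to when it was first seen and its status flag.

    The same message is logged by CertUtil and again by OidcCommonUtil, so the
    alias is recorded once, at its first occurrence.
    """
    status_by_alias: dict[str, str] = {}
    expired: dict[str, dict[str, str]] = {}
    for line in sm_log.splitlines():
        fields = line.split("][")
        # fields[0] is "[date", fields[2] is the millisecond timestamp.
        stamp = f"{fields[0].lstrip('[')} {fields[2]}" if len(fields) > 2 else "?"
        s = STATUS.search(line)
        if s:
            status_by_alias[s.group("alias")] = s.group("status")
        e = EXPIRED.search(line)
        if e and e.group("alias") not in expired:
            alias = e.group("alias")
            expired[alias] = {"first_seen": stamp, "status": status_by_alias.get(alias, "unknown")}
    return expired


def triage(fws_log: str, sm_log: str) -> dict:
    """Correlate the FWS symptom with the smtrace cause and state the action."""
    failures = failed_transactions(fws_log)
    expired = expired_aliases(sm_log)
    if expired:
        action = "renew certificate alias(es): " + ", ".join(sorted(expired))
    else:
        action = "no expired alias in smtrace; the parse error has another cause"
    return {
        "failed_token_requests": len(failures),
        "transactions": sorted({f["txn"] for f in failures}),
        "expired_aliases": sorted(expired),
        "action": action,
    }


if __name__ == "__main__":
    for key, value in triage(FWS_TRACE, SM_TRACE).items():
        print(f"{key}: {value}")
```

In a real run, replace the two constructed strings with the contents of FWSTrace.log and the Policy Server smtrace file; the transaction ID in the FWS record is what lets you match a specific user's failed token request to the time window of the smtrace entries.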

Environment

Release : 12.8.x

Cause

The signing certificate has expired.

Resolution

Please renew the signing certificate (its alias is shown in the smtrace log) with a valid one.