
Exception while Decrypting Attributes: java.lang.NullPointerException


Article ID: 258111


Products

- SITEMINDER
- CA Single Sign On Federation (SiteMinder)
- CA Single Sign On Agents (SiteMinder)
- CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The SAML SP connection fails with the exception below after upgrading to the 12.8 SP5 release.

------ Exception while Decrypting Attributes: java.lang.NullPointerException

- After upgrading the Policy Server to 12.8 SP5, validation of some of the FED applications showed that the Policy Server fails to consume the assertion with a NullPointerException.

Upgrading the Policy Server from 12.8 SP3 (or any version lower than 12.8 SP5) to the 12.8 SP5 release can cause this exception.

Environment

CA SiteMinder Policy Server Version: Full Version=12.80.500.2546
 
This issue is also observed in the 12.8 SP5 build used for "AuthHub" (the 12.8 SP5 Auth Hub Release build number is 2362).

Cause

During attribute processing, the NullPointerException is raised as follows.

------ Cause:

<saml2:Conditions>
<saml2:AudienceRestriction>
<saml2:Audience>urn:federation:metlife</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>

------ NotBefore and NotOnOrAfter are optional attributes, and the Conditions element above carries neither of them, but our code does not check for null and tries to access them directly as if they were present in the assertion.

Exception while Decrypting Attributes: java.lang.NullPointerException
at com.netegrity.ps.auth.saml.Saml2Validator.checkAssertion(Unknown Source)
at com.netegrity.ps.auth.saml.Saml2Validator.smAuthenticate(Unknown Source)
at com.netegrity.ps.auth.saml.SamlValidator.smAuthenticate(Unknown Source)

------ Null checks have to be enabled for "notOnOrAfterXMLGC" and "notBeforeXMLGC".
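
The null checks described above, sketched as an added example that is not the Policy Server's code: the Conditions holder, the method names and the use of XMLGregorianCalendar for the two values are assumptions made for illustration, and the timestamps are constructed. It needs Java 16 or later for the record syntax.

```java
import java.time.Duration;
import java.time.Instant;
import javax.xml.datatype.DatatypeFactory;
import javax.xml.datatype.XMLGregorianCalendar;

public class ConditionsWindowCheck {

    // Hypothetical holder for the two optional saml2:Conditions attributes.
    // A null field means the attribute was absent from the assertion.
    record Conditions(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter) {}

    // Unguarded form: dereferences both fields and throws NullPointerException
    // when either attribute is missing.
    static boolean unguarded(Conditions c, Instant now) {
        Instant nb = c.notBefore().toGregorianCalendar().toInstant();
        Instant noa = c.notOnOrAfter().toGregorianCalendar().toInstant();
        return !now.isBefore(nb) && now.isBefore(noa);
    }

    // Guarded form: an absent bound imposes no limit on that side, a present
    // bound is still enforced (with an allowance for clock skew).
    static boolean guarded(Conditions c, Instant now, Duration skew) {
        if (c.notBefore() != null
                && now.plus(skew).isBefore(c.notBefore().toGregorianCalendar().toInstant())) {
            return false; // not yet valid
        }
        if (c.notOnOrAfter() != null
                && !now.minus(skew).isBefore(c.notOnOrAfter().toGregorianCalendar().toInstant())) {
            return false; // expired
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        DatatypeFactory f = DatatypeFactory.newInstance();
        Instant now = Instant.parse("2024-01-01T12:00:00Z"); // constructed sample time
        Duration skew = Duration.ofSeconds(30);
        // Same shape as the Conditions element shown above: neither attribute set.
        Conditions none = new Conditions(null, null);
        Conditions expired = new Conditions(null, f.newXMLGregorianCalendar("2024-01-01T11:00:00Z"));
        System.out.println("no bounds accepted: " + guarded(none, now, skew));
        System.out.println("expired accepted:   " + guarded(expired, now, skew));
        try {
            unguarded(none, now);
        } catch (NullPointerException e) {
            System.out.println("unguarded check: NullPointerException");
        }
    }
}
```

A missing bound is treated as no limit on that side only; the remaining Conditions checks, such as AudienceRestriction, still apply.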

Resolution

------ After upgrading the Policy Server to the 12.8 SP5 release, if the exception is observed, open a support ticket and reference this KB document and the SE Engineering team defect number below so that the support team can provide a patch.

- DE507610

We have a DEV fix patch that resolves the above-mentioned exception.

This DEV fix patch contains "smauthsaml.jar", which needs to be replaced on the Policy Server machine under the "$NETE_PS_ROOT/bin/jars" location.