The production certificate used for a federation partnership was replaced during the weekend change window.
After the certificate update, SAML assertion signing fails and the error below appears in the Policy Server trace log. At the same time, in the Administrative UI, the new certificate does not show in the drop-down list when modifying the federation partnership.
[05/06/2023][12:04:14.333][12:04:14][23296][139845653481216][AssertionHandlerSAML20.java][postProcess][][][][][][][][][][][][][][][][][][][][][Start to wrap-up the SAML2.0 response.][]
[05/06/2023][12:04:14.334][12:04:14][23296][139845653481216][AuthnRequestProtocol.java][closeupProcess][][][][][][][][][][][][][][][][][][][][][POST signing option: 2][]
[05/06/2023][12:04:14.334][12:04:14][23296][139845653481216][AuthnRequestProtocol.java][closeupProcess][][][][][][][][][][][][][][][][][][][][][Policy server signs saml2 assertion [CHECKPOINT = SSOSAML2_PSSIGNASSERTION_RSP]][]
[05/06/2023][12:04:14.334][12:04:14][23296][139845653481216][ProtocolBase.java][SignOrEncryptAssertion][][][][][][][][][][][][][][][][][][][][][Signing the Assertion with ID: _3d7198afc374586b6b1b9cc625cd1d93849e ...][]
[05/06/2023][12:04:14.337][12:04:14][23296][139845653481216][AuthnRequestProtocol.java][closeupProcess][][][][][][][][][][][][][][][][][][][][][Failed to Sign Assertion. Exception Message : com.netegrity.SAML2Security.DSigException: Error in DSigSigner - Signing failed. Caught an Exception calling signXMLDocument using IXMLSignature. Exception: null
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(ActiveExpressionContext.java:282)
Caused by: com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. Exception: null
at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:891)
... 7 more
Caused by: java.lang.NullPointerException
at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:866)
... 7 more
[05/06/2023][12:04:14.337][12:04:14][23296][139845653481216][AssertionGenerator.java][invoke][][][][][][][][][][][][][][][][][][][][][AssertionHandler postProcess() failed. Leaving AssertionGenerator.][]
Release : 12.8.03 and above
The customer imported the new certificate as a trusted certificate only; the private key was not imported along with it.
As a result, the certificate was stored with the wrong type during import.
The difference in certificate type is visible in the Administrative UI under X509 Certificate Management.
For federation signing to work, the signing certificate must be stored together with its matching private key. Without the key, the Policy Server has nothing to sign the assertion with, so signing fails and DSigSigner reports the null (NullPointerException) error shown in the trace above.
Import the new certificate/private-key pair as a PKCS#12 file using smkeytool with the -keycertfile option.
e.g.
# smkeytool -addPrivKey -alias <alias> -keycertfile <key_cert_file> -password <password>
-password specifies the password that was used to encrypt the private key/certificate pair when the PKCS#12 file was created.
Then, in the Administrative UI, go to X509 Certificate Management, Trusted Certificates and Private Keys, and verify that the certificate TYPE is correct, i.e. the entry is listed with its private key rather than as a trusted certificate only. The new certificate should then be selectable in the federation partnership.
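The import step only fixes the problem if the PKCS#12 file actually carries the private key. The following shell script is an added example, not part of this article and not part of smkeytool: it uses openssl to check, before running smkeytool -addPrivKey, that a PKCS#12 bundle contains a private key and that the key's public half matches the certificate. The file names, the alias "signing", the password "changeit" and the self-signed certificate it generates are constructed for the demonstration; point p12_has_matching_key at your real bundle and password instead.

```shell
#!/bin/sh
# Added example (not from the article): pre-flight check for a PKCS#12 bundle
# before importing it with "smkeytool -addPrivKey -keycertfile ...".
# Requires the openssl CLI.

# p12_has_matching_key FILE PASSWORD
# Returns 0 when FILE contains a private key whose public key is identical to
# the public key in the bundled certificate; returns 1 when the bundle is
# certificate-only (the mistake described in this article), the password is
# wrong, or key and certificate do not belong together.
p12_has_matching_key() {
    p12="$1"; pw="$2"
    # Extract the private key (unencrypted, to stdout) and derive its public key.
    # On a cert-only bundle there is no key, so "openssl pkey" fails and we return 1.
    key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$key_pub" ] || return 1
    # Extract the end-entity certificate and its SubjectPublicKeyInfo.
    cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null \
               | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] || return 1
    # Both are PEM "PUBLIC KEY" blocks; they must match byte for byte.
    [ "$key_pub" = "$cert_pub" ]
}

# make_sample_bundles PASSWORD
# Constructed test data: a throwaway self-signed key/cert pair packed two ways.
#   keycert.p12  - key + certificate (what -addPrivKey expects)
#   certonly.p12 - certificate only (reproduces the failure in this article)
# Prints the directory holding the files.
make_sample_bundles() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=idp-signing-example" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -name signing -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -out "$dir/keycert.p12" -passout "pass:$1" >/dev/null 2>&1
    openssl pkcs12 -export -name signing -in "$dir/cert.pem" -nokeys \
        -out "$dir/certonly.p12" -passout "pass:$1" >/dev/null 2>&1
    echo "$dir"
}

# Demonstration: check both constructed bundles and report the verdict.
demo() {
    dir=$(make_sample_bundles changeit)
    for f in keycert.p12 certonly.p12; do
        if p12_has_matching_key "$dir/$f" changeit; then
            echo "$f: OK - private key present and matches certificate; safe for smkeytool -addPrivKey"
        else
            echo "$f: REJECT - no private key or key/cert mismatch; federation signing would fail"
        fi
    done
    rm -rf "$dir"
}

demo
```

Run the check against the bundle you intend to import; if it reports REJECT, re-export the PKCS#12 from the source that holds the private key (the key is never recoverable from the certificate alone), then import with -addPrivKey and confirm the TYPE in the Administrative UI.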