Back channel SLO not working

Article ID: 38681

Products

- CA Single Sign On Secure Proxy Server (SiteMinder)
- AXIOMATICS POLICY SERVER
- CA Single Sign On SOA Security Manager (SiteMinder)
- CA Single Sign-On

Issue/Introduction

Issue:

- SLO is configured over the back channel with the authentication type set to "No Auth". When a user selects the logout button on the SP side, a certificate error is generated at the SP. "No Auth" only means the SP does not authenticate itself to the IdP's SOAP endpoint; the SP still opens a TLS connection to that endpoint and must validate its server certificate, and that validation is what fails below:

 

[02/18/2016][11:45:38][12041][64][1b88c8da-ad5e96c6-ccb42776-573df16f-9305d21d-786][MessageDispatcher.java][dispatchMessage][Dispatcher object thrown unknown exception while processing the message. Message: Certificate not verified..]
[02/18/2016][11:45:38][12041][64][1b88c8da-ad5e96c6-ccb42776-573df16f-9305d21d-786][MessageDispatcher.java][dispatchMessage][Exception:
javax.net.ssl.SSLException: Certificate not verified.
    at com.rsa.sslj.x.aG.b(Unknown Source)
    at com.rsa.sslj.x.aG.a(Unknown Source)
    at com.rsa.sslj.x.aG.a(Unknown Source)
    at com.rsa.sslj.x.ap.c(Unknown Source)
    at com.rsa.sslj.x.ap.a(Unknown Source)
    at com.rsa.sslj.x.ap.i(Unknown Source)
    at com.rsa.sslj.x.ap.h(Unknown Source)
    at com.rsa.sslj.x.aR.startHandshake(Unknown Source)
    at com.rsa.ssl.SSLSocket.getOutputStream(Unknown Source)
    at com.netegrity.srca.connection.SSLHandler.startSession(SSLHandler.java:339)
    at com.netegrity.srca.Srca.invoke(Srca.java:336)
    at com.netegrity.srca.Srca.invoke(Srca.java:269)
    at com.netegrity.srca.Srca.invoke(Srca.java:362)
    at com.netegrity.srca.Srca.invoke(Srca.java:269)
    at com.netegrity.srca.Srca.invoke(Srca.java:362)
    at com.netegrity.srca.Srca.invoke(Srca.java:269)
    at com.netegrity.srca.Srca.invoke(Srca.java:362)
    at com.netegrity.srca.Srca.invoke(Srca.java:269)
    at com.netegrity.srca.Srca.invoke(Srca.java:362)
    at com.netegrity.srca.Srca.invoke(Srca.java:269)
    at com.netegrity.srca.Srca.invoke(Srca.java:362)
    at com.netegrity.affiliateminder.webservices.MessageDispatcher.a(DashoA10*..:423)
    at com.netegrity.affiliateminder.webservices.MessageDispatcher.a(DashoA10*..:369)
    at com.ca.federation.backchannel.channelhandlers.fq.a(DashoA10*..:903)
    at com.ca.federation.backchannel.channelhandlers.fq.a(DashoA10*..:180)
    at com.ca.federation.servicehandlers.SOAPLogoutServiceHandler.sendLogoutRequest(DashoA10*..:101)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1720)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.processOutputMessage(DashoA10*..:1665)
    at com.netegrity.affiliateminder.webservices.c.a(DashoA10*..:2941)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1348)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.b(DashoA10*..:1299)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1261)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:1164)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.a(DashoA10*..:844)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.c(DashoA10*..:805)
    at com.netegrity.affiliateminder.webservices.saml2.SLOService.doGet(DashoA10*..:240)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
    at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)

Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Parameters must be PKIXParameters or be CertPathWithOCSPParameters containing

 

Environment:  

- Siteminder Policy Server 12.52 SP1 

- Weblogic Application Server 7

 

Cause:

- With the application server release listed above and later, the application server (referred to below as the WAS) reads its TLS security settings, including the configured trust manager and its OCSP revocation-checking parameters, from the file "security.xml" in <install_dir>\AppServer\profiles\<server_name>\config\cells\<cell_name> instead of from the JRE's java.security file. The trust manager configured there applies OCSP checking to the back-channel TLS handshake the SP opens when sending the LogoutRequest, and that validation fails with the "Certificate not verified" / "the certificate chain is not trusted ... CertPathWithOCSPParameters" errors shown above.

 

Workaround:

- OCSP needs to be disabled in the WAS in order for back-channel SLO to work properly:

- Make a backup of the security.xml file (name the copy "security.xml.backup" or something similar) so you can revert, should this not resolve the issue.

- Within the security.xml file:

- Locate the XML block that begins with <trustManagers> and ends with </trustManagers>.

- Comment out that entire block with an XML comment (<!-- ... -->); do not delete it, so it can be restored later.

- Restart all servers involved in the back-channel SLO process, and test.

- Note that this disables the configured trust manager, and with it OCSP revocation checking, for every TLS connection that uses that SSL configuration, not only back-channel SLO. Treat it as a workaround and keep the backup so the original trust manager configuration can be restored.
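The steps above (back up security.xml, comment out every trustManagers block, confirm the file is still well-formed) as a script. This is an added example, not CA/Broadcom or IBM code; the sample security.xml it runs on is constructed, and the element and attribute names in it (sslConfig, IbmPKIX, additionalTrustManagerAttrs, ocsp.enable) are assumptions for illustration, not copied from a real server.

```python
"""Comment out every <trustManagers> element in a WebSphere-style security.xml.

Added example for the workaround above; not CA/Broadcom or IBM code.
The sample file below is constructed to look like a security.xml and the
element and attribute names in it are assumptions, not copied from a server.
"""
import re
import shutil
import tempfile
import xml.dom.minidom
from pathlib import Path

# Constructed sample in the shape of a security.xml (element names assumed).
SAMPLE_SECURITY_XML = """<!-- constructed sample, not a real server file -->
<security:Security xmlns:security="urn:example:security" xmlns:xmi="urn:example:xmi">
  <sslConfig xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings">
    <trustManagers xmi:id="TrustManager_1" name="IbmPKIX" algorithm="IbmPKIX">
      <additionalTrustManagerAttrs xmi:id="Attr_1" name="ocsp.enable" value="true"/>
    </trustManagers>
    <trustManagers xmi:id="TrustManager_2" name="IbmX509" algorithm="IbmX509"/>
  </sslConfig>
</security:Security>
"""

# A self-closing <trustManagers .../> or a paired <trustManagers ...>...</trustManagers>
# block; DOTALL lets the paired form span several lines.
TRUST_MANAGER_RE = re.compile(
    r"<trustManagers\b[^>]*?/>|<trustManagers\b[^>]*>.*?</trustManagers>", re.DOTALL
)
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def active_trust_manager_count(xml_text: str) -> int:
    """Number of trustManagers elements the parser still sees (commented ones do not count)."""
    doc = xml.dom.minidom.parseString(xml_text.encode("utf-8"))
    return len(doc.getElementsByTagName("trustManagers"))


def comment_out_trust_managers(xml_text: str) -> tuple[str, int]:
    """Wrap each live trustManagers element in an XML comment.

    Returns (new_text, number_of_elements_commented). Elements already inside a
    comment are skipped, so running this twice is safe, and the result is
    re-parsed so a malformed edit never reaches the server.
    """
    comment_spans = [m.span() for m in COMMENT_RE.finditer(xml_text)]
    out, pos, count = [], 0, 0
    for m in TRUST_MANAGER_RE.finditer(xml_text):
        start, end = m.span()
        if any(cs < end and start < ce for cs, ce in comment_spans):
            continue  # overlaps an existing comment; leave it alone
        # "--" is illegal inside an XML comment, so neutralise it before wrapping.
        block = m.group(0).replace("--", "- -")
        out.append(xml_text[pos:start])
        out.append("<!-- disabled: back-channel SLO workaround\n" + block + "\n-->")
        pos, count = end, count + 1
    out.append(xml_text[pos:])
    new_text = "".join(out)
    xml.dom.minidom.parseString(new_text.encode("utf-8"))  # raises if not well-formed
    return new_text, count


def apply_workaround(security_xml: Path) -> int:
    """Back up security.xml as security.xml.backup, then rewrite it in place."""
    backup = security_xml.with_name(security_xml.name + ".backup")
    if backup.exists():
        raise FileExistsError(f"refusing to overwrite existing backup {backup}")
    shutil.copy2(security_xml, backup)
    new_text, count = comment_out_trust_managers(security_xml.read_text(encoding="utf-8"))
    security_xml.write_text(new_text, encoding="utf-8")
    return count


def demo() -> tuple[int, bool]:
    """Run the workaround on a temporary copy of the sample; returns
    (elements commented out, backup is identical to the original)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "security.xml"
        path.write_text(SAMPLE_SECURITY_XML, encoding="utf-8")
        count = apply_workaround(path)
        backup_text = path.with_name("security.xml.backup").read_text(encoding="utf-8")
        return count, backup_text == SAMPLE_SECURITY_XML


if __name__ == "__main__":
    edited, n = comment_out_trust_managers(SAMPLE_SECURITY_XML)
    print(f"commented out {n} trustManagers element(s); "
          f"{active_trust_manager_count(edited)} remain active")
    # On a real server, point apply_workaround at
    # <install_dir>\AppServer\profiles\<server_name>\config\cells\<cell_name>\security.xml
    # and restart the servers afterwards, as the workaround steps describe.
```

The script refuses to overwrite an existing backup, skips blocks that are already commented out, and re-parses the edited file before writing it, so a typo in a hand edit cannot leave the server with an unparseable security.xml.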

Component: SMPLC