ValueOps ConnectALL Product Community


Tech Tip - CA Single Sign-On: Exception thrown while exporting metadata using smfedexport tool

By wonsa03 posted Jun 10, 2016 02:19 AM

  

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 10th June 2016

 

Description:

Exception is returned while executing the following smfedexport command:

 

smfedexport -type saml2idp -expiredays 0 -username ***** -password **** -sign -pubkey

 

Exception returned:

An exception occurred while signing metadata document.
com.netegrity.SAML2Security.DSigException: Caught an Exception calling signXMLDocument using IXMLSignature. null
java.lang.NullPointerException
    at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:1016)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:254)
    at com.ca.SAML2METADATA.utils.SMFedUtilities.signMetadata(SMFedUtilities.java:166)
    at com.ca.smfedexport.tool.IDPMetadataProcessor.generateIdpDescriptor(IDPMetadataProcessor.java:209)
    at com.ca.smfedexport.tool.SMFedExport.main(SMFedExport.java:108)

 

The same command completes without an exception when the -sign option is omitted, so the failure is confined to the signing step.

 

Inspecting the entries in the smkeydatabase shows that the "defaultenterpriseprivatekey" alias is stored as a "CertificateEntry" rather than a "KeyEntry", so there is no private key under that alias for the signer to use.

 

Solution:

  1. Delete the existing "defaultenterpriseprivatekey" entry from the smkeydatabase.

  2. Then convert the private key from PEM(text) file to DER(binary) format with following command:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM private key file> -out <DER private key file>

  3. Ensure that the public certificate file is in PEM(text) and BASE64 encoded.

  4. Add the cert/key pair with the following command:

    smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -keyfile "c:\siteminder\certs\post-pkey.der" -certfile "c:\siteminder\certs\post-cert.crt" -password password

 

 

In this command, -keyfile references the private key (PKCS#8, DER format), -certfile references the public certificate (PEM, Base64 encoded), and -password is the password protecting the private key. After the import, the alias should be listed as a KeyEntry, and smfedexport with -sign should complete without the exception.
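The tip implies that the two input files were of the wrong kind for the alias to become a KeyEntry. The following is an added Python example, not CA code and not part of the original tip, that inspects the files destined for -keyfile and -certfile before smkeytool is run: it decodes just enough DER to tell a PKCS#8 PrivateKeyInfo from a PEM-wrapped key, a PKCS#1 RSAPrivateKey or an X.509 certificate, and checks that the certificate file is Base64 PEM text. It assumes (the tip does not say so explicitly) that a certificate or a PEM key handed to -keyfile is what leaves the alias as a CertificateEntry. The fixtures it builds are synthetic DER structures with empty key and TBSCertificate bodies, not real keys.

```python
# Pre-flight checker for the smkeytool -addPrivKey inputs (added example, not CA code).
# Assumption: a non-PKCS#8 -keyfile is what produced the CertificateEntry described in the tip.
import base64
import re

# 1.2.840.113549.1.1.1 (rsaEncryption); used only to build the synthetic fixtures below.
RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der(tag, payload):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def tlv(buf, off=0):
    """Decode the TLV at buf[off:]; return (tag, value, next_off) or None if malformed."""
    if off + 2 > len(buf):
        return None
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F            # number of length bytes; 0 means indefinite, which DER forbids
        if k == 0 or off + k > len(buf):
            return None
        n = int.from_bytes(buf[off:off + k], "big")
        off += k
    if off + n > len(buf):
        return None
    return tag, buf[off:off + n], off + n


def children(payload):
    """Split a SEQUENCE payload into [(tag, value), ...]; None if it does not parse."""
    out, off = [], 0
    while off < len(payload):
        item = tlv(payload, off)
        if item is None:
            return None
        out.append(item[:2])
        off = item[2]
    return out


def classify_key(data):
    """Label the -keyfile contents; only 'pkcs8-der' is what smkeytool expects."""
    m = PEM_RE.search(data)
    if m:
        return "pem:" + m.group(1).decode()   # text, so it still needs openssl pkcs8 ... -outform DER
    top = tlv(data)
    if top is None or top[0] != 0x30 or top[2] != len(data):
        return "not-der"
    items = children(top[1]) or []
    if len(items) < 3:
        return "not-der"
    (t0, v0), (t1, _), (t2, _) = items[:3]
    if t0 == 0x02 and v0 in (b"\x00", b"\x01") and t1 == 0x30 and t2 == 0x04:
        return "pkcs8-der"          # PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING
    if t0 == 0x02 and t1 == 0x02:
        return "pkcs1-der"          # raw RSAPrivateKey: version, modulus, exponent, ...
    if t0 == 0x30 and t1 == 0x30 and t2 == 0x03:
        return "der-certificate"    # Certificate: tbsCertificate, signatureAlgorithm, BIT STRING
    return "unknown-der"


def classify_cert(data):
    """Label the -certfile contents; only 'pem-certificate' is what smkeytool expects."""
    m = PEM_RE.search(data)
    if m is None:
        top = tlv(data)
        items = children(top[1]) if top and top[0] == 0x30 and top[2] == len(data) else None
        if items and items[0][0] == 0x30:
            return "der-certificate"    # binary; convert with openssl x509 -inform DER -outform PEM
        return "not-a-certificate"
    label = m.group(1).decode()
    if label != "CERTIFICATE":
        return "pem:" + label           # e.g. a private key handed to -certfile
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:
        return "bad-base64"
    top = tlv(body)
    if top is None or top[0] != 0x30 or top[2] != len(body):
        return "pem-body-not-der"
    return "pem-certificate"


def preflight(key_bytes, cert_bytes):
    """Problems to fix before running smkeytool -addPrivKey; an empty list means go ahead."""
    problems = []
    k = classify_key(key_bytes)
    if k.startswith("pem:"):
        problems.append(f"keyfile is {k}: PEM text; run openssl pkcs8 -topk8 -inform PEM -outform DER first")
    elif k == "der-certificate":
        problems.append(f"keyfile is {k}: a certificate, not a private key; the alias would not become a KeyEntry")
    elif k != "pkcs8-der":
        problems.append(f"keyfile is {k}: re-wrap the key as PKCS#8 with openssl pkcs8 -topk8")
    c = classify_cert(cert_bytes)
    if c != "pem-certificate":
        problems.append(f"certfile is {c}: must be a Base64 PEM certificate")
    return problems


def sample_files():
    """Constructed fixtures with empty key/TBS bodies: structurally valid DER, no real secrets."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    pkcs8 = der(0x30, der(0x02, b"\x00") + alg + der(0x04, der(0x30, b"")))
    pkcs1 = der(0x30, der(0x02, b"\x00") + der(0x02, b"\x0d") + der(0x02, b"\x03"))
    cert = der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00"))

    def pem(label, body):
        b64 = base64.b64encode(body)
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        return b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines) + b"\n-----END " + label + b"-----\n"

    return {"pkcs8_der": pkcs8, "pkcs1_pem": pem(b"RSA PRIVATE KEY", pkcs1),
            "cert_pem": pem(b"CERTIFICATE", cert), "cert_der": cert}


if __name__ == "__main__":
    s = sample_files()
    print("good pair  :", preflight(s["pkcs8_der"], s["cert_pem"]))
    print("PEM key    :", preflight(s["pkcs1_pem"], s["cert_pem"]))
    print("cert as key:", preflight(s["cert_der"], s["cert_der"]))
```

To run it against real files, pass the raw bytes of post-pkey.der and post-cert.crt to preflight(). The checker only looks at structure; it does not confirm that the certificate actually belongs to the private key, which is worth doing separately by comparing the output of openssl x509 -noout -pubkey on the certificate with openssl pkey -pubout on the key before adding the pair under the alias.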
