Tech Tip : CA Single Sign-On : Can not sign Assertion with ID 

    Broadcom Employee
    Posted Jun 22, 2018 10:42 AM



    We're running a Policy Server, and on a Federation request, signing
    of the assertion fails:

    SAML transactions are failing:


    1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][]
    not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f
    Error: Caught an Exception calling signXMLDocument using
    IXMLSignature. nulljava.lang.NullPointerException

    at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)


    2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][]
    [][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]

    3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][]
    [][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]

    How can we fix this?





    We have seen this message:

    Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt -
    Marshalling Assertion failed. encrypt: Error encrypting XML
    Document. Error encrypting XML Document. Illegal key size or default

    This error indicates a possible problem with the Java JCE policy files.




    Apply the JCE files to the JDK installation that you've configured
    for the Policy Server:

    JCE: Verify that the JRE supports unlimited key strength in the Java
    Cryptography Extension (JCE) package.

    For JDK 1.8_151 and later, perform the following steps:
    Navigate to the jdk_home/jre/lib/security directory and open the file.
    Uncomment the following line:


    Save the file.

    For earlier versions of the JDK, perform the following steps:

    Locate the JCE package for your operating system from the Oracle

    Download the unlimited JCE package for the Java version that is
    supported by CA Single Sign-On.

    Navigate to the jdk_home\jre\lib\security directory on your system
    and apply the patch to the following files:



    jdk_home specifies the location of the Java installation.

    KB : KB000102905
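
    One way to confirm that the JDK accepts large keys after applying the steps above, as an added example that is not part of the original tech tip or of the product's code. The class name and the choice of AES-256 as the test cipher are assumptions; compile and run it with the same JDK that the Policy Server is configured to use.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical class name): checks the JCE key-strength policy
// of the JDK that runs it. AES-256 is an assumed, representative test case.
public class JceStrengthCheck {

    // True when the active JCE policy allows keys of at least `bits` bits.
    static boolean allows(String algorithm, int bits) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(algorithm) >= bits;
    }

    // Attempts a real AES-256 encryption. With limited policy files, init()
    // throws InvalidKeyException ("Illegal key size ..."), as in the error above.
    static boolean canEncryptAes256() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero test key, not for real data
        byte[] iv = new byte[16];  // constructed all-zero IV, test only
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            c.doFinal("jce-check".getBytes("UTF-8"));
            return true;
        } catch (InvalidKeyException e) {
            System.out.println("AES-256 init failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Print which JDK is being tested so it can be matched to the Policy Server's.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        boolean ok = allows("AES", 256) && canEncryptAes256();
        System.out.println(ok ? "PASS: AES-256 is permitted by the JCE policy"
                              : "FAIL: limited JCE policy is active on this JDK");
        System.exit(ok ? 0 : 1); // non-zero exit code for use in scripts
    }
}
```

    A limited policy reports a maximum AES key length of 128 bits and exits with status 1; restart the Policy Server after changing the policy so that its JVM picks up the new setting.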