Layer 7 Access Management

Tech Tip : CA Single Sign-On : Can not sign Assertion with ID 

  • 1.  Tech Tip : CA Single Sign-On : Can not sign Assertion with ID 

    Posted 06-22-2018 10:42 AM

    Issue:

     

    We're running a Policy Server, and by Federation request, the signing
    feature for assertion fails :

    SAML transactions are failing:

    smtracedefault.log:

    1. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
    [SignOrEncryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd]
    [][][][][][][][][][][][][][][][][][][][Can
    not sign Assertion with ID: _19d016651fa5b40a5ad648c79e76b7e1ab4f
    Error: Caught an Exception calling signXMLDocument using
    IXMLSignature. nulljava.lang.NullPointerException

    at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(Unknown Source)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
    at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.ProtocolBase.signOrEncryptAssertion(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.AuthnRequestProtocol.closeupProcess(Unknown Source)
    at com.netegrity.assertiongenerator.saml2.AssertionHandlerSAML20.postProcess(Unknown Source)
    at com.netegrity.assertiongenerator.AssertionGenerator.invoke(Unknown Source)
    at com.netegrity.policyserver.smapi.ActiveExpressionContext.invoke(Unknown Source)

    ][][][][][][][][][][][][][][][]

    2. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][AuthnRequestProtocol.java]
    [closeupProcess][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][][][][][]
    [][][][][][][][][][No Assertion is found to sign.][][][][][][][][][][][][][][][]

    3. [06/20/2018][19:54:53.844][19:54:53][14755][140230464100096][ProtocolBase.java]
    [encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][][]
    [][][][][][][][][][][][][][Total Assertions to Encrypt: 1][][][][][][][][][][][][][][][]

    How can we fix this ?

     

    Cause:

     

     

    We have seen this message :

    [06/20/2018][19:54:53.848][19:54:53][14755][140230464100096][ProtocolBase.java]
    [encryptAssertion][25fbad5f-ba854e77-6a22d699-93190504-19958bb1-5fd][][][][][]
    [][][][][][][][][][][][][][][Error
    Encrypting Assertion:0 Error in SAML2EncryptDecrypt encrypt -
    Marshalling Assertion failed. encrypt: Error encrypting XML
    Document. Error encrypting XML Document. Illegal key size or default
    parameters][][][][][][][][][][][][][][][]

    This error indicates that there could be some issues with Java JCE policy files.

     

    Resolution:

     

    Apply the JCE files to the JDK installation that you've set with the
    Policy Server :

    JCE—Verify that JRE supports unlimited key strength in the Java
    Cryptography Extension (JCE) package.

    For JDK 1.8_151 and later, perform the following steps:
    Navigate to the jdk_home/jre/lib/security directory and open the java.security file.
    Uncomment the following line:

    crypto.policy=unlimited

    Save the file.

    For the other previous versions of JDK, perform the following steps:

    Locate the JCE package for your operating system from the Oracle
    website.

    Download the unlimited JCE package for the Java version that is
    supported by CA Single Sign-On.

    Navigate to the jdk_home\jre\lib\security directory on your system
    and apply the patch to the following files:

    local_policy.jar

    US_export_policy.jar

    jdk_home specifies the location of the Java installation.

    https://docops.ca.com/ca-single-sign-on/12-7/en/installing/install-a-policy-server/install-policy-server-on-windows#InstallPolicyServeronWindows-ReviewtheConsiderations


    KB : KB000102905