Symantec Access Management


Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

  • 1.  Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Oct 02, 2015 12:20 PM


    We have set up SiteMinder protection for SharePoint with an Agent for SharePoint Proxy Server and Agent. We are currently moving to a new policy server and have exported and imported policy store objects from the old policy server/store (12.51/AD LDS) to the new policy server/store (12.52/AD LDS). However, with the new policy servers, we are receiving the errors below:

     

    [AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception:

    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while initializing signing certificate.

    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: For input string: "{RC2}******************************************************************************************************************************{RC2}yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

     

    An Apache Tomcat error is seen on the SharePoint side.

     

    When we switch back to the old policy server, SharePoint works as normal. The same certificate is being used on both the old and new policy servers, and this certificate has been imported into the SharePoint Central Administration server. Can anyone offer any clue as to what may be the issue?

     

    Thanks,
    Jaime



  • 2.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Oct 07, 2015 11:17 AM

    Jamie JaimeBritton62352722

     

    When moving from "R12.51 / AD LDS" to "R12.52 / AD LDS", what command was used to export and import the policies? Did we check the export file to see whether the certs were exported too?

     

    Also, could we run 'smkeytool -listCerts' on both machines and make sure that the certs are getting listed? Source the ENV variables before running the command line tool. The tool is available under the <Policy_Server_Install_Home>/bin folder.

     

    smkeytool -listCerts         [This would list all certs].

    OR

    smkeytool -listCerts -alias <alias_name>         [This would list only a particular cert].

    Also check the R12.51 and R12.52 "Read Me" files. What exact version of R12.51 are we on? Is it R12.51 CR00 or CR01...? The reason being, I vaguely remember there being an encryption key issue which was fixed in CR01 or thereabouts. I haven't seen any details about SSO between your R12.51 infrastructure and R12.52 infrastructure (e.g. where is your Key Store?). This could be another contributor to the issue.

     

     

    Regards

     

    Hubert



  • 3.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Aug 30, 2016 02:13 PM

    HubertDennis

    Hey Hubert,

    I have a similar issue but with a different scenario. I am integrating SharePoint and have included the certificate in Certificate Manager in the Admin UI. I did try to list the certs using smkeytool, and the certificate is listed. But I still get an error:

     

    [AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception:
    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - Can't get certificate associated with the alias: *******

     

    I have the same alias name configured in the SharePoint Connection Wizard too.

     

    Any idea that could help me to resolve this would be great.

     

    We are using R12.52 and I get an Apache Tomcat error.

     

    *******Resolved******

     

    I got the alias name wrong; after correcting it, I am running into a different issue now.

     

    [AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception:
    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while signing XML document.
    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. nulljava.lang.NullPointerException

     

    Does it ring a bell?



  • 4.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Aug 30, 2016 06:09 PM

    Most likely possibility:

    Could we check that the "defaultenterpriseprivatekey" is not expired, and if it is expired, replace it with a valid certificate? I know the question does arise: "I am not using defaultenterpriseprivatekey to sign the SharePoint WSFED token?". But I have seen in my experience that during migration, if the "defaultenterpriseprivatekey" is not populated correctly, it has a cascading effect on other certs.



  • 5.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Aug 30, 2016 11:51 PM
    [Error while signing Assertion! Exception:  com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol: Exception when signing SAML Assertion - WSFEDSigner: Exception while signing XML document.  com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. nulljava.lang.NullPointerException 

     

    Removing and re-importing the 'defaultenterpriseprivatekey' into the smkeydatabase resolved the assertion failure.

     

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec529285.aspx 

    Hope this helps!

     

    Peace 

    Hubert



  • 6.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Aug 31, 2016 08:10 AM

    HubertDennis

    Thank you Hubert. But yes, as you said, I am not using "defaultenterprisekey". However, how do I find whether defaultenterprisekey is present and corrupted? I don't see any Certs folder under SiteMinder!!

    And yes, if I haven't mentioned it earlier, I am using a self-signed certificate created using openssl. And while importing the certificate into the AdminUI, I imported only the .cer and not the private key. Do I have to import the private key also?



  • 7.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Aug 31, 2016 08:27 AM

    Christie

     

    Since, as an AP (Account Partner in WSFED), we are signing the WSFED token, this is done via the private key. Thus on the AP side we need to have both the private key and public certificate imported. We have only imported the public certificate and not the private key. This is wrong. We should be importing the private key and public certificate.

     

    Please import both the private key and public certificate using the WAMUI, then retest.

     

    As for the other queries, an alias name is something that we provide. "defaultenterpriseprivatekey" is something that we provide as an alias for a designated private key and public cert pair. The benefit is that if for any reason we configured a Federation Object and forgot to mention an alias which would sign the assertion, then the product defaults to using "defaultenterpriseprivatekey". The older version of the product had stricter rules surrounding the usage and mandatory implementation of one key pair as "defaultenterpriseprivatekey". A lot has been relaxed in the current R12.52 release regarding the usage and mandatory implementation of "defaultenterpriseprivatekey". I will not go into much detail, as there is much to say and it is not needed for the scope of the current issue.

     

    We can manage all certificates using the WAMUI. You can also generate a self-signed certificate using the WAMUI (I would suggest using the WAMUI as primary) or the command line.

     

    Overview : Key and Certificate Management - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    WAM UI : Import Trusted Certificates and Key Certificate Pairs - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    Command Line : CA SiteMinder® Key Tool - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation  

    Peace

    Hubert



  • 8.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Sep 01, 2016 02:18 AM

    HubertDennis

    Thanks Hubert, I did try that, but I still get the same error, and I think this might possibly be due to SPS, since I get the error below.

     

    Error Details

    Request URI: /
    Error Type: SPS Exception
    Error Code: Noodle_ConnectException
    Message: Connection refused remotely, no process is listening on the remote address/port.

     

    And I am trying to resolve it by going through another piece of your content in the article below, and I still get the same error.

     

    Noodle ConnectException 

    Will dig in more and let you know.

     

    Thanks again by the way.



  • 9.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Sep 01, 2016 03:07 AM

    HubertDennis

     

    No go!!!



  • 10.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Sep 01, 2016 07:49 AM

    Christie

     

    This error that you see, i.e.

     

    [AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception:
    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while signing XML document.
    com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. nulljava.lang.NullPointerException

     

    In which logs are you seeing this error? Is it in the SharePoint Agent log or the Policy Server log?

     

    If you are seeing this error in the SharePoint Agent FWSTrace.log, have we stopped and started the SharePoint Agent services after importing the private key and public cert on the Policy Server WAMUI?

     

    Again, on the policy server side, you mentioned you had only imported the public cert. So did you first delete that public cert from the WAMUI, then proceed to import the private key and public cert simultaneously, at the same time, using the WAMUI?

     

    So the steps would be:

     

    1. Log in to the WAM UI.
    2. Delete the imported public cert.
    3. Add the private key and public cert.
    4. Log in to the SharePoint Agent Server machine. Make sure in the Affiliate Domain the alias mapping is still present by re-running the SharePoint Connection Wizard and choosing Edit Connection.
      1. Now, just because the Affiliate Domain has the alias name mapping, it does not mean everything is all right. Remember, in SiteMinder all objects are linked by OIDs. We deleted the public cert, so that link may now be dirty. We have to re-establish that link.
      2. Submit the Edit Connection Wizard, such that it refreshes the object link between the newly imported certificate (key pair) and the existing affiliate domain.
    5. Log in to the SharePoint Agent Server, stop and start services.
    6. Test.


    Also, I don't think the noodle exception is linked to assertion signing. They are two different code paths, independent of each other. So please let us not discuss the noodle exception in this thread.


    Another suggestion I have for you: you mentioned having generated the self-signed certificate using openssl and then importing that into the WAMUI. My suggestion would be to create a new self-signed certificate from the WAMUI, or a proper CA-signed certificate (by generating a CSR) from the WAM UI. Provide a new alias name for the certificate key pair created via the WAM UI and then use this new alias name in the SharePoint Connection Wizard. Now test the journey.

    Peace

    Hubert



  • 11.  Re: Exception when Signing SAML Assertion for SiteMinder Integration with Sharepoint

    Posted Sep 02, 2016 12:47 PM

    Hey HubertDennis,

     

    Thanks a lot man, I got this issue resolved. As you said, the link didn't get properly established, even after re-importing the certificate and key twice. So I thought of restarting the policy server, and that worked its magic.
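The thread surfaces three distinct sm-FedServer-00120 signing failures, each traced to a different cause (certs not migrated or defaultenterpriseprivatekey unhealthy; wrong alias; private key missing or stale key-pair link). As an added example that is not part of the original thread or the product, the script below triages FWSTrace.log-style lines into those causes with the checks the thread arrived at. The log lines and the alias name are constructed, and the diagnosis labels are my own.

```python
"""Triage helper for the sm-FedServer-00120 signing failures discussed in this thread."""
import re

# Constructed sample lines modelled on the FWSTrace.log excerpts quoted in the thread
# (multi-line stack traces collapsed onto one line; alias name is made up).
SAMPLE_LOG = """
[AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception: com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while initializing signing certificate.
[AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception: com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - Can't get certificate associated with the alias: sharepoint-signer
[AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception: com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while signing XML document. Caught an Exception calling signXMLDocument using IXMLSignature. nulljava.lang.NullPointerException
[AssertionGenerator.java][INFO] postProcess() completed
"""

# Ordered (pattern, diagnosis, checks) rules; diagnoses and checks follow the thread's resolutions.
RULES = [
    (re.compile(r"Exception while initializing signing certificate"),
     "signing key material not loaded",
     ["run smkeytool -listCerts on old and new policy servers; confirm certs were migrated",
      "verify defaultenterpriseprivatekey is present and not expired"]),
    (re.compile(r"Can't get certificate associated with the alias: (\S+)"),
     "alias mismatch",
     ["compare the alias in the SharePoint Connection Wizard with smkeytool -listCerts -alias <alias>"]),
    (re.compile(r"Exception while signing XML document.*NullPointerException"),
     "private key missing or stale key-pair link",
     ["import private key AND public cert together via WAMUI",
      "re-run SharePoint Connection Wizard (Edit Connection) to refresh the OID link",
      "restart SharePoint Agent services, then the policy server if it still fails"]),
]

def triage(log_text):
    """Return one (diagnosis, alias_or_None, checks) tuple per sm-FedServer-00120 line."""
    findings = []
    for line in log_text.splitlines():
        if "sm-FedServer-00120" not in line:
            continue  # only signing failures are of interest here
        for pattern, diagnosis, checks in RULES:
            m = pattern.search(line)
            if m:
                alias = m.group(1) if m.groups() else None
                findings.append((diagnosis, alias, checks))
                break
        else:  # no rule matched: surface it rather than drop it
            findings.append(("unclassified signing failure", None, ["inspect the full stack trace"]))
    return findings

if __name__ == "__main__":
    for diagnosis, alias, checks in triage(SAMPLE_LOG):
        print(diagnosis, alias or "", "->", "; ".join(checks))
```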