Exception thrown while exporting metadata using smfedexport from Policy Server.

Document ID : KB000051508
Last Modified Date : 14/02/2018

Description:

The customer received an exception while executing the smfedexport command.

Command executed:
smfedexport -type saml2idp -expiredays 0 -username ***** -password **** -sign -pubkey

Exception occurred:
An exception occurred while signing metadata document. com.netegrity.SAML2Security.DSigException:
Caught an Exception calling signXMLDocument using IXMLSignature. null
java.lang.NullPointerException
at com.netegrity.smkeydatabase.api.XMLDocumentOpsImpl.signXMLDocument(XMLDocumentOpsImpl.java:1016)
at com.netegrity.SAML2Security.DSigSigner.signSAMLEnveloped(DSigSigner.java:254)
at com.ca.SAML2METADATA.utils.SMFedUtilities.signMetadata(SMFedUtilities.java:166)
at com.ca.smfedexport.tool.IDPMetadataProcessor.generateIdpDescriptor(IDPMetadataProcessor.java:209)
at com.ca.smfedexport.tool.SMFedExport.main(SMFedExport.java:108)

There is no exception if they execute the command without the -sign parameter.

Upon reviewing the list of certificates in the SmKeyDatabase, the "defaultenterpriseprivatekey" entry is associated with the type
"CertificateEntry" instead of "KeyEntry", so no private key is available to the signer.

Solution:

  1. Delete the existing "defaultenterpriseprivatekey" from the Smkeydatabase.

  2. Convert the private key from PEM (text) to DER (binary) PKCS#8 format with the following command:

    openssl pkcs8 -topk8 -inform PEM -outform DER -in <PEM private key file> -out <DER private key file>

  3. Ensure that the public certificate file is in PEM (text) format, i.e. Base64 encoded.

  4. Add the private key pair with the following sample command:

    smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -keyfile "c:\program files\netegrity\siteminder\certs\post-pkey.der" -certfile "c:\program files\netegrity\siteminder\certs\post-cert.crt" -password password

    The -keyfile argument is the location of the private key in DER format at the Identity Provider; for this deployment, that is post-pkey.der.
    The -certfile argument is the location of the public key certificate, post-cert.crt, and -password is the password associated with
    the private key, which here is simply "password".
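A pre-flight check for steps 2 and 3, added here as an example and not part of this document or CA's smkeytool: before running -addPrivKey it inspects the key file's DER structure to confirm it is PKCS#8 (distinguishing the unencrypted PrivateKeyInfo form, the encrypted form that openssl pkcs8 -topk8 produces by default, and a PKCS#1 RSA key that was merely converted to DER) and confirms the certificate file is a Base64 PEM CERTIFICATE block. The sample inputs are constructed ASN.1 skeletons, not real keys or certificates.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def pem_blocks(data):
    """Return [(label, decoded DER)] for every PEM block; [] if not PEM or the Base64 body is invalid."""
    blocks = []
    for label, body in PEM_RE.findall(data):
        try:
            blocks.append((label.decode(), base64.b64decode(b"".join(body.split()), validate=True)))
        except ValueError:
            return []
    return blocks

def classify_private_key(data):
    """Classify a key file against what step 2 requires: a DER-encoded PKCS#8 key."""
    if pem_blocks(data) or data.lstrip().startswith(b"-----BEGIN"):
        return "pem"                       # still text: the openssl conversion has not been done
    try:
        tag, body, end = der_tlv(data)
        if tag != 0x30 or end != len(data):
            return "unknown"
        first_tag, first_val, nxt = der_tlv(body)
        if first_tag == 0x02 and first_val == b"\x00":   # version 0: PrivateKeyInfo or RSAPrivateKey
            second_tag, _, _ = der_tlv(body, nxt)
            return "pkcs8-unencrypted" if second_tag == 0x30 else "pkcs1-rsa"
        if first_tag == 0x30:              # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
            return "pkcs8-encrypted"
    except IndexError:
        pass
    return "unknown"

def check_certificate(data):
    """Step 3: the certificate must be a PEM CERTIFICATE block whose Base64 body decodes to a DER SEQUENCE."""
    blocks = pem_blocks(data)
    return bool(blocks) and all(label == "CERTIFICATE" and der[:1] == b"\x30" for label, der in blocks)

def preflight(key_data, cert_data):
    """List what must change before smkeytool -addPrivKey is run (empty list means inputs look right)."""
    problems, kind = [], classify_private_key(key_data)
    if kind == "pem":
        problems.append("key is still PEM text: run the openssl pkcs8 -topk8 ... -outform DER conversion")
    elif kind == "pkcs1-rsa":
        problems.append("key is DER but PKCS#1 RSAPrivateKey, not PKCS#8: use openssl pkcs8 -topk8")
    elif kind == "unknown":
        problems.append("key file is not a recognisable PKCS#8 structure")
    if not check_certificate(cert_data):
        problems.append("certificate is not a Base64 PEM CERTIFICATE block")
    return problems

# Constructed samples (not real keys): a minimal PKCS#8 skeleton with the rsaEncryption OID and
# three dummy key bytes, and a PEM wrapper around a three-byte DER SEQUENCE standing in for a certificate.
SAMPLE_PKCS8_DER = bytes.fromhex("3017" "020100" "300d" "0609" "2a864886f70d010101" "0500" "0403300100")
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(b"\x30\x03\x02\x01\x01") + b"-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = b"-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_PKCS8_DER) + b"-----END PRIVATE KEY-----\n"
```

Run preflight() on the real post-pkey.der and post-cert.crt bytes; an empty list means the files match what steps 2 and 3 call for.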