Getting "Error in DSig - Can't create SMKeyDatabase" on all Federation Partnerships after upgrading to Policy Server 12.8.1

Document ID : KB000122151
Last Modified Date : 30/11/2018
Issue:
After upgrading from 12.7 to 12.8.01, the following error messages are seen on all SAML federation partnerships.
Any time an SP-initiated AuthnRequest is attempted, it fails and the following appears in the FWSTrace logs and smps.log:

[Wed Nov 21 2018 09:22:41][SAMLAuthnRequestTunnelService.java][ERROR][sm-FedServer-00330] Exception when generating AuthnRequest: com.netegrity.SAML2Security.DSigException: Error in DSig - Can't create SMKeyDatabase.Exception occurred during creation of the XMLDocumentOps instance. Exception: org/slf4j/LoggerFactory
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Exception occurred during creation of the XMLDocumentOps instance. Exception: org/slf4j/LoggerFactory
at com.netegrity.smkeydatabase.api.XMLDocumentOpsFactory.getXMLDocumentOpsInstance(XMLDocumentOpsFactory.java:95)
at com.netegrity.SAML2Security.DSigSigner.initialize(Unknown Source)
at com.netegrity.SAML2Security.DSigSigner.<clinit>(Unknown Source)
at com.netegrity.saml2ps.tunnel.SAMLAuthnRequestTunnelService.signRawXML(Unknown Source)
at com.netegrity.saml2ps.tunnel.SAMLAuthnRequestTunnelService.tunnel(Unknown Source)
at com.netegrity.policyserver.smapi.TunnelServiceContext.tunnel(TunnelServiceContext.java:245)

 
Environment:
12.8.01 Policy Server
Any Web Agent and OS
 
Cause:
Some libraries may be missing from JVMOptions.txt. The exception message ends with the class name org/slf4j/LoggerFactory, and slf4j-api-1.7.25.jar appears only in the working file shown below. Also, if you have customized parameters, you need to add them to the JVMOptions.txt file in the new environment. The JVMOptions.txt file contains the settings that the Policy Server uses when creating the Java virtual machine that supports Federation Web Services. SAML 1.x, SAML 2.0, and WS-Federation use this file.
 
During a Policy Server upgrade, the existing JVMOptions.txt file is renamed to JVMOptions.txt.backup. A new JVMOptions.txt file is created.
 
Below is an example of a JVMOptions.txt from a non-working environment after upgrading the Policy Server to 12.8.1.
-server
-Xbootclasspath/p:D:/CA/siteminder/bin/endorsed/xercesImpl.jar;D:/CA/siteminder/bin/endorsed/xml-apis.jar;D:/CA/siteminder/bin/endorsed/resolver.jar;D:/CA/siteminder/bin/endorsed/serializer.jar
-Xrs
-Xms128m
-Xmx256m
-DNETE_PS_ROOT=D:/CA/siteminder
-Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
-Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
-Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
-Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser
-Djava.endorsed.dirs=D:/CA/siteminder/bin/endorsed
-Djava.class.path=D:/CA/siteminder/resources;D:/CA/siteminder/config/properties;D:/CA/siteminder/bin/jars/smbootstrap.jar
-Djava.util.logging.config.file=D:/CA/siteminder/config/properties/logging.properties
 
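Below is an example of a JVMOptions.txt from a working environment.
The highlighted parts are what was missing in the JVMOptions.txt of the impacted environment: the additional jars on the -Xbootclasspath/p and -Djava.class.path lines, and the -Dorg.apache.xml.security.ignoreLineBreaks=true line.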
 
-server
-Xbootclasspath/p:D:/CA/siteminder/bin/thirdparty/stax2-api-4.0.0.jar;D:/CA/siteminder/bin/thirdparty/woodstox-core-asl-4.4.1.jar;D:/CA/siteminder/bin/thirdparty/wss4j-ws-security-common-2.2.0.jar;D:/CA/siteminder/bin/thirdparty/wss4j-ws-security-dom-2.2.0.jar;D:/CA/siteminder/bin/endorsed/xercesImpl.jar;D:/CA/siteminder/bin/endorsed/xmlsec-2.1.2.jar;D:/CA/siteminder/bin/endorsed/xml-apis.jar;D:/CA/siteminder/bin/thirdparty/slf4j-api-1.7.25.jar;D:/CA/siteminder/bin/endorsed/resolver.jar;D:/CA/siteminder/bin/endorsed/serializer.jar
-Xrs
-Xms128m
-Xmx256m
-DNETE_PS_ROOT=D:/CA/siteminder
-Djavax.xml.parsers.DocumentBuilderFactory=org.apache.xerces.jaxp.DocumentBuilderFactoryImpl
-Djavax.xml.parsers.SAXParserFactory=org.apache.xerces.jaxp.SAXParserFactoryImpl
-Dorg.apache.xerces.xni.parser.XMLParserConfiguration=org.apache.xerces.parsers.XML11Configuration
-Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser
-Djava.endorsed.dirs=D:/CA/siteminder/bin/endorsed
-Djava.class.path=D:/CA/siteminder/resources;D:/CA/siteminder/config/properties;D:/CA/siteminder/bin/jars/smbootstrap.jar;D:/CA/siteminder/bin/thirdparty/log4j-api-2.10.0.jar;D:/CA/siteminder/bin/thirdparty/log4j-core-2.10.0.jar;D:/CA/siteminder/bin/thirdparty/log4j-slf4j-impl-2.10.0.jar
-Djava.util.logging.config.file=D:/CA/siteminder/config/properties/logging.properties
-Dorg.apache.xml.security.ignoreLineBreaks=true
 
 
Resolution:
Edit the JVMOptions.txt of the non-working environment to include the highlighted items above:
- The missing .jars
- The -Dorg.apache.xml.security.ignoreLineBreaks=true option
- Any customized parameters that you may have.
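
To find what the upgrade dropped, the regenerated JVMOptions.txt can be compared against a known-good copy (JVMOptions.txt.backup or a working environment). The following is an added example, not part of the original article or the product's tooling; the function names are hypothetical and the sample inputs are abbreviated from the two files shown above.

```python
import re

# Options whose value is a list of paths rather than a single setting.
PATH_KEYS = ("-Xbootclasspath/p:", "-Djava.class.path=")

def parse(text):
    """Split a JVMOptions.txt body into plain options and path-list entries."""
    plain, paths = set(), {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        key = next((k for k in PATH_KEYS if line.startswith(k)), None)
        if key is None:
            plain.add(line)
            continue
        value = line[len(key):]
        # Windows lists use ';'. UNIX lists use ':' and carry no drive letter.
        windows = ";" in value or re.match(r"[A-Za-z]:[\\/]", value)
        paths[key] = [e for e in value.split(";" if windows else ":") if e]
    return plain, paths

def basename(entry):
    return re.split(r"[\\/]", entry)[-1]

def diff_jvm_options(reference, current):
    """Return what `reference` has and `current` lacks; jars match by file name."""
    ref_plain, ref_paths = parse(reference)
    cur_plain, cur_paths = parse(current)
    missing = {}
    for key, entries in ref_paths.items():
        have = {basename(e) for e in cur_paths.get(key, [])}
        gone = [basename(e) for e in entries if basename(e) not in have]
        if gone:
            missing[key] = gone
    return sorted(ref_plain - cur_plain), missing

# Sample input: abbreviated from the two files above (memory/parser options omitted).
R = "D:/CA/siteminder"
BROKEN = f"""-server
-Xbootclasspath/p:{R}/bin/endorsed/xercesImpl.jar;{R}/bin/endorsed/xml-apis.jar;{R}/bin/endorsed/resolver.jar;{R}/bin/endorsed/serializer.jar
-Djava.class.path={R}/resources;{R}/config/properties;{R}/bin/jars/smbootstrap.jar
"""
WORKING = f"""-server
-Xbootclasspath/p:{R}/bin/thirdparty/stax2-api-4.0.0.jar;{R}/bin/thirdparty/woodstox-core-asl-4.4.1.jar;{R}/bin/thirdparty/wss4j-ws-security-common-2.2.0.jar;{R}/bin/thirdparty/wss4j-ws-security-dom-2.2.0.jar;{R}/bin/endorsed/xercesImpl.jar;{R}/bin/endorsed/xmlsec-2.1.2.jar;{R}/bin/endorsed/xml-apis.jar;{R}/bin/thirdparty/slf4j-api-1.7.25.jar;{R}/bin/endorsed/resolver.jar;{R}/bin/endorsed/serializer.jar
-Djava.class.path={R}/resources;{R}/config/properties;{R}/bin/jars/smbootstrap.jar;{R}/bin/thirdparty/log4j-api-2.10.0.jar;{R}/bin/thirdparty/log4j-core-2.10.0.jar;{R}/bin/thirdparty/log4j-slf4j-impl-2.10.0.jar
-Dorg.apache.xml.security.ignoreLineBreaks=true
"""

if __name__ == "__main__":
    options, jars = diff_jvm_options(WORKING, BROKEN)
    print("missing options:", options)
    print("missing path entries:", jars)
```

Jars are matched by file name so that a reference file from an installation under a different root directory still compares cleanly; plain options are compared as whole lines.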
 
Additional Information:
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/legacy-federation/review-the-jvmoptions-file-for-the-jvm

https://docops.ca.com/ca-single-sign-on/12-8/en/upgrading/in-place-upgrade/upgrade-policy-server#UpgradePolicyServer-UpdatetheJVMOptionsFilewithCustomizedParameters