Getting HTTP error 500 after logging in at the portal

Document ID : KB000026828
Last Modified Date : 14/02/2018

Description:

December 11, 2006 20:59:14.376 PM[17192413:E] portaldispatcher: Error sending SOAP msg
  December 11, 2006 20:59:14.376 PM[17192413:E] portaldispatcher:Received exception com.rsa.ssl.AlertedException: certificate
 unknown while building <AFFILIATEMSG><AFFMETHOD>GET_ASSERTION_FROM_REFERENCE</AFFMETHOD><PNAME>PORTAL_NAME</PNAME>
<PVALUE>http://site.ca.com</PVALUE><PNAME>COMPANY_SOURCEID</PNAME><PVALUE>b818452610a0ea431bff69dd346aeeff83128b6a</PVALUE>
<PNAME>AFFILIATE_NAME</PNAME><PVALUE>citdecaddfsso</PVALUE><PNAME>ASSERTION_REFERENCE</PNAME>
<PVALUE>AAG4GEUmEKDqQxv/ad00au7/gxKLakc5VheoU+LdFAQL7sVuJU6+dluA</PVALUE><PNAME>PORTAL_URL</PNAME>
<PVALUE>https://site.ca.com/affwebservices/assertionretriever</PVALUE></AFFILIATEMSG>
December 11, 2006 20:59:14.392 PM[17192413:E] Exception Stack Trace: com.rsa.ssl.AlertedException: certificate unknown
at com.rsa.ssl.common.ClientProtocol.sendHello(ClientProtocol.java:264)
at com.rsa.ssl.common.ClientProtocol.startHandshake(ClientProtocol.java:377)
at com.rsa.ssl.SSLSocket.getInputStream(SSLSocket.java:253)
at com.netegrity.srca.connection.SSLHandler.startSession(SSLHandler.java:203)
at com.netegrity.srca.Srca.invoke(Srca.java:211)
at com.netegrity.srca.Srca.invoke(Srca.java:225)
at com.netegrity.srca.Srca.invoke(Srca.java:225)
at com.netegrity.srca.Srca.invoke(Srca.java:225)
at com.netegrity.srca.Srca.invoke(Srca.java:225)
at com.netegrity.srca.Srca.invoke(Srca.java:225)
at com.netegrity.affiliateconnection.SmAffPortalDispatcher.ProcessMsg(SmAffPortalDispatcher.java:239)
at com.netegrity.affiliateserver.SmAffPortalMsgHandler.SendPortalMsg(SmAffPortalMsgHandler.java:95)
at com.netegrity.affiliatemsgs.SmAffGetAssertionMsgHandler.Process(SmAffGetAssertionMsgHandler.java:144)
at com.netegrity.serverframework.SmMsgDispatcher.run(SmMsgDispatcher.java:132)
  
December 11, 2006 20:59:14.392 PM[17192413:PortalDispatcher] Received empty response message from the portal.
December 11, 2006 20:59:14.392 PM[17192413:E] Error sending GetAssertion message to Poratl. Error String: 
December 11, 2006 20:59:14.392 PM[17192413:smaffserver] GetAssertion txn processed
December 11, 2006 20:59:14.392 PM[17192413:SmMsgDispatcher] Sending the following response to the IPC client:
 <AFFILIATEMSG><AFFMETHOD>GET_ASSERTION_FROM_REFERENCE</AFFMETHOD><RETURN>0</RETURN></AFFILIATEMSG>
December 11, 2006 20:59:14.392 PM[AFFAGENT:0:2940:Process] The GetAssertionFromRef service could not be reached. ErrorCode: '%d', ErrorMsg: '%s'.
December 11, 2006 20:59:14.392 PM[AFFAGENT:0:2940:ReturnError] Received the following error code: -5.
December 11, 2006 20:59:14.392 PM[AFFAGENT:0:2940:AgentMsg] SmAffServer API 'GetAssertion' failed : response msg
 '<AFFILIATEMSG><AFFMETHOD>GET_ASSERTION_FROM_REFERENCE</AFFMETHOD></AFFILIATEMSG>'. Check Smaff Server log for more details.
December 11, 2006 20:59:14.392 PM[AFFAGENT:0:2940:ReturnError] Exiting with HTTP 500 Server Error

Solution:

The customer needed to create a RootCA certificate using OpenSSL. He had no root certificate at all, so none was being imported into the affiliate's AM.keystore.

The steps we took to resolve this 500 error were:

  • Create a RootCA certificate on the CA using OpenSSL.

  • Import the RootCA cert to the AM.keystore on the affiliate.

Example: Add a trusted CA certificate

This example shows the commands required to add a trusted certificate authority certificate:

To add a trusted CA certificate:

  1. Check whether it already exists in the consuming authority database by entering: smkeytool.sh -listCerts

  2. To add the CA certificate enter: smkeytool.bat -addCert "c:\program files\ca\siteminder\certs\sampleCARoot.crt" -trustcacert

  3. (Optional) Restart the Policy Server to see the change to the key database immediately.

  • Create a server cert using OpenSSL on the CA and then use that for SSL on the Portal Agent which the Affiliate points to.

The customer stopped getting the 500 error after this: when the back channel SSL connection is made from the affiliate to the portal agent, the affiliate now has the correct cert to connect over SSL.
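
The steps above, worked through with OpenSSL as an added example (not part of the original article or the product documentation): it creates a root CA, issues a server certificate from it, and shows that the chain validates only when the issuing root is the trust anchor. File names, subject names and the host portal.example.com are constructed, and a default openssl.cnf is assumed.

```shell
#!/bin/sh
# Added example: root CA + CA-signed server certificate, then a chain check.
# All names and paths below are constructed for illustration.

make_root_ca() {  # $1 = directory that receives rootCA.key / rootCA.crt
    # Self-signed root; the stock openssl.cnf marks it CA:TRUE (assumed default config).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$1/rootCA.key" -out "$1/rootCA.crt" 2>/dev/null
}

make_server_cert() {  # $1 = directory holding the root CA, $2 = server host name
    # Key and CSR for the server the affiliate connects to.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$2" \
        > "$1/server.ext" &&
    # Sign the CSR with the root CA.
    openssl x509 -req -in "$1/server.csr" -sha256 -days 365 \
        -CA "$1/rootCA.crt" -CAkey "$1/rootCA.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$1/server.crt" 2>/dev/null
}

chain_ok() {  # $1 = trusted CA certificate, $2 = server certificate
    # Exit status 0 only if $2 chains to $1.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/other"
    make_root_ca "$d" && make_server_cert "$d" portal.example.com &&
        make_root_ca "$d/other" || return 1
    # rootCA.crt is the file that would be handed to smkeytool -addCert ... -trustcacert.
    chain_ok "$d/rootCA.crt" "$d/server.crt" &&
        echo "issuing root trusted: chain verifies"
    # An unrelated root stands in for a keystore that lacks the issuing CA.
    chain_ok "$d/other/rootCA.crt" "$d/server.crt" ||
        echo "issuing root not trusted: verification fails"
    rm -rf "$d"
}

demo
```

Running the same `openssl verify` against the certificate actually served by the portal agent, with the root exported from the keystore, is a quick pre-check before retesting the back channel.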