Tips on how to troubleshoot the SAML "DSigSigner Initialization Failing" error

Document ID : KB000022326
Last Modified Date : 14/02/2018

Question :

I am running Policy Server 12SP3, which uses smkeydatabase and not the Certificate Data Store (CDS), with the Option Pack, and I am using the SAML 2.0 POST use case. When I try to sign an assertion, I get the following errors:

[17:28:24][No Plugin callout is configured.]   
[17:28:24][Start to wrap-up the SAML2.0 response.]   
[17:28:24][POST signing option: 0]   
[17:28:24][Signing the Assertion with ID:   
_710f81d9966fdcdb1b30a712d53fc06963be ...]   
[17:28:24][Can not sign Assertion with ID:   
_710f81d9966fdcdb1b30a712d53fc06963be   
Error: Error in DSigSigner - Initializtion failed]   
[17:28:24][Failed to Sign Assertion.]   
[17:28:24][AssertionHandler postProcess() failed. Leaving   
AssertionGenerator.]  

How can I troubleshoot this problem?

Answer :

To troubleshoot this problem, check the following:

  • Check the permissions on the smkeydatabase directory:

    On Linux / Unix, the directory should be 755 and owned by the user who runs the Policy Server; files should be 644.
    On Windows, the owner, which is the user who runs the Policy Server, should have all permissions on the directory; files should be readable and writable by the owner.
  • On the smkeydatabase, run the command smkeytool -listCerts to confirm that the certificates can be read;

  • On the smkeydatabase, run the command smkeytool.sh -export -alias defaultenterpriseprivatekey -outfile ~/siteminder.intranet.com.key -type key -password password to confirm that you can export the key;

  • Check the classpath entries in the JVMOptions.txt file for any .jar located outside the SiteMinder installation that could cause a class load error.
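
The Linux / Unix permission check and the JVMOptions.txt classpath check above can be scripted. The following is an added example, not CA-supplied code: the function names are hypothetical, the directory, user, and install root are passed in by the caller, and the classpath is assumed to appear as a -Djava.class.path= line.

```sh
#!/bin/sh
# Added example. Paths and the user are supplied by the caller; nothing is
# assumed about where smkeydatabase lives on a given Policy Server.

# Print one line per deviation from the modes in this article:
# directories 755, files 644, everything owned by the Policy Server user.
# Returns 0 if clean, 1 if there are findings, 2 if the directory is missing.
check_smkeydb_perms() {
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    findings=$(
        find "$dir" -type d ! -perm 755 -exec echo DIR_MODE {} \;
        find "$dir" -type f ! -perm 644 -exec echo FILE_MODE {} \;
        find "$dir" ! -user "$owner" -exec echo OWNER {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Print classpath entries that are not under the SiteMinder install root.
# Assumption: the classpath is a "-Djava.class.path=..." line with ':'
# separators (Unix); adjust the sed pattern if your file differs.
jars_outside_home() {
    opts=$1 home=${2%/}
    sed -n 's/^-Djava\.class\.path=//p' "$opts" | tr ':' '\n' |
    while IFS= read -r entry; do
        case $entry in
            '' | "$home"/*) ;;
            *) echo "$entry" ;;
        esac
    done
}

# Usage: script <smkeydatabase dir> <user> [<JVMOptions.txt> <install root>]
if [ "$#" -ge 2 ]; then
    check_smkeydb_perms "$1" "$2"
    if [ "$#" -ge 4 ]; then jars_outside_home "$3" "$4"; fi
fi
```

Any DIR_MODE, FILE_MODE, or OWNER line names a path to correct before retrying the signing operation.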