When trying to configure assertion encryption, there is an error in Policy Server: "Error Encrypting Assertion." and "Error Encrypting NameID." and "AssertionHandler postProcess() failed".

Document ID : KB000023785
Last Modified Date : 14/02/2018

Issue :

After a successful Federation test of the POST- and Artifact-binding use cases, when you try to configure encryption of the Assertion or of the NameID, the Policy Server reports an error in the smps log: "Error Encrypting Assertion." or "Error Encrypting NameID." The smtrace log also contains "AssertionHandler postProcess() failed". When this occurs the user gets a 500 error in the browser on the IDP side. The certificate and private key used for encryption/decryption have been successfully added to the certificate store. Why do I get this error?

Environment :

All Policy Server versions on Solaris.

Solution :

You get this error because the order of the Java security providers is incorrect.

On Solaris 10 you need to modify the order of the Java security encryption providers.

By default, the file /usr/jdk/latest/jre/lib/security/java.security contains the following:

security.provider.1=sun.security.pkcs11.SunPKCS11
security.provider.2=sun.security.provider.Sun

Change the order so that your file reads:

security.provider.1=sun.security.provider.Sun
security.provider.2=sun.security.pkcs11.SunPKCS11
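The following shell script is an added example, not part of the original article, that applies the provider swap described above to a java.security file. It checks that the file still has the default Solaris order before editing, keeps a backup copy, and prints the resulting provider list so the change can be verified. The file path, the backup suffix and the constructed sample file used in the demo are assumptions; the two provider lines are the ones quoted in the article.

```shell
#!/bin/sh
# Added example (not from the original article): move sun.security.provider.Sun
# ahead of the SunPKCS11 bridge in a java.security file, as the article advises.

# Swap providers 1 and 2 in the given java.security file, keeping a .bak copy.
# Returns 1 (and changes nothing) unless the file has the default Solaris order.
# Usage: reorder_providers /usr/jdk/latest/jre/lib/security/java.security
reorder_providers() {
    f="$1"
    # Only touch a file that has exactly the default order quoted in the article.
    grep -q '^security.provider.1=sun.security.pkcs11.SunPKCS11$' "$f" || return 1
    grep -q '^security.provider.2=sun.security.provider.Sun$' "$f" || return 1
    cp "$f" "$f.bak" || return 1
    # Rewrite into a temp file first so a failed sed never leaves a truncated config.
    sed -e 's/^security.provider.1=sun.security.pkcs11.SunPKCS11$/security.provider.1=sun.security.provider.Sun/' \
        -e 's/^security.provider.2=sun.security.provider.Sun$/security.provider.2=sun.security.pkcs11.SunPKCS11/' \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# List the security.provider.N lines of a java.security file in file order.
show_providers() {
    grep '^security\.provider\.[0-9][0-9]*=' "$1"
}

# Demo on a constructed sample file (the third provider line is constructed, not from the article).
demo_file=$(mktemp)
printf '%s\n' \
    'security.provider.1=sun.security.pkcs11.SunPKCS11' \
    'security.provider.2=sun.security.provider.Sun' \
    'security.provider.3=sun.security.rsa.SunRsaSign' > "$demo_file"
echo "Before:"; show_providers "$demo_file"
reorder_providers "$demo_file"
echo "After:";  show_providers "$demo_file"
rm -f "$demo_file" "$demo_file.bak"
```

The JVM reads java.security once at startup, so the Policy Server's Java process must be restarted after the edit for the new provider order to take effect; running `show_providers` on the real file afterwards confirms the swap was applied.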