WSFEDDISPATCHER HTTP Status 500 Error

Document ID : KB000108858
Last Modified Date : 31/07/2018
Issue:
Following an automated security OS patch in our environment, wsfeddispatcher throws an HTTP Status 500 error.

FWSTrace log
###########
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Transaction with ID: 13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696 failed. Reason: WSFED_SSO_INVALID_RESPONSE_RETURNED]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Denying request due to "NO" returned from WSFED assertion generator.]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Ending WSFED Single Sign-On Service request processing with HTTP error 500]

SMPS Log
#########
[122536/122008][Mon Jul 23 2018 06:32:48][AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: ncom.netegrity.assertiongenerator.AssertionGeneratorException: Error while signing Assertion!  Exception:
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: SignInProtocol:  Exception when signing SAML Assertion - WSFEDSigner:  Exception while signing XML document.
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: Caught an Exception calling signXMLDocument using IXMLSignature. XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018java.lang.Exception: XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018
    at com.netegrity.smkeydatabase.api.XMLSignatureApacheImpl.signXMLDocument(XMLSignatureApacheImpl.java:302)
Environment:
All SSO Versions
Cause:
The Policy Server smps log shows that the signing certificate had expired, which is why federation transactions were failing.
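
A log check that confirms this cause, as an added example (not vendor code): it extracts the CertificateExpiredException NotAfter date from the SMPS log and the failed WSFED transaction IDs from the FWSTrace log. The function names and the naive handling of time zones are assumptions; the sample lines come from the excerpts above, with the SMPS exception text shortened.

```python
import re
from datetime import datetime

# Sample input: lines from the excerpts above; the SMPS exception text is shortened.
FWS_TRACE = """\
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Transaction with ID: 13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696 failed. Reason: WSFED_SSO_INVALID_RESPONSE_RETURNED]
[07/23/2018][10:32:49][6496][8468][13b1dd01-baf9a2e2-44ddcd1e-66884471-56dc67c5-4696][SSO.java][processAssertionGeneration][Ending WSFED Single Sign-On Service request processing with HTTP error 500]
"""
SMPS_LOG = """\
[122536/122008][Mon Jul 23 2018 06:32:48][AssertionGenerator.java][ERROR][sm-FedServer-00120] postProcess() throws exception: Error while signing Assertion!  Exception:
com.netegrity.smkeydatabase.api.XMLDocumentOpsException: XMLSignatureApacheImpl.signXMLDocument(): Signing certificate has expired. Exception Message: java.security.cert.CertificateExpiredException: NotAfter: Fri Jul 20 07:22:59 EDT 2018
"""

SMPS_HEADER = re.compile(r"^\[\d+/\d+\]\[(\w{3} \w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2})\]")
NOT_AFTER = re.compile(r"CertificateExpiredException: NotAfter: "
                       r"(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \w+ (\d{4})")
FAILED_TX = re.compile(r"Transaction with ID: ([0-9a-f-]+) failed\. "
                       r"Reason: WSFED_SSO_INVALID_RESPONSE_RETURNED")

def expired_signing_certs(smps_text):
    """One finding per SMPS line that reports an expired signing certificate."""
    findings, logged = [], None
    for line in smps_text.splitlines():
        header = SMPS_HEADER.match(line)
        if header:  # remember the timestamp of the entry the exception belongs to
            logged = datetime.strptime(header[1], "%a %b %d %Y %H:%M:%S")
        expiry = NOT_AFTER.search(line)
        if expiry and "Signing certificate has expired" in line:
            not_after = datetime.strptime(f"{expiry[1]} {expiry[2]}", "%a %b %d %H:%M:%S %Y")
            # Assumption: zone names (e.g. EDT) are dropped; times compared as naive.
            days = (logged - not_after).days if logged else None
            findings.append({"logged": logged, "not_after": not_after, "days_expired": days})
    return findings

def failed_wsfed_transactions(fws_text):
    """Transaction IDs the FWSTrace log marks as WSFED_SSO_INVALID_RESPONSE_RETURNED."""
    return sorted(set(FAILED_TX.findall(fws_text)))

def diagnose(smps_text, fws_text):
    """Tie the HTTP 500s to the expired certificate only when both logs agree."""
    certs = expired_signing_certs(smps_text)
    txs = failed_wsfed_transactions(fws_text)
    cause = "expired_signing_certificate" if certs and txs else "unknown"
    return {"cause": cause, "certs": certs, "transactions": txs}

if __name__ == "__main__":
    print(diagnose(SMPS_LOG, FWS_TRACE))
```
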
Resolution:
Follow the steps below to use the new/renewed private key in the Policy Server:

1) Import the new/renewed private key into the policy store using smkeytool:
 ./smkeytool.sh -addPrivKey -alias <alias> (-keyfile <private_key_file> -certfile <cert_file> | -keycertfile <key_cert_file>) [-password <password>] [-v]

or

using the AdminUI:
Infrastructure -> X509 Certificate Management -> Trusted Certificates and Private Keys

2) Deactivate the partnership and select the new/renewed private key in "Signing Private Key Alias"

3) Activate the partnership