

Web Services Security Known Issues

General Issues

The following topics describe general known issues.

CA SiteMinder WSS Fails To Generate WS-Security Headers Using RSA-OAEP Encryption

CA SiteMinder WSS fails to create an encrypted WS-Security token when a response is configured to use the RSA-OAEP algorithm to encrypt the symmetric encryption key, generating the following error in tmxmltoolkit.log:

008-05-22 14:53:10,531 [INFO] handler.response.WSSecurityUsernameResponseHandler 8A2ADA6E-3D9B-57FB-35E3-9CC05471E849 - Cannot do encryption: unsupported key algorithm provided: rsa_oaep

Workaround

Configure the WS-Security header generating response to use the default rsa-1_5 algorithm to encrypt the symmetric encryption key.

Signing Not Working for SAML Session Tickets in SOAP Envelope (74036)

If configured to generate signed SAML Session Tickets in the SOAP envelope, CA SiteMinder WSS produces the SAML Session Ticket and places it in the SOAP envelope as expected, but the message is not signed.

Signing works correctly for SAML Session Tickets placed in HTTP headers or HTTP cookies.

Operation-Level Policy Changes Not Committed In Certain Situations When Configuring Application Policy From WSDL (69006)

When creating an application policy from a WSDL file, operation-level policy changes in the Define Web Service Protection Policy table are lost if you return to the top level by clicking the All Web Services link and then immediately click the Next button to proceed.

Workaround

After you have specified operation-level policy changes for a particular port, if you click the All Web Services link to return to the top level of the Define Web Service Protection Policy table, click any other button or link (for example, the link for that port again) before clicking Next to ensure the operation-level changes are committed.

Clicking Back Button in Secure Web Services from WSDL Wizard Sometimes Causes "Array Index out of range error -1" (72176)

Clicking the Back button on the Secure Web Services from WSDL: Define Policies pane of the Secure Web Services from WSDL Wizard sometimes results in an "Array Index out of range error -1". This error is non-fatal and can be ignored.

Install Issues

The following topics describe known issues related to product installation and uninstallation.

Back Option Not Supported During Console Mode Install (74339)

The option to go back to reenter incorrectly supplied information is not supported during console mode installation on UNIX.

Uninstaller Fails with Errors (66522)

Attempting to uninstall any CA SiteMinder WSS component without the prerequisite level of JVM installed and correctly referenced in the system path causes the uninstaller to fail with one of the following errors:

Workaround

Make sure the JRE is in the PATH variable.

SOA Agent for Web Servers Issues

The following topics describe SiteMinder WSS Agent for Web Servers issues.

WSS Agent Not Supported on JBoss

In CA SiteMinder® 12.51, the WSS Agent Configuration Wizard does not install the WSS agent if the host computer has a JBoss 6 application server.

SiteMinder WSS Agent for Web Servers Failover to Secondary Policy Server Slow

If configured for failover and the primary Policy Server fails, the SiteMinder WSS Agent for Web Servers can take up to one minute to fail over to the secondary Policy Server.

SiteMinder WSS Agent Configuration Wizard Fails Intermittently for IIS 7.x SiteMinder WSS Agent on Windows Server 2008 (142248)

Unattended configuration sometimes fails when attempting to configure the SiteMinder WSS Agent for Web Servers to work with IIS 7.x on Windows Server 2008. In this case, the following message is written to the log:

“Unable to write to applicationHost.conf file. Please Restart the IIS Webserver and redo the configuration.”

This issue occurs when the configuration wizard cannot stop IIS before it attempts to modify the IIS applicationHost.config file and therefore cannot edit the file because it is still in use.

Workaround

Stop IIS 7.x before attempting unattended configuration of the SiteMinder WSS Agent.

SiteMinder WSS Agent for IBM WebSphere Issues

The following topics describe known issues in the SiteMinder WSS Agent for IBM WebSphere.

SiteMinder WSS Agent for IBM WebSphere Limitations

The SiteMinder WSS Agent for IBM WebSphere has the following limitations:

SiteMinder WSS Agent and SiteMinder Agent for IBM WebSphere Coexistence Limitation (61190)

The following use case for coexistence of SiteMinder WSS Agent for IBM WebSphere and SiteMinder Agent for IBM WebSphere is not supported:

If you do configure such an environment, the SiteMinder TAI Module will intercept web service requests that should be handled by the SiteMinder WSS Agent.

mustUnderstand Attribute Limitation (61018, 60551)

The SiteMinder WSS Agent for IBM WebSphere does not support generation of WS-Security mustUnderstand attributes.

Therefore, do not assign responses that generate mustUnderstand attributes to policies associated with resources protected by the SiteMinder WSS Agent for IBM WebSphere.

XML Digital Signature Authentication Fails for Certain Payloads on SiteMinder WSS Agent for IBM WebSphere (60619)

For resources protected by the SiteMinder WSS Agent for IBM WebSphere, XML Digital Signature authentication fails for certain XML payloads.

SiteMinder WSS Agent Configuration Wizard Cannot Unconfigure SiteMinder WSS Agent for WebSphere (66204)

The SiteMinder WSS Agent Configuration Wizard does not allow you to unconfigure the SiteMinder WSS Agent for WebSphere as it does for the SiteMinder WSS Agent for Web Servers.

Workaround

To unconfigure a SiteMinder WSS Agent for WebSphere (that is, to stop it from protecting web service resources in the WebSphere container), perform the following steps:

  1. Back out all configuration changes you made to configure your web services to invoke the SiteMinder WSS Agent JAX-RPC Handler from deployment descriptors. For more information, see the SiteMinder WSS Agent Configuration Guide.
  2. Uninstall the SiteMinder WSS Agent.
  3. Restart WebSphere.

SiteMinder WSS Agent for Oracle WebLogic Issues

The following topics describe known issues in the SiteMinder WSS Agent for Oracle WebLogic.

SiteMinder WSS Agent for Oracle WebLogic Limitations

The SiteMinder WSS Agent for Oracle WebLogic has the following limitations:

SiteMinder WSS Agent Configuration Wizard Cannot Unconfigure SiteMinder WSS Agent for WebLogic (66204)

The SiteMinder WSS Agent Configuration Wizard does not allow you to unconfigure the SiteMinder WSS Agent for WebLogic as it does for the SiteMinder WSS Agent for Web Servers.

Workaround

To unconfigure a SiteMinder WSS Agent for WebLogic (that is, to stop it from protecting web service resources in the WebLogic container), perform the following steps:

  1. Back out all configuration changes you made to configure your web services to invoke the SiteMinder WSS Agent JAX-RPC Handler from deployment descriptors or handler chain configuration files, as applicable. For more information, see the SiteMinder WSS Agent Configuration Guide.
  2. Uninstall the SiteMinder WSS Agent.
  3. Restart WebLogic.

CA SiteMinder® Agent for JBoss Issues

The following topics describe known issues in the CA SiteMinder® Agent for JBoss.

Uninstaller Fails with Errors (87704)

Attempting to uninstall the SiteMinder Agent for JBoss without the prerequisite level of JVM installed and correctly referenced in the system path causes the uninstaller to fail with one of the following errors:

Workaround

Make sure the JVM is in the system PATH variable.

XML Digital Signature Authentication Sometimes Fails When Entire Document is Signed (141772)

For resources protected by the SiteMinder WSS Agent for JBoss, XML Digital Signature authentication fails for SOAP requests where the entire document is signed. The failure occurs because the JBoss container does not preserve whitespace between SOAP message elements.

Workaround

Program the web service client to remove all whitespace between SOAP message elements in the request message to match the space removal that JBoss performs upon receiving the message.
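One way a client could apply this workaround before signing, shown as an added example (not CA code): it drops whitespace-only text nodes that sit between elements and leaves element content untouched. The function name and the sample envelope are constructed for illustration, and the exact normalization JBoss performs is assumed to be limited to inter-element whitespace, as the issue describes.

```python
from xml.dom import minidom

XML_WS = " \t\r\n"  # the only characters XML treats as whitespace


def strip_inter_element_whitespace(soap_xml):
    """Return soap_xml without whitespace-only text nodes between elements.

    Text inside leaf elements is kept even when it is only whitespace,
    because it is message content rather than formatting. Run this on the
    client's own outgoing message, before the signature is computed.
    """
    doc = minidom.parseString(soap_xml)

    def walk(node):
        children = list(node.childNodes)
        has_element_child = any(c.nodeType == c.ELEMENT_NODE for c in children)
        for child in children:
            if child.nodeType == child.ELEMENT_NODE:
                walk(child)
            elif (has_element_child
                  and child.nodeType == child.TEXT_NODE
                  and child.data.strip(XML_WS) == ""):
                node.removeChild(child)  # formatting between sibling elements

    walk(doc.documentElement)
    return doc.documentElement.toxml()


# Constructed sample request (hypothetical service and namespace).
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header/>
  <soapenv:Body>
    <m:GetQuote xmlns:m="urn:example:quotes">
      <m:Symbol>CA  Inc</m:Symbol>
    </m:GetQuote>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(strip_inter_element_whitespace(SAMPLE))
```

Sign the returned string, not the original, so that the digest is computed over the same bytes the agent sees after JBoss has removed the whitespace.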

Installer Throws Erroneous Error When Supplying JVM Location (137843)

When the SiteMinder Agent for JBoss installer prompts for the JVM location, it displays an "Unable to install the Java Virtual Machine included with this installer" error message even when a valid path is entered.

Workaround

This error message is erroneous; the installer continues with the installation regardless of the error message.

CA SiteMinder WSS SDK Issues

The following topics describe known issues in the CA SiteMinder WSS SDK.

Web Service Client API XMLDocument Class signWSDocument Method Fails With Uninitialized Keystore Exception (133785)

When the signWSDocument method of the XMLDocument class of the Web Service Client API is called with a PEM format X.509 file argument, it fails with an "Uninitialized keystore" error.

Web Service Client API XMLDocument Class signWSDocument Method Fails to Decode DER Format Certificates (133787)

When the signWSDocument method of the XMLDocument class of the Web Service Client API is called with a DER format X.509 file argument, it throws an exception indicating it cannot parse the certificate.

Web Service Client API XMLDocument Class signDocument Method Produces XML Signatures with Unresolvable Reference URIs (133788)

When the signDocument method of the XMLDocument class of the Web Service Client API is called to sign a SOAP document with a DER format X.509 file argument, the method produces a signature that cannot be validated by a SiteMinder WSS Agent. The SOAP Body element is identified with the following syntactically correct attribute:

ID="Body" 

However, SiteMinder WSS Agents can only resolve references to "Id", not "ID" attributes (note the case: Id as opposed to ID).
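A pre-flight check for this defect, shown as an added example (not part of the SDK): it lists the same-document signature references in a signed message that a resolver accepting only "Id" attributes could not resolve. The function name and sample envelope are constructed, and treating namespace-qualified attributes with the local name Id as resolvable is an assumption.

```python
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"


def unresolvable_references(signed_xml):
    """Return (uri, reason) for each ds:Reference an "Id"-only resolver misses.

    Only bare-name fragments such as URI="#Body" are checked; an empty URI
    (whole document) and xpointer expressions are skipped.
    """
    root = ET.fromstring(signed_xml)
    exact, wrong_case = set(), set()
    for elem in root.iter():
        for name, value in elem.attrib.items():
            local = name.rsplit("}", 1)[-1]  # drop any {namespace} part
            if local == "Id":                # assumption: qualified Id counts too
                exact.add(value)
            elif local.lower() == "id":      # "ID", "id", "iD"
                wrong_case.add(value)

    problems = []
    for ref in root.iter(DS_NS + "Reference"):
        uri = ref.get("URI", "")
        if len(uri) < 2 or not uri.startswith("#") or uri.startswith("#xpointer("):
            continue
        target = uri[1:]
        if target in exact:
            continue
        if target in wrong_case:
            problems.append((uri, 'identifier attribute is not spelled "Id"'))
        else:
            problems.append((uri, "no element carries this identifier"))
    return problems


# Constructed sample reproducing the ID="Body" output described above;
# digest and signature values are omitted because the check does not need them.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#Body"/>
    </ds:SignedInfo></ds:Signature>
  </soapenv:Header>
  <soapenv:Body ID="Body"><m:Ping xmlns:m="urn:example:ping"/></soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(unresolvable_references(SAMPLE))
```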

Web Service Client API XMLDocument Class signDocument Method Throws a NullPointerException when Signing Non-SOAP XML Using an X.509 Certificate (133789)

When the signDocument method of the XMLDocument class of the Web Service Client API is called to sign a non-SOAP XML document with a null publicKeyFile argument and a valid X.509 file argument, the method throws a NullPointerException.

Defects Fixed in SOA Security Manager Releases