Symptom:
Deploying the Federation Web Services (affwebservices.war) on JBoss 6.1 fails with the following exception:
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS011232: Only one JAX-RS Application Class allowed
This error is caused by an open issue in JBoss.
Solution:
Edit the affwebservices deployment descriptor to add a number of <context-param> entries.
Follow these steps:
<context-param> <param-name>resteasy.scan</param-name> <param-value>false</param-value> </context-param> <context-param> <param-name>resteasy.scan.resources</param-name> <param-value>false</param-value> </context-param> <context-param> <param-name>resteasy.scan.providers</param-name> <param-value>false</param-value> </context-param>
Symptom:
Back channel processing fails when you use the client certificate option to protect the back channel. The failure impacts all profiles that use the back channel, including HTTP-Artifact single sign-on and SAML 2.0 Single Logout over SOAP.
Failures occur under the following conditions:
Solution:
The following solutions are available:
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
Note: The Apache solution applies only to partnership federation.
SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.
The following conditions result in failed transactions:
When the Policy Server tries to verify that the signature of the artifact response, the SSO transaction fails.
To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.
Follow these steps:
siteminder_install_dir\config\properties\xsw.properties
siteminder_install_dir is the location where you installed the Policy Server.
For complete upgrade instructions for all CA SiteMinder® components, see the CA SiteMinder® Upgrade Guide.
The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.
Symptom:
You are doing a console mode installation of a CA SiteMinder® product on a Solaris platform. The following error message displays: "Unable to install the Java Virtual Machine included with this installer."
Solution:
Ignore this error message. The error is a third-party issue and it has no functional impact.
Symptom:
On the JBoss 5.1.2 server, system JARs are overriding application-specific JARs, such as those JARs for the Web Agent Option Pack.
Solution:
Prevent the Web Agent Option Pack XML API files from being overwritten by JBOSS system JARS.
Important! This workaround only applies to the supported version of JBOSS 5.1.2.
Add the following filter package in two places in the war-deployers-jboss-beans.xml file:
<property name="filteredPackages">javax.servlet,org.apache.commons. logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>
The filter package allows the use of the Web Agent Option Pack XML API files instead of the JBOSS system files.
Follow these steps:
/deployers/jbossweb.deployer/META-INF/
<property name="filteredPackages">javax.servlet,org.apache. commons.logging</property>
<property name="filteredPackages">javax.servlet,org.apache.commons. logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>
This entry in the file is on one line.
Add the filter package in both places in the XML file.
Symptom:
A federation transaction is failing at the asserting party when the federation web services application is deployed on a JBOSS server, version 5.1.0 and higher. An error message indicates one of the following conditions:
Solution:
Deploy affwebservices.war file in an exploded folder under the jboss deploy directory.
Follow these steps:
jar cvf affwebservices.war *
JBOSS_home is the installed location of the JBOSS application server.
Note: Be sure that the affwebservices.war file is not in the deploy directory.
http://fqhn:port_number/affwebservices/assertionretriever
fqhn
Represents the fully qualified host name and
port_number
Specifies the port number of the server where the Federation Web Services application is installed.
CA SiteMinder® legacy and partnership federation do not support directory mapping. The user is tied to the directory they are initially authenticated against. If that directory is not present in the affiliate domain, the authorization fails.
You can install the r12.3 CA SiteMinder® SPS Federation Gateway only in a legacy federation deployment. This release of the gateway is compatible with CA SiteMinder® 12.5.
You cannot use the r12.3 gateway in a 12.5 partnership federation deployment.
Copyright © 2013 CA.
All rights reserved.
|
|