Release Notes › Federation Release Notes › Known Issues for Legacy and Partnership Federation › Deployment of Federation Web Services Fails on JBoss 6.1 (174757)

Deployment of Federation Web Services Fails on JBoss 6.1 (174757)

Symptom:

Deploying the Federation Web Services (affwebservices.war) on JBoss 6.1 fails with the following exception:

Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS011232: Only one JAX-RS Application Class allowed

This error is caused by an open issue in JBoss.

Solution:

Edit the affwebservices deployment descriptor to add a number of <context-param> entries.

Follow these steps:

1. Open the affwebservices deployment descriptor file (webagent_option_pack/affwebservices/WEB-INF/web.xml) in a text editor.
2. Add the following lines after the <web-app> tag and before the <servlet> tag:

   <context-param>
   <param-name>resteasy.scan</param-name>
   <param-value>false</param-value>
   </context-param>
   <context-param>
   <param-name>resteasy.scan.resources</param-name>
   <param-value>false</param-value>
   </context-param>
   <context-param>
   <param-name>resteasy.scan.providers</param-name>
   <param-value>false</param-value>
   </context-param>
   

3. Save and exit the text editor.

Back Channel Processing Fails with Client Certificate Protection (168151, 168278, 169147, 168774, 169312)

Symptom:

Back channel processing fails when you use the client certificate option to protect the back channel. The failure impacts all profiles that use the back channel, including HTTP-Artifact single sign-on and SAML 2.0 Single Logout over SOAP.

Failures occur under the following conditions:

• A deployment with IIS web servers and any application server. The failure is the result of an IIS limitation. This problem applies to legacy and partnership federation.
• A certificate that is generated with the OpenSSL toolkit and the UTF-8 flag is set.
• Apache web servers running JBoss at the IdP, unless you make a configuration change to the httpd.ssl.conf file.

Solution:

The following solutions are available:

• Protect the back channel using the Basic option and ensure that all URLs are using the SSL protocol.
• Do not set the UTF-8 flag when generating a certificate with the OpenSSL toolkit.
• For Apache web servers running JBoss at the IdP, uncomment the following line in the Apache httpd.ssl.conf file:

  SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
  

  Note: The Apache solution applies only to partnership federation.

Signature Wrapping Checks Impact Artifact SSO After Upgrade (168864)

SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.

The following conditions result in failed transactions:

• CA SiteMinder® federation is deployed is at the Service Provider site.
• SAML 2.0 HTTP-Artifact SSO is configured.
• Signature verification at the Service Provider is configured for the assertion or the artifact resolve response.
• The Policy Server setting that prevents XML signature wrapping attacks is enabled.

When the Policy Server tries to verify that the signature of the artifact response, the SSO transaction fails.

To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.

Follow these steps:

1. Navigate to the xsw.properties file. Locate the file in the following directory:

   siteminder_install_dir\config\properties\xsw.properties

   siteminder_install_dir is the location where you installed the Policy Server.

2. Open the file in a text editor, and set the DisableXSWCheck to true (DisableXSWCheck=true). Setting the value to true disables the vulnerability check.
3. After the entire deployment is at version 12.52, and the Policy Server is running, return the DisableXSWCheck setting to false (DisableXSWCheck=false). Setting the value to false enables the signature vulnerability check.

For complete upgrade instructions for all CA SiteMinder® components, see the CA SiteMinder® Upgrade Guide.

OCSPUpdater Does Not Support the SHA-224 Algorithm (150477,150474)

The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.

Java Virtual Machine Installation Error on Solaris can be Ignored (149886)

Symptom:

You are doing a console mode installation of a CA SiteMinder® product on a Solaris platform. The following error message displays: "Unable to install the Java Virtual Machine included with this installer."

Solution:

Ignore this error message. The error is a third-party issue and it has no functional impact.

Web Agent Option Pack on JBOSS Requires Workaround (147357, 149394)

Symptom:

On the JBoss 5.1.2 server, system JARs are overriding application-specific JARs, such as those JARs for the Web Agent Option Pack.

Solution:

Prevent the Web Agent Option Pack XML API files from being overwritten by JBOSS system JARS.

Important! This workaround only applies to the supported version of JBOSS 5.1.2.

Add the following filter package in two places in the war-deployers-jboss-beans.xml file:

<property name="filteredPackages">javax.servlet,org.apache.commons.
logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>

The filter package allows the use of the Web Agent Option Pack XML API files instead of the JBOSS system files.

Follow these steps:

1. Locate the war-deployers-jboss-beans.xml file located in the directory:

   /deployers/jbossweb.deployer/META-INF/

2. Find the following entry:

   <property name="filteredPackages">javax.servlet,org.apache.
   commons.logging</property> 
   

3. Change the entry to:

   <property name="filteredPackages">javax.servlet,org.apache.commons.
   logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>
   

   This entry in the file is on one line.

4. Find the second instance of the entry in step 2 and replace it with the entry in step 3.

   Add the filter package in both places in the XML file.

5. Save the XML file.

Deploying Federation Web Services in JBOSS 5.1.x (150603)

Symptom:

A federation transaction is failing at the asserting party when the federation web services application is deployed on a JBOSS server, version 5.1.0 and higher. An error message indicates one of the following conditions:

• CA SiteMinder® could not decrypt the SMSESSION cookie.
• An encryption exception occurred during session cookie creation.

Solution:

Deploy affwebservices.war file in an exploded folder under the jboss deploy directory.

Follow these steps:

1. Open a command window and navigate to the affwebservices directory, which is in the directory /webagent_option_pack/affwebservices/.
2. Create a WAR file by entering the command:

   jar cvf affwebservices.war *
   

3. Navigate to the directory JBOSS_home/server/default/deploy/

   JBOSS_home is the installed location of the JBOSS application server.

4. Under the deploy directory, create a directory named affwebservices.war.
5. Inside the affwebservices.war directory, extract the affwebservices.war file.

   Note: Be sure that the affwebservices.war file is not in the deploy directory.

6. Restart the application server.
7. After the server has restarted, access the JBOSS Administrative Console. The affwebservices.war file is displayed in the JBOSS console under Applications>WARs.
8. Test that the FWS application is working by opening a web browser and entering the following link:

   http://fqhn:port_number/affwebservices/assertionretriever 
   

   fqhn

   Represents the fully qualified host name and

   port_number

   Specifies the port number of the server where the Federation Web Services application is installed.

9. Execute a federated single sign-on transaction. A successful transaction confirms that CA SiteMinder® federation is working properly.

CA SiteMinder® Federation does not Support Directory Mapping (147993)

CA SiteMinder® legacy and partnership federation do not support directory mapping. The user is tied to the directory they are initially authenticated against. If that directory is not present in the affiliate domain, the authorization fails.

SPS Federation Gateway in a Federation Deployment

You can install the r12.3 CA SiteMinder® SPS Federation Gateway only in a legacy federation deployment. This release of the gateway is compatible with CA SiteMinder® 12.5.

You cannot use the r12.3 gateway in a 12.5 partnership federation deployment.