

Deployment of Federation Web Services Fails on JBoss 6.1 (174757)

Symptom:

Deploying the Federation Web Services (affwebservices.war) on JBoss 6.1 fails with the following exception:

Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: JBAS011232: Only one JAX-RS Application Class allowed

This error is caused by an open issue in JBoss.

Solution:

Edit the affwebservices deployment descriptor to add a number of <context-param> entries.

Follow these steps:

  1. Open the affwebservices deployment descriptor file (webagent_option_pack/affwebservices/WEB-INF/web.xml) in a text editor.
  2. Add the following lines after the <web-app> tag and before the <servlet> tag:
    <context-param>
      <param-name>resteasy.scan</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <param-name>resteasy.scan.resources</param-name>
      <param-value>false</param-value>
    </context-param>
    <context-param>
      <param-name>resteasy.scan.providers</param-name>
      <param-value>false</param-value>
    </context-param>
    
  3. Save and exit the text editor.

Back Channel Processing Fails with Client Certificate Protection (168151, 168278, 169147, 168774, 169312)

Symptom:

Back channel processing fails when you use the client certificate option to protect the back channel. The failure impacts all profiles that use the back channel, including HTTP-Artifact single sign-on and SAML 2.0 Single Logout over SOAP.

Failures occur under the following conditions:

Solution:

The following solutions are available:

Signature Wrapping Checks Impact Artifact SSO After Upgrade (168864)

SAML 2.0 artifact transactions fail in CA SiteMinder® federation (legacy or partnership) deployments after you upgrade the Policy Server at the Service Provider.

The following conditions result in failed transactions:

When the Policy Server tries to verify the signature of the artifact response, the SSO transaction fails.

To prevent artifact SSO from failing, temporarily turn off the signature vulnerability check. Disable the check after you upgrade the Policy Server at the Service Provider site but before you put the Policy Server into service.

Follow these steps:

  1. Navigate to the xsw.properties file. Locate the file in the following directory:

    siteminder_install_dir\config\properties\xsw.properties

    siteminder_install_dir is the location where you installed the Policy Server.

  2. Open the file in a text editor, and set DisableXSWCheck to true (DisableXSWCheck=true). Setting the value to true disables the vulnerability check.
  3. After the entire deployment is at version 12.52, and the Policy Server is running, return the DisableXSWCheck setting to false (DisableXSWCheck=false). Setting the value to false enables the signature vulnerability check.
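
If step 3 is skipped, the signature vulnerability check stays off. The following is an added example (not CA code) that audits xsw.properties for a leftover DisableXSWCheck=true; it assumes standard Java .properties syntax, and the function names and sample file content are illustrative.

```python
"""Audit xsw.properties for a leftover DisableXSWCheck=true (added example)."""
import re
import sys

KEY = "DisableXSWCheck"  # property name from the procedure above

# Constructed sample: the temporary upgrade setting was never reverted.
SAMPLE = """\
# xsw.properties (constructed sample)
#DisableXSWCheck=false
DisableXSWCheck = true
"""


def read_property(text, key=KEY):
    """Return the last value assigned to key, or None if it is never set.

    Assumes Java .properties syntax: '#' or '!' starts a comment line, and
    '=', ':' or whitespace separates key from value. Key match is exact.
    """
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)$", line)
        if m and m.group(1) == key:
            value = m.group(2).strip()  # a later duplicate overrides an earlier one
    return value


def audit(text):
    """Return 'enabled', 'disabled', 'missing' or 'invalid' for the XSW check."""
    value = read_property(text)
    if value is None:
        return "missing"  # the page does not state the default, so report it
    # Assumption: the value is read case-insensitively; flag TRUE as well.
    return {"false": "enabled", "true": "disabled"}.get(value.lower(), "invalid")


if __name__ == "__main__":
    # Pass the path to xsw.properties; without one, the sample is audited.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    state = audit(text)
    print(f"{KEY}: signature vulnerability check is {state}")
    sys.exit(0 if state == "enabled" else 1)
```

The script exits non-zero for any state other than "enabled", so it can gate a post-upgrade checklist.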

For complete upgrade instructions for all CA SiteMinder® components, see the CA SiteMinder® Upgrade Guide.

OCSPUpdater Does Not Support the SHA-224 Algorithm (150477,150474)

The OCSPUpdater used for federation certificate validity checking cannot sign OCSP requests using the SHA-224 algorithm. The updater can only sign with the SHA-256, SHA-384, and SHA-512 algorithms.

Java Virtual Machine Installation Error on Solaris can be Ignored (149886)

Symptom:

You are doing a console mode installation of a CA SiteMinder® product on a Solaris platform. The following error message displays: "Unable to install the Java Virtual Machine included with this installer."

Solution:

Ignore this error message. The error is a third-party issue and it has no functional impact.

Web Agent Option Pack on JBOSS Requires Workaround (147357, 149394)

Symptom:

On the JBoss 5.1.2 server, system JARs are overriding application-specific JARs, such as those JARs for the Web Agent Option Pack.

Solution:

Prevent the Web Agent Option Pack XML API files from being overwritten by JBOSS system JARs.

Important! This workaround only applies to the supported version of JBOSS 5.1.2.

Add the following filter package in two places in the war-deployers-jboss-beans.xml file:

<property name="filteredPackages">javax.servlet,org.apache.commons.logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>

The filter package allows the use of the Web Agent Option Pack XML API files instead of the JBOSS system files.

Follow these steps:

  1. Locate the war-deployers-jboss-beans.xml file in the following directory:

    /deployers/jbossweb.deployer/META-INF/

  2. Find the following entry:
    <property name="filteredPackages">javax.servlet,org.apache.commons.logging</property>
    
  3. Change the entry to:
    <property name="filteredPackages">javax.servlet,org.apache.commons.logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property>
    

    This entry in the file is on one line.

  4. Find the second instance of the entry in step 2 and replace it with the entry in step 3.

    Add the filter package in both places in the XML file.

  5. Save the XML file.
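
The two ways this procedure usually goes wrong are updating only one of the two entries and pasting the value with a line break inside a package name. The following added example (not CA or JBoss code) checks war-deployers-jboss-beans.xml for both; the function names and the sample XML structure are constructed for illustration.

```python
"""Verify the filteredPackages workaround in war-deployers-jboss-beans.xml (added example)."""
import sys
import xml.etree.ElementTree as ET

# Package list from step 3 of the procedure above.
REQUIRED = {"javax.servlet", "org.apache.commons.logging",
            "javax.xml.parsers", "org.xml.sax", "org.w3c.dom"}

# Constructed sample: the first entry was updated, the second was missed.
SAMPLE = """<deployment>
  <bean name="A"><property name="filteredPackages">javax.servlet,org.apache.commons.logging,javax.xml.parsers,org.xml.sax,org.w3c.dom</property></bean>
  <bean name="B"><property name="filteredPackages">javax.servlet,org.apache.commons.logging</property></bean>
</deployment>"""


def filtered_package_gaps(xml_text):
    """Return, for each filteredPackages property, the required packages it lacks."""
    gaps = []
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # ignore any XML namespace prefix
        if local == "property" and el.get("name") == "filteredPackages":
            # Only outer whitespace is trimmed, so a value that was wrapped
            # mid-name ("org.apache.commons.\nlogging") counts as missing.
            present = {p.strip() for p in "".join(el.itertext()).split(",")}
            gaps.append(REQUIRED - present)
    return gaps


def workaround_applied(xml_text):
    """True only if both entries exist and each lists every required package."""
    gaps = filtered_package_gaps(xml_text)
    return len(gaps) == 2 and not any(gaps)


if __name__ == "__main__":
    # Pass the path to the XML file; without one, the sample is checked.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for i, missing in enumerate(filtered_package_gaps(data), 1):
        print(f"entry {i}: " + ("ok" if not missing else "missing " + ", ".join(sorted(missing))))
    sys.exit(0 if workaround_applied(data) else 1)
```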

Deploying Federation Web Services in JBOSS 5.1.x (150603)

Symptom:

A federation transaction is failing at the asserting party when the federation web services application is deployed on a JBOSS server, version 5.1.0 and higher. An error message indicates one of the following conditions:

Solution:

Deploy the affwebservices.war file in an exploded folder under the JBOSS deploy directory.

Follow these steps:

  1. Open a command window and navigate to the affwebservices directory, which is in the directory /webagent_option_pack/affwebservices/.
  2. Create a WAR file by entering the command:
    jar cvf affwebservices.war *
    
  3. Navigate to the directory JBOSS_home/server/default/deploy/

    JBOSS_home is the installed location of the JBOSS application server.

  4. Under the deploy directory, create a directory named affwebservices.war.
  5. Inside the affwebservices.war directory, extract the affwebservices.war file.

    Note: Be sure that the affwebservices.war file is not in the deploy directory.

  6. Restart the application server.
  7. After the server has restarted, access the JBOSS Administrative Console. The affwebservices.war file is displayed in the JBOSS console under Applications>WARs.
  8. Test that the FWS application is working by opening a web browser and entering the following link:
    http://fqhn:port_number/affwebservices/assertionretriever 
    

    fqhn represents the fully qualified host name and port_number specifies the port number of the server where the Federation Web Services application is installed.

  9. Execute a federated single sign-on transaction. A successful transaction confirms that CA SiteMinder® federation is working properly.

CA SiteMinder® Federation does not Support Directory Mapping (147993)

CA SiteMinder® legacy and partnership federation do not support directory mapping. The user is tied to the directory they are initially authenticated against. If that directory is not present in the affiliate domain, the authorization fails.

SPS Federation Gateway in a Federation Deployment

You can install the r12.3 CA SiteMinder® SPS Federation Gateway only in a legacy federation deployment. This release of the gateway is compatible with CA SiteMinder® 12.5.

You cannot use the r12.3 gateway in a 12.5 partnership federation deployment.