Symptom:
When getting the SamlValidator, the following error appeared:
errorjava.lang.ClassCastException: [Ljava.lang.String; cannot be cast to java.lang.String.
Solution:
The primitive type was changed from String to String[] to store the values returned from the Hashmap iterator.
Star issue: 20140602;1
A malicious user can commit an XML signature wrapping attack by changing the content of a document without invalidating the signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to XML specifications. As a result, the default signature checks can result in a signature verification failure.
Signature verification failures occur for the following reasons:
If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document is not conforming to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.
Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.
To disable the XML signature wrapping checks:
web_agent_option_pack_ home/affwebservices/web-INF/classes.
Note: If the web agent option pack is installed on the same system as the web agent, the file resides in the web_agent_home directory.
Note: The value of the DisableUniqueIDCheck setting must be the same for the Policy Server and the Web Agent Option Pack.
STAR issue: 21321479;1
Symptom:
There is no detailed information about the usage of the smfedexport utility options, such as –pubkey,-sign and –signingcertalias.
Solution:
The Federation Security Services Guide has clearer explanations of the smfedexport command options.
STAR issue: 20969179-01
Copyright © 2012 CA.
All rights reserved.
|
|