

Affwebserver.log and FWSTrace.log Show Wrong Time

Symptom:

If the Web Agent Option Pack is installed on a WebLogic 8.1.6 server, the time stamps in the affwebservices.log and the FWSTrace.log are in GMT rather than local time, even though the LogLocalTime parameter in the LoggerConfig.properties file is set to Yes.

Solution:

WebLogic reads the LoggerConfig.properties file from a location other than the default location used by the SAML Affiliate Agent, so the copy you edited is not the one in effect.

To verify that the log files use local time

  1. Navigate to the LoggerConfig.properties file at the following location:

    \bea\user_projects\domains\ca_apps_domain\FWS\stage\affwebservices\affwebservices\WEB-INF\classes\LoggerConfig.properties

  2. Open the properties file and set the LogLocalTime parameter to Yes.
  3. Restart the WebLogic server.

Resolving Signature Verification Failures

A malicious user can carry out an XML signature wrapping attack by changing the content of a document without invalidating its signature. By default, software controls for the Policy Server and Web Agent Option Pack are set to defend against signature wrapping attacks. However, a third-party product can issue an XML document in a way that does not conform to XML specifications. As a result, the default signature checks can report a signature verification failure even though the signature itself is valid.

Signature verification failures occur for the following reasons:

If a federation transaction fails, examine the smtracedefault.log file and the fwstrace.log file for a signature verification failure. These errors can indicate that the received XML document does not conform to XML standards. As a workaround, you can disable the default Policy Server and Web Agent protection against signature wrapping attacks.

Important! If you disable the protection against signature vulnerabilities, determine another way to protect against these attacks.
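The following added example is not code from the CA product; it is a simplified illustration of the kind of structural check a signature-wrapping defence performs before the cryptographic verification, and it shows why a document that violates XML's unique-ID rule fails that check even when its signature bytes are valid. The accepted ID attribute names and the sample documents are assumptions constructed for the example.

```python
# Added example, not from the CA documentation: a structural pre-check of the
# kind a signature-wrapping defence performs. It does not verify the signature
# itself; it checks that each ds:Reference URI resolves to exactly one element
# and that this element encloses the ds:Signature (enveloped signature).
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ID_ATTRS = ("ID", "Id", "AssertionID")  # assumption: ID-typed attributes accepted

def check_signature_references(xml_text):
    """Return (ok, reason); ok is False where a wrapping defence would reject."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}  # ET has no parent links
    sigs = list(root.iter(DS + "Signature"))
    if not sigs:
        return False, "no ds:Signature found"
    for sig in sigs:
        for ref in sig.iter(DS + "Reference"):
            uri = ref.get("URI", "")
            if not uri.startswith("#"):
                return False, "unsupported Reference URI %r" % uri
            target = uri[1:]
            # XML requires ID-typed values to be unique in a document. A duplicate
            # ID is the kind of non-conformance that makes this check fail even
            # when the signature bytes themselves are valid.
            hits = [e for e in root.iter() if any(e.get(a) == target for a in ID_ATTRS)]
            if len(hits) != 1:
                return False, "ID %r matched %d elements, expected 1" % (target, len(hits))
            # Enveloped signature: the signed element must be an ancestor of ds:Signature.
            node = sig
            while node is not None and node is not hits[0]:
                node = parent.get(node)
            if node is None:
                return False, "signed element %r does not enclose its signature" % target
    return True, "every reference resolves to one enclosing element"

# Constructed sample documents (signature values omitted; structure is what matters).
CONFORMING = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Assertion AssertionID="a1"><Subject>alice</Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
 </Assertion></Response>"""
# A second element reusing the same AssertionID, as a non-conforming third-party
# product might emit: the reference no longer identifies a single element.
DUPLICATE_ID = """<Response xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <Assertion AssertionID="a1"><Subject>alice</Subject></Assertion>
 <Assertion AssertionID="a1"><Subject>alice</Subject>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature>
 </Assertion></Response>"""
```

Running `check_signature_references` on the two constructed documents returns `(True, ...)` for the conforming one and `(False, ...)` for the duplicate-ID one, which is the failure mode the log files report.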

To disable the XML signature wrapping checks:

  1. Navigate to the xsw.properties file. The file exists in different locations for the Policy Server and the Web Agent.
  2. Change the following xsw.properties settings to true:
  3. Save the file.

SAML 1.x-Only Issues

The following issues apply only to SAML 1.x features.

SAML 1.x Artifact Profile Single Sign-On Failing

Symptom:

If single sign-on with the SAML 1.x artifact profile is configured, the consumer site fails to send SAML request messages to the producer. Error messages similar to the following appear in the Federation Web Service log file:

May 23, 2012 4:20:44.234 PM[28349544:E] Dispatcher object thrown unknown exception while processing the request message. Message: java.net.ConnectException: Connection refused: connect.
May 23, 2012 4:20:44.234 PM[28349544:E] Exception caught. Message: com.netegrity.affiliateminder.webservices.m: Exception occurred while message dispatcher(srca) object trying to send SOAP request message to the SAML producer.

Solution:

Verify that the web server hosting the Assertion Retrieval Service is running with a configured SSL port.