Support Article
Error in signature with X509Token
SA-6868
Summary
We've just upgraded to Pega 7.1.7 from Pega 7.1.6 and the signing of SAML tokens stopped working with message errorInObtainingToken and exception com.pega.apache.axis2.AxisFault: Error in signature with X509Token. It appears that the root cause is Caused by: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#.
Error Messages
2015-01-08 09:21:24,480 [http-/0.0.0.0:8080-5] [TABTHREAD1] [ ] [ Designs:01.02.02] (ecurity.message.WSSecSignature) ERROR |Rule-Connect-SOAP.-.IssueToken bimmcj - javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#
2015-01-08 09:21:24,518 [http-/0.0.0.0:8080-5] [TABTHREAD1] [ ] [ Designs:01.02.02] ( rahas.client.STSClient) ERROR|Rule-Connect-SOAP.TokenService-.IssueToken bimmcj - errorInObtainingToken
com.pega.apache.axis2.AxisFault: Error in signature with X509Token
at com.pega.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
at com.pega.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
...
at com.pegarules.generated.activity.ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.step12_circum0(ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.java:3476)
at com.pegarules.generated.activity.ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.perform(ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.java:257)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
...
Caused by: com.pega.apache.rampart.RampartException: Error in signature with X509Token
at com.pega.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:802)
...
Caused by: com.pega.apache.ws.security.WSSecurityException: Signature creation failed
at com.pega.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:570)
at com.pega.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:787)
... 109 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#
at org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:450)
...
Caused by: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#
at org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.transform(ApacheCanonicalizer.java:222)
...
Caused by: java.lang.NullPointerException
at com.pega.apache.axiom.om.impl.dom.AttrImpl.cloneNode(AttrImpl.java:353)
...
at org.apache.xml.security.transforms.Transform.<init>(Transform.java:131)
at org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.transform(ApacheCanonicalizer.java:213)
... 116 more
Steps to Reproduce
n/a
Root Cause
The root cause of this problem is a defect in Pegasystems’ code/rules. Sporadically the JBoss Application server was loading the incorrect Class leading to the issue.
Local change to invokeAxis2 activity was needed to load the correct Security provider.
Resolution
This issue is resolved through the following local change.
This issue is resolved through the following local change.
Add this code to Step-1 of invokeaxis2 directly in the dev system and see if the non-working case gets resolved.
We can refine the code later once we get the confirmation that it works
java.security.Provider[] providers = java.security.Security.getProviders();
providers = java.security.Security.getProviders();
for(java.security.Provider prov : providers){
oLog.infoForced("Before Provider: " + prov.getClass());
}
oLog.infoForced("----------------------------------------------");
for(java.security.Provider prov : providers){
oLog.infoForced("Provider: " + prov.getClass());
if(prov.getName().equals("ApacheXMLDSig")){
oLog.infoForced("removing provider"+prov.getName());
java.security.Security.removeProvider("ApacheXMLDSig");
}
}
oLog.infoForced("----------------------------------------------");
providers = java.security.Security.getProviders();
for(java.security.Provider prov : providers){
oLog.infoForced("After Provider: " + prov.getClass());
}
Published January 31, 2016 - Updated October 8, 2020
Have a question? Get answers now.
Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.