Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Error in signature with X509Token

SA-6868

Summary



We've just upgraded to Pega 7.1.7 from Pega 7.1.6 and the signing of SAML tokens stopped working with message errorInObtainingToken and exception com.pega.apache.axis2.AxisFault: Error in signature with X509Token. It appears that the root cause is Caused by: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#. 

Error Messages



2015-01-08 09:21:24,480 [http-/0.0.0.0:8080-5] [TABTHREAD1] [ ] [ Designs:01.02.02] (ecurity.message.WSSecSignature) ERROR |Rule-Connect-SOAP.-.IssueToken bimmcj - javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#
2015-01-08 09:21:24,518 [http-/0.0.0.0:8080-5] [TABTHREAD1] [ ] [ Designs:01.02.02] ( rahas.client.STSClient) ERROR|Rule-Connect-SOAP.TokenService-.IssueToken bimmcj - errorInObtainingToken
com.pega.apache.axis2.AxisFault: Error in signature with X509Token
at com.pega.apache.rampart.handler.RampartSender.invoke(RampartSender.java:76)
at com.pega.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
...
at com.pegarules.generated.activity.ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.step12_circum0(ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.java:3476)
at com.pegarules.generated.activity.ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.perform(ra_action_invokeaxis2_c81a9eca10285d8f160a613b5898ec8f.java:257)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
...
Caused by: com.pega.apache.rampart.RampartException: Error in signature with X509Token
at com.pega.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:802)
...
Caused by: com.pega.apache.ws.security.WSSecurityException: Signature creation failed
at com.pega.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:570)
at com.pega.apache.rampart.builder.AsymmetricBindingBuilder.doSignature(AsymmetricBindingBuilder.java:787)
... 109 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#
at org.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:450)
...
Caused by: javax.xml.crypto.dsig.TransformException: Couldn't find Transform for: http://www.w3.org/2001/10/xml-exc-c14n#
at org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.transform(ApacheCanonicalizer.java:222)
...
Caused by: java.lang.NullPointerException
at com.pega.apache.axiom.om.impl.dom.AttrImpl.cloneNode(AttrImpl.java:353)
...
at org.apache.xml.security.transforms.Transform.<init>(Transform.java:131)
at org.apache.jcp.xml.dsig.internal.dom.ApacheCanonicalizer.transform(ApacheCanonicalizer.java:213)
... 116 more

Steps to Reproduce



n/a

Root Cause



The root cause of this problem is a defect in Pegasystems’ code/rules. Sporadically the JBoss Application server was loading the incorrect Class leading to the issue.
Local change to invokeAxis2 activity was needed to load the correct Security provider.

Resolution



This issue is resolved through the following local change.

This issue is resolved through the following local change.

Add this code to Step-1 of invokeaxis2 directly in the dev system and see if the non-working case gets resolved. 
We can refine the code later once we get the confirmation that it works
 
java.security.Provider[] providers = java.security.Security.getProviders();
 
 
providers = java.security.Security.getProviders();
               for(java.security.Provider prov : providers){                     
                     oLog.infoForced("Before Provider: " + prov.getClass());
               }
 
oLog.infoForced("----------------------------------------------");
               for(java.security.Provider prov : providers){                     
                     oLog.infoForced("Provider: " + prov.getClass());
if(prov.getName().equals("ApacheXMLDSig")){
oLog.infoForced("removing provider"+prov.getName());
java.security.Security.removeProvider("ApacheXMLDSig");
}
               }
 
oLog.infoForced("----------------------------------------------");
providers = java.security.Security.getProviders();
               for(java.security.Provider prov : providers){                     
                     oLog.infoForced("After Provider: " + prov.getClass());
               }
 

Tags:

Pega Platform Pega Platform 7.1.7 Data Integration

Published January 31, 2016 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Visit the Collaboration Center

Did you find this content helpful?

Yes
No

Want to help us improve this content?
Suggest an edit

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us