This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

WSSecurityException: The signature or decryption was invalid

SA-14545

Summary



A WSSecurityException occurs when requesting a SAML token from the OpenAM STS server (from a Pega SOAP Connector trying to call a SAML-enabled external service).
The issue occurs sporadically and is usually resolved after a restart.

 

Error Messages



2015-06-25 01:34:52,421 [ PegaRULES-Batch-2] [ STANDARD] [ ] [ Designs:01.03] ( axis2.engine.AxisEngine) ERROR Rule-Connect-SOAP.IPA-IntSecurityTokenService-.IssueToken - The signature or decryption was invalid 
com.pega.apache.axis2.AxisFault: The signature or decryption was invalid 
at com.pega.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186) 
at com.pega.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) 
... 
at com.pega.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364) 
... 
at com.pega.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555) 
at com.pega.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:160) 
... 
Caused by: com.pega.apache.ws.security.WSSecurityException: The signature or decryption was invalid 
at com.pega.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:451) 
at com.pega.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:232) 
... 
at com.pega.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:248) 
at com.pega.apache.rampart.RampartEngine.process(RampartEngine.java:155) 
at com.pega.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) 
.
.
.
 

Steps to Reproduce



Not Applicable


Root Cause



A defect or configuration issue in the operating environment.

Sporadically, JBOSS would use an incorrect provider to decrypt the response, which would result in the error. To prevent this, the Pega-provided libraries should be modified to register the Security provider under a unique name, to avoid clashes caused by incorrect class loading by JBOSS.
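
The kind of provider-name collision described above can be reproduced with the standard `java.security` API. This is an added illustration, not code from Pega or from the hotfix; the classes `ContainerCopy` and `AppCopy` and the provider names `SHARED` and `APP-SHARED` are hypothetical.

```java
import java.security.CodeSource;
import java.security.Provider;
import java.security.Security;

public class ProviderNameClash {
    // Hypothetical stand-ins for two copies of a crypto provider that
    // reach the JVM through different class loaders (constructed).
    static class ContainerCopy extends Provider {
        ContainerCopy(String name) { super(name, 1.0, "copy visible to the container"); }
    }
    static class AppCopy extends Provider {
        AppCopy(String name) { super(name, 1.0, "copy shipped with the application"); }
    }

    /** Registers p, then reports which class a lookup by p's name resolves to. */
    static String registerAndResolve(Provider p) {
        // addProvider returns -1 when a provider with this name is already installed.
        int pos = Security.addProvider(p);
        Provider resolved = Security.getProvider(p.getName());
        return p.getName() + ": " + (pos == -1 ? "rejected" : "added at " + pos)
                + ", name resolves to " + resolved.getClass().getSimpleName();
    }

    /** Describes where an installed provider's class was loaded from. */
    static String origin(Provider p) {
        CodeSource src = p.getClass().getProtectionDomain().getCodeSource();
        ClassLoader cl = p.getClass().getClassLoader();
        return p.getName() + " | " + p.getClass().getName()
                + " | loader=" + (cl == null ? "bootstrap" : cl)
                + " | source=" + (src == null ? "n/a" : src.getLocation());
    }

    public static void main(String[] args) {
        // The container's copy claims the shared name first.
        Security.addProvider(new ContainerCopy("SHARED"));
        // Same name: the application's copy is not installed, so lookups by
        // name keep resolving to the container's class.
        System.out.println(registerAndResolve(new AppCopy("SHARED")));
        // Unique name: the application's copy is installed and resolvable.
        System.out.println(registerAndResolve(new AppCopy("APP-SHARED")));
        // Inventory to run inside the affected JVM when diagnosing a clash.
        for (Provider p : Security.getProviders()) {
            System.out.println(origin(p));
        }
    }
}
```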

Resolution



Install HFix-22870.

Published October 5, 2015 - Updated October 8, 2020
