SA-14545

Summary

WSSecurityException occurs when requesting a SAML token from the OpenAM STS server (from a Pega SOAP Connector trying to call a SAML enabled externalservice).
The issue occurs sporadically, and is usually resolved after a restart.
 

Error Messages

2015-06-25 01:34:52,421 [ PegaRULES-Batch-2] [ STANDARD] [ ] [ Designs:01.03] ( axis2.engine.AxisEngine) ERROR Rule-Connect-SOAP.IPA-IntSecurityTokenService-.IssueToken - The signature or decryption was invalid 
com.pega.apache.axis2.AxisFault: The signature or decryption was invalid 
at com.pega.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:186) 
at com.pega.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:95) 
... 
at com.pega.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:364) 
... 
at com.pega.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:555) 
at com.pega.apache.rahas.client.STSClient.requestSecurityToken(STSClient.java:160) 
... 
Caused by: com.pega.apache.ws.security.WSSecurityException: The signature or decryption was invalid 
at com.pega.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:451) 
at com.pega.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:232) 
... 
at com.pega.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:248) 
at com.pega.apache.rampart.RampartEngine.process(RampartEngine.java:155) 
at com.pega.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92) 
.
.
.
 

Steps to Reproduce

Not Applicable

Root Cause

A defect or configuration issue in the operating environment.

Sporadically JBOSS would use incorrect provider to decrypt the response and this would result in the error. To prevent this, Pega provided libraries should be modified to register the Security provider with a unique name to avoid clashing with incorrect class loading by JBOSS.

Resolution

Install HFix-22870.