PH43722: SAML SSO MAY EMIT CWWSS5601E NULLPOINTEREXCEPTION ERROR WHEN DECRYPTING ENCRYPTED ASSERTIONS


APAR status

  • Closed as program error.

Error description

  • The WebSphere SAML Single Sign-On (SSO) Trust Association
    Interceptor (TAI) might emit a java.lang.NullPointerException
    error when it receives a SAML response that contains an
    encrypted SAML Assertion:
    
    EncryptedKeyC E   CWWSS5601E: The following exception occured
    while decrypting the message: java.lang.NullPointerException:
    Key not specified or obtained
    at com.ibm.ws.wssecurity.xml.xss4j.enc.DecryptionContext.getEncryptionEngine(DecryptionContext.java:669)
    
    This can happen when the properties required to decrypt the
    assertion, such as sso_<id>.sp.keyAlias, are not present in the
    SAML SSO TAI configuration.
    

Local fix

  • Ensure that the following properties are configured correctly.
    
    The problem is that WAS is trying to decrypt the
    EncryptedAssertion, so all four of these properties must be
    defined and must point to the private key that can decrypt the
    EncryptedAssertion:
    
    sso_<id>.sp.keyStore
    sso_<id>.sp.keyName
    sso_<id>.sp.keyPassword
    sso_<id>.sp.keyAlias
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Application Server users of   *
    *                  SAML                                        *
    *                  Web SSO                                     *
    ****************************************************************
    * PROBLEM DESCRIPTION: SAML SSO might emit a                   *
    *                      java.lang.NullPointerException error    *
    *                      when                                    *
    *                      decryption key parameters are missing   *
    ****************************************************************
    * RECOMMENDATION:  Install a fix pack that contains this       *
    *                  APAR.                                       *
    ****************************************************************
    When the SAML SSO configuration does not include the properties
    required to decrypt an encrypted assertion and the runtime
    receives an encrypted Assertion from an IdP, it might emit a
    java.lang.NullPointerException error.
    

Problem conclusion

  • The SAML SSO TAI is updated so that it emits an FFDC error like
    the following if a decryption error occurs when the
    sso_<id>.sp.keyAlias property is missing from the TAI
    configuration:
    
    [2/9/22 10:02:27:743 CST]     FFDC
    Exception:com.ibm.websphere.security.WebTrustAssociationFailedException
    SourceId:com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.invokeTAIbeforeSSO ProbeId:609
    com.ibm.websphere.security.WebTrustAssociationFailedException:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWSML7039E:
    One or more of the properties required to decrypt a SAML
    assertion are missing from the SAML TAI configuration.  The
    required pareameters are [sso_<id>.sp.keyAlias,
    sso_<id>.sp.keyPassword].:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5601E:
    The following exception occurred while decrypting the message:
    CWWSS8048E: The Application Server is unable to obtain the
    decrypting key.
     at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.processSAMLResponseContext(ACSTrustAssociationInterceptor.java:971)
     at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.invokeTAIbeforeSSO(ACSTrustAssociationInterceptor.java:593)
    
    
    Messages were also changed under the following error conditions:
    
    Missing the sso_<id>.sp.keyPassword, but not the
    sso_<id>.sp.keyAlias:
    
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWSML7039E:
    One or more of the properties required to decrypt a SAML
    assertion are missing from the SAML TAI configuration.  The
    required parameters are [sso_<id>.sp.keyAlias,
    sso_<id>.sp.keyPassword].:
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7074E:
    The key is not retrieved. The exception is::
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5312E:
    The Application Server cannot retrieve the 'myKey' key from the
    'myKeystore' keystore. The following exception occurred:
    java.security.UnrecoverableKeyException: requested entry
    requires a password
    
    The sso_<id>.sp.keyAlias is incorrect:
    
    com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    java.lang.RuntimeException: Fail to decrypt EncryptedKey:
    CWWSS7074E: The key is not retrieved. The exception is::
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6800E:
    The entry with alias 'myKey' of keystore 'myKeystore' cannot be
    found: entry=null
    
    The sso_<id>.sp.keyPassword is incorrect:
    
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWSML7040E:
    A [java.security.UnrecoverableKeyException] error occurred when
    attempting to retrieve the key with alias, [myKey], from the
    [myKeystore] keystore.  Check if the configured password is
    correct.: com.ibm.wsspi.wssecurity.core.SoapSecurityException:
    CWWSS7074E: The key is not retrieved. The exception is::
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5312E:
    The Application Server cannot retrieve the 'myKey' key from the
    'myKeystore' keystore. The following exception occurred:
    java.security.UnrecoverableKeyException: Given final block not
    properly padded
    
    All of these conditions previously returned the following
    message:
    
    com.ibm.wsspi.wssecurity.core.SoapSecurityException: Fail to
    decrypt EncryptedKey
    
    The fix for this APAR is targeted for inclusion in fix pack
    8.5.5.21 and 9.0.5.12.  For more information, see 'Recommended
    Updates for WebSphere Application Server':
    https://www.ibm.com/support/pages/node/715553
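    The "Local fix" section lists the four sso_<id>.sp.* properties
    that must be present, and the "Problem conclusion" section lists
    the distinct failure modes (property missing, alias not in the
    keystore, wrong key password) that the fixed TAI now reports
    separately. The following stand-alone Java pre-flight check,
    added here as an example and not part of IBM's code or of this
    APAR, reads the TAI custom properties from an ordinary
    .properties file (an assumption; the properties can be copied
    out of the administrative console) and tries to load the
    decryption key the same way the runtime would, so each failure
    mode is surfaced before an IdP sends an encrypted assertion.
    The property names sso_<id>.sp.keyStoreType and
    sso_<id>.sp.keyStorePassword are assumed from the WebSphere
    SAML TAI documentation and are not listed on this page; the
    class and method names are the example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Pre-flight check for the SAML TAI decryption key (added example, not IBM code).
 * Reports every condition this APAR describes instead of letting the runtime
 * discover it on the first encrypted assertion.
 */
public class SamlDecryptKeyCheck {

    // The four properties the "Local fix" section says must all be defined.
    static final String[] REQUIRED = {"keyStore", "keyName", "keyPassword", "keyAlias"};

    /** Returns the list of findings for sso_<id>; an empty list means the key is loadable. */
    static List<String> check(Properties tai, String id) {
        List<String> findings = new ArrayList<>();
        String prefix = "sso_" + id + ".sp.";

        // Condition 1: a required property is absent. The fixed TAI reports this as
        // CWSML7039E; the unfixed TAI hit the CWWSS5601E NullPointerException.
        for (String suffix : REQUIRED) {
            String value = tai.getProperty(prefix + suffix);
            if (value == null || value.trim().isEmpty()) {
                findings.add("missing property " + prefix + suffix + " (CWSML7039E)");
            }
        }
        if (!findings.isEmpty()) {
            return findings;
        }

        String path = tai.getProperty(prefix + "keyStore");
        String alias = tai.getProperty(prefix + "keyAlias");
        char[] keyPassword = tai.getProperty(prefix + "keyPassword").toCharArray();
        // keyStoreType / keyStorePassword: assumed property names, not on this APAR page.
        String type = tai.getProperty(prefix + "keyStoreType", KeyStore.getDefaultType());
        String storePassword = tai.getProperty(prefix + "keyStorePassword");

        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, storePassword == null ? null : storePassword.toCharArray());

            // Condition 2: alias is wrong -> runtime reports CWWSS6800E "entry ... cannot be found".
            if (!ks.containsAlias(alias)) {
                findings.add("alias '" + alias + "' not found in keystore '" + path + "' (CWWSS6800E)");
                return findings;
            }
            if (!ks.isKeyEntry(alias)) {
                findings.add("alias '" + alias + "' is a trusted-certificate entry, not a private key");
                return findings;
            }

            // Condition 3: key password is wrong -> UnrecoverableKeyException (CWSML7040E / CWWSS5312E).
            Key key = ks.getKey(alias, keyPassword);
            if (!(key instanceof PrivateKey)) {
                findings.add("alias '" + alias + "' does not hold a private key usable for decryption");
            }
        } catch (UnrecoverableKeyException e) {
            findings.add("key password for alias '" + alias + "' rejected: " + e.getMessage()
                    + " (CWSML7040E)");
        } catch (IOException e) {
            // Unreadable file or wrong keystore password both surface here.
            findings.add("cannot open keystore '" + path + "': " + e.getMessage());
        } catch (GeneralSecurityException e) {
            findings.add("keystore error for '" + path + "': " + e);
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 2) {
            System.err.println("usage: java SamlDecryptKeyCheck <tai.properties> <sso-id>");
            System.exit(2);
        }
        Properties tai = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) {
            tai.load(in);
        }
        List<String> findings = check(tai, args[1]);
        if (findings.isEmpty()) {
            System.out.println("OK: decryption key for sso_" + args[1] + " is loadable");
            return;
        }
        for (String f : findings) {
            System.out.println("FAIL: " + f);
        }
        System.exit(1);
    }
}
```

    Run it as `java SamlDecryptKeyCheck tai.properties 1` on the
    server that hosts the keystore; a non-zero exit code means the
    runtime would fail to decrypt an EncryptedAssertion for that
    sso_<id>. The check deliberately stops at the first class of
    failure, because a missing property makes the later keystore
    probes meaningless.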
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH43722

  • Reported component name

    WEBS APP SERV N

  • Reported component ID

    5724H8800

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-01-28

  • Closed date

    2022-02-22

  • Last modified date

    2022-02-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS APP SERV N

  • Fixed component ID

    5724H8800

Applicable component levels

  • Product: WebSphere Application Server
    Platform: Platform Independent
    Version: 9.0

Document Information

Modified date:
23 February 2022