APAR status
Closed as program error.
Error description
The WebSphere SAML Single Sign-On (SSO) Trust Association Interceptor (TAI) might emit a java.lang.NullPointerException error when it receives a SAML response that contains an encrypted SAML Assertion:

EncryptedKeyC E CWWSS5601E: The following exception occured while decrypting the message: java.lang.NullPointerException: Key not specified or obtained
at com.ibm.ws.wssecurity.xml.xss4j.enc.DecryptionContext.getEncryptionEngine(DecryptionContext.java:669)

This can happen when the properties required to decrypt the assertion, such as sso_<id>.sp.keyAlias, are not present in the SAML SSO TAI configuration.
Local fix
Ensure that the following properties are configured correctly. The problem is that WAS is trying to decrypt the EncryptedAssertion, so all four of these properties must be defined and point to the private key that can be used to decrypt the EncryptedAssertion:
sso_<id>.sp.keyStore
sso_<id>.sp.keyName
sso_<id>.sp.keyPassword
sso_<id>.sp.keyAlias
Problem summary
USERS AFFECTED: IBM WebSphere Application Server users of SAML Web SSO
PROBLEM DESCRIPTION: SAML SSO might emit a java.lang.NullPointerException error when decryption key parameters are missing
RECOMMENDATION: Install a fix pack that contains this APAR.

When the SAML SSO configuration does not include the properties required to decrypt an encrypted assertion and the runtime receives an encrypted Assertion from an IdP, it might emit a java.lang.NullPointerException error.
Problem conclusion
The SAML SSO TAI is updated so that it emits an FFDC error like the following if a decryption error occurs when the sso_<id>.sp.keyAlias property is missing from the TAI configuration:

[2/9/22 10:02:27:743 CST] FFDC Exception:com.ibm.websphere.security.WebTrustAssociationFailedException SourceId:com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.invokeTAIbeforeSSO ProbeId:609
com.ibm.websphere.security.WebTrustAssociationFailedException: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWSML7039E: One or more of the properties required to decrypt a SAML assertion are missing from the SAML TAI configuration. The required parameters are [sso_<id>.sp.keyAlias, sso_<id>.sp.keyPassword].: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5601E: The following exception occurred while decrypting the message: CWWSS8048E: The Application Server is unable to obtain the decrypting key.
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.processSAMLResponseContext(ACSTrustAssociationInterceptor.java:971)
at com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor.invokeTAIbeforeSSO(ACSTrustAssociationInterceptor.java:593)

Messages were also changed under the following error conditions:

Missing the sso_<id>.sp.keyPassword, but not the sso_<id>.sp.keyAlias:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWSML7039E: One or more of the properties required to decrypt a SAML assertion are missing from the SAML TAI configuration. The required parameters are [sso_<id>.sp.keyAlias, sso_<id>.sp.keyPassword].: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7074E: The key is not retrieved. The exception is:: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'myKeystore' keystore. The following exception occurred: java.security.UnrecoverableKeyException: requested entry requires a password

The sso_<id>.sp.keyAlias is incorrect:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: java.lang.RuntimeException: Fail to decrypt EncryptedKey: CWWSS7074E: The key is not retrieved. The exception is:: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS6800E: The entry with alias 'myKey' of keystore 'myKeystore' cannot be found: entry=null

The sso_<id>.sp.keyPassword is incorrect:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWSML7040E: A [java.security.UnrecoverableKeyException] error occurred when attempting to retrieve the key with alias, [myKey], from the [myKeystore] keystore. Check if the configured password is correct.: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7074E: The key is not retrieved. The exception is:: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'myKeystore' keystore. The following exception occurred: java.security.UnrecoverableKeyException: Given final block not properly padded

All of these conditions previously returned the following message:
com.ibm.wsspi.wssecurity.core.SoapSecurityException: Fail to decrypt EncryptedKey

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.12. For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
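As an added pre-deployment check (not part of this APAR or of WebSphere itself), the script below parses a constructed SAML TAI custom-properties snippet and reports, for each sso_<id> partner, which of the four decryption properties named in the Local fix are absent or empty; it covers the keyAlias-missing and keyPassword-missing conditions listed in the Problem conclusion. The property-file layout, the partner ids and all values are constructed for illustration.

```python
import re

# Constructed sample of SAML TAI custom properties (not from any real deployment).
# sso_1 is complete, sso_2 lacks keyAlias, sso_3 lacks keyPassword.
SAMPLE_TAI_PROPERTIES = """
# SAML TAI custom properties (constructed)
sso_1.sp.acsUrl=https://sp.example.test/samlsps/acs
sso_1.sp.keyStore=myKeystore
sso_1.sp.keyName=myKey
sso_1.sp.keyPassword=changeit
sso_1.sp.keyAlias=myKey
sso_2.sp.acsUrl=https://sp.example.test/samlsps/acs2
sso_2.sp.keyStore=myKeystore
sso_2.sp.keyName=myKey
sso_2.sp.keyPassword=changeit
sso_3.sp.acsUrl=https://sp.example.test/samlsps/acs3
sso_3.sp.keyStore=myKeystore
sso_3.sp.keyName=myKey
sso_3.sp.keyAlias=myKey
"""

# The four properties the Local fix says must all be set for decryption.
DECRYPTION_PROPERTIES = ("keyStore", "keyName", "keyPassword", "keyAlias")


def parse_properties(text):
    """Minimal key=value parser; '#' and '!' lines are comments (Java .properties style)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def missing_decryption_properties(props):
    """Return {sso_id: [missing property names]} for every sso_<id> partner found.

    An empty value is treated as missing (assumption: an empty keystore name,
    alias or password cannot yield a usable decryption key)."""
    partner_ids = sorted({m.group(1) for k in props
                          if (m := re.match(r"(sso_[^.]+)\.sp\.", k))})
    return {sso_id: [p for p in DECRYPTION_PROPERTIES
                     if not props.get(f"{sso_id}.sp.{p}")]
            for sso_id in partner_ids}


if __name__ == "__main__":
    for sso_id, missing in missing_decryption_properties(
            parse_properties(SAMPLE_TAI_PROPERTIES)).items():
        status = "ok" if not missing else "MISSING " + ", ".join(missing)
        print(f"{sso_id}: {status}")
```

Run it against a real TAI properties export before enabling encrypted assertions at the IdP; any partner listed as MISSING is one the un-patched runtime would fail on with the NullPointerException described above.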
Temporary fix
Comments
APAR Information
APAR number
PH43722
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-01-28
Closed date
2022-02-22
Last modified date
2022-02-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Line of Business: Automation
Business Unit: IBM Software w/o TPS
Product: WebSphere Application Server (SSEQTP)
Platform: Platform Independent
Version: 9.0
Document Information
Modified date:
23 February 2022