Symantec Access Management

  • 1.  Primary certificate serial number or issuer dn is empty or null

    Posted Dec 05, 2017 01:01 PM

    I have installed new policy server R12.7 SP01 on a RHEL 7.x server. I have already created the Session store and am using SPS for Federation. The application is working well with IDP-initiated SSO, but I need to test SP-POST-initiated SSO. I am getting an HTTP 500 error message from the IDP side and am unable to generate the assertion. The following error messages appear in the SMPS.log and smtrace.log files. I am using Salesforce for the SP side.

    [12/05/2017][11:54:53.116][11:54:53][25615][139941929522944][SignatureProcessor.java][verifyXML][28454859-44ab3909-aabfeda8-ab22f51b-fbb01f51-2a][][][][][][][][][][][][][][][][][][][][Primary certificate serial number or issuer dn is empty or null][][]


    [25615/139941929522944][Tue Dec 05 2017 11:54:53][AssertionGenerator.java][ERROR][sm-FedServer-00080] preProcess() returns fatal error. <Response ID="_56e275566d07400b09772d21650e7a754fd1" InResponseTo="_2CAAAAWC4AtloME8wZTAwMDAwMDAwMDAxAAAA0r-xvK-oddNq3AcHCggGhkIzm9CZYnCpUa7WBc3VSj6cf8Zj-kDzVrEuzJOLOmD8LMdgVK4uqubqpQHbaG63KlwPe1wXK9KvrIkhNyY9K6ZOiUUemG1yRlHQNLKRUNGRj2StdjtLx4qOVKyufGGE-4BWJxr3N5ufCKadhMLrS78j9b6nnrz3ZA-T5bYl-8TZmoe-lFrE1azsgAT5vSg3D0scC6QkaDXLzO-yTzkA8vqjKZFLRQA2jvkyKf7PpKgrng" IssueInstant="2017-12-05T17:54:53Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
    <ns1:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion">xxxx.***.net</ns1:Issuer>
    <Status>
    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <StatusMessage>Configuration error.</StatusMessage>
    </Status>
    </Response>



  • 2.  Re: Primary certificate serial number or issuer dn is empty or null

    Broadcom Employee
    Posted Dec 07, 2017 10:29 AM


    Prior to 12.7 there was only a single option to specify the signature verification certificate alias.
    12.7 now provides two (primary and secondary) certificate verification options.
    Based on the error message, possibly the primary certificate verification alias doesn't have either the serial number or the issuer DN.


    Was the policy store updated to R12.7?

    You may want to open an issue for further investigation.



  • 3.  Re: Primary certificate serial number or issuer dn is empty or null

    Posted Dec 07, 2017 10:33 AM

    Thanks for your response, Stephen. I have already updated the Policy store with R12.7 SP01. Other applications are working well except Salesforce SP-POST.



  • 4.  Re: Primary certificate serial number or issuer dn is empty or null

    Posted Dec 07, 2017 10:35 AM

    I have already opened a case with the CA support team and am working with them. The CA technician already verified the setup and didn't find anything wrong in it.



  • 5.  Re: Primary certificate serial number or issuer dn is empty or null
    Best Answer

    Posted Dec 07, 2017 11:11 PM

    Hi Naresh,


    Can you please check if you are using exactly the same signing cert (at the SP) and verification cert (at the IDP) for this partnership? It looks to me that either they do not match or you have NOT specified the verification cert alias at the IDP.


    Regards,

    Ujwol
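    The check Ujwol suggests above, and Stephen's point that the 12.7 verification alias is identified by certificate serial number plus issuer DN, can be scripted against the actual DER certificates on both sides. The example below is added here and is not code from the thread or from the Symantec/CA product: it walks a DER-encoded X.509 certificate with the standard library only, pulls out the serial number and issuer DN, and reports the two failure modes discussed in the thread (identity fields empty, or SP signing cert not matching the IdP's configured verification cert). The certificates it uses are constructed inline for the demo (unsigned, with placeholder names); in practice you would feed it the SP's signing cert exported from its SAML metadata and the cert behind the IdP partnership's primary verification alias.

```python
"""Compare an SP signing certificate with the IdP's configured verification
certificate by (serial number, issuer DN), the identity the verification
alias is keyed on.  Stdlib-only DER walker; sample certs are constructed
below and are not real Salesforce or IdP certificates."""

# --- minimal DER reader (enough for the TBSCertificate prefix) -----------
def _read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner

_OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}

def _decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def _decode_name(value):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'C=.., O=.., CN=..'."""
    out = []
    for _, rdn in _children(value):         # each RDN is a SET
        for _, atv in _children(rdn):       # each AttributeTypeAndValue is a SEQUENCE
            (_, oid), (_, text) = list(_children(atv))
            dotted = _decode_oid(oid)
            out.append(f"{_OID_NAMES.get(dotted, dotted)}={text.decode('utf-8')}")
    return ", ".join(out)

def cert_identity(der):
    """Return (serial_hex, issuer_dn) for a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der)
    _, tbs, _ = _read_tlv(cert)             # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:     # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, issuer = fields[0][1], fields[2][1]   # INTEGER, then AlgorithmIdentifier, then issuer Name
    return serial.hex().upper().lstrip("0") or "0", _decode_name(issuer)

def check_partnership(sp_signing_der, idp_verification_der):
    """Mirror the two conditions discussed in the thread."""
    sp_serial, sp_issuer = cert_identity(sp_signing_der)
    idp_serial, idp_issuer = cert_identity(idp_verification_der)
    if not idp_serial or not idp_issuer:
        return "primary certificate serial number or issuer dn is empty or null"
    if (sp_serial, sp_issuer) != (idp_serial, idp_issuer):
        return f"mismatch: SP signs with {sp_serial} / {sp_issuer}; IdP verifies {idp_serial} / {idp_issuer}"
    return "ok"

# --- tiny DER writer, used only to construct the sample certificates ------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = bytes([40 * a + b])
    for v in rest:
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return out

def _name(attrs):
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _oid(o)) + _tlv(0x0C, v.encode()))) for o, v in attrs))

def build_sample_cert(serial, issuer_attrs):
    """Syntactically valid but unsigned, untrusted certificate for demonstration only."""
    alg = _tlv(0x30, _tlv(0x06, _oid("1.2.840.113549.1.1.11")) + _tlv(0x05, b""))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                      # version v3
           + _tlv(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # positive INTEGER
           + alg + _name(issuer_attrs)
           + _tlv(0x30, _tlv(0x17, b"171205000000Z") + _tlv(0x17, b"181205000000Z"))
           + _name([("2.5.4.3", "sp.example.test")])
           + _tlv(0x30, b""))                                                  # SPKI placeholder
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))

# Constructed sample identities (placeholders, not the real Salesforce cert)
SP_ISSUER = [("2.5.4.6", "US"), ("2.5.4.10", "Example SP Inc"), ("2.5.4.3", "sp.example.test")]
SP_SIGNING_CERT = build_sample_cert(0x1A2B3C, SP_ISSUER)
IDP_VERIFICATION_OK = build_sample_cert(0x1A2B3C, SP_ISSUER)
IDP_VERIFICATION_STALE = build_sample_cert(0x1A2B3D, SP_ISSUER)   # previous SP cert still configured
IDP_VERIFICATION_BROKEN = build_sample_cert(0x1A2B3C, [])         # issuer DN missing entirely

if __name__ == "__main__":
    for label, idp in [("ok", IDP_VERIFICATION_OK), ("stale", IDP_VERIFICATION_STALE),
                       ("broken", IDP_VERIFICATION_BROKEN)]:
        print(f"{label:7s} {check_partnership(SP_SIGNING_CERT, idp)}")
```

To run it against real material, read the SP signing cert out of the `<KeyDescriptor use="signing">` element of the SP metadata (base64-decode the `X509Certificate` text to get DER) and export the IdP's verification alias from its key store in DER; `cert_identity` then gives you the same serial/issuer pair the verification alias is expected to carry, and a non-"ok" result points at either a missing alias configuration or a cert rotation on the SP side that the IdP partnership has not picked up.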



  • 6.  Re: Primary certificate serial number or issuer dn is empty or null

    Posted Dec 08, 2017 11:13 AM

    I have fixed this issue. I have added the Salesforce SSL cert. Please check the attached screenshot for the SSL certs.



  • 7.  Re: Primary certificate serial number or issuer dn is empty or null

    Broadcom Employee
    Posted Dec 08, 2017 11:15 AM

    Thanks for the update - what was the issue number you had entered? I would like to review it to make sure it's got the right info.



  • 8.  Re: Primary certificate serial number or issuer dn is empty or null

    Posted Dec 08, 2017 11:18 AM

    CA case number 00905931