Tags: saml-2.0, openam

OpenAM: Error processing AuthnRequest. null


When trying to init an SSO via OpenAM, I get the following error:

HTTP Status 400 - Error processing AuthnRequest. null
The request sent by the client was syntactically incorrect (Error processing AuthnRequest. null).

The logs point to the method AMKeyProvider.getPrivateKey (NullPointerException), so I know a private key can't be read. However, I'm new to OpenAM/SAML and don't know where/how to fix this issue.

Here's the full stack trace:

 libSAML2:10/17/2014 12:06:41:247 PM CEST: Thread[http-bio-8443-exec-8,5,main]
ERROR: Error processing Request 
java.lang.NullPointerException
    at org.forgerock.openam.utils.AMKeyProvider.getPrivateKey(AMKeyProvider.java:269)
    at com.sun.identity.saml.xmlsig.JKSKeyProvider.getPrivateKey(JKSKeyProvider.java:112)
    at com.sun.identity.saml2.profile.SPSSOFederate.signQueryString(SPSSOFederate.java:1125)
    at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:346)
    at com.sun.identity.saml2.profile.SPSSOFederate.initiateAuthnRequest(SPSSOFederate.java:146)
    at org.apache.jsp.saml2.jsp.spSSOInit_jsp._jspService(spSSOInit_jsp.java:149)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.forgerock.openam.validation.ResponseValidationFilter.doFilter(ResponseValidationFilter.java:44)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:98)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Solution

  • The exception is pointing to: org.forgerock.openam.utils.AMKeyProvider.getPrivateKey(AMKeyProvider.java:269)

    The method getPrivateKey looks like this:

    public java.security.PrivateKey getPrivateKey (String certAlias) {
        java.security.PrivateKey key = null;
        try {
            // A NullPointerException on this line means either ks (the loaded
            // keystore) or privateKeyPass (the key password read at startup)
            // is null, i.e. the keystore or its password file was never read.
            key = (PrivateKey) ks.getKey(certAlias,
                    privateKeyPass.toCharArray());
        } catch (KeyStoreException e) {
            logger.error(e.getMessage());
        } catch (NoSuchAlgorithmException e) {
            logger.error(e.getMessage());
        } catch (UnrecoverableKeyException e) {
            // thrown by JKS when the key password is wrong
            logger.error(e.getMessage());
        }
        return key;   // null when no entry with this alias exists
    }

    Thus, there is either no keystore at all at the expected path, no valid key with the corresponding alias in the keystore, or the keystore and/or key password is wrong.

    The keystore path (as well as the path to the files containing the encrypted passwords) can be seen in the OpenAM admin web UI under Configuration - Servers and Sites - myServerName - Security, typically:

    %BASE_DIR%/%SERVER_URI%/keystore.jks

    where %BASE_DIR% is configured under Configuration - Servers and Sites - myServerName - General.
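To narrow the three causes listed above down to one, here is a small stand-alone diagnostic added as an example; it is not OpenAM's code, and the class name KeystoreCheck, its Result values and its command-line arguments are my own assumptions. It repeats the steps behind AMKeyProvider.getPrivateKey one at a time (file present, keystore password opens it, alias exists, entry is a private key, key password recovers it) and names the first step that fails, where OpenAM's method only surfaces a NullPointerException or a null key.

```java
import java.io.Console;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;

/**
 * Added diagnostic (not part of OpenAM): checks, step by step, whether a
 * JKS keystore / alias / password combination yields a private key.
 *
 * Usage: java KeystoreCheck /path/to/keystore.jks <signing-cert-alias>
 * Both passwords are prompted for, so they never appear in the process
 * list or the shell history.
 */
public class KeystoreCheck {

    /** First failing step, in the order OpenAM would hit it at runtime. */
    public enum Result {
        KEYSTORE_MISSING("no file at the configured keystore path"),
        STORE_PASSWORD_WRONG("keystore exists but the keystore password does not open it"),
        ALIAS_MISSING("keystore opens but holds no entry with this alias"),
        NOT_A_PRIVATE_KEY("alias exists but is a trusted certificate, not a private key entry"),
        KEY_PASSWORD_WRONG("private key entry exists but the key password does not recover it"),
        OK("private key recovered; this keystore/alias/password combination works");

        public final String explanation;
        Result(String explanation) { this.explanation = explanation; }
    }

    public static Result check(String keystorePath, char[] storePass, String alias, char[] keyPass) {
        File file = new File(keystorePath);
        if (!file.isFile()) {
            return Result.KEYSTORE_MISSING;
        }

        KeyStore ks;
        try (FileInputStream in = new FileInputStream(file)) {
            ks = KeyStore.getInstance("JKS");
            ks.load(in, storePass);
        } catch (IOException e) {
            // KeyStore.load reports a wrong keystore password as an IOException
            // whose cause is an UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return Result.STORE_PASSWORD_WRONG;
            }
            throw new IllegalStateException("cannot read keystore: " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot load keystore: " + e.getMessage(), e);
        }

        try {
            if (!ks.containsAlias(alias)) {
                return Result.ALIAS_MISSING;
            }
            if (!ks.isKeyEntry(alias)) {
                return Result.NOT_A_PRIVATE_KEY;
            }
            // Same call AMKeyProvider makes; with a wrong key password JKS
            // throws UnrecoverableKeyException rather than returning null.
            Key key = ks.getKey(alias, keyPass);
            return (key instanceof PrivateKey) ? Result.OK : Result.NOT_A_PRIVATE_KEY;
        } catch (UnrecoverableKeyException e) {
            return Result.KEY_PASSWORD_WRONG;
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot read key entry: " + e.getMessage(), e);
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreCheck <keystore.jks> <alias>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("run from an interactive terminal so the passwords can be prompted for");
            System.exit(2);
        }
        char[] storePass = console.readPassword("keystore password: ");
        char[] keyPass = console.readPassword("private key password: ");
        Result result;
        try {
            result = check(args[0], storePass, args[1], keyPass);
        } finally {
            // Do not leave the secrets in the heap longer than needed.
            Arrays.fill(storePass, '\0');
            Arrays.fill(keyPass, '\0');
        }
        System.out.println(result + ": " + result.explanation);
        System.exit(result == Result.OK ? 0 : 1);
    }
}
```

Run it against the keystore.jks path shown in the Security tab and the alias the SP uses for signing (the signingCertAlias attribute in the SP's extended metadata). OpenAM itself reads the two passwords from the encrypted password files referenced on that same tab, so the values you type here must be the ones those files decrypt to; a KEYSTORE_MISSING or STORE_PASSWORD_WRONG result matches the NullPointerException in the trace above, while ALIAS_MISSING or KEY_PASSWORD_WRONG would instead show up as a null key or an UnrecoverableKeyException logged by getPrivateKey.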