
OKTA-SAML Integration on Agile End in [Security:096620]Invalid key information error (Doc ID 2649292.1)

Last updated on MARCH 15, 2020

Applies to:

Oracle Agile PLM Framework - Version 9.3.6.0 and later
Information in this document applies to any platform.

Symptoms

ACTUAL BEHAVIOR

Configuring SSO with a SAML 2.0 Identity Provider (OKTA).

While configuring the SAML 2.0 Federation Service on the WebLogic server, an Invalid key information error is raised when the changes are activated in the WebLogic Administration Console.


ERROR
An error occurred during activation of changes, please see the log for details.
[Management:141191]The prepare phase of the configuration update failed with an exception.
[Security:096620]Invalid key information.


The WebLogic server log shows the stack trace below; the root cause is a BeanUpdateRejectedException thrown from SAML2ConfigSpiImpl.checkKeyManagerConfig while the SAML 2.0 configuration update is being prepared:

  at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepare(RuntimeAccessDeploymentReceiverService.java:422)
  at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doPrepareCallback(DeploymentReceiverCallbackDeliverer.java:186)
  at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.prepare(DeploymentReceiverCallbackDeliverer.java:42)
  at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.callDeploymentReceivers(AwaitingContextUpdateCompletion.java:170)
  at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.handleContextUpdateSuccess(AwaitingContextUpdateCompletion.java:66)
  at weblogic.deploy.service.internal.statemachines.targetserver.AwaitingContextUpdateCompletion.contextUpdated(AwaitingContextUpdateCompletion.java:32)
  at weblogic.deploy.service.internal.targetserver.TargetDeploymentService.notifyContextUpdated(TargetDeploymentService.java:233)
  at weblogic.deploy.service.internal.DeploymentService$1.run(DeploymentService.java:213)
  at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:670)
  at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352)
  at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337)
  at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57)
  at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41)
  at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:644)
  at weblogic.work.ExecuteThread.execute(ExecuteThread.java:415)
  at weblogic.work.ExecuteThread.run(ExecuteThread.java:355)
Caused by: weblogic.descriptor.BeanUpdateRejectedException: [Security:096620]Invalid key information.
  at com.bea.security.saml2.config.impl.SAML2ConfigSpiImpl.checkKeyManagerConfig(SAML2ConfigSpiImpl.java:291)
  at com.bea.security.saml2.config.impl.SAML2ConfigSpiImpl.checkLocalConfig(SAML2ConfigSpiImpl.java:275)
  at com.bea.security.saml2.config.impl.SAML2ConfigSpiImpl.prepareUpdate(SAML2ConfigSpiImpl.java:261)
  at weblogic.descriptor.internal.DescriptorImpl$Update.prepare(DescriptorImpl.java:684)
  at weblogic.descriptor.internal.DescriptorImpl.prepareUpdateDiff(DescriptorImpl.java:257)
  at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepareUpdateDiff(RuntimeAccessDeploymentReceiverService.java:2113)
  at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.prepare(RuntimeAccessDeploymentReceiverService.java:400)


STEPS
The issue can be reproduced at will with the following steps:

- Generate Keystore

Generate a JKS keystore containing the SSO signing key pair with keytool (the steps below refer to the values used in the example keytool command: keystore file SpIdentity.jks, key alias sp, passphrase welcome1).

- Configure Keystores

  1. Log in to the WebLogic Server Administration Console as an administrator.
  2. Click Lock & Edit.
  3. Expand Environment, click Servers, then click the name of the WebLogic server.
  4. On the Configuration tab, click the Keystores sub-tab.
  5. Click Change and select Custom Identity and Custom Trust.
  6. For Custom Identity Keystore, enter the path to the JKS file generated earlier (e.g. SpIdentity.jks in the example keytool command above).
  7. For Custom Identity Keystore Type, enter JKS.
  8. Enter and confirm the Custom Identity Keystore Passphrase (e.g. welcome1 in the example keytool command above). This is the keystore passphrase (keytool -storepass), not the passphrase of the individual key.
  9. Click Save.
  10. On the Configuration tab, click the Federation Services sub-tab, then the SAML 2.0 General sub-tab.
  11. Fill in the fields in the Site Info section.
  12. In the Single Sign-On section, for Single Sign-on Signing Key Alias enter the key alias (e.g. sp in the example keytool command above). Enter and confirm the Single Sign-on Signing Key Pass Phrase (e.g. welcome1 in the example keytool command above); this is the private key's passphrase (keytool -keypass), which may differ from the keystore passphrase entered in step 8.
  13. Click Save.
  14. On the Configuration tab, click the Federation Services sub-tab, then the SAML 2.0 Service Provider sub-tab.
  15. Select the Enabled checkbox. In the Default URL field, enter the Agile PLM web client URL.
  16. Click Save, then click Activate Changes.
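The stack trace above places the rejection in SAML2ConfigSpiImpl.checkKeyManagerConfig during the prepare phase: before accepting the SAML 2.0 settings, WebLogic resolves the signing key from the identity keystore configured in steps 6 to 8 using the alias and key passphrase from step 12, and any mismatch surfaces only as [Security:096620]Invalid key information. The Java program below is an added example, not code from this article, from Agile PLM or from WebLogic; it repeats those lookups with the JDK KeyStore API and reports which of the four values (keystore path, keystore passphrase, alias, key passphrase) fails. The class name Saml2SigningKeyCheck, the keytool command in the header comment and the CN=agile-sp subject are assumptions; the file name SpIdentity.jks, the alias sp and the passphrase welcome1 are the article's example values (welcome1 is a demonstration passphrase, not one to use on a real server).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Date;

/*
 * Added example for this article; not part of the article, Agile PLM or WebLogic.
 * Performs, with the plain JDK KeyStore API, the three lookups that the SAML 2.0
 * SSO signing-key configuration must survive before Activate Changes succeeds:
 *   1. the Custom Identity Keystore opens with the keystore passphrase (step 8),
 *   2. the Single Sign-on Signing Key Alias exists and is a private-key entry (step 12),
 *   3. that private key opens with the Single Sign-on Signing Key Pass Phrase (step 12).
 *
 * Assumed fixture (values taken from the article; the command itself is an assumption):
 *   keytool -genkeypair -alias sp -keyalg RSA -keysize 2048 -validity 365 \
 *       -dname "CN=agile-sp" -keystore SpIdentity.jks -storetype JKS \
 *       -storepass welcome1 -keypass welcome1
 * Run: javac Saml2SigningKeyCheck.java && java Saml2SigningKeyCheck SpIdentity.jks welcome1 sp welcome1
 */
public class Saml2SigningKeyCheck {

    /** Outcome of the check; only OK is a combination WebLogic can use to sign SAML messages. */
    public enum Result {
        OK, KEYSTORE_UNREADABLE, BAD_STORE_PASSPHRASE, ALIAS_MISSING, NOT_A_PRIVATE_KEY, BAD_KEY_PASSPHRASE
    }

    /** Opens the keystore as type JKS, matching the Custom Identity Keystore Type entered in step 7. */
    public static KeyStore load(String path, char[] storePass) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Checks the alias and key passphrase against an already opened keystore. */
    public static Result checkAlias(KeyStore ks, String alias, char[] keyPass) {
        try {
            if (!ks.containsAlias(alias)) {
                return Result.ALIAS_MISSING;          // typo in the alias, or the wrong keystore file
            }
            if (!ks.isKeyEntry(alias)) {
                return Result.NOT_A_PRIVATE_KEY;      // a trustedCertEntry (e.g. an imported IdP cert) cannot sign
            }
            Key key = ks.getKey(alias, keyPass);      // throws UnrecoverableKeyException on a wrong key passphrase
            if (!(key instanceof PrivateKey)) {
                return Result.NOT_A_PRIVATE_KEY;      // a secret-key entry, not an RSA/EC key pair
            }
            return Result.OK;
        } catch (UnrecoverableKeyException e) {
            return Result.BAD_KEY_PASSPHRASE;
        } catch (GeneralSecurityException e) {
            return Result.KEYSTORE_UNREADABLE;
        }
    }

    /** Full check from file path to private key; maps each failure to the console field that needs fixing. */
    public static Result check(String path, char[] storePass, String alias, char[] keyPass) {
        KeyStore ks;
        try {
            ks = load(path, storePass);
        } catch (IOException e) {
            // The JKS provider signals a wrong store passphrase as an IOException caused by an
            // UnrecoverableKeyException; any other IOException means a wrong path or a file that is not a keystore.
            return e.getCause() instanceof UnrecoverableKeyException
                    ? Result.BAD_STORE_PASSPHRASE : Result.KEYSTORE_UNREADABLE;
        } catch (GeneralSecurityException e) {
            return Result.KEYSTORE_UNREADABLE;
        }
        return checkAlias(ks, alias, keyPass);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: java Saml2SigningKeyCheck <keystore> <store-passphrase> <alias> <key-passphrase>");
            System.exit(2);
        }
        String path = args[0], alias = args[2];
        char[] storePass = args[1].toCharArray(), keyPass = args[3].toCharArray();

        Result result = check(path, storePass, alias, keyPass);
        System.out.println(path + " alias '" + alias + "': " + result);
        if (result == Result.OK) {
            // Also show the certificate that ends up in the SP metadata handed to the IdP; an expired one
            // still passes the checks above but may be rejected by the IdP when it validates signatures.
            X509Certificate cert = (X509Certificate) load(path, storePass).getCertificate(alias);
            System.out.println("  subject: " + cert.getSubjectX500Principal()
                    + ", valid until: " + cert.getNotAfter());
            if (cert.getNotAfter().before(new Date())) {
                System.out.println("  warning: signing certificate has expired");
            }
        }
        System.exit(result == Result.OK ? 0 : 1);
    }
}
```

Run it on the same host and with the same JDK as the server, against the exact path entered in step 6, before clicking Activate Changes. The two passphrases are independent: step 8 takes the keystore passphrase (keytool -storepass) and step 12 takes the private key's passphrase (keytool -keypass); when the two differ, entering the keystore passphrase in step 12 shows up here as BAD_KEY_PASSPHRASE.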



Changes

 

Cause




