hanish
Contributor

"Signature Validation Failed" error with Java 7u25

I have upgraded my Java installation from Java 7u17 to Java 7u25. After that, when I try to log in to the web client, it's giving the error "Signature validation failed". After uninstalling the update, it's working fine. What can be the reason behind it?

17 Replies
laurentsd
VMware Employee

Can you provide more details?

- version of the Web Client

- what is your setup

- what do you see in vsphere_client_virgo.log regarding this error (or attach the whole log).

0 Kudos
hanish
Contributor

  • Web client version is 5.5.0 Build 1093996
  • I'm running it on a Windows 7 machine. Previously I had Java 7u17. When I upgraded it to Java 7u25, it started giving an error.
  • I'm sorry that I don't have the complete log since it got overwritten. I have a part of the exception that I noticed in the log "Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException:

Cannot resolve element with ID [some id goes here]   at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(Unknown Source)"

0 Kudos
laurentsd
VMware Employee

Thanks for the info.  We have an SSO issue with Java 7u25, so for now stick with 7u17.  I don't know when the issue will be resolved.

mmatloka
Contributor

Is there any update on this topic? One thing is that it is not possible to update to a newer Java (where new versions fix security issues), and the second thing is that it will not be possible to use Java 8 when such an issue exists, and Java 8, according to the latest info, will be released in March as final.

0 Kudos
laurentsd
VMware Employee

It should work with the latest JDK 1.7, like 7u45.   But you still need to compile with option -target 1.6.

0 Kudos
mmatloka
Contributor

Hi,

I will quote one source: https://stackoverflow.com/questions/17168184/java-7-language-backwards-compatibility

"

You can't compile source with Java 7 features into Java 6 .class because this

javac -source 1.7 -target 1.6 Test.java

produces source release 1.7 requires target release 1.7 error. This is because some of the 1.7 features can work only with Java 7 classes. Eg try-with-resources uses Throwable.addSuppressed method available only since 1.7

"

I have checked this with our maven and gradle based project and that's true, we can't compile with target 1.6 using source 1.7.

The fact that we can't use the latest JDK with this SDK is a major issue!

0 Kudos
laurentsd
VMware Employee

You need to use both -source 1.6 -target 1.6. This is fine since your source is not using 1.7 specific features.

0 Kudos
mmatloka
Contributor

My source is using java 7 specific features.

So what I understand there are two options:

1. Use jdk 7, max update 21

2. Use jdk 7, with update > 21 or jdk 8, but only with java 6 features  (source and target 1.6).

So I have to choose to use JDK without security fixes (u21) or downgrade to Java 6 features??

0 Kudos
laurentsd
VMware Employee

In this release you have no choice but compile with -source 1.6 -target 1.6 for your java plugin because some of our libraries are still using Java 1.6.

You should remove the Java 1.7 specific features from your plugin source but still use the latest JDK 1.7.

Remember that the java plugin running on the Web Client server should be very lightweight, it is just a pass-through to connect to vCenter or your back-end server (see docs/FAQ.html).  All the business logic must run on your own server where you can use any Java version you want.

0 Kudos
mmatloka
Contributor

Oh, sorry. It seems that when looking for help I have landed on the wrong forum with exactly the same symptoms. I get "Signature validation failed" when using VCO SDK with new JDKs

"

Caused by: com.vmware.vim.sso.client.exception.InvalidTokenException: Signature validation failed

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:528)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateAndPopulate(SamlTokenImpl.java:450)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:213)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:264)

  at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:37)

  at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:62)

  at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:122)

  at com.vmware.o11n.sdk.rest.client.impl.SsoTokenServiceAdaptor.acquireHokToken(SsoTokenServiceAdaptor.java:54)

  ... 53 more"

0 Kudos
AlfredoQuiroga
Contributor

I also need some help regarding this issue. I've followed as per the other comments in this thread the suggestion of using jdk1.6 and even started the serenity client cmd line and confirmed that 1.6 is being used:

/backup/software/vmware/serenity-client/server/bin/dmk.sh start

/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home

When I go to the browser and try to login I am receiving a:

"Signature validation failed"

I have the client.properties file with:

ls.url=https://192.168.1.142:7444/lookupservice/sdk

ls.thumbprint=CD:FA:A2:B3:FF:D5:75:3F:76:EF:AE:F1:AD:D0:B5:68:89:CF:7F:B3

Log Exception:

[2014-01-24 10:12:43.072] INFO  [INFO ] http-bio-9443-exec-2         FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vise.util.i18n.I18nFilter                              The preferred locale for session FA1103EB7D4D8DCCE7113D21BDB4A3AE is set to: en_US

[2014-01-24 10:12:43.076] INFO  [INFO ] http-bio-9443-exec-2         FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vise.security.DefaultAuthenticationProvider            Authenticating user: root using authentication handler: com.sun.proxy.$Proxy359

[2014-01-24 10:12:43.079] INFO  [INFO ] http-bio-9443-exec-2         FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vise.vim.security.sso.impl.SsoUtilInternal             Acquiring a SAML token for user root from https://192.168.1.142:7444/ims/STSService

[2014-01-24 10:12:43.369] INFO  [INFO ] http-bio-9443-exec-2         FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vim.sso.client.impl.SoapBindingImpl                    Overriding host name verifier as the STS is contacted by IP address

[2014-01-24 10:12:43.746] ERROR [ERROR] http-bio-9443-exec-2         FA1103EB7D4D8DCCE7113D21BDB4A3AE com.vmware.vim.sso.client.impl.SamlTokenImpl                      Signature validation failed javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _65855186-28aa-4cd3-b343-03c3a255b141

  at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:412)

  at org.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:371)

  at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:265)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:522)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.validateAndPopulate(SamlTokenImpl.java:450)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:213)

  at com.vmware.vim.sso.client.impl.SamlTokenImpl.<init>(SamlTokenImpl.java:264)

  at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:37)

  at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:62)

  at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:122)

  at com.vmware.vise.vim.security.sso.impl.SsoUtilInternal.acquireToken(SsoUtilInternal.java:403)

  at com.vmware.vise.vim.security.sso.impl.SsoServiceImpl.acquireToken(SsoServiceImpl.java:182)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)

  at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)

  at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.osgi.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:59)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)

  at com.sun.proxy.$Proxy221.acquireToken(Unknown Source)

  at com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler.authenticate(SsoAuthenticationHandler.java:98)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:309)

  at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.doInvoke(ServiceInvoker.java:58)

  at org.springframework.osgi.service.importer.support.internal.aop.ServiceInvoker.invoke(ServiceInvoker.java:62)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.osgi.service.importer.support.LocalBundleContextAdvice.invoke(LocalBundleContextAdvice.java:59)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:131)

  at org.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:119)

  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)

  at com.sun.proxy.$Proxy359.authenticate(Unknown Source)

  at com.vmware.vise.security.DefaultAuthenticationProvider.authenticate(DefaultAuthenticationProvider.java:145)

  at org.springframework.security.authentication.ProviderManager.doAuthentication(ProviderManager.java:130)

  at org.springframework.security.authentication.AbstractAuthenticationManager.authenticate(AbstractAuthenticationManager.java:48)

  at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:97)

  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)

  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)

  at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)

  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)

  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:79)

  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:380)

  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:169)

  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)

  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

  at com.vmware.vise.security.FlexLoginFilter.doFilterInternal(FlexLoginFilter.java:45)

  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

  at com.vmware.vise.util.i18n.I18nFilter.doFilterInternal(I18nFilter.java:43)

  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

  at com.vmware.vise.security.SessionManagementFilter.doFilterInternal(SessionManagementFilter.java:30)

  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

  at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:43)

  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)

  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)

  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)

  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)

  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)

  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)

  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)

  at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)

  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)

  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)

  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)

  at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:987)

  at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579)

  at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)

  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)

  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)

  at java.lang.Thread.run(Thread.java:695)

Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _65855186-28aa-4cd3-b343-03c3a255b141

  at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:124)

  at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:404)

  ... 98 common frames omitted

Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _65855186-28aa-4cd3-b343-03c3a255b141

  at com.sun.org.apache.xml.internal.security.utils.resolver.implementations.ResolverFragment.engineResolve(ResolverFragment.java:90)

  at com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolver.resolve(ResourceResolver.java:283)

  at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:117)

  ... 99 common frames omitted

0 Kudos
laurentsd
VMware Employee

When using Java 1.6 you also need to install these jce_policy files to your SDK for SSO to work:

Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6

0 Kudos
AlfredoQuiroga
Contributor

Really appreciate the response.

In my local serenity client box (mac) I've replaced the original two files:

local_policy.jar             Unlimited strength local policy file

US_export_policy.jar         Unlimited strength US export policy file

with the downloaded ones. Still after restarting the serenity client server via the IDE and CMD line I still receive the same exception.

I still have the client.properties file with the two entries under server/config because the UI barks if it doesn't find it. Can you think of anything that can still be causing this?

Thanks in advance for all the help, really appreciate it.

Details shown below:

New java security files:

ls -ltr /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security

total 72

lrwxr-xr-x  1 root  wheel     87 Jan 23 21:16 trusted.libraries -> /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/trusted.libraries

-rw-r--r--  1 root  wheel    347 Jan 23 21:16 sunpkcs11-macosx.cfg

-rw-r--r--  1 root  wheel  13458 Jan 23 21:16 java.security

-rw-r--r--  1 root  wheel   3443 Jan 23 21:16 java.policy

lrwxr-xr-x  1 root  wheel     81 Jan 23 21:16 cacerts -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts

lrwxr-xr-x  1 root  wheel     79 Jan 23 21:16 blacklist -> /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/blacklist

-rw-r--r--  1 root  wheel   2469 Jan 24 12:04 US_export_policy.jar.orig

-rw-r--r--  1 root  wheel   2486 Jan 24 12:04 local_policy.jar.orig

-rw-r--r--@ 1 root  wheel   2465 Jan 24 12:05 US_export_policy.jar

-rw-r--r--@ 1 root  wheel   2481 Jan 24 12:05 local_policy.jar

Exception:

Caused by: javax.xml.crypto.URIReferenceException: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _cc2b77fc-5d81-4390-8c7b-27b460dac151

  at org.jcp.xml.dsig.internal.dom.DOMURIDereferencer.dereference(DOMURIDereferencer.java:124)

  at org.jcp.xml.dsig.internal.dom.DOMReference.dereference(DOMReference.java:404)

  ... 98 common frames omitted

Caused by: com.sun.org.apache.xml.internal.security.utils.resolver.ResourceResolverException: Cannot resolve element with ID _cc2b77fc-5d81-4390-8c7b-27b460dac151

0 Kudos
AlfredoQuiroga
Contributor

I was finally able to resolve this issue. Below are the steps I took for mac:

1. Go to https://developer.apple.com/downloads

2. I searched in the filter box for all possible finds for "Java for OS X"

3. I took a guess after a friend mentioned he had the same dev environment working for _45 and downloaded:

javadeveloper_for_os_x_2012006__11m3909.dmg

4. Installed it.

5. export JAVA_HOME="/Library/Java/JavaVirtualMachines/1.6.0_37-b06-434.jdk/Contents/Home/"

6. sh /backup/software/vmware/serenity-client/server/bin/dmk.sh start clean

7. If running from the IDE, just make sure you configure in your preferences and under the Virgo Settings to point to that version or similar.

Laurent thanks for all the help and responding, really appreciate you pointing me in the right direction.

Regards.

Alfredo

laurentsd
VMware Employee

No problem, thanks for posting your solution!

0 Kudos
viktorious
VMware Employee

Hi,

I've just re-installed the vSphere Web Client, which solved the problem for me.

Best regards, Viktor

0 Kudos
Punitsolanki
Enthusiast

Does anyone know the same for the Windows version? I am using J7u21. Please advise.

Punit Solanki psolanki@vmware.com
0 Kudos