1 Reply Latest reply on Jan 25, 2017 7:34 AM by Pradhap Rajamani

    "SigningKey cannot be null" when using keystore file in the sample apps

    mitusingh27 Newbie

      I installed and setup Picketlink for working with SAML. I was successfully able to use the sample applications with their default configurations. I want to use the sales-post-sig as the SP and my own IDP. For doing this, I created a new keystore file using this command

      keytool -genkey -alias myAlias -keyalg RSA -keystore keystore.jks

      I set keystore password to "password"

      I set Key password to "secret"


      I added my IDP's cert file to the keystore using this command:

      keytool import -trustcacerts -alias certAlias -file idp.cert -keystore keystore.jks


      The cert gets added. I checked this using:

      keytool -list -v -keystore keystore.jks


      I put this keystore.jks in the java/resources folder.


      I modified the picketlink.xml file with the following information:

                  <Auth Key="KeyStoreURL" Value="/keystore.jks" />

                  <Auth Key="KeyStorePass" Value="password" />

                  <Auth Key="SigningKeyPass" Value="secret" />

                  <Auth Key="SigningKeyAlias" Value="certAlias" />

                  <ValidatingAlias Key="localhost" Value="certAlias" />

                  <ValidatingAlias Key="" Value="certAlias" />


      i build sales-post-sig.war and deploy it on JBoss.It deploy correctly. When I try to access it using http://localhost:8080/sales-post-sig, I get the following error

      Caused by: javax.xml.crypto.dsig.XMLSignatureException: PLFED000100: Signing Process Failure

              at org.picketlink.identity.federation.PicketLinkLoggerImpl.signatureError(PicketLinkLoggerImpl.java:99) [picketlink-jbas7-2.1.5.Final.jar:2.1.5.Final]

              ... 18 more

      Caused by: java.lang.NullPointerException: signingKey cannot be null

              at javax.xml.crypto.dsig.dom.DOMSignContext.<init>(DOMSignContext.java:96) [xmlsec-1.5.1.jar:1.5.1]

              at org.picketlink.identity.federation.core.util.XMLSignatureUtil.sign(XM

      LSignatureUtil.java:345) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]

              at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.sig

      n(SAML2Signature.java:190) [picketlink-core-2.1.5.Final.jar:2.1.5.Final]

              at org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature.sig

      nSAMLDocument(SAML2Signature.java:259) [picketlink-core-2.1.5.Final.jar:2.1.5.Fi




      Is there anything wrong with the keystore or cert file? Am I missing any step to set the sample sp with my IDP? What is signingkeyValue and where can I set it?


      Thanks in advance!


        • 1. Re: "SigningKey cannot be null" when using keystore file in the sample apps
          Pradhap Rajamani Newbie



          1)The above error you are getting because you have imported a certificate with alias name as "certAlia" and you have given the same in <Auth Key="SigningKeyAlias"   Value="certAlias" /> .This should not be done .Change the value to the alias name of the keystore which you might have given while creating the keystore


            2) If you are going with different keystores for your idp and sp ,create a certificate for idp using keytool and import it in sp's keystore .similarly create one certificate    for sp and import the same in idp's keystore.


             3)  <Auth Key="SigningKeyPass" Value="secret" />

                      <Auth Key="SigningKeyAlias" Value="certAlias" />    these attributes should be the alias name and key password  of your keystore file given by you while creating the    keystore file.You should not mention alias name of the certificate file.


            4)Once you are done with importing certificates in both your idp and sp keystore. add the line in both idp and sp's picketlink.xml file  <ValidatingAlias Key="localhost"  Value="certAlias" /> and here the value will be the alias name of the certificate you are importing .since you are doing this in your local "ValidatingAlias Key" is  "localhost". otherwise  it should be  your application url.