HTTP 500 internal server error after updating idp certificate

  • 7023901
  • 26-May-2019
  • 26-May-2019

Environment

Access Manager 4.4
Clustered IDP setup.
Clustered AG setup.

Situation

The IDP public certificate was due to expire and had been replaced.
Authentication directly against /nidp was successful, but if a protected resource was accessed via an Access Gateway, the login page was presented and, after credentials were entered, the browser received an HTTP 500 internal server error.

Resolution

Careful examination and comparison of all the IDP keystores showed that the signing and encryption keystores still had the old certificate.

The following steps were performed:
1.    Added the new certificate to the encryption and signing keystores.
2.    Removed the old certificate from the encryption and signing keystores.
3.    Updated the IDP configuration.
4.    Restarted the IDP: /etc/init.d/novell-idp restart

After this the openssl command against the IDP returned the new certificate and the problem was resolved.

Cause

As the error appeared after the Access Gateway redirected to the IDP, the AG ESP catalina.out was examined.
This showed the artifact returned by the IDP being sent to the IDP's SOAP endpoint for resolution:

<amLogEntry> 2019-05-24T02:11:05Z INFO NIDS Application: AM#500105021: AMDEVICEID#esp-B557FFBC1E82C454: AMAUTHID#b73a52e55d405f2b72b8caec35b9c0f2c0cd78aef97809c69736f73b3ec8d5e7:  Sending artifact AAM7cjFX55KzYS0FXScw39b0yzpGG8usD7MmtMqWaueG5NJqTJP/qHZL to URL https://idpurl.com/nidp/idff/soap at IDP </amLogEntry>

The AG logged the following error for the SOAP response:

<amLogEntry> 2019-05-24T02:11:05Z WARNING NIDS Application: AM#100105004: AMDEVICEID#esp-B557FFBC1E82C454:  Error in SOAP response format. Reason: Element [script: null] missing required child element Body. </amLogEntry>

followed by a null pointer exception:

May 24, 2019 12:11:05 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [NIDPServlet] in context with path [/nesp] threw exception
java.lang.NullPointerException
    at com.novell.nidp.common.xml.w3c.XMLUtil.documentToPrettyString(y:613)
    at com.novell.nidp.common.util.SOAPIO.doSOAPRequest(y:2040)
    at com.novell.nidp.common.profile.Profile.soapSend(y:1564)
    at com.novell.nidp.liberty.idff.profile.LibertyProfile.A(y:3435)
    at com.novell.nidp.liberty.idff.profile.LibertyProfile.handledInBoundResponse(y:3105)
    at com.novell.nidp.liberty.idff.profile.LibertySSOProfile.processResponse(y:2675)
    at com.novell.nidp.liberty.IDFFHandler.E(y:2289)
    at com.novell.nidp.liberty.IDFFHandler.handleRequest(y:3087)
    at com.novell.nidp.liberty.LibertyMeDescriptor.handleRequest(y:11)
    at com.novell.nidp.servlets.NIDPServlet.myDoGet(y:2505)
    at com.novell.nidp.servlets.NIDPBaseServlet.doGet(y:21)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

This pointed to a certificate error.
Running the command

openssl s_client -connect idpurl.com:443 </dev/null | openssl x509 -text

showed that a certificate was being returned, but carefully checking the serial number proved that it was the old IDP certificate, not the new one.

If a browser went directly to the idpurl, the new certificate was returned.
If the hosts file on the AG and the browser was modified to point to a single IDP, the HTTP 500 internal server error was not returned and the backend web site was accessed. The problem only occurred when the AG and browser accessed the cluster via the L5 switch.
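An added check, not part of this article, that queries each IDP cluster node directly (bypassing the load balancer) and compares the certificate serial each one presents, so a node still serving the old certificate shows up; the hostname, node IPs and expected serial are assumed placeholders.

```shell
#!/bin/sh
# Added example: verify every IDP cluster node presents the same certificate
# serial. IDP_HOST, IDP_NODES and EXPECTED_SERIAL are assumed placeholders.
IDP_HOST="${IDP_HOST:-idpurl.com}"       # public IDP name, used for SNI
IDP_NODES="${IDP_NODES:-}"               # space-separated node IPs
EXPECTED_SERIAL="${EXPECTED_SERIAL:-}"   # optional: serial of the new cert

# Print the serial of the certificate served by one node (hostname, node IP).
# Connecting to the node IP with -servername bypasses the L5 switch.
node_serial() {
  s=$(openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -serial 2>/dev/null | sed 's/^serial=//')
  printf '%s\n' "${s:-unreachable}"
}

# Read "node serial" lines on stdin. Exit 0 if every serial matches the
# reference (argument 1, or the first node's serial when empty); otherwise
# print the mismatching nodes and exit 1.
check_serials() {
  awk -v want="$1" '
    BEGIN { bad = 0; n = 0 }
    NF < 2 { next }
    { n++; serial[$1] = $2; if (ref == "") ref = (want != "") ? want : $2 }
    END {
      if (n == 0) { print "no nodes checked"; exit 1 }
      for (node in serial)
        if (serial[node] != ref) {
          printf "%s serves %s, expected %s\n", node, serial[node], ref
          bad = 1
        }
      exit bad
    }'
}

# Gather one line per node and compare; does nothing when IDP_NODES is unset.
if [ -n "$IDP_NODES" ]; then
  for ip in $IDP_NODES; do
    printf '%s %s\n' "$ip" "$(node_serial "$IDP_HOST" "$ip")"
  done | check_serials "$EXPECTED_SERIAL"
fi
```

Run it with IDP_NODES set to the cluster members' IP addresses; a node that still serves the old certificate is printed with both serials.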