Federated Identity Manager RequestSecurityToken NullPointerException

When using IBM Security Federated Identity Manager (TFIM) for an LTPA junction, I ran into a NullPointerException.

STSLTPATokenM 3 com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    consumeSTSUniversalUser Adding attribute to userMap: 
    AZN_CRED_PRINCIPAL_UUID:[e57142ba-37c7-11e2-935f-c0a82f84aa77]
STSLTPATokenM 3 com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    consumeSTSUniversalUser Adding attribute to userMap: 
    AZN_CRED_VERSION:[0x00000611]
STSLTPATokenM 3 com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    consumeSTSUniversalUser Adding attribute to userMap: 
    AZN_CRED_AUTH_METHOD:[password]
STSLTPATokenM 3 com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    consumeSTSUniversalUser Adding attribute to userMap: 
    AZN_CRED_NETWORK_ADDRESS_STR:[10.21.10.163]
STSLTPATokenM 3 com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    consumeSTSUniversalUser Adding attribute to userMap: 
    AZN_CRED_NETWORK_ADDRESS_BIN:[0x0a150aa3]
STSLTPATokenM < com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    issue RETURN
STSLTPATokenM < com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule 
    invoke RETURN
RequestSecuri 1 com.tivoli.am.fim.trustserver.ws.was.RequestSecurityTokenImpl 
    requestSecurityToken Caught exception.
RequestSecuri I com.tivoli.am.fim.trustserver.ws.was.RequestSecurityTokenImpl 
    requestSecurityToken java.lang.NullPointerException
        at com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule.
            consumeSTSUniversalUser(STSLTPATokenModule.java:1210)
        at com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule.
            issue(STSLTPATokenModule.java:646)
        at com.tivoli.am.fim.trustserver.sts.modules.STSLTPATokenModule.
            invoke(STSLTPATokenModule.java:216)

After some investigation, I discovered the cause: the principal attributes I created in my mapping rule had no type specified.

// Create the new principal attribute that's
// appropriate for an LTPA credential.
// Attribute constructor arguments: name, type, value
var attr = new Attribute
    ("name","urn:ibm:names:ITFIM:ltpa","uid=wasadmin,o=defaultWIMFileBasedRealm");
stsuu.addPrincipalAttribute(attr);

// Realm and registry ID carry the same LTPA type.
attr = new Attribute
    ("realm","urn:ibm:names:ITFIM:ltpa","defaultWIMFileBasedRealm");
stsuu.addAttribute(attr);

attr = new Attribute
    ("registryid","urn:ibm:names:ITFIM:ltpa","uid=wasadmin,o=defaultWIMFileBasedRealm");
stsuu.addAttribute(attr);

Once the LTPA type was set on the attributes, the error disappeared.

You will likely encounter this if you use any of the helper methods on stsuu:

stsuu.setPrincipalRegistryID("uid=wasadmin,o=defaultWIMFileBasedRealm");
stsuu.setPrincipalName("wasadmin");
stsuu.setPrincipalDomain("defaultWIMFileBasedRealm");
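As an added illustration (not code from this post or from IBM), the following models the failure and a pre-flight check in plain JavaScript. The StsUniversalUser stand-in, its null-typed helper setters and the consumer are assumptions that mimic the behaviour described above, not TFIM's real classes; the untypedAttributes check is written in ES5 style so it could be adapted into a mapping rule.

```javascript
var LTPA_TYPE = "urn:ibm:names:ITFIM:ltpa";
// Same constructor shape as the mapping rule's Attribute: (name, type, value).
function Attribute(name, type, value) { this.name = name; this.type = type; this.value = value; }
// Assumed stand-in for TFIM's stsuu object, limited to the methods this page uses.
function StsUniversalUser() { this.principalAttributes = []; this.attributes = []; }
StsUniversalUser.prototype.addPrincipalAttribute = function (a) { this.principalAttributes.push(a); };
StsUniversalUser.prototype.addAttribute = function (a) { this.attributes.push(a); };
// Assumption: the helper setters store attributes with no type (null), which the post
// identifies as the trigger for the failure.
StsUniversalUser.prototype.setPrincipalName = function (v) { this.addPrincipalAttribute(new Attribute("name", null, v)); };
StsUniversalUser.prototype.setPrincipalDomain = function (v) { this.addPrincipalAttribute(new Attribute("realm", null, v)); };
StsUniversalUser.prototype.setPrincipalRegistryID = function (v) { this.addPrincipalAttribute(new Attribute("registryid", null, v)); };
// Model of the LTPA module's consumer: it compares each attribute's type with the LTPA
// URI while filling userMap. A null type is dereferenced here, the JavaScript analogue
// of the NullPointerException at STSLTPATokenModule.java:1210 in the trace above.
function consumeSTSUniversalUser(stsuu) {
  var userMap = {};
  var all = stsuu.principalAttributes.concat(stsuu.attributes);
  for (var i = 0; i < all.length; i++) {
    if (all[i].type.toLowerCase() === LTPA_TYPE.toLowerCase()) userMap[all[i].name] = all[i].value;
  }
  return userMap;
}
// Pre-flight check a mapping rule can run before it returns: the names of attributes
// with no type, so the rule can fail with a readable message instead of an opaque NPE.
function untypedAttributes(stsuu) {
  var names = [];
  var all = stsuu.principalAttributes.concat(stsuu.attributes);
  for (var i = 0; i < all.length; i++) {
    if (all[i].type === null || all[i].type === undefined || all[i].type === "") names.push(all[i].name);
  }
  return names;
}
// Constructed sample users: one built with the helper setters, one with typed attributes.
function buildWithHelpers() {
  var s = new StsUniversalUser();
  s.setPrincipalRegistryID("uid=wasadmin,o=defaultWIMFileBasedRealm");
  s.setPrincipalName("wasadmin");
  s.setPrincipalDomain("defaultWIMFileBasedRealm");
  return s;
}
function buildTyped() {
  var s = new StsUniversalUser();
  s.addPrincipalAttribute(new Attribute("name", LTPA_TYPE, "uid=wasadmin,o=defaultWIMFileBasedRealm"));
  s.addAttribute(new Attribute("realm", LTPA_TYPE, "defaultWIMFileBasedRealm"));
  s.addAttribute(new Attribute("registryid", LTPA_TYPE, "uid=wasadmin,o=defaultWIMFileBasedRealm"));
  return s;
}
```

Running untypedAttributes(buildWithHelpers()) names the three untyped attributes, while consumeSTSUniversalUser on the same user throws; the typed user passes both.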
