X.509 Cert authentication fails returning the error NO_CERTMAP_OBJECT

book

Article ID: 14583

calendar_today

Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction



We are configuring X.509 certificate authentication, and after we have setup certificates and created the certificate mapping, we cannot authenticate the users as they are rejected by the Policy Server. When checking the Policy Server traces, we see the following error:

[SmAuthenticate][][][][][][-2][][NO_CERTMAP_OBJECT][][][][][][Unable to find issuer DN in certificate mapping rules][][][][][]

[SmAuthenticate][][][][][][][][][][][][][][][Authentication failed][][][][][][][][][][][][][][][][]

What does the NO_CERTMAP_OBJECT mean? How can we solve this issue?

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B
Component:

Resolution

This error occurs when the Policy Server tries to match the certificate Issuer DN with the Certificate Mapping Issuer DN field, and does not succeed. If the mapping is not created, the same error will happen.

To solve the issue you need to ensure the Issuer DN field in the Certificate Mapping matches exactly the certificate Issuer DN, including spaces and other characters.

Additional Information

This problem has already identified in a previous tech note : https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec529423.html. But this is more a authentication scheme issue.