Unable to import certificate/key pair in later version 12.8 admin UI: Failed creating object of class Certificate.

Article ID: 242200

Products

SITEMINDER
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Federation (SiteMinder)

Issue/Introduction

A SiteMinder administrator cannot import a certificate/key pair in the later version 12.8.4 Admin UI and receives the error "Failed creating object of class Certificate."

This appears to happen only when a database is used as the policy store. It worked in 12.8 SP3 or earlier.

smkeytool fails as well. However, when the policy store is LDAP, the cert/key pair (.p12 file) can be imported successfully from the Admin UI.

E:\CA\siteminder\bin>smkeytool.bat -addPrivKey -alias servercert -keycertfile Cert.p12 -password xxxx
Please specify default key used for signing by associating it with "defaultenterpriseprivatekey" alias in the Certificate Data Store before adding a new key:

E:\CA\siteminder\bin>smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -keycertfile Cert.p12 -password xxxx

An exception occurred while adding private key and certificate to the Certificate Data Store. Exception Message: Failed creating object of class Certificate.
An error occurred while performing the requested -addPrivKey operation. Error Message: com.netegrity.smkeydatabase.db.SmCertificateDataStoreException: An exception occurred while
adding private key and certificate to the Certificate Data Store. Exception Message: Failed creating object of class Certificate.

E:\CA\siteminder\bin>smkeytool.bat -addPrivKey -alias defaultenterpriseprivatekey -certfile ServerCert.crt -keyfile server.key -password xxxx
An exception occurred while adding private key and certificate to the Certificate Data Store. Exception Message: Failed creating object of class Certificate.
An error occurred while performing the requested -addPrivKey operation. Error Message: com.netegrity.smkeydatabase.db.SmCertificateDataStoreException: Error occurred while adding private key and certificate details to the Certificate Data Store. An exception occurred while adding private key and certificate to the Certificate Data Store. Exception Message: Failed creating object of class Certificate..

At the same time, the Policy Server smtracedefault.log shows:

[05/19/2022][22:43:54.058][22:43:54][6188][5460][CSmDbODBC.cpp:1472][CSmDbConnectionODBC::CheckForError][][][][][][][][][][][][22001][-1][[CA SSO][ODBC Oracle Wire Protocol driver]String data, right truncated. Error in parameter 6.][][][][][][][SQL Error.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.058][22:43:54][6188][5460][CSmDbODBC.cpp:1973][CSmDbConnectionODBC::DoExecute][][][][][][][][][][][][][-1][][][][][][][][Leave function CSmDbConnectionODBC::DoExecute][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.058][22:43:54][6188][5460][CSmDbODBC.cpp:362][CSmDbConnectionODBC::MapResult][][][][][][][][][][][][-1][][[CA SSO][ODBC Oracle Wire Protocol driver]String data, right truncated. Error in parameter 6.][][][][][][][ODBC Error: State = 22001 Internal Code = 0 - s - MappedResult:-4007][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.058][22:43:54][6188][5460][XPSIO.cpp:1735][CXPSIO::CreateObject][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR: Previous error occurred on object "CA.CDS::[email protected]"][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.058][22:43:54][6188][5460][XPSPolicyData.cpp:1421][CXPSPolicyData::CommitOrTestRollback][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR: XPS Transaction COMMIT has failed.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '10'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:200][CSmDbConnection::MakeInactive][][][][][][][][][][][][][][][][][][][][][Inactivate connection.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbUtilities.cpp:806][CSmDbMonitoredClass::SetState][][][][][][][][][][][][][][][][][][][][][Connection Pstore_DSN: Changing object state 'Active' to state 'Available'.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '9'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '8'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '7'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '6'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '5'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '4'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '3'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][CSmDbConnection.cpp:241][CSmDbConnection::ReleaseReference][][][][][][][][][][][][][][][][][][][][][Release connection reference. ReferenceCount = '2'][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[05/19/2022][22:43:54.073][22:43:54][6188][5460][XPSPolicyData.cpp:581][CXPSPolicyData::CreateOrUpdateImpl][][][][][][][][][][][][][][][][][][][][][LogMessage:WARN: Assert failed: Commit()][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
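
The trace signature above can be searched for mechanically. The following is an added example, not Broadcom code: it pairs an ODBC "String data, right truncated" error with a later failed XPS commit on the same process and thread. The function name is hypothetical, and the sample lines are constructed from the format above with most empty fields dropped and a placeholder object name.

```python
import re

# Leading fixed fields of a trace line: date, time, time, pid, tid, source:line, function
HEAD = re.compile(
    r'^\[(?P<date>\d{2}/\d{2}/\d{4})\]\[(?P<time>[\d:.]+)\]\[[\d:]+\]'
    r'\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]\[(?P<src>[^\]]+)\]\[(?P<func>[^\]]+)\]')
TRUNC = re.compile(r'String data, right truncated\. Error in parameter (\d+)')
OBJ = re.compile(r'Previous error occurred on object "([^"]+)"')
COMMIT_FAIL = 'XPS Transaction COMMIT has failed'

# Constructed sample lines (shortened; object name is a placeholder).
P = '[05/19/2022][22:43:54.058][22:43:54][6188]'
SAMPLE = [
    P + '[5460][CSmDbODBC.cpp:1472][CSmDbConnectionODBC::CheckForError][][22001][-1]'
        '[[CA SSO][ODBC Oracle Wire Protocol driver]String data, right truncated. '
        'Error in parameter 6.][][SQL Error.][]',
    P + '[5460][XPSIO.cpp:1735][CXPSIO::CreateObject][][LogMessage:ERROR: '
        'Previous error occurred on object "CA.CDS::Certificate@EXAMPLE"][]',
    P + '[5460][XPSPolicyData.cpp:1421][CXPSPolicyData::CommitOrTestRollback][]'
        '[LogMessage:ERROR: XPS Transaction COMMIT has failed.][]',
    # Commit failure on another thread with no truncation error: not reported.
    P + '[7001][XPSPolicyData.cpp:1421][CXPSPolicyData::CommitOrTestRollback][]'
        '[LogMessage:ERROR: XPS Transaction COMMIT has failed.][]',
]

def find_truncated_commits(lines):
    """Return one finding per failed XPS commit that follows an ODBC
    'right truncated' (SQLSTATE 22001) error on the same pid/thread."""
    pending = {}    # (pid, tid) -> details of the first truncation seen
    findings = []
    for line in lines:
        m = HEAD.match(line)
        if not m:
            continue
        key = (m['pid'], m['tid'])
        t = TRUNC.search(line)
        if t:
            pending.setdefault(key, {'when': m['date'] + ' ' + m['time'],
                                     'parameter': int(t.group(1)),
                                     'object': None})
            continue
        o = OBJ.search(line)
        if o and key in pending:
            pending[key]['object'] = o.group(1)
        elif COMMIT_FAIL in line and key in pending:
            findings.append(pending.pop(key))
    return findings

if __name__ == '__main__':
    for finding in find_truncated_commits(SAMPLE):
        print(finding)
```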

 

Cause

Sometimes the RDBMS imposes a limit of 4000 characters or lower, and the Policy Server is unable to commit the cert/key pair data to the policy store.

However, verification showed that the VARCHAR2 is already set to 4000, and increasing it did not help.

In 12.8 SP4 and later, the Policy Server ships an upgraded third-party DataDirect ODBC driver. On both Linux and Windows, whenever a database is used as a store, the data source therefore requires an additional entry at creation time:

"EnableNcharSupport=0"

There could be other issues manifested when this setting is not present, such as:

Command "XPSImport smpolicy.xml -npass" failure

or

Failed to Insert Audit Records after upgrading to 12.8 SP4 and higher.
 
Please review the other tech notes under Additional Information.

Environment

Release : 12.8

Component : SITEMINDER WAM UI

Resolution

The detailed configuration step is documented in step 9 of the section "Create an Oracle Data Source on Windows".

Select the Windows ODBC Data Sources in use for the policy store, click the Advanced tab, and enter the following in the Extended Options field:

EnableNcharSupport=0

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/installing/install-a-policy-server/configure-odbc-databases-as-policy-session-key-and-audit-stores/configure-odbc-databases-as-audit-store/store-audit-logs-in-oracle.html

Recycle the Policy Server and the Admin UI.

Additional Information

https://knowledge.broadcom.com/external/article?articleId=243304
https://knowledge.broadcom.com/external/article?articleId=221407
https://knowledge.broadcom.com/external/article?articleId=229835
https://knowledge.broadcom.com/external/article?articleId=241566
