Error: UNDEF Unable to find issuer DN in Cert Mapping in Policy Server

Article ID: 259955


Products

CA Single Sign On Agents (SiteMinder), SITEMINDER, CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

When a Policy Server protects an application with the X.509 Client Certificate Authentication Scheme and the certificate has this element in the subject:

  2.5.4.97=#0c0s222das33ww56541123131315446

the Policy Server replaces the value with:

  UNDEF=97=NUMB-9995555

and it can't find the certificate, as shown in the Policy Server traces:

smtracedefault.log

[11/17/2022][12:47:38][24252][140662393534208][Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][0000000000000000000000001b08cd0a-222s-55s55w2a-95ff3700-2ff6418039f9][myWebAgent][/myapp][][][mywebagent][mywebagent][][][][][][][][][][][][][][Authenticating user.][0][][][][][][][][][][5][X.509 Client Certificate Authentication Scheme][][12:47:38.792][][][][][][][][][][][][06-41111s52-9752-128c-aba2-72100acb0000][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmDsDir.cpp:66][CSmDsDir::CSmDsDir][][][][][][][][][][][][][][][][][][][About to initialize directory, Oid='0e-0111s2-sdsds-dsds-81e1-72100acb5a5a', Name='myUserStore'][][Start of call InitDir.][][][][][][][][][][][][][][12:47:38.792][][][][][][][][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:4360][parseCert][][][][][][][][][][][][][][][][][][][][][Parsed certificate for SubjectDN C=US,O=myCompany,CN=myCompany,UNDEF=97=NUMB-9995555][][][][][][][][][][][][][][12:47:38.793][][][][][0A 2C 39 68 B2 21 99 F5 8D C6][C=US,O=myCompany,CN=myCompany,UNDEF=97=NUMB-9995555][C=US,UNDEF=97=NUMB-9995555,O=myCompany,CN=myCompany][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:5667][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Print currentCert's serialNumber, subjectDN, issuerDN and CertDIstPt.][][][][][][][][][][][][][][12:47:38.793][][][][][0A 2C 39 68 B2 21 99 F5 8D C6][C=US,O=myCompany,CN=myCompany,UNDEF=97=NUMB-9995555][C=US,UNDEF=97=NUMB-9995555,O=myCompany,CN=myCompany][][][http://myhost.mydomain.com/sdasds.crl][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:479][GetCertMapObject][][][][][][][][][][][][][][][][][][][][][Comparing to IssuerDN.][][][][][][][][][][][][][][12:47:38.793][][][][][][][C=US,O=myCompany,CN=myCompany][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:502][GetCertMapObject][][][][][][][][][][][][][][][][][][][][][Comparing to Reversed IssuerDN.][][][][][][][][][][][][][][12:47:38.793][][][][][][][CN=myCompany,O=myCompany,UNDEF=97=NUMB-9995555][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:479][GetCertMapObject][][][][][][][][][][][][][][][][][][][][][Comparing to IssuerDN.][][][][][][][][][][][][][][12:47:38.793][][][][][][][C=US,O=myCompany,CN=myCompany,2.5.4.97=#0c0s222das33ww56541123131315446][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:502][GetCertMapObject][][][][][][][][][][][][][][][][][][][][][Comparing to Reversed IssuerDN.][][][][][][][][][][][][][][12:47:38.793][][][][][][][CN=myCompany,O=myCompany,UNDEF=97=NUMB-9995555][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:479][GetCertMapObject][][][][][][][][][][][][][][][][][][][][][Comparing to IssuerDN.][][][][][][][][][][][][][][12:47:38.793][][][][][][][C=US,2.5.4.97=NUMB-9995555,O=myCompany][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:502][GetCertMapObject][][][][][][][][][][][][][][][][][][][][][Comparing to Reversed IssuerDN.][][][][][][][][][][][][][][12:47:38.793][][][][][][][CN=myCompany,O=myCompany,UNDEF=97=NUMB-9995555][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:5687][SmAuthenticate][][][][][][][][][][][][-2][][NO_CERTMAP_OBJECT][][][][][][][Unable to find issuer DN in certificate mapping rules][][][][][][][][][][][][][][12:47:38.793][][][][][][][][][][][][][][][][][][][][][][][][][]

[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:6411][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Authentication failed][][][][][][][][][][][][][][12:47:38.793][][][][][][][][][][][][][][][][][][][][][][][][][]
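The pattern in this trace can be checked for mechanically. The following Python scanner is an added example, not part of the original article or of SiteMinder: it flags `NO_CERTMAP_OBJECT` failures only when the same thread logged a DN containing an `UNDEF=<n>=` component during that authentication, which separates this issue from an ordinary missing mapping rule. The function name, the trimmed sample records (including the constructed second request) and the reading of `UNDEF=<n>` as OID `2.5.4.<n>` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the article's trace records with most empty [] fields trimmed,
# plus a second, constructed request (thread ...999) whose DN has no UNDEF component.
SAMPLE_TRACE = """\
[11/17/2022][12:47:38][24252][140662393534208][Sm_Auth_Message.cpp:780][CSm_Auth_Message::AuthenticateUser][Authenticating user.]
[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:4360][parseCert][][Parsed certificate for SubjectDN C=US,O=myCompany,CN=myCompany,UNDEF=97=NUMB-9995555]
[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:479][GetCertMapObject][][Comparing to IssuerDN.][C=US,O=myCompany,CN=myCompany]
[11/17/2022][12:47:38][24252][140662393534208][SmAuthCert.cpp:5687][SmAuthenticate][-2][NO_CERTMAP_OBJECT][Unable to find issuer DN in certificate mapping rules]
[11/17/2022][12:47:39][24252][140662393534999][SmAuthCert.cpp:4360][parseCert][][Parsed certificate for SubjectDN C=US,O=other,CN=alice]
[11/17/2022][12:47:39][24252][140662393534999][SmAuthCert.cpp:5687][SmAuthenticate][-2][NO_CERTMAP_OBJECT][Unable to find issuer DN in certificate mapping rules]
"""

FIELD = re.compile(r"\[([^\]]*)\]")               # one bracketed trace field
UNDEF_RDN = re.compile(r"UNDEF=(\d+)=([^,\]]*)")  # e.g. UNDEF=97=NUMB-9995555


def find_undef_mapping_failures(trace_text):
    """Return one finding per NO_CERTMAP_OBJECT record whose thread logged a DN
    with an UNDEF=<n>=<value> component earlier in the same authentication."""
    seen = defaultdict(set)  # (pid, tid) -> {(n, value)} for the request in progress
    findings = []
    for line in trace_text.splitlines():
        fields = FIELD.findall(line)
        if len(fields) < 6:
            continue  # not a trace record
        date, time, pid, tid, source = fields[:5]
        key = (pid, tid)
        if "Authenticating user." in fields:
            seen[key].clear()  # new request on this thread
        seen[key].update(UNDEF_RDN.findall(line))
        if "NO_CERTMAP_OBJECT" in fields:
            for n, value in sorted(seen[key]):
                findings.append({
                    "when": f"{date} {time}", "pid": pid, "tid": tid, "source": source,
                    "undef_rdn": f"UNDEF={n}={value}",
                    # Assumption: UNDEF=<n> stands for OID 2.5.4.<n>,
                    # generalised from the article's single 2.5.4.97 case.
                    "likely_oid": f"2.5.4.{n}",
                })
            seen[key].clear()
    return findings


if __name__ == "__main__":
    for f in find_undef_mapping_failures(SAMPLE_TRACE):
        print(f)
```

To scan a real trace, pass the contents of `smtracedefault.log` to `find_undef_mapping_failures`; failures it does not report point to a mapping rule that is simply missing rather than to this issue.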

 

Environment

 

  Policy Server 12.8SP5 on Red Hat 7

 

Cause

 

An issue in the third-party CAPKI libraries is the culprit.

 

Resolution

 

Upgrade the Policy Server to 12.8SP8, once it is available, to get the fix DE551525.

Recall that when upgrading the Policy Server, an upgrade of the Policy Store and the AdminUI is also required.