"Exception caught getting attribute attribute CA.FED::Certificate Device" after upgrading to 12.9

Article ID: 421078


Updated On:

Products

SITEMINDER

Issue/Introduction

After upgrading to 12.9, smps.log shows the errors below:

[813113/140001396369152][Thu mmm dd yyyy 03:35:31.989][CommonUtil.java][ERROR][sm-FedServer-01033] Transaction with ID: 66195cce-7104b982-cb654547-87a743f1-1fec8ec4-885 failed. Reason: Exception caught getting attribute attribute CA.FED::Certificate Device. Might be due to schema not updated. Returning null (, , )
[813113/140001530586880][Thu mmm dd yyyy 03:35:35.670][CommonUtil.java][ERROR][sm-FedServer-01033] Transaction with ID: c603f888-4542018a-a731eb42-0b7cedf5-0105b738-119 failed. Reason: Exception caught getting attribute attribute CA.FED::Certificate Device. Might be due to schema not updated. Returning null (, , )
[813113/140001387976448][Thu mmm dd yyyy 03:35:38.686][CommonUtil.java][ERROR][sm-FedServer-01033] Transaction with ID: 144f296a-aa143804-46326a0a-470527c6-62525e58-a7fc failed. Reason: Exception caught getting attribute attribute CA.FED::Certificate Device. Might be due to schema not updated. Returning null (, , )

However, no certificate problem was found when reading the certificate directly from the store export file using a store reader, and the same certificate had been in use for several years.

Environment

OS: Red Hat Enterprise Linux Server release 9
Policy server version : 12.9; Update: 0.00; Build: 3079

Cause

The exception happens because the particular certificate object doesn't have the "Device" attribute populated.
 
Checking the affected object CA.FED::Certificate@a29aa220-####-####-####-############ in the policy store via XPSExplorer shows that it does not have the parameter field for "Device". Hence it is not possible to add any value to it.
 
This is a sign that the policy store schema was NOT updated (12.8sp6 or later should have this attribute) or does not match the policy server version.
 
Ideally, this is what the object should look like:
 
------------------------- Object Meta Data ------------------------
XID: CA.FED::Certificate@000e474f-####-####-####-############
Actual Class: (not set)
Base Class: CA.FED::Certificate
In Cache: yes 4
     Created: yyyy-mm-dd 20:12:44 GMT
     By: siteminder (via GUI)
--------------- Attributes from CA.FED::Certificate ---------------
    Alias                           = "sample-alias-ca"
    CertificateGUID         = CA.CDS::Certificate@000e302a-####-####-####-############
    Device                       = "Java"                              ==>  Comment: this line was missing, but should exist for 12.8sp6 onward
    FIPSApproved          = true
    ...
    Type                         = <KeyEntry>

On another working policy server in a different environment, the CA.FED::Certificate object does have the parameter field for "Device".

Resolution

The CA.FED::Certificate.Device attribute exists in later versions of the store schema (defined in FedObjects.xdd).

It stores a string value indicating the device type (e.g., "HSM" or "Java").

The policy store schema needs to be updated by running the 12.9 version of XPSDDInstall SmMaster.xdd.

If the "Device" attribute field is available, a value (e.g., "HSM" or "Java") can be added via XPSExplorer.

Meanwhile, update to the latest patch of 12.9, so that these errors are suppressed or mitigated.
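To check whether the error is still being logged after the schema update, the sm-FedServer-01033 lines in smps.log can be summarized per class and attribute. The script below is an added example, not Broadcom code; it assumes the line layout shown in the log excerpt above, and the sample lines and the function name summarize_schema_errors are constructed for illustration.

```python
import re
from collections import defaultdict

# smps.log line layout as shown in this article:
# [pid/tid][timestamp][source file][level][message id] text
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)/(?P<tid>\d+)\]\[(?P<ts>[^\]]+)\]\[(?P<src>[^\]]+)\]"
    r"\[(?P<level>[^\]]+)\]\[(?P<msgid>[^\]]+)\]\s*(?P<text>.*)$"
)
# Error text from the article; the log itself repeats the word "attribute".
MISSING_RE = re.compile(
    r"Transaction with ID: (?P<txn>[0-9a-f-]+) failed\. "
    r"Reason: Exception caught getting attribute (?:attribute )?"
    r"(?P<cls>[\w.]+::\w+) (?P<attr>\w+)\. "
    r"Might be due to schema not updated"
)

def summarize_schema_errors(lines):
    """Group 'schema not updated' errors by (object class, attribute)."""
    summary = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "txns": []}
    )
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["msgid"] != "sm-FedServer-01033":
            continue  # unrelated or malformed line
        e = MISSING_RE.search(m["text"])
        if not e:
            continue  # same message id, but not the schema-related reason
        s = summary[(e["cls"], e["attr"])]
        s["count"] += 1
        s["first"] = s["first"] or m["ts"]  # timestamps kept as raw strings
        s["last"] = m["ts"]
        s["txns"].append(e["txn"])
    return dict(summary)

# Constructed sample lines in the article's format (not real log data).
SAMPLE = """\
[1001/1][Thu Jan 01 2026 03:35:31.989][CommonUtil.java][ERROR][sm-FedServer-01033] Transaction with ID: aaaa1111-0001 failed. Reason: Exception caught getting attribute attribute CA.FED::Certificate Device. Might be due to schema not updated. Returning null (, , )
[1001/2][Thu Jan 01 2026 03:35:32.100][Example.java][INFO][example-00000] constructed unrelated line
[1001/3][Thu Jan 01 2026 03:35:35.670][CommonUtil.java][ERROR][sm-FedServer-01033] Transaction with ID: bbbb2222-0002 failed. Reason: Exception caught getting attribute attribute CA.FED::Certificate Device. Might be due to schema not updated. Returning null (, , )
"""

if __name__ == "__main__":
    for (cls, attr), s in summarize_schema_errors(SAMPLE.splitlines()).items():
        print(f"{cls}.{attr}: {s['count']} errors, {s['first']} .. {s['last']}")
```

Run it over smps.log before and after the schema update; an empty result on the newer log means the error is no longer being written.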