Exception trying to extract entities from metadata


Article ID: 4849


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On


While importing a Remote Entity in the SiteMinder Administrative UI (WAMUI), the import fails with this error:

Error: Exception trying to extract entities from metadata.

The AdminUI logs show the following errors:


07:43:55,590 ERROR [FedPkiKeyStore] **ERROR** java.security.cert.CertificateException commiting keystore change for alias _host.example.com.
java.security.cert.CertificateException: com.rsa.certj.cert.CertificateException: Invalid subject name:


Caused by: com.rsa.certj.cert.CertificateException: Invalid subject name:
at com.rsa.certj.cert.X509Certificate.setInnerDER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.setCertBER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
at com.ca.siteminder.security.SecurityUtil.convertCertificate(SecurityUtil.java:82)
... 67 more
Caused by: com.rsa.certj.cert.NameException: IA5String expected.


Policy Server Version:
OS and Bit Version: RHEL 6.8 64-Bit
Web Agent OS and Bit Version: RHEL 6.8 64-Bit
Web Agent Option Pack:


The issue is caused by the emailAddress attribute in the certificate subject being encoded with the wrong ASN.1 string type: the certificate carries it as UTF8String, while the RSA Cert-J library used by the AdminUI expects IA5String (hence "IA5String expected" in the stack trace).

Cert details:

C:\OpenSSL-Win64\bin>openssl x509 -noout -subject -issuer -purpose -email -alias
-nameopt multiline,show_type -in example.com.crt
organizationName = UTF8STRING:EXAMPLE
organizationalUnitName = UTF8STRING:_HOST
commonName = UTF8STRING:example.com
serialNumber = PRINTABLESTRING:12345678912
emailAddress = UTF8STRING:[email protected]

RFC Specifications:

Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name as an emailAddress
attribute [RFC2985]. The attribute value for emailAddress is of type
IA5String to permit inclusion of the character '@', which is not part
of the PrintableString character set. emailAddress attribute values
are not case-sensitive (e.g., "[email protected]" is the same as
"[email protected]").


Further information:

Simultaneous inclusion of the emailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.

Electronic Mail addresses may be included in certificates and CRLs in
the subjectAltName and issuerAltName extensions, name constraints
extension, authority information access extension, subject
information access extension, issuing distribution point extension,
or CRL distribution points extension. Each of these extensions uses
the GeneralName construct; GeneralName includes the rfc822Name
choice, which is defined as type IA5String.


Ensure that the emailAddress attribute in the certificate subject is encoded as IA5String (as shown by openssl with -nameopt show_type), then import the Remote Entity again.
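As an added example (not part of this article and not CA/Broadcom code), the following pure-Python script decodes a DER-encoded X.509 subject Name, reports which ASN.1 string type the emailAddress attribute uses, and shows the corrected encoding. The two subjects it inspects are constructed inline to mirror the certificate above; the mail address is a placeholder. It operates on the raw Name structure only, so running it against a real certificate first requires extracting the subject DER with a full ASN.1 or X.509 library, which this snippet does not do.

```python
"""Check and correct the ASN.1 string type of emailAddress in a DER X.509 Name.
Self-contained DER helpers; the sample subjects below are constructed for this example."""

EMAIL_ADDRESS_OID = "1.2.840.113549.1.9.1"              # pkcs-9 emailAddress (RFC 2985)
IA5STRING, UTF8STRING, PRINTABLESTRING = 0x16, 0x0C, 0x13  # ASN.1 universal tags
TAG_NAMES = {UTF8STRING: "UTF8STRING", PRINTABLESTRING: "PRINTABLESTRING", IA5STRING: "IA5STRING"}


def _tlv(tag, content):
    """DER-encode one tag/length/value triple (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _read_tlv(data, pos):
    """Parse one DER TLV at data[pos]; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7F) bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _encode_oid(dotted):
    """Encode a dotted OID into DER content octets (base-128, first two arcs merged)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(raw):
    """Inverse of _encode_oid."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_name(attrs):
    """Encode [(oid, tag, text), ...] as a DER Name: SEQUENCE OF single-valued RDN SETs."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(tag, text.encode("utf-8"))))
        for oid, tag, text in attrs)
    return _tlv(0x30, rdns)


def name_attributes(name_der):
    """Walk a DER Name and yield (oid, value tag, value bytes) for every attribute."""
    _, rdn_seq, _ = _read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdn_seq):
        _, rdn, pos = _read_tlv(rdn_seq, pos)        # RelativeDistinguishedName (SET)
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = _read_tlv(rdn, rpos)      # AttributeTypeAndValue (SEQUENCE)
            _, oid_raw, vpos = _read_tlv(atv, 0)
            tag, value, _ = _read_tlv(atv, vpos)
            yield _decode_oid(oid_raw), tag, value


def email_address_type(name_der):
    """Return the string type name of emailAddress (as openssl show_type prints it), or None."""
    for oid, tag, _ in name_attributes(name_der):
        if oid == EMAIL_ADDRESS_OID:
            return TAG_NAMES.get(tag, f"TAG_{tag:02X}")
    return None


def email_address_is_ia5(name_der):
    """True when emailAddress is IA5String, as RFC 5280 section 4.1.2.6 requires."""
    return email_address_type(name_der) == "IA5STRING"


def with_ia5_email(name_der):
    """Return the Name with emailAddress re-tagged as IA5String (for a subject not yet signed:
    altering the subject of an issued certificate invalidates its signature)."""
    attrs = []
    for oid, tag, value in name_attributes(name_der):
        if oid == EMAIL_ADDRESS_OID:
            value.decode("ascii")      # IA5String cannot carry non-ASCII; fail loudly if it would
            tag = IA5STRING
        attrs.append((oid, tag, value.decode("utf-8")))
    return build_name(attrs)


# Constructed subjects mirroring the article's certificate; the address is a placeholder.
_COMMON = [("2.5.4.10", UTF8STRING, "EXAMPLE"), ("2.5.4.11", UTF8STRING, "_HOST"),
           ("2.5.4.3", UTF8STRING, "example.com"), ("2.5.4.5", PRINTABLESTRING, "12345678912")]
BROKEN_SUBJECT = build_name(_COMMON + [(EMAIL_ADDRESS_OID, UTF8STRING, "user@example.com")])
FIXED_SUBJECT = build_name(_COMMON + [(EMAIL_ADDRESS_OID, IA5STRING, "user@example.com")])

if __name__ == "__main__":
    for label, subject in (("broken", BROKEN_SUBJECT), ("fixed", FIXED_SUBJECT)):
        print(f"{label}: emailAddress = {email_address_type(subject)}, "
              f"RFC 5280 compliant = {email_address_is_ia5(subject)}")
```

The `openssl x509 -nameopt multiline,show_type` output quoted above shows the same distinction directly (UTF8STRING versus IA5STRING next to each value), so the check can also be done at the command line before a certificate is handed to the AdminUI. The durable fix is to have the issuing CA encode emailAddress as IA5String and re-issue the certificate, or, as the quoted RFC text recommends, to carry the address in the subjectAltName rfc822Name instead of the subject DN.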