Exception trying to extract entities from metadata

Article ID: 4849

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

We are trying to import a Remote Entity and are getting this error in the SiteMinder WAMUI:

Error: Exception trying to extract entities from metadata.

We see the following errors in the AdminUI logs:

adminui_importcert.log
===============

07:43:55,590 ERROR [FedPkiKeyStore] **ERROR** java.security.cert.CertificateException commiting keystore change for alias moa.brz.gv.at.
java.security.cert.CertificateException: com.rsa.certj.cert.CertificateException: Invalid subject name:

[...]

Caused by: com.rsa.certj.cert.CertificateException: Invalid subject name:
at com.rsa.certj.cert.X509Certificate.setInnerDER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.setCertBER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
at com.ca.siteminder.security.SecurityUtil.convertCertificate(SecurityUtil.java:82)
... 67 more
Caused by: com.rsa.certj.cert.NameException: IA5String expected.

Cause

The issue is caused by the encoding of the emailAddress attribute in the certificate's subject DN: it is encoded as UTF8String, while the X.509 library (RSA Cert-J) expects the IA5String type, hence "NameException: IA5String expected".

Cert details:
========

C:\OpenSSL-Win64\bin>openssl x509 -noout -subject -issuer -purpose -email -alias
-nameopt multiline,show_type -in abc.com.crt
subject=
countryName = PRINTABLESTRING:COM
organizationName = UTF8STRING:ABC
organizationalUnitName = UTF8STRING:XYZ
commonName = UTF8STRING:abc.com
serialNumber = PRINTABLESTRING:12345678912
emailAddress = UTF8STRING:[email protected]

RFC Specifications:
============

Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name as an emailAddress
attribute [RFC2985]. The attribute value for emailAddress is of type
IA5String to permit inclusion of the character '@', which is not part
of the PrintableString character set. emailAddress attribute values
are not case-sensitive (e.g., "[email protected]" is the same as
"[email protected]").

https://www.ietf.org/rfc/rfc5280.txt

Further information:

Simultaneous inclusion of the emailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.

Electronic Mail addresses may be included in certificates and CRLs in
the subjectAltName and issuerAltName extensions, name constraints
extension, authority information access extension, subject
information access extension, issuing distribution point extension,
or CRL distribution points extension. Each of these extensions uses
the GeneralName construct; GeneralName includes the rfc822Name
choice, which is defined as type IA5String.
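To catch this before the import, here is an added example (it is not part of the CA article and not SiteMinder code) that walks a DER-encoded subject Name with the Python standard library only and reports the ASN.1 string type of each attribute; it also extracts the subject from a DER certificate so the same check runs on a real file. The sample subjects, the email address and the fake-certificate layout used in its test are constructed; the attribute OIDs are the standard X.520/PKCS#9 values and the tag numbers are from X.690.

```python
"""Added example (not from the CA article): a stdlib-only DER walker that reports
the ASN.1 string type of each subject DN attribute, so an emailAddress encoded
as UTF8String instead of IA5String is caught before import. Samples constructed."""

EMAIL_OID = "1.2.840.113549.1.9.1"   # PKCS#9 emailAddress
UTF8, PRINTABLE, IA5 = 0x0C, 0x13, 0x16   # X.690 universal string tags
TAG_NAMES = {UTF8: "UTF8STRING", PRINTABLE: "PRINTABLESTRING", IA5: "IA5STRING"}


def tlv(tag, body):
    """DER-encode one tag/length/value triple with a definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted text (base-128 arcs after the first two)."""
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([40 * parts[0] + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def decode_oid(body):
    """Inverse of encode_oid for the raw OID content bytes."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def encode_name(attrs):
    """Build a DER Name from [(oid, string_tag, text)], one attribute per RDN."""
    rdns = b""
    for oid, tag, text in attrs:
        atv = tlv(0x30, encode_oid(oid) + tlv(tag, text.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)


def name_attributes(name_der):
    """Walk a DER Name; return [(oid, string_tag, text)] in encoded order."""
    _, body, _ = read_tlv(name_der, 0)          # Name ::= SEQUENCE OF RDN
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)       # SET OF AttributeTypeAndValue
        rpos = 0
        while rpos < len(rdn):
            _, atv, rpos = read_tlv(rdn, rpos)  # SEQUENCE { type, value }
            _, oid, vpos = read_tlv(atv, 0)
            vtag, value, _ = read_tlv(atv, vpos)
            out.append((decode_oid(oid), vtag, value.decode("utf-8", "replace")))
    return out


def subject_from_certificate(cert_der):
    """Return the raw DER subject Name of a DER-encoded X.509 certificate."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate
    pos = 0
    if tbs[0] == 0xA0:                          # optional [0] EXPLICIT version
        _, _, pos = read_tlv(tbs, 0)
    for _ in range(4):                          # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]                         # subject, header included


def check_email_attribute(name_der):
    """Return (type_name, ok); ok is True only when emailAddress is IA5String."""
    for oid, vtag, _ in name_attributes(name_der):
        if oid == EMAIL_OID:
            return TAG_NAMES.get(vtag, hex(vtag)), vtag == IA5
    return "absent", True                       # no emailAddress: nothing to reject


# Constructed sample subjects laid out like the DN in the article.
BASE_ATTRS = [("2.5.4.6", PRINTABLE, "COM"), ("2.5.4.10", UTF8, "ABC"),
              ("2.5.4.11", UTF8, "XYZ"), ("2.5.4.3", UTF8, "abc.com"),
              ("2.5.4.5", PRINTABLE, "12345678912")]
BAD_SUBJECT = encode_name(BASE_ATTRS + [(EMAIL_OID, UTF8, "[email protected]")])
GOOD_SUBJECT = encode_name(BASE_ATTRS + [(EMAIL_OID, IA5, "[email protected]")])

if __name__ == "__main__":
    print(check_email_attribute(BAD_SUBJECT), check_email_attribute(GOOD_SUBJECT))
```

On an exported certificate, run `check_email_attribute(subject_from_certificate(open("cert.der", "rb").read()))`; for a PEM file, strip the BEGIN/END lines and base64-decode first. The openssl command shown in the cert details above gives the same answer (`emailAddress = UTF8STRING:` versus `IA5STRING:`). Since the subject is inside the signed TBSCertificate, rewriting those bytes would invalidate the signature; the encoding can only be changed by issuing a new certificate.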

Environment

Policyserver Version: 12.52.105.2113
Policyserver OS and Bit Version: RHEL 6.8 64-Bit
Webagent OS and Bit Version: RHEL 6.8 64-Bit
Webagent option pack: 12.52.100.499

Resolution

Please ensure that the emailAddress attribute in the certificate's subject DN is of type IA5String, then import the Remote Entity again.