Environment
Novell Access Management 3 Linux
Novell Identity Server
Situation
Users authenticate to the Identity Server (IDP) with client X.509 certificates. Every
certificate carries a CRL Distribution Point (CRL DP) extension pointing to a CRL file
on a local web server; that file is regenerated at 5am every day.
When the first user authenticates in the morning (after the CRL file has been
updated) and presents the client certificate, authentication fails and the user is
shown an error page indicating that the CRL is old. The error page contains this
text:
AM#200104004: User Certificate Authentication Failed : AM#200104053: Error
processing CRL Response for certificate with subject :
EMAILADDRESS=ncashell.novell@dub.ireland.emea.novell, CN=ncashell testuser,
UID=ncashell.novell, OU=Ireland, O=Novell
The catalina.out file shows that the CRL is old (the IDP is still using the cached
copy from the previous day, which has expired) and that no updated CRL is downloaded
for that user session:
* AM#200104020: CRL is too old (New version already available)...Revoking!
Exception message: "AM#200104053: Error processing CRL Response for certificate
with subject : EMAILADDRESS=ncashell.novell@dub.ireland.emea.novell,
CN=ncashell testuser,UID=ncashell.novell, OU=Ireland, O=Novell"
y, Line: 1612, Method: ProcessX509Data
y, Line: 2497, Method: authenticate
y, Line: 613, Method: A
y, Line: 3125, Method: A
y, Line: 458, Method: execute
y, Line: 2892, Method: executeContract
y, Line: 3269, Method: spLogin
y, Line: 2426, Method: doAuthentication
y, Line: 1736, Method: handleAuthnRequest
y, Line: 1474, Method: processAuthnRequest
y, Line: 34, Method: processRequest
y, Line: 2601, Method: handledInBoundRequest
y, Line: 2488, Method: processSSOEndpoint
y, Line: 1693, Method: D
y, Line: 3341, Method: handleRequest
y, Line: 3246, Method: myDoGet
y, Line: 2944, Method: doGet
HttpServlet.java, Line: 696, Method: service
HttpServlet.java, Line: 809, Method: service
ApplicationFilterChain.java, Line: 200, Method: internalDoFilter
ApplicationFilterChain.java, Line: 146, Method: doFilter
StandardWrapperValve.java, Line: 209, Method: invoke
Rather than throwing an error, the IDP needs to download the updated CRL and confirm
that the certificate has not been revoked before allowing the authentication to succeed.
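As an added illustration (not Novell's code, and not how nidp.jar is implemented), the Python below models the cache behaviour the page describes: a CRL cache that rejects the user once the cached copy has passed its nextUpdate, beside the corrected behaviour that re-downloads from the CRL DP and then checks revocation, failing closed if no fresh CRL can be obtained. The URL, date, serial numbers and the refresh_when_stale switch are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset           # serial numbers listed in the CRL

class CrlCache:
    def __init__(self, fetch, refresh_when_stale=True, cache=None):
        self._fetch = fetch      # callable(url) -> Crl, i.e. the CRL DP download
        self._refresh_when_stale = refresh_when_stale
        self._cache = dict(cache or {})

    def check(self, dp_url, serial, now):
        """Return 'ok', 'revoked' or 'error' for one certificate serial number."""
        crl = self._cache.get(dp_url)
        if crl is not None and now >= crl.next_update:
            if not self._refresh_when_stale:
                # Behaviour reported on the page (AM#200104020): the stale cached
                # copy is treated as a failure and the user is rejected.
                return "error"
            crl = None           # discard the stale copy and re-download
        if crl is None:
            try:
                crl = self._fetch(dp_url)
            except Exception:
                return "error"   # fail closed: no usable CRL, no login
            if now >= crl.next_update:
                return "error"   # the DP itself served an expired CRL
            self._cache[dp_url] = crl
        return "revoked" if serial in crl.revoked else "ok"

# Constructed scenario: yesterday's CRL is cached, the web server published a new
# one at 05:00, and the first user of the day authenticates at 08:00.
DP = "http://crl.example.test/idp.crl"   # placeholder URL, not from the page
T0 = datetime(2007, 6, 1, 5, 0)          # constructed date
OLD_CRL = Crl(T0 - timedelta(days=1), T0, frozenset())
NEW_CRL = Crl(T0, T0 + timedelta(days=1), frozenset({0x1234}))

def scenario(refresh_when_stale, fetch=lambda url: NEW_CRL):
    """Check two serials at 08:00: 0x42 (not revoked) and 0x1234 (in the new CRL)."""
    cache = CrlCache(fetch, refresh_when_stale, {DP: OLD_CRL})
    at = T0 + timedelta(hours=3)
    return cache.check(DP, 0x42, at), cache.check(DP, 0x1234, at)
```

A real implementation also verifies the downloaded CRL's signature and issuer before trusting it; parsing and signature checking are omitted here.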
Resolution
Apply the nidp.jar file from the Access Manager 3 Support Pack 1 Beta 1 patch
(nam3sp1b1.tar.gz).