Access Manager x509 error "AM#200104053: Error processing CRL Response for certificate with subject"

  • 3502728
  • 29-May-2007
  • 26-Apr-2012

Environment

Novell Access Management 3
Linux
Novell Identity Server

Situation

Users authenticating to IDP with client X509 certificates. The certificates all have
CRL DP attributes pointing to a CRL file on a local Web server that is updated at 5am
every day.

When the first user authenticates in the morning (after the CRL file has been
updated) and sends the client certificate over, the user is not authenticated but
is rejected with an error indicating that the CRL is old. For example, the user
receives an error web page with this text:

AM#200104004: User Certificate Authentication Failed : AM#200104053: Error
processing CRL Response for certificate with subject :
EMAILADDRESS=ncashell.novell@dub.ireland.emea.novell, CN=ncashell testuser,
UID=ncashell.novell, OU=Ireland, O=Novell

The catalina.out file shows that the CRL is too old (the cached copy from the
previous day has expired) and that an updated one is never downloaded for that
user session.

* AM#200104020: CRL is too old (New version already available)...Revoking!
Exception message: "AM#200104053: Error processing CRL Response for certificate
with subject : EMAILADDRESS=ncashell.novell@dub.ireland.emea.novell,
CN=ncashell testuser,UID=ncashell.novell, OU=Ireland, O=Novell"
y, Line: 1612, Method: ProcessX509Data
y, Line: 2497, Method: authenticate
y, Line: 613, Method: A
y, Line: 3125, Method: A
y, Line: 458, Method: execute
y, Line: 2892, Method: executeContract
y, Line: 3269, Method: spLogin
y, Line: 2426, Method: doAuthentication
y, Line: 1736, Method: handleAuthnRequest
y, Line: 1474, Method: processAuthnRequest
y, Line: 34, Method: processRequest
y, Line: 2601, Method: handledInBoundRequest
y, Line: 2488, Method: processSSOEndpoint
y, Line: 1693, Method: D
y, Line: 3341, Method: handleRequest
y, Line: 3246, Method: myDoGet
y, Line: 2944, Method: doGet
HttpServlet.java, Line: 696, Method: service
HttpServlet.java, Line: 809, Method: service
ApplicationFilterChain.java, Line: 200, Method: internalDoFilter
ApplicationFilterChain.java, Line: 146, Method: doFilter
StandardWrapperValve.java, Line: 209, Method: invoke

Rather than throwing an error, the IDP needs to download the updated CRL and
verify that the certificate has not been revoked before allowing the
authentication to succeed.
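As an added illustration (not code from Access Manager or the nidp.jar patch), the following Python models the CRL cache decision the Situation describes: a cached CRL whose nextUpdate has passed should trigger a fresh download from the distribution point and a revocation check against the new list, not a rejection. The class names, the distribution point URL and the CRL contents are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset  # serial numbers listed in the CRL

class CrlTooOld(Exception):
    """Models the AM#200104020 / AM#200104053 failure on a stale CRL."""

class CrlCache:
    """One cached CRL per distribution point (hypothetical helper, not NIDP code)."""

    def __init__(self, fetch: Callable[[str], Crl], refresh_on_stale: bool):
        self._fetch = fetch          # downloads a CRL from its distribution point URL
        self._cache: dict = {}
        self.refresh_on_stale = refresh_on_stale  # False reproduces the reported bug

    def get(self, dp_url: str, now: datetime) -> Crl:
        cached = self._cache.get(dp_url)
        if cached is not None and now < cached.next_update:
            return cached            # still inside its validity window
        if cached is not None and not self.refresh_on_stale:
            raise CrlTooOld("CRL is too old (New version already available)...Revoking!")
        fresh = self._fetch(dp_url)  # a download error propagates: fail closed
        if now >= fresh.next_update:
            raise CrlTooOld("distribution point served an already expired CRL")
        self._cache[dp_url] = fresh
        return fresh

    def is_revoked(self, dp_url: str, serial: int, now: datetime) -> bool:
        return serial in self.get(dp_url, now).revoked

# Constructed sample data: a CRL republished on the web server every day at 05:00.
DP = "http://crl.example.test/ca.crl"   # placeholder distribution point URL
DAY1 = datetime(2007, 5, 28, 5, 0, tzinfo=timezone.utc)
DAY2 = DAY1 + timedelta(days=1)
CRL_DAY1 = Crl(DAY1, DAY2, frozenset({0x10}))
CRL_DAY2 = Crl(DAY2, DAY2 + timedelta(days=1), frozenset({0x10, 0x2A}))

def morning_check(refresh_on_stale: bool, serial: int) -> bool:
    """Prime the cache at 23:00 on day 1, then check a cert at 08:00 on day 2."""
    served = {"crl": CRL_DAY1}                      # constructed stand-in web server
    cache = CrlCache(lambda url: served["crl"], refresh_on_stale)
    cache.get(DP, DAY1 + timedelta(hours=18))       # cached copy: valid until 05:00 day 2
    served["crl"] = CRL_DAY2                        # 05:00 update has been published
    return cache.is_revoked(DP, serial, DAY2 + timedelta(hours=3))
```

With refresh_on_stale=False the 08:00 check raises CrlTooOld exactly as in the log above; with True it downloads the new CRL and only rejects serials that the new list actually revokes.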

Resolution

Apply the nidp.jar file from the Access Manager 3 Support Pack 1 Beta 1 patch (nam3sp1b1.tar.gz).