No Mutual exclusion on eDir User Store between "Extended Schema" and "Remote" types of credential storage

  • 7001915
  • 18-Nov-2008
  • 26-Apr-2012

Environment

Novell Access Manager 3 Access Administration
Novell Access Manager 3 Support Pack 4 applied

Situation

When using Secret Store with Access Manager, several operations must be performed in the credential profile ("Identity Servers->Edit->Liberty->Web Service Provider->Credential Profile") before the secrets can be used. In the credential profile setup, all eDirectory User Stores that have been configured for the IDP appear in the selectable list in both the "Extended Schema User Store References" and the "Novell Secret Store User Store References" sections. It is correct that a user store may be placed in either section; however, the same user store must not appear in both.

Mutual exclusion of eDirectory User Stores is not enforced between the "Extended Schema User Store References" and "Novell Secret Store User Store References" sections of the "Credential Profile" UI. The expected behavior in the "Credential Profile" configuration section is that once an eDirectory User Store has been selected for either extended schema storage of secrets or remote storage of secrets (using SecretStore), that directory should no longer be selectable for addition to the other list. Because this is not enforced, administrators can configure the user stores in a way that is logically inconsistent, and such a configuration cannot work the way it was intended to.

Resolution

Make sure that only one method per user store has been configured for storing secrets. If more than one method is configured for the same user store, the behavior is unpredictable.

Access Manager 3.1 will address this confusion in the UI by making the selection mutually exclusive.
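The rule described above, as an added illustration for this TID (not Access Manager code): a small model of the two reference lists that enforces the mutual exclusion the 3.1 UI is to provide, plus an audit function for a configuration saved by a release that did not enforce it. The class and function names and the sample user store names are assumptions made here.

```python
"""Mutual-exclusion rule for Credential Profile user-store references.

Added illustration for this TID, not Access Manager code. It models the
two reference lists ("Extended Schema" and "Novell Secret Store") and the
behavior the TID says the UI should enforce. Class, function and sample
store names are assumptions made here.
"""

EXTENDED_SCHEMA = "Extended Schema User Store References"
SECRET_STORE = "Novell Secret Store User Store References"


def other_method(method):
    """Return the opposite storage method."""
    if method not in (EXTENDED_SCHEMA, SECRET_STORE):
        raise ValueError(f"unknown storage method: {method!r}")
    return SECRET_STORE if method == EXTENDED_SCHEMA else EXTENDED_SCHEMA


class CredentialProfile:
    """The two reference lists, with the exclusion rule enforced on add."""

    def __init__(self, configured_stores):
        # All eDirectory user stores configured for the IDP (constructed input).
        self.configured = set(configured_stores)
        self.refs = {EXTENDED_SCHEMA: set(), SECRET_STORE: set()}

    def selectable(self, method):
        """Stores still offered for `method`: configured stores not yet
        assigned to the other method (what the fixed UI would list)."""
        taken = self.refs[other_method(method)]
        return sorted(self.configured - taken)

    def can_add(self, method, store):
        """True if `store` is configured and not already assigned to the
        other method."""
        return (store in self.configured
                and store not in self.refs[other_method(method)])

    def add(self, method, store):
        """Assign a store to a method; refuse an inconsistent assignment."""
        if not self.can_add(method, store):
            raise ValueError(f"{store!r} cannot be added to {method}")
        self.refs[method].add(store)


def audit_existing(extended_refs, secret_store_refs):
    """For a configuration saved by a release that did not enforce the rule:
    return the stores listed under both methods, whose behavior the TID
    describes as unpredictable."""
    return sorted(set(extended_refs) & set(secret_store_refs))


if __name__ == "__main__":
    # Constructed sample: three user stores, one already assigned to each list.
    profile = CredentialProfile(["edir-corp", "edir-partner", "edir-lab"])
    profile.add(EXTENDED_SCHEMA, "edir-corp")
    profile.add(SECRET_STORE, "edir-partner")
    print("selectable for Secret Store:", profile.selectable(SECRET_STORE))
    print("may add edir-corp to Secret Store:",
          profile.can_add(SECRET_STORE, "edir-corp"))
    # Constructed sample of an inconsistent configuration from an older release.
    print("stores in both lists:",
          audit_existing(["edir-corp", "edir-lab"], ["edir-lab", "edir-partner"]))
```

Run `audit_existing` against the two reference lists of an existing 3.0 SP4 credential profile to find any user store configured for both methods; each store it returns should be removed from one of the two lists.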