Error: X509 Certificate Validation Root Exception: java.lang.ArrayIndexOutOfBoundsException

  • 7008975
  • 12-Jul-2011
  • 26-Apr-2012

Environment


Novell Access Manager 3.1 Administration Console

Situation

A SAML2 trusted relationship was set up and working well in the staging environment. The signing and connector certificates used in the staging test were successfully imported to production, as well as the intermediate and root CA from test. After assigning them to the Identity (IDP) Server certificate and trusted root stores, and updating the IDP configuration, the following error was reported in the Admin Console IDP healthcheck:

Unable to validate SAML2 Trusted Service Provider. The trusted relationship with this entity will not be functional!
Error Validating X509 Certificate of Trusted Provider
Trusted Provider Type: SAML2 Trusted Service Provider
Trusted Provider Id: https://neil.nrgd.com/
Error Validating X509 Signing Certificate
X509 Certificate Version: 3
X509 Certificate Subject: CN=*.nrgd.com OU=NTS O="Novell Group Inc." L=Provo ST=UT C=US
X509 Certificate Issuer: CN=DigiCert High Assurance CA-3 OU=www.digicert.com O=DigiCert Inc C=US
X509 Certificate Serial Number: 2809533655270785396044727270567576017
X509 Certificate Start Date: 2011-01-18 16:00:00
X509 Certificate Expiration Date: 2012-01-25 15:59:59
X509 Certificate Validation Root Exception: java.lang.ArrayIndexOutOfBoundsException: 0

Resolution

Removed the existing trusted root and added all the trusted roots associated with the wildcard SSL cert (*.nrgd.com), i.e. the trust root cert GTECyberTrustGlobalRoot and the other two intermediate certs, DigiCertHighAssuranceEVRootCA and DigiCertHighAssuranceCA-3.

Once done, we recreated the SAML2.0 relationship with the metadata from the SP vendor - no problems or errors were reported in the Admin Console after the update.
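The resolution amounts to making sure every issuer between the provider's signing certificate and a self-signed root is present in the trusted root store. The following is an added example, not Novell's code: it compares subject and issuer names only (no signature validation), the DNs are constructed and shortened to their CN, the issuance order is assumed from the resolution text, and PARTIAL_STORE is a constructed illustration rather than the store from this case.

```python
# Added example: name-based chain completeness check for a trusted root store.
# It does NOT verify signatures; it only reports which issuer DN is absent.

def walk_chain(leaf, store):
    """Follow issuer links from the signing cert up to a self-signed root.

    leaf  -- (subject_dn, issuer_dn) of the trusted provider's signing cert
    store -- {alias: (subject_dn, issuer_dn)} for each trusted root store entry
    Returns (aliases_found, stopped_at): stopped_at is None when a self-signed
    root was reached, otherwise the issuer DN that could not be resolved.
    """
    by_subject = {subj: (alias, iss) for alias, (subj, iss) in store.items()}
    chain, wanted = [], leaf[1]
    # The "not in chain" guard stops the walk if entries issue each other in a loop.
    while wanted in by_subject and by_subject[wanted][0] not in chain:
        alias, issuer = by_subject[wanted]
        chain.append(alias)
        if issuer == wanted:          # self-signed entry: this is a root
            return chain, None
        wanted = issuer
    return chain, wanted

# Constructed sample data. Aliases are the names used in the resolution;
# DNs are shortened to the CN and the issuance order is an assumption.
LEAF = ("CN=*.nrgd.com", "CN=DigiCert High Assurance CA-3")
FULL_STORE = {
    "DigiCertHighAssuranceCA-3": ("CN=DigiCert High Assurance CA-3",
                                  "CN=DigiCert High Assurance EV Root CA"),
    "DigiCertHighAssuranceEVRootCA": ("CN=DigiCert High Assurance EV Root CA",
                                      "CN=GTE CyberTrust Global Root"),
    "GTECyberTrustGlobalRoot": ("CN=GTE CyberTrust Global Root",
                                "CN=GTE CyberTrust Global Root"),
}
# Constructed incomplete store: the self-signed root has not been imported.
PARTIAL_STORE = {k: v for k, v in FULL_STORE.items()
                 if k != "GTECyberTrustGlobalRoot"}

if __name__ == "__main__":
    for name, store in (("full", FULL_STORE), ("partial", PARTIAL_STORE)):
        found, stopped_at = walk_chain(LEAF, store)
        status = "complete" if stopped_at is None else "missing issuer: " + stopped_at
        print(name, "->", " > ".join(found) or "(none)", "|", status)
```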


  and its root cert (EV Root CA) is in there. Can you remove them from the trust root store, delete the certs completely from the Admin Console and add them again?
