Access Manager Admin Console returns empty CRL list from within the Manage Tasks and Roles Certificate Server Authority config

  • 7023739
  • 21-Feb-2019
  • 19-Mar-2019

Environment

  • Access Manager 4.4.1
  • Access Manager 4.4.2
  • Access Manager 4.4.3
  • Access Manager 4.4.4

Situation

  • CRL administration does not work from within iManager => Manage Tasks and Roles => NetIQ Certificate Server => Configure Certificate Authority => CRL

  • CRL list on the CA object is empty

  • creating a new entry also returns an empty list, without reporting any problem during the creation of the list

  • all CRLs are available below the "CRL Container.Security" container (even the test CRLs created)

Resolution

  • this issue has been reported to engineering
  • use any LDAP browser or iManager (modify object / other tab) to add the "ndspkiCRLContainerDN" attribute on the Certificate Authority object
  • the Certificate Authority object is stored in the Security container with the name "[%Your Tree Name %] CA"

  • Note: ECC certificates are not supported with NAM 4.4.4 and will most likely become available after NAM 4.5. Fresh installations of future NAM releases (post 4.4.4) will not maintain or create any CRLs, nor issue internal certificates that store a CDP or AIA, as the certificates are used for internal services only.
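The attribute fix above can also be scripted with the OpenLDAP command-line tools. The following is an added example, not part of this TID and not NetIQ's own tooling: it builds the LDIF modify record that adds "ndspkiCRLContainerDN" to the CA object, applies it with ldapmodify, and reads the attribute back with ldapsearch. The tree name, LDAP host and admin DN are placeholders you substitute; the CA object DN ("cn=<tree name> CA,cn=Security") and the CRL container DN ("cn=CRL Container,cn=Security") follow the names given in this article. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the TID): add the missing CRL container reference
# to the NAM Certificate Authority object, then verify it.
# Assumptions: OpenLDAP client tools (ldapmodify/ldapsearch) are installed,
# the CA object is "cn=<tree name> CA,cn=Security" as the article states,
# and the CRL container is "cn=CRL Container,cn=Security".

# Build the LDIF modify record for the CA object of the given tree.
#   $1 = tree name (placeholder, e.g. MYTREE -> "cn=MYTREE CA,cn=Security")
#   $2 = CRL container DN (optional; defaults to the container named in the TID)
build_crl_container_ldif() {
    tree="$1"
    crl_container="${2:-cn=CRL Container,cn=Security}"
    printf 'dn: cn=%s CA,cn=Security\nchangetype: modify\nadd: ndspkiCRLContainerDN\nndspkiCRLContainerDN: %s\n' \
        "$tree" "$crl_container"
}

# Apply the record over LDAPS. Host and admin DN are placeholders;
# -W prompts for the admin password instead of putting it on the command line.
#   $1 = tree name, $2 = eDirectory host, $3 = admin DN
apply_crl_container_dn() {
    tree="$1"; host="$2"; admin_dn="$3"
    build_crl_container_ldif "$tree" \
        | ldapmodify -H "ldaps://$host:636" -D "$admin_dn" -W
}

# Read the attribute back from the CA object (base-scope search) so the
# change can be confirmed before re-opening the CRL page in iManager.
#   $1 = tree name, $2 = eDirectory host, $3 = admin DN
verify_crl_container_dn() {
    tree="$1"; host="$2"; admin_dn="$3"
    ldapsearch -LLL -H "ldaps://$host:636" -D "$admin_dn" -W \
        -b "cn=$tree CA,cn=Security" -s base ndspkiCRLContainerDN
}

# Usage (placeholders):
#   apply_crl_container_dn MYTREE edir.example.local "cn=admin,o=org"
#   verify_crl_container_dn MYTREE edir.example.local "cn=admin,o=org"
```

If the attribute already exists with a wrong value, change "add:" to "replace:" in the record; ldapmodify refuses to add a second value to a single-valued attribute. Run the verify step afterwards and confirm the returned DN matches the container that actually holds the CRL objects.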

Cause

The reference to the CRL Container (the "ndspkiCRLContainerDN" attribute) is missing on the Certificate Authority object

Additional Information

  • AC => Access Manager Console
  • CRL => Certificate Revocation List
  • RSA => RSA public / private key
  • ECDSA => Elliptic Curve key
  • With NAM 4.4.X there are two Certificate Revocation Lists available
    • cn=One - Configuration,cn=CRL Container,cn=Security # used for revoked RSA Certificates
    • cn=One - Configuration EC,cn=CRL Container,cn=Security # used for revoked ECDSA Certificates

  • by default, all new certificates created with iManager will have a CRL entry

  • the default CRL entries look like:

    • http://192.168.0.170:8028/crl/one.crl
    • ldap://192.168.0.170:389/CN=One,CN=One - Configuration,CN=CRL Container,CN=Security
    • https://192.168.0.170:8030/crl/one.crl
    • ldaps://192.168.0.170:636/CN=One,CN=One - Configuration,CN=CRL Container,CN=Security
    • CN=One.CN=One - Configuration.CN=CRL Container.CN=Security

  • HTTP URLs will be serviced by the eDirectory iMonitor tool