000022883 - Upgrade from Keon Certificate Authority 6.5.1 to Keon CA 6.5.1 (same version) appears successful but upgraded Keon CA does not work properly

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000022883
Applies ToKeon Certificate Authority 6.5.1
Sun Solaris 2.8
IssueUpgrade from Keon Certificate Authority 6.5.1 to Keon CA 6.5.1 (same version) appears successful but upgraded Keon CA does not work properly
The upgraded Keon CA seems to start up fine but CRLs (Certificate Revocation Lists) can only be generated for some of the CAs in the installation.  The CRL generation was attempted from the Keon CA administrative interface -> CA Operations workbench -> view a CA -> clicked 'Generate Complete CRL' button.
The Keon CA installation prior to the upgrade worked fine and CRLs could be generated for all CAs
CauseUpgrade.ldif file in package.tar, generated during the first phase of the upgrade, contained invalid/garbled values for the attribute 'keyid' for 'xuda_ca' objects that belonged to the non-working CAs.  The 'xuda_ca' objects for the working CAs, in the upgraded Keon CA, did not exhibit such problem.

A bug in one of the binaries, xu_ldbmcat, in the Keon CA 6.5.1 upgrader causes this issue when the db contains data in a certain format.
ResolutionThis issue has been fixed and an updated xu_ldbmcat binary (part of the Keon CA 6.5.1 upgrader) will be made available in the next hot fix (possibly build256 or later) for Keon CA 6.5.1.  This issue does not exist in RSA Certificate Manager 6.6 or later versions.  Contact RSA Customer Support for latest status on the fix.
WorkaroundKeon CA was upgraded following instructions in the RSA Keon CA 6.5.1 Installation Guide
Legacy Article IDa31668

Attachments

    Outcomes