000014656 - Xudad crashes soon after renewing System CA certificate

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000014656
Applies ToRSA Certificate Manager 6.6
RSA Certificate Manager 6.6 Database Plug-in
Oracle Internet Directory (OID)
Microsoft Windows Server 2003 SP2
IssueXudad crashes soon after renewing System CA certificate
LDAP error 53 (LDAP_UNWILLING_TO_PERFORM) is logged in the database plug-in log (if logging is enabled) which indicates that a non-index attribute (rcm-0pem-2x509) is used in the search filter.  The log entry looks like the following:

Search failed for filter: (&(objectclass=xudaobject)(&(rcm-0xudaClass=XUDA_CA)(rcm-0cert-2status=1)(rcm-0pem-2x509=MIICMZCCAGQCEQCW1KV7U6I5OPIKH3CVZU/UMA0GCSQGSABCDQEBBQUAMIGNMQSW
CABC......WUJZABCAOXYZ=
))) [LDAP error 53]

CauseRCM Secure Directory Server (Xudad) was unable to find the renewed System CA object in the database after it was renewed.  Xudad first searches based on a computed MD5 hash of the certificate (which only works for original certificate), and if it fails to find based on computed MD5 then Xudad searches based on PEM encoded certificate (this works if a CA certificate has been renewed).  However, Xudad failed to find the renewed System CA in the database (OID in this scenario) whether or not rcm-0pem-2x509 attribute is indexed on OID; the failure is caused due to either (1) RCM not able to handle LDAP error 53, or (2) OID did not return the object based on a search by rcm-0pem-2x509 attribute even though this attribute was indexed.
ResolutionThis issue has been fixed in RSA Certificate Manager 6.6 build 312.  The fix includes searching for the CA objects on a computed MD5 has of the CA certificate, if not found then searching on PEM encoded certificate, and if that fails then finally searching on serial number of the certificate. Contact RSA Customer Support to obtain build 312 or a later build for RSA Certificate Manager 6.6.
WorkaroundSystem CA certificate was about to expire.  The administrator attempted to renew the System CA certificate through RSA Certificate Manager (RCM) admin interface => CA Operations workbench.
Legacy Article IDa49358

Attachments

    Outcomes