000014050 - FIM is unable to use a partner certificate for encryption

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014050
Applies To: Federated Identity Management Module 4.0
Issue: FIM is unable to use a partner certificate for encryption

FIM throws the following exception:

com.rsa.fim.profile.sso.SSOProfileException: Error encrypting the nameid: Unable to encrypt data as this certificate is not meant for Encryption.


The FIM error log shows the following:

Caused by: com.rsa.fim.exception.CryptoUtilException: Unable to encrypt data as this certificate is not meant for Encryption.
        at com.rsa.fim.util.crypto.EncryptionHelper.verifyCertificateCanBeUsedForDataEncryption(EncryptionHelper.java:159)
        at

Cause: FIM 4.0 incorrectly requires a certificate used for XML encryption to have the DataEncipherment Key Usage bit (bit 3) set, instead of the KeyEncipherment bit (bit 2, per RFC 5280). KeyEncipherment is the correct Key Usage: the XML payload is encrypted with a symmetric AES key, and the partner certificate is used only to encrypt (wrap) that AES key, never the data itself. A partner encryption certificate issued with keyEncipherment but without dataEncipherment, which is the normal profile for such a certificate, therefore fails the FIM 4.0 check and triggers the exception above.
Resolution: This issue was fixed in the release version of FIM 4.1. The fix was not back-ported to FIM 4.0. Upgrade to the latest hotfix for FIM 4.1.
A workaround on FIM 4.0 is to use an X.509 v1 partner certificate, which carries no extensions and therefore has no Key Usage to check. FIM 4.0 HF_17 or later accepts v1 certificates without checking extensions. Note that a v1 certificate also has no Basic Constraints or Extended Key Usage, so it should be issued for this purpose only and limited to the partner's encryption key.
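The check that FIM 4.0 gets wrong, as an added example that is not RSA or FIM code: a standard-library-only Python script that locates the Key Usage extension (OID 2.5.29.15) in a DER structure, decodes the RFC 5280 bit positions, and compares the FIM 4.0 rule (dataEncipherment required) with the corrected FIM 4.1 rule (keyEncipherment required). No partner certificate is embedded, so the script also constructs sample extensions and a certificate skeleton inline; the names `key_usage`, `cert_skeleton`, `make_key_usage_extension`, `fim40_accepts` and `fim41_accepts` are illustrative and are not FIM APIs.

```python
"""Key Usage check for an XML Encryption partner certificate.
Added example, not RSA/FIM code.  Minimal DER reader (enough to find the
KeyUsage extension) plus a tiny DER writer used only for inline sample data.
"""

KEY_USAGE_OID = "2.5.29.15"          # id-ce-keyUsage

# RFC 5280 section 4.2.1.3 bit positions; bit 0 is the leftmost bit of the BIT STRING.
KU_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """All TLVs directly inside a constructed value."""
    pos, items = 0, []
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        items.append((tag, val))
    return items


def decode_oid(value):
    """Dotted form of an OBJECT IDENTIFIER's content bytes."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def key_usage(der):
    """KeyUsage names in a DER certificate (or any DER blob); None when no
    KeyUsage extension is present, as in an X.509 v1 certificate."""
    stack = [der]
    while stack:
        try:
            items = _children(stack.pop())
        except IndexError:                              # not a clean TLV list
            continue
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }
        if items and items[0][0] == 0x06 and decode_oid(items[0][1]) == KEY_USAGE_OID:
            octet = next(v for t, v in items if t == 0x04)
            tag, bitstr, _ = _read_tlv(octet, 0)        # BIT STRING inside the OCTET STRING
            if tag != 0x03:
                raise ValueError("KeyUsage extnValue is not a BIT STRING")
            unused, bits = bitstr[0], bitstr[1:]        # first byte = count of unused bits
            nbits = len(bits) * 8 - unused
            return {n for n, i in KU_BITS.items()
                    if i < nbits and bits[i // 8] & (0x80 >> (i % 8))}
        stack.extend(v for t, v in items if t & 0x20)   # recurse into constructed types
    return None


def fim40_accepts(ku):
    """FIM 4.0 rule (wrong): DataEncipherment, bit 3, must be set."""
    return ku is not None and "dataEncipherment" in ku


def fim41_accepts(ku):
    """FIM 4.1 rule (correct): KeyEncipherment, bit 2, must be set, because the
    certificate only wraps the AES content key, never the XML data itself."""
    return ku is not None and "keyEncipherment" in ku


# ---- constructed sample data (DER writer for short values only) ------------

def _tlv(tag, value):
    assert len(value) < 128, "short-form lengths only in this writer"
    return bytes([tag, len(value)]) + value


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(enc)
    return bytes(out)


def make_key_usage_extension(*names, critical=True):
    """DER Extension carrying the given KeyUsage names (trailing zero bits trimmed)."""
    nbits = max(KU_BITS[n] for n in names) + 1
    bits = bytearray((nbits + 7) // 8)
    for n in names:
        bits[KU_BITS[n] // 8] |= 0x80 >> (KU_BITS[n] % 8)
    bitstr = _tlv(0x03, bytes([len(bits) * 8 - nbits]) + bytes(bits))
    body = _tlv(0x06, _encode_oid(KEY_USAGE_OID))
    if critical:
        body += _tlv(0x01, b"\xff")
    return _tlv(0x30, body + _tlv(0x04, bitstr))


def cert_skeleton(*extensions, v3=True):
    """Constructed stand-in for the nesting around a certificate's Extensions
    (Certificate > TBSCertificate > [0] version, serialNumber, [3] extensions).
    Not a signed certificate; v3=False models an X.509 v1 cert with no extensions."""
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if v3 else b""  # version [0] EXPLICIT INTEGER 2
    tbs += _tlv(0x02, b"\x01")                            # serialNumber
    if v3 and extensions:
        tbs += _tlv(0xA3, _tlv(0x30, b"".join(extensions)))
    return _tlv(0x30, _tlv(0x30, tbs))


if __name__ == "__main__":
    samples = [("keyEncipherment only", cert_skeleton(make_key_usage_extension("keyEncipherment"))),
               ("dataEncipherment only", cert_skeleton(make_key_usage_extension("dataEncipherment"))),
               ("X.509 v1, no extensions", cert_skeleton(v3=False))]
    for label, der in samples:
        ku = key_usage(der)
        print(f"{label}: {sorted(ku) if ku else ku}; 4.0={fim40_accepts(ku)} 4.1={fim41_accepts(ku)}")
```

To check a real partner certificate before configuring it, pass `open(path, "rb").read()` of the DER file to `key_usage()`; a certificate that returns a set containing `keyEncipherment` but not `dataEncipherment` is exactly the one FIM 4.0 rejects with the exception above and FIM 4.1 accepts.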
Legacy Article ID: a53125
