|Applies To||Federated Identity Management Module 4.0|
|Issue||FIM is unable to use a partner certificate for encryption|
FIM throws the following exception:
com.rsa.fim.profile.sso.SSOProfileException: Error encrypting the nameid: Unable to encrypt data as this certificate is not meant for Encryption.
The FIM error log shows the following:
|Cause||FIM 4.0 incorrectly requires certificates for XML encryption to have the Key Usage bit for DataEncipherment (3) set instead of the Key Usage bit for KeyEncipherment (4). The correct Key Usage is KeyEncipherment, as XML data is always encrypted with AES and the certificate is only used to encrypt the AES key, not the data.|
|Resolution||This issue was fixed in the release version of FIM 4.1. The fix was not backported to FIM 4.0. Upgrade to the latest hotfix for FIM 4.1.|
A workaround is to use a V1 certificate without any extensions. FIM 4.0 HF_17 or later will allow V1 certificates without checking extensions.
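The following Go program is an added example, not FIM code, that applies the corrected rule from the Cause and Resolution above to a partner certificate: accept keyEncipherment or a V1 certificate (no extensions), reject dataEncipherment alone, and then encrypt a payload the way XML Encryption does, with AES for the data and the certificate's RSA key only for the AES key. AES-GCM and RSA-OAEP are assumed here; FIM's exact algorithms are not stated on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// CheckXMLEncryptionCert applies the corrected (FIM 4.1) rule: the certificate
// needs keyEncipherment because its RSA key only wraps the AES key, never the
// data. A V1 certificate has no extensions, so nothing is checked (HF_17 workaround).
func CheckXMLEncryptionCert(cert *x509.Certificate) error {
	if cert.Version == 1 || cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0 {
		return nil
	}
	if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 {
		return errors.New("dataEncipherment is set but keyEncipherment is missing")
	}
	return errors.New("certificate is not meant for encryption")
}

// EncryptForPartner: payload under a fresh AES-256 key (AES-GCM assumed), and only
// that key encrypted with the certificate's RSA key (RSA-OAEP assumed).
func EncryptForPartner(cert *x509.Certificate, plaintext []byte) (wrappedKey, ciphertext []byte, err error) {
	if err = CheckXMLEncryptionCert(cert); err != nil {
		return nil, nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("certificate does not hold an RSA public key")
	}
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	aesKey, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nonce, nonce, plaintext, nil) // nonce prepended to output
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	return wrappedKey, ciphertext, err
}
```

Run CheckXMLEncryptionCert against a partner certificate parsed with x509.ParseCertificate to see whether FIM 4.0 will reject it before importing it.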
|Legacy Article ID||a53125|