000019820 - Keon: Workaround to 'Enforce Profile Definitions' when certificate issued without 'Requestor can select' and 'Vettor can override' options enabled

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000019820
Applies To: Keon Certificate Authority 6.0.2, Keon Registration Authority 6.0.2
Issue: Keon: Workaround to "Enforce Profile Definitions" when certificate issued without "Requestor can select" and "Vettor can override" options enabled
With "Requestor can select" and "Vettor can override" disabled in the Extension Profile configuration of the Jurisdiction, and with "Enforce Profile Definition" enabled and at least one Extension Profile selected, the user expected to see the list of extension profiles being enforced when the certificate was issued. Instead, the XUDA Web interface displays "Profile: No Extensions" and "Extensions: No Extensions", and the certificate is created without any extensions.
Error: "Profile: No Extensions"
Error: "Extensions: No Extensions"
Cause: "Enforce Profile Definition" is a subset of "Vettor can override". If the latter is disabled, no profile definitions are enforced.
Resolution: Although the product is working as designed, the following workaround addresses the issue:

1. Configure the following options for the Jurisdiction:
        a) Requestor can select = Disabled
        b) Vettor can override = Disabled
        c) Enforce profile definition = Enabled

2. Replace the entire contents of the "RSA_KeonCA\WebServer\x-templates\x-get-enroll-ca-pro.xuda" file with the following:

<!-- XUDA BEGIN -->

[@LDAP_ATTRIBUTES=]
<!-- LDAP SEARCH [ (&(objectclass=xuda_domain_config)(id=[domainID]))] -->
[@LDAP_ATTRIBUTES=]

!if [xuda_domain_config.profile_requestorcanselect]="true"

 <!-- Get the list of profiles -->
 <!-- LDAP PARSE ATTRIBUTE xuda_domain_config.profile_profileList -->
 [@profileArray=+[ATTRIBUTE]]
 [@profileArray=+"stop"]
 Certificate Profile: <SELECT NAME="PRO">

<OPTION value="No Extensions">No Extensions</OPTION>

 !for( i=0; (i)profileArray!"stop"; +i )
   <!-- LDAP SEARCH (&(objectclass=xuda_cert_profile)(id=[(i)profileArray])) -->
   [@bInclude=0]
        !if profileType!"CA"
     <!-- LDAP PARSE ATTRIBUTE xuda_cert_profile.type -->
       [][@bInclude=[?ATTRIBUTE="end-entity":1:0]]
        !else
     <!-- LDAP PARSE ATTRIBUTE xuda_cert_profile.type -->
       [][@bInclude=[?ATTRIBUTE="CA":1:0]]
        !endif
   !if bInclude=1
     <OPTION value="[(i)profileArray]">[xuda_cert_profile.name]</OPTION>
   !endif
 !next
 </SELECT><BR>
 <INPUT type="hidden" name="ManHidden" value="">
 <INPUT type="hidden" name="ExtHidden" value="">


!else


 <!-- Get the list of profiles -->
 <!-- LDAP PARSE ATTRIBUTE xuda_domain_config.profile_profileList -->
 [@profileArray=+[ATTRIBUTE]]
 [@profileArray=+"stop"]
 Certificate Profile: <SELECT NAME="PRO">

 !for( i=0; (i)profileArray!"stop"; +i )
   <!-- LDAP SEARCH (&(objectclass=xuda_cert_profile)(id=[(i)profileArray])) -->
   [@bInclude=0]
        !if profileType!"CA"
     <!-- LDAP PARSE ATTRIBUTE xuda_cert_profile.type -->
       [][@bInclude=[?ATTRIBUTE="end-entity":1:0]]
        !else
     <!-- LDAP PARSE ATTRIBUTE xuda_cert_profile.type -->
       [][@bInclude=[?ATTRIBUTE="CA":1:0]]
        !endif
   !if bInclude=1
     <OPTION value="[(i)profileArray]">[xuda_cert_profile.name]</OPTION>
   !endif
 !next
 </SELECT><BR>
 <INPUT type="hidden" name="ManHidden" value="">
 <INPUT type="hidden" name="ExtHidden" value="">

!endif


<!-- XUDA END -->
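The following is an added Python model of the template's selection logic, not RSA's code and not XUDA: it shows which entries the "PRO" drop-down ends up offering under each setting, using constructed records in place of the xuda_domain_config and xuda_cert_profile directory entries. The profile_type parameter (standing in for the template's profileType) and the skipping of profile IDs that have no matching xuda_cert_profile entry are assumptions.

```python
# Added example: a model of the profile drop-down built by the XUDA template
# above. Not RSA's code; directory records below are constructed stand-ins.

NO_EXTENSIONS = "No Extensions"

# Stand-in for the xuda_domain_config entry of the Jurisdiction.
# 'Requestor can select' is disabled, as in the workaround's step 1.
DOMAIN_CONFIG = {
    "profile_requestorcanselect": "false",
    "profile_profileList": ["prof-ee-1", "prof-ca-1", "prof-ee-2", "prof-gone"],
}

# Stand-in for xuda_cert_profile entries: id -> name and type.
CERT_PROFILES = {
    "prof-ee-1": {"name": "Web Server", "type": "end-entity"},
    "prof-ee-2": {"name": "S/MIME User", "type": "end-entity"},
    "prof-ca-1": {"name": "Subordinate CA", "type": "CA"},
}


def profile_options(domain_config, cert_profiles, profile_type="end-entity"):
    """Return the (value, label) pairs the template puts in <SELECT NAME="PRO">.

    Mirrors the template: walk profile_profileList in order, keep only the
    profiles whose type matches the enrollment (CA vs end-entity), and offer
    the 'No Extensions' choice only when 'Requestor can select' is true.
    """
    options = []
    if domain_config["profile_requestorcanselect"] == "true":
        options.append((NO_EXTENSIONS, NO_EXTENSIONS))
    wanted = "CA" if profile_type == "CA" else "end-entity"
    for profile_id in domain_config["profile_profileList"]:
        entry = cert_profiles.get(profile_id)
        if entry is None:  # assumption: an id with no profile entry is skipped
            continue
        if entry["type"] == wanted:
            options.append((profile_id, entry["name"]))
    return options


def enforced(options):
    """True when the form cannot produce an extension-less certificate:
    the list is non-empty and no offered value is 'No Extensions'."""
    return bool(options) and all(value != NO_EXTENSIONS for value, _ in options)
```

With "Requestor can select" disabled the drop-down contains only real profile IDs, which is what makes the enforcement hold; with it enabled the "No Extensions" choice is back and the requestor may bypass the profiles.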
Legacy Article ID: a12428
