Certificates Uploaded to Policy Store don't show up in WAMUI

Document ID : KB000009642
Last Modified Date : 14/02/2018
Introduction:

There is a known issue where imported certificates will not show up in the Siteminder Administrative UI, and the certificates cannot be listed using the smkeytool -listcerts command.

This is occasionally caused by certificates whose alias contains non-alphanumeric characters.  Alphanumeric characters are the letters A-Z and a-z and the digits 0-9; hyphens, underscores, commas, periods, spaces and similar punctuation are not alphanumeric.

Background:

When a certificate is imported from the command line with such characters in its alias, it is written to the Certificate Data Store (CDS), but the Siteminder Administrative UI will not recognize it, and the smkeytool -listcerts command will fail.

This can pose a number of problems:

1. Certificate will exist in the CDS but cannot be used for Partnerships, etc.

2. Certificate won't show up in the Administrative UI, so it appears that it needs to still be imported.  Upon attempting to import, a "certificate already exists" message will appear.

3. The smkeytool -listcerts command will fail, so there isn't an easy way to identify which certs were not imported successfully.

Instructions:

The certificate exists in the CDS, but because of the non-alphanumeric characters in its alias the Siteminder Administrative UI does not display it. The fix is to remove the object directly from the policy store with XPSExplorer and re-import the certificate with a valid alias:

1. Run XPSExplorer with elevated privileges. XPSExplorer edits the policy store directly, so take a policy store backup before deleting any objects.

2. Take note of the following two menus: under CDS: Certificate (should be option 3), and under FED: Certificate (should be option 27). The menus are listed in alphabetical order by section, so the option numbers may differ on your system; just make sure both of these menus are investigated. 

3. Choose option 3 - Certificate, then type "S" to Search Objects. This will list all of the certificates that are in the CDS. It should show the Aliases under the Policy Store Object ID (OID), so you should be able to find the cert in question, example: "cert-example" 

Important!: Take note of the OID, as you may need to verify it later in the FED menu, as it does not show aliases in that list. 

4. Type the number on the left that corresponds to the cert to select it and move to that specific certificate's menu. For example, if the cert shows something like the following: 

29-CA.CDS::Certificate@3ddcc1d3-3d55-4465-bb9d-2509ffd7d65c 

(I) Alias : "cert-example" 

Then type "29", and hit enter 

5. On this next screen, you will have the option to choose "D - Delete Object". Type D, then hit enter. 

6. This will bring you back to the previous menu of certificates stored in the CDS. The cert will likely still show up in the list; type "Q" to quit back one more menu, then type "S" to search objects again, and you will see that it has been removed. 

7. Go back two menus, and select option 27 - FED, and verify that the certificate is also removed from this menu. 

8. Go into the WAMUI and import the certificate manually, making sure the alias contains ONLY alphanumeric characters (letters and digits). The import should now succeed, and the cert should be available for use in Partnerships, etc.
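Before importing, or when working out which of many certificates need to be deleted and re-imported, it helps to check aliases against the rule described in the Introduction and to pick out the offending entries from the XPSExplorer "Search Objects" listing shown in step 4. The script below is an added example and is not part of the original article or of any CA/Broadcom tool. It assumes the listing repeats the two-line pattern shown in step 4 (an "N-CA.CDS::Certificate@<OID>" line followed by an "(I) Alias : ..." line) for every certificate; the multi-entry listing below is constructed for the example, with the first OID taken from the article and the other two made up.

```python
import re

# Alias rule as described in the article: letters and digits only.
# Anything else (hyphen, underscore, period, comma, space, ...) is rejected.
# This is an assumption about the UI's behaviour, not a documented grammar.
SAFE_ALIAS_RE = re.compile(r"^[A-Za-z0-9]+$")
ALNUM_CHAR_RE = re.compile(r"[A-Za-z0-9]")

# Line shapes assumed from the single entry shown in step 4 of the article.
HEADER_RE = re.compile(
    r"^\s*(?P<index>\d+)-(?P<oid>\S+::Certificate@[0-9a-fA-F-]+)\s*$"
)
ALIAS_LINE_RE = re.compile(r'^\s*\(I\) Alias : "(?P<alias>[^"]*)"\s*$')

# Constructed sample listing. The first OID is the one quoted in the
# article; the other two entries are invented for this example.
SAMPLE_LISTING = """\
29-CA.CDS::Certificate@3ddcc1d3-3d55-4465-bb9d-2509ffd7d65c

(I) Alias : "cert-example"

30-CA.CDS::Certificate@0f1e2d3c-4b5a-4678-9abc-def012345678

(I) Alias : "partnersigning2018"

31-CA.CDS::Certificate@11111111-2222-4333-8444-555555555555

(I) Alias : "idp_signing.cert"
"""


def is_safe_alias(alias: str) -> bool:
    """True if the alias contains only ASCII letters and digits."""
    return SAFE_ALIAS_RE.fullmatch(alias) is not None


def offending_chars(alias: str) -> str:
    """Sorted, de-duplicated string of the characters that violate the rule."""
    return "".join(sorted({c for c in alias if not ALNUM_CHAR_RE.fullmatch(c)}))


def parse_listing(text: str):
    """Turn an XPSExplorer certificate listing into a list of dicts.

    Each dict has the menu index (the number typed to select the object),
    the policy store object ID, and the alias if an alias line followed.
    """
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"index": int(m.group("index")),
                       "oid": m.group("oid"),
                       "alias": None}
            entries.append(current)
            continue
        m = ALIAS_LINE_RE.match(line)
        if m and current is not None:
            current["alias"] = m.group("alias")
    return entries


def find_bad_aliases(text: str):
    """Entries whose alias would not be recognized by the Administrative UI."""
    return [e for e in parse_listing(text)
            if e["alias"] is not None and not is_safe_alias(e["alias"])]


if __name__ == "__main__":
    for e in find_bad_aliases(SAMPLE_LISTING):
        # The index is what you type in XPSExplorer to open the object;
        # the OID is what you compare against in the FED menu (step 7).
        print(f"menu {e['index']}: alias {e['alias']!r} contains "
              f"{offending_chars(e['alias'])!r}  OID {e['oid']}")
```

Paste the output of "S - Search Objects" in place of SAMPLE_LISTING (or read it from a file) to get the menu numbers and OIDs of every certificate that needs to be deleted in step 5 and verified in step 7; the same is_safe_alias check can be used to vet a list of intended aliases before any import.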

Additional Information:

In certain circumstances, removing only one or two affected certificates does not resolve the problem.  In that case it may be simpler to remove all of the certificates from the original import using the method above, and then import all of them again manually through the Siteminder Administrative UI with alphanumeric aliases.