Exception trying to extract entities from metadata

Document ID : KB000004849
Last Modified Date : 14/02/2018
Show Technical Document Details

We are trying to import a Remote Entity and getting this error in the siteminder wamui:

Error: Exception trying to extract entities from metadata.

We see following errors in the AdminUI logs:


07:43:55,590 ERROR [FedPkiKeyStore] **ERROR** java.security.cert.CertificateException commiting keystore change for alias moa.brz.gv.at.
java.security.cert.CertificateException: com.rsa.certj.cert.CertificateException: Invalid subject name:


Caused by: com.rsa.certj.cert.CertificateException: Invalid subject name:
at com.rsa.certj.cert.X509Certificate.setInnerDER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.setCertBER(Unknown Source)
at com.rsa.certj.cert.X509Certificate.<init>(Unknown Source)
at com.ca.siteminder.security.SecurityUtil.convertCertificate(SecurityUtil.java:82)
... 67 more
Caused by: com.rsa.certj.cert.NameException: IA5String expected.

Policyserver Version: OS and Bit Version: RHEL 6.8 64-BitWebagent OS and Bit Version: RHEL 6.8 64-BitWebagent option pack:

The issue is caused by incorrect emailAddress format.

Cert details:

C:\OpenSSL-Win64\bin>openssl x509 -noout -subject -issuer -purpose -email -alias
-nameopt multiline,show_type -in abc.com.crt
organizationName = UTF8STRING:ABC
organizationalUnitName = UTF8STRING:XYZ
commonName = UTF8STRING:abc.com
serialNumber = PRINTABLESTRING:12345678912
emailAddress = UTF8STRING:abc@abc.com

RFC Specifications:

Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name as an emailAddress
attribute [RFC2985]. The attribute value for emailAddress is of type
IA5String to permit inclusion of the character '@', which is not part
of the PrintableString character set. emailAddress attribute values
are not case-sensitive (e.g., "subscriber@example.com" is the same as


Further information:

Simultaneous inclusion of the emailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.

Electronic Mail addresses may be included in certificates and CRLs in
the subjectAltName and issuerAltName extensions, name constraints
extension, authority information access extension, subject
information access extension, issuing distribution point extension,
or CRL distribution points extension. Each of these extensions uses
the GeneralName construct; GeneralName includes the rfc822Name
choice, which is defined as type IA5String.


Please ensure that email attribute type is IA5String.