User authentication fails after upgrade if client certificate authentication and CRL checking are configured

Document ID : KB000099847
Last Modified Date : 01/06/2018
Issue:
We have recently upgraded from R12.52 Sp1 CR4 to R12.7 Sp1.
We have configured client authentication with CRL checking enabled. This works on R12.52 SP1 CR4; when we upgraded to R12.7 SP1, it stopped working. We currently have CRL checking disabled so that client authentication can continue to work.

The following errors appear in the smtrace log for the CRL check:

[01/10/2018][13:10:52.610][13:10:52][6421][140579394529024][SmAuthCert.cpp:1696][isRevoked][][][][][][][][][][][][][][][][][][][][][CURL CRL fetch at http://xyz.ca.com/xyz.crlC=us,O=u.s. government,OU=department of the treasury,OU=Certification Authorities,OU=Development OCIO CA,CN=CRL27 failed with code 7. Certificate is assumed to be revoked.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:52.611][13:10:52][6421][140579394529024][SmAuthCert.cpp:1486][isRevoked][][][][][][][][xyz.ca.com][][][][][][][][][][][][][Could not find user directory for LDAP specified in distribution point (xyz.ca.com)][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:52.611][13:10:52][6421][140579394529024][SmAuthCert.cpp:2380][isRevoked][][][][][][][][][][][][][][][][][][][][][Returning status: certificate is revoked][][][][][][][][][][1Q 87 4C 7B][][C=us,O=u.s. government,OU=department of the treasury,OU=Certification Authorities,OU=Development OCIO CA][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:52.611][13:10:52][6421][140579394529024][SmAuthCert.cpp:2391][isRevoked][][][][][][][][][][][][][TRUE][][][][][][][][Leave function isRevoked][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.140578574565][]
[01/10/2018][13:10:52.611][13:10:52][6421][140579394529024][SmAuthCert.cpp:1387][isCertificateRevoked][][][][][][][][][][][][][][][][][][][][][Certificate status is unkown.][][][][][][][][][][1Q 87 4C 7B][][C=us,O=u.s. government,OU=department of the treasury,OU=Certification Authorities,OU=Development OCIO CA][][][][][][][][][][][][][][][][][][][][][][][][][]
Environment:
SSO R12.7 SP1 and R12.7 SP2
 
Cause:
This is a product bug. The Policy Server enumerates the certificate's CRL Distribution Points (CDPs) in the correct order, but it prepends the preceding CDP to the next one. In the trace below, the second CDP, which should be just the LDAP distinguished name (C=us,...,CN=CRL27), comes out with the first CDP's URL (http://xyz.ca.com/xyz.crl) prepended to it. The revocation check then tries to fetch that malformed URL, the fetch fails, and because a failed CRL fetch is treated as "revoked", the user is rejected.

[01/10/2018][13:10:41.367][13:10:41][6421][140579394529024][certcHelper.cpp:1164][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][Enter function RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:41.367][13:10:41][6421][140579394529024][certcHelper.cpp:1213][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][CRL DPName = http://xyz.ca.com/xyz.crl][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:41.368][13:10:41][6421][140579394529024][certcHelper.cpp:1213][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][CRL DPName = http://xyz.ca.com/xyz.crlC=us,O=u.s. government,OU=department of the treasury,OU=Certification Authorities,OU=Development OCIO CA,CN=CRL27][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:41.368][13:10:41][6421][140579394529024][certcHelper.cpp:1213][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][CRL DPName = ldap://xyz.ca.com/cn=CRL27,ou=Development OCIO CA,ou=Certification Authorities,ou=department of the treasury,o=u.s. government,c=us?certificateRevocationList;binary][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[01/10/2018][13:10:41.368][13:10:41][6421][140579394529024][certcHelper.cpp:1233][RSA_GetCRLDistributionPoint][][][][][][][][][][][][][CDP's found in Cert][][][][][][][][Leave function RSA_GetCRLDistributionPoint][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][00:00:00.000247][]
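As an added example (not product code from this article or from CA), the following Python script parses the `CRL DPName = ...` entries from an smtrace excerpt and flags the signature of the bug described above: an http(s) CDP whose path has a distinguished name fused onto it. It also shows that the fused DN is the same DN the LDAP CDP carries, written root-first. The sample lines are constructed from the article's trace with the empty bracket fields abridged; the RDN attribute list and the loose DN comparison are heuristics of this example, not part of the product.

```python
"""Audit smtrace CDP lines for the fused-CDP defect (example, not product code)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample: the three DPName lines from the article's trace, with the
# long runs of empty [] fields abridged. Host names and DN are the article's placeholders.
SAMPLE_TRACE = """\
[01/10/2018][13:10:41.367][13:10:41][6421][140579394529024][certcHelper.cpp:1213][RSA_GetCRLDistributionPoint][][CRL DPName = http://xyz.ca.com/xyz.crl][]
[01/10/2018][13:10:41.368][13:10:41][6421][140579394529024][certcHelper.cpp:1213][RSA_GetCRLDistributionPoint][][CRL DPName = http://xyz.ca.com/xyz.crlC=us,O=u.s. government,OU=department of the treasury,OU=Certification Authorities,OU=Development OCIO CA,CN=CRL27][]
[01/10/2018][13:10:41.368][13:10:41][6421][140579394529024][certcHelper.cpp:1213][RSA_GetCRLDistributionPoint][][CRL DPName = ldap://xyz.ca.com/cn=CRL27,ou=Development OCIO CA,ou=Certification Authorities,ou=department of the treasury,o=u.s. government,c=us?certificateRevocationList;binary][]
"""

DPNAME_RE = re.compile(r"\[CRL DPName = ([^\]]*)\]")
# Attribute types that can open an RDN; a fused DN starts with one of these.
# Heuristic list for this example (the article's DN uses C, O, OU and CN).
RDN_START_RE = re.compile(r"(?:CN|OU|O|C|DC|L|ST|UID)=", re.IGNORECASE)


def extract_dpnames(trace: str) -> List[str]:
    """Pull every 'CRL DPName = ...' value out of the bracket-delimited smtrace lines."""
    found = []
    for line in trace.splitlines():
        m = DPNAME_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def classify_cdp(dp: str) -> Dict[str, Optional[object]]:
    """Classify one CDP as http/ldap/dn/unknown and, for http, detect a fused DN.

    A CRL URL path never carries an RDN sequence such as 'C=us,O=...'; if one
    follows the path, two distribution points were concatenated (the bug signature).
    """
    parts = urlsplit(dp)
    if parts.scheme in ("http", "https"):
        m = RDN_START_RE.search(parts.path)
        if m and "," in parts.path[m.start():]:
            url = f"{parts.scheme}://{parts.netloc}{parts.path[:m.start()]}"
            return {"kind": "http", "fused": True, "url": url, "dn": parts.path[m.start():]}
        return {"kind": "http", "fused": False, "url": dp, "dn": None}
    if parts.scheme == "ldap":
        # LDAP URL: the base DN is the path component, the attribute is the query.
        return {"kind": "ldap", "fused": False, "url": dp, "dn": unquote(parts.path.lstrip("/"))}
    if RDN_START_RE.match(dp):
        return {"kind": "dn", "fused": False, "url": None, "dn": dp}
    return {"kind": "unknown", "fused": False, "url": None, "dn": None}


def same_dn(a: str, b: str) -> bool:
    """Loose DN equality: case-insensitive RDNs, accepting root-first or leaf-first order.

    Ignores RDN escaping and multi-valued RDNs; sufficient for the article's DNs.
    """
    na = [r.strip().lower() for r in a.split(",")]
    nb = [r.strip().lower() for r in b.split(",")]
    return na == nb or na == nb[::-1]


def audit_trace(trace: str) -> List[Dict[str, Optional[object]]]:
    """Classify every CDP in the trace, in the order the Policy Server logged them."""
    return [classify_cdp(dp) for dp in extract_dpnames(trace)]


def fused_cdps(trace: str) -> List[Dict[str, Optional[object]]]:
    """Return only the CDPs that show the fused-DN signature."""
    return [c for c in audit_trace(trace) if c["fused"]]


if __name__ == "__main__":
    for entry in audit_trace(SAMPLE_TRACE):
        flag = "FUSED" if entry["fused"] else "ok"
        print(f"{entry['kind']:7} {flag:5} url={entry['url']!r} dn={entry['dn']!r}")
```

Run against a real smtrace export, the script lists each CDP the Policy Server extracted; any `FUSED` entry whose `url` equals the preceding CDP confirms the behaviour this article describes. A certificate whose http CDP legitimately contains an `=` in the path could trip the heuristic, so treat a hit as something to inspect, not as proof on its own.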
 
Resolution:
The code has been changed so that the first CDP name is no longer prepended to the second CDP name (which is supposed to be just an LDAP DN).
The fix will be available in the next releases of R12.7 and R12.8.
Until a release containing the fix is installed, be aware that the workaround of disabling CRL checking also stops revocation from being enforced for client certificates; with CRL checking enabled, the Policy Server treats a failed CRL fetch as "revoked" (as the trace above shows), which is why authentication fails rather than silently succeeding.