Symantec Access Management

CA Security Tuesday Tip:  Product Siteminder   Subject: CURL CRL fetch .crl failed errors list for information and troubleshooting


    Posted 08-27-2015 04:20 PM

    CA Siteminder Tuesday Tip by Terence Mills   Principal Support Engineer   August 27 2015

     

    You might see the following error in the smdefaulttrace.log, in the logs folder on a SiteMinder Policy Server:

    CURL CRL fetch at (crl issuer website) failed with code 23

    This is SiteMinder's general interpretation of curl error 23. These errors are not initially generated by SiteMinder.

     

    The actual curl error for code 23 is:

    CURLE_WRITE_ERROR (23)

    An error occurred when writing received data to a local file, or an error was returned to libcurl from a write callback.

    Again, curl generates this error code and SiteMinder receives the error code from curl.

    The code 23 error could have a lot of causes on the CRL side. I will list one of them that we know of so far. I will continue to add code errors to this discussion if and when I find other causes for each of the code errors.

    For a code 23 error, I would first check the size of the particular CRL involved in the code 23 error, and then the other CRLs in your environment.

     

    By default, SiteMinder has size limits for CRLs

    The Policy Server caches CRLs. The Policy Server default cache size is up to 2 MB. If your CRLs exceed the default cache size, increase the cache size up to a maximum of 1 GB. To increase the cache size, add the MaxCRLBufferMB registry key. For example, if your CRL is 3.2 MB, you would need to increase your MaxCRLBufferMB to at least 4 MB.

    Follow these steps:

    - Access the Policy Server and follow the step for your operating platform:

      Windows: Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Netegrity\siteminder\CurrentVersion\PolicyServer.

      UNIX: Open the sm.registry file. The default location of this file is siteminder_home/registry.

      siteminder_home specifies the Policy Server installation path.

    - Add MaxCrlBufferMB with a registry value type of REG_DWORD.

      Unit of measurement: Megabytes

      Base: Decimal

      Default value: 2

      Minimum value: 1

      Maximum value: 1023

      Change the default value above to, for this example, 4, which is 4 MB.

    - Complete one of the following steps:

      Windows: Exit the Registry Editor.

      UNIX: Save the sm.registry file.

    - Restart the Policy Server.

    For more information on this and other Certificate Revocation List validation information, please check this link:

      https://wiki.ca.com/display/sm1252sp1/Certificate%20Revocation%20List%20Validation

    Message was edited by: TERENCE MILLS
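
As an added example (not part of the original post and not CA code): a small Python triage helper for the check described above. It pulls the `CURL CRL fetch at ... failed with code N` messages out of trace lines and, for code 23, compares a known CRL size with the MaxCRLBufferMB limits given in the post. The sample trace lines, timestamp layout, URLs, function names and the binary-megabyte interpretation are assumptions.

```python
import math
import re

# Message wording as quoted in the post; the rest of the trace line layout is an assumption.
FETCH_FAILED = re.compile(r"CURL CRL fetch at (?P<url>\S+) failed with code (?P<code>\d+)")

# Code 23 is from the post; the other names come from libcurl's documented error list.
CURL_ERRORS = {6: "CURLE_COULDNT_RESOLVE_HOST", 7: "CURLE_COULDNT_CONNECT",
               23: "CURLE_WRITE_ERROR", 28: "CURLE_OPERATION_TIMEDOUT"}

DEFAULT_MB, MIN_MB, MAX_MB = 2, 1, 1023  # MaxCRLBufferMB limits stated in the post
MB = 1024 * 1024                          # assumption: the key counts binary megabytes


def required_buffer_mb(crl_bytes):
    """Smallest whole-MB buffer that holds the CRL, or None if it exceeds the maximum."""
    needed = max(MIN_MB, math.ceil(crl_bytes / MB))
    return needed if needed <= MAX_MB else None


def triage(trace_lines, crl_sizes, current_mb=DEFAULT_MB):
    """Return one finding per distinct CRL URL that failed to fetch."""
    findings = {}
    for line in trace_lines:
        m = FETCH_FAILED.search(line)
        if not m:
            continue
        url, code = m["url"], int(m["code"])
        size = crl_sizes.get(url)  # size in bytes, if the CRL was measured separately
        too_big = code == 23 and size is not None and size > current_mb * MB
        findings[url] = {
            "url": url, "code": code,
            "curl_error": CURL_ERRORS.get(code, "not in this table"),
            "raise_buffer": too_big,  # True: CRL is larger than the current buffer
            "needed_mb": required_buffer_mb(size) if too_big else None,
        }
    return list(findings.values())


# Constructed sample input: trace lines and CRL sizes in bytes (about 3.2 MB).
SAMPLE_TRACE = [
    "[08/27/2015][10:15:02] CURL CRL fetch at http://crl.example.test/issuing-ca.crl failed with code 23",
    "[08/27/2015][10:15:03] unrelated trace line",
    "[08/27/2015][10:20:41] CURL CRL fetch at http://crl.example.test/root-ca.crl failed with code 6",
]
SAMPLE_SIZES = {"http://crl.example.test/issuing-ca.crl": 3_355_443}

if __name__ == "__main__":
    for finding in triage(SAMPLE_TRACE, SAMPLE_SIZES):
        print(finding)
```

A code 23 finding with `raise_buffer` false means the CRL fits the current buffer, so the cause lies elsewhere; `needed_mb` of `None` alongside `raise_buffer` true means the CRL is larger than the 1023 MB maximum.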