CA Siteminder Tuesday Tip by Terence Mills, Principal Support Engineer, August 27, 2015
You might see the following error in the smdefaulttrace.log in the logs folder on a Siteminder Policy Server:
CURL CRL fetch at (crl issuer website) failed with code 23
This is Siteminder's general interpretation of the curl-generated error 23. These errors are not initially generated by Siteminder.
The actual curl error for code 23 is:
An error occurred when writing received data to a local file, or an error was returned to libcurl from a write callback.
Again, curl generates this error code and Siteminder receives the error code from curl.
The code 23 error could have a lot of causes on the CRL side. I will list 1 of them that we know of so far. I will continue to add code errors to this discussion if and when I find other causes for each of the code errors.
For a code 23 error, I would first check the size of the particular CRL involved in the code 23 error, and then the other CRLs in your environment.
By default, Siteminder has size limits for CRLs.
The Policy Server caches CRLs. The Policy Server default cache size is up to 2 MB. If your CRLs exceed the default cache size, increase the cache size up to a maximum of 1 GB. To increase the cache size, add the MaxCRLBufferMB registry key. For example, if your CRL is 3.2 MB, you would need to increase your MaxCRLBufferMB to at least 4 MB.
Follow these steps:
-Access the Policy Server and follow the step for your operating platform:
Windows: Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\Software\Wow6432Node\Netegrity\siteminder\CurrentVersion\PolicyServer.
UNIX: Open the sm.registry file. The default location of this file is siteminder_home/registry.
Siteminder_home specifies the Policy Server installation path.
-Add MaxCrlBufferMB with a registry value type of REG_DWORD.
Unit of measurement: Megabytes
Default value: 2
Minimum value: 1
Maximum value: 1023
Change the default value above to, for this example, 4, which is 4 MB.
-Complete one of the following steps:
Windows: Exit the Registry Editor.
UNIX: Save the sm.registry file.
-Restart the Policy Server
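
To decide which value to set, the check described above can be scripted. This is an added example, not CA or Siteminder code: it pulls the CRL URLs that failed with code 23 out of trace lines (matching only the message text quoted on this page) and computes the smallest MaxCrlBufferMB that holds the largest CRL. The log lines, hosts and sizes are constructed, the CRL sizes are supplied by you after measuring the files, and 1 MB = 1024 * 1024 bytes is an assumption.

```python
import math
import re

# Message text as quoted on this page; the rest of the trace line is not assumed.
FETCH_FAIL = re.compile(r"CURL CRL fetch at (\S+) failed with code (\d+)")

DEFAULT_MB, MIN_MB, MAX_MB = 2, 1, 1023  # MaxCrlBufferMB values from this page
BYTES_PER_MB = 1024 * 1024               # assumption: the page does not define "MB"

def failed_fetches(lines, code=23):
    """Return {crl_url: occurrences} for CRL fetches that failed with `code`."""
    hits = {}
    for line in lines:
        m = FETCH_FAIL.search(line)
        if m and int(m.group(2)) == code:
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits

def required_buffer_mb(crl_sizes):
    """Smallest MaxCrlBufferMB that holds the largest CRL, or None if over the maximum."""
    largest = max(crl_sizes.values(), default=0)
    needed = max(MIN_MB, math.ceil(largest / BYTES_PER_MB))
    return needed if needed <= MAX_MB else None

def report(lines, crl_sizes):
    """List (url, failures, size_bytes, exceeds_default) for each code-23 CRL."""
    rows = []
    for url, count in sorted(failed_fetches(lines).items()):
        size = crl_sizes.get(url)  # None means the CRL has not been measured yet
        over = size is not None and size > DEFAULT_MB * BYTES_PER_MB
        rows.append((url, count, size, over))
    return rows

# Constructed sample data: hypothetical hosts, timestamps and sizes.
SAMPLE_LOG = [
    "[08/27/2015][10:01:12] CURL CRL fetch at http://crl.example.test/big.crl failed with code 23",
    "[08/27/2015][10:01:40] CURL CRL fetch at http://crl.example.test/down.crl failed with code 7",
    "[08/27/2015][10:06:12] CURL CRL fetch at http://crl.example.test/big.crl failed with code 23",
]
SAMPLE_SIZES = {
    "http://crl.example.test/big.crl": 3_355_443,   # about 3.2 MB, as in the page's example
    "http://crl.example.test/small.crl": 150_000,
}

if __name__ == "__main__":
    for url, count, size, over in report(SAMPLE_LOG, SAMPLE_SIZES):
        print(f"{url}: {count} code-23 failures, {size} bytes, over default: {over}")
    print("MaxCrlBufferMB needed:", required_buffer_mb(SAMPLE_SIZES))
```

CRLs grow as certificates are revoked, so re-run the size check periodically rather than treating the computed value as permanent.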
For more information on this and other Certificate Revocation List validation information, please check this link