Troubleshooting
Configuration
Use the PKI Services Manager test utility to determine whether a certificate passes the validity tests. Procedures for checking certificate validity and identity mapping are available for both Windows and Unix.
Tip
The certificate validation test applies only to end-entity certificates, not to CA certificates. Root and intermediate CA certificates will not pass the validation test even when they are valid, so a failure for one of these does not indicate a problem.
If a valid certificate fails the validity test, check the following:
-
Is PKI Services Manager correctly configured to point to your certificate store(s)? (In the console, check the search order on the Trusted Chain pane. In pki_config, check CertSearchOrder.)
-
Has the required root CA been added as a trust anchor? (In the console, check the trust anchor list on the Trusted Chain pane. In pki_config, check Trust Anchor.)
-
Is certificate revocation correctly configured? As a diagnostic step, turn revocation checking off and see whether validation succeeds. (In the console, edit the search order on the Revocation pane. In pki_config, edit RevocationCheckOrder.) If validation then succeeds, the problem is in your revocation settings: review the Revocation pane in the console, or RevocationCheckOrder, CRLServers, OCSPCertificate, and/or OCSPResponders in pki_config. Re-enable revocation checking once you have found the cause; running without it accepts certificates that the CA has revoked.
More information
- Certificate Attribute Requirements
Identity Mapping
Problem: Updates to identity mapping don't take effect
To ensure that your settings changes take effect, save your changes (File > Save) and then reload your configuration (Server > Reload). To avoid having to reload after every change, enable Refresh rules from file before mapping operation. On a UNIX system, run pkid reload after you save a modified map file, or include DynamicFile = yes in the map file.
Problem: Users listed as allowed identities in some rules are denied access
This problem occurs when PKI Services Manager stops processing rules before it reaches the rule that would allow access. Rules are processed in order from top to bottom, and processing stops at the first rule whose condition the certificate meets, or at the first rule that has no condition at all. A rule with no conditions therefore ends processing, and none of the rules after it is ever evaluated. For example, the following configuration has three rules with no conditions. Processing always stops after the first rule, so joe is allowed access with any valid certificate (whoever it was issued to), while don and fred are never allowed access, even with a valid certificate.
{ joe }
{ don }
{ fred }
One fix is a single unconditional rule that lists every allowed identity, or one whose allowed identity is taken from the certificate's UPN:
{ joe don fred }
-or-
{ %UPN.User% }
Alternatively, to have multiple rules processed, add a condition to each of them, and put any rule with no conditions at the end of the list. For example:
{ joe } UPN.User Equals "joe"
{ don } UPN.User Equals "don"
{ fred } UPN.User Equals "fred"
{ guest }
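The first-match behaviour described above is easy to misjudge when reading a map file by eye. The following is an added example, not PKI Services Manager code: a small constructed evaluator that models the documented semantics (top to bottom, stop at the first rule whose condition holds or that has no condition) for the rule syntax shown on this page, and runs the broken and corrected map files against constructed certificate attributes. The parser handles only `{ identities } [Attribute Equals "value"]` and `%Attribute%` substitution; the real product supports more, and the treatment of an unexpandable variable here is this example's own choice.

```python
"""Model of PKI Services Manager first-match rule processing.

Added example, not Micro Focus code. Supports only the rule syntax shown on
this page:  { identity ... } [Attribute Equals "value"]
plus %Attribute% substitution in the allowed-identity list.
"""
import re

RULE_RE = re.compile(r'^\{\s*(?P<ids>[^}]*)\}\s*(?P<cond>.*)$')
COND_RE = re.compile(r'^(?P<attr>[A-Za-z][A-Za-z0-9.]*)\s+Equals\s+"(?P<val>[^"]*)"$')
VAR_RE = re.compile(r'%([A-Za-z][A-Za-z0-9.]*)%')


def parse_map(text):
    """Return a list of (allowed_identities, condition) in file order.

    condition is None for an unconditional rule, otherwise (attribute, value).
    Blank lines and '#' comments are skipped; anything else must be a rule.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule: {line!r}")
        ids = m.group('ids').split()
        cond_text = m.group('cond').strip()
        if cond_text:
            c = COND_RE.match(cond_text)
            if not c:
                raise ValueError(f"line {lineno}: unsupported condition: {cond_text!r}")
            condition = (c.group('attr'), c.group('val'))
        else:
            condition = None
        rules.append((ids, condition))
    return rules


def first_matching_rule(rules, cert):
    """Index of the rule that ends processing, or None if no rule applies.

    Rules are tried top to bottom; processing stops at the first rule whose
    condition the certificate meets, or at the first unconditional rule.
    """
    for i, (_ids, condition) in enumerate(rules):
        if condition is None:
            return i
        attr, value = condition
        if cert.get(attr) == value:
            return i
    return None


def allowed_identities(rules, cert):
    """Identities the certificate may log in as, after %Attribute% expansion."""
    i = first_matching_rule(rules, cert)
    if i is None:
        return []
    ids, _condition = rules[i]
    expanded = []
    for ident in ids:
        value = VAR_RE.sub(lambda m: cert.get(m.group(1), ''), ident)
        if value:  # example's choice: an identity whose variable is absent is dropped
            expanded.append(value)
    return expanded


def is_allowed(map_text, cert, user):
    """True if a certificate with these attributes may log in as user."""
    return user in allowed_identities(parse_map(map_text), cert)


# Constructed map files, mirroring the examples on this page.
BROKEN_MAP = """
{ joe }
{ don }
{ fred }
"""

FIXED_MAP = """
{ joe } UPN.User Equals "joe"
{ don } UPN.User Equals "don"
{ fred } UPN.User Equals "fred"
{ guest }
"""

UPN_MAP = "{ %UPN.User% }"

# Constructed certificate attributes; only the user part of the UPN is modelled.
DON_CERT = {"UPN.User": "don"}
MALLORY_CERT = {"UPN.User": "mallory"}

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_MAP), ("fixed", FIXED_MAP), ("upn", UPN_MAP)):
        rules = parse_map(text)
        print(name, "stops at rule", first_matching_rule(rules, DON_CERT),
              "-> allowed:", allowed_identities(rules, DON_CERT))
```

Running it shows both halves of the problem: with the broken map, don's certificate stops at rule 0 and is mapped to joe, so don is denied and, worse, any valid certificate is accepted as joe; with the corrected map the same certificate reaches rule 1 and maps to don, and an unknown user falls through to the final unconditional guest rule.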
Logging
Logging is enabled by default. Log files are created daily and saved to a directory called logs located in the PKI Services Manager data directory.
You can change the logging level to control the amount of information sent to the log. The log can contain both auditing messages (labeled "[audit]"), and debug messages (labeled "[debug]"). Auditing messages provide information about both successful and unsuccessful validation attempts. Debug messages are designed to help in troubleshooting.
The default log level is "Error". At this level, auditing messages are always sent to the log, but debug messages are sent only when a PKI Services Manager error occurs, generally because PKI Services Manager is not correctly configured. The additional log levels "Warning", "Information", and "Debug" provide increasing levels of detail. ("Trace" is also available, but produces more content than is generally useful.)
Note
Changing Log level does not require a restart. If you change Maximum log files or Log output to file, you must restart the server.
To set the level of detail in the log file from the console (Windows)
-
From the PKI Services Manager console, go to the General pane.
-
Specify a value for Log level.
-
Save (File > Save) and reload (Server > Reload).
To change the logging level by editing pki_config (Unix)
-
Open the PKI Services Manager configuration file in a text editor. The default name and location is:
/opt/microfocus/pkid/config/pki_config
-
Use LogLevel to specify a level of detail. Allowed values are 'error', 'warn', 'info', 'debug', and 'trace'. Note that these differ from the labels shown in the console; for example, the console's "Warning" corresponds to 'warn' in pki_config.
-
Save the file and reload your settings.
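For the Unix procedure above, the following added example (not Micro Focus code) edits the LogLevel setting in a pki_config-style file programmatically, rejecting values that pki_config does not accept before anything is written. It assumes the file consists of `Keyword = value` lines with `#` comments, as the settings quoted on this page suggest; the sample fragment is constructed, and you should check the assumption against your own pki_config before using it on a real file.

```python
"""Set LogLevel in a pki_config-style file.

Added example, not Micro Focus code. Assumes 'Keyword = value' lines and
'#' comments; verify against your own pki_config before use.
"""
import re

# Values accepted by pki_config per this page; the console labels differ
# ("Warning" in the console is 'warn' here).
ALLOWED_LEVELS = ("error", "warn", "info", "debug", "trace")

# Matches an active LogLevel line; a commented-out one ('# LogLevel = ...')
# does not match and is preserved untouched.
LOGLEVEL_RE = re.compile(r'^\s*LogLevel\s*=', re.IGNORECASE)


def set_log_level(config_text, level):
    """Return config_text with exactly one active 'LogLevel = <level>' line.

    Raises ValueError for a value not in ALLOWED_LEVELS, so a typo such as
    'warning' is caught before the daemon is reloaded against a bad file.
    Duplicate LogLevel lines are collapsed into the first one.
    """
    level = level.lower()
    if level not in ALLOWED_LEVELS:
        raise ValueError(f"LogLevel must be one of {ALLOWED_LEVELS}, got {level!r}")
    out, replaced = [], False
    for line in config_text.splitlines():
        if LOGLEVEL_RE.match(line):
            if not replaced:
                out.append(f"LogLevel = {level}")
                replaced = True
            continue  # drop any further LogLevel lines
        out.append(line)
    if not replaced:
        out.append(f"LogLevel = {level}")
    return "\n".join(out) + "\n"


def current_log_level(config_text):
    """Return the active LogLevel value, or 'error' (the documented default) if unset."""
    for line in config_text.splitlines():
        if LOGLEVEL_RE.match(line):
            return line.split("=", 1)[1].strip().lower()
    return "error"


# Constructed sample fragment; only LogLevel is taken from this page.
SAMPLE = """# constructed pki_config fragment
# LogLevel = trace
LogLevel = error
"""

if __name__ == "__main__":
    updated = set_log_level(SAMPLE, "debug")
    print(updated)
    print("active level:", current_log_level(updated))
```

After writing the result back to /opt/microfocus/pkid/config/pki_config, reload your settings as described above; the value check in set_log_level is what prevents a reload against a file with a misspelled level.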