Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator


Piraveena Paralogarajah
Hi,

I'm working on configuring the x509Certificate Authenticator using WSO2 IS version 5.8.0. I did all the configurations as mentioned in the doc [1], and I got the error given below.

org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
    at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
    at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
    at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
    at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)

[2019-01-17 11:49:05,175]  INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} -  X509 Certificate validation with CRLValidator
[2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} -  Certificate validation is not successful.
org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
    at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
    at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
    at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
    at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)


So I disabled CRLValidator and OCSPValidator in the certificate-validation.xml file in ${IS_HOME}/repository/conf/security/, but the changes did not get applied. According to the implementation in RevocationValidationManagerImpl.java in the identity-x509-revocation extension, the CRL and OCSP validators are read from the registry at repository/security/certificate/validator. This is quite confusing, since we need to modify certificate-validation.xml as well as the registry to disable CRLValidator and OCSPValidator.

The doc on Configuring x509Certificate Authenticator [1] does not mention the changes that need to be made in the configuration file and the registry to disable CRL and OCSP either.




Regards,
Piraveena

Piraveena Paralogarajah
Software Engineer | WSO2 Inc.
(m) +94776099594 | (e) [hidden email]


_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

tharindue
Hi Indunil,

Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?

Thanks,
TharinduE

On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[hidden email]> wrote:
--
You received this message because you are subscribed to the Google Groups "WSO2 Documentation Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/a/wso2.com/d/optout.


--

Tharindu Edirisinghe
Associate Technical Lead | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586



Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

Indunil Upeksha Rathnayake
Hi,

As per the CRL & OCSP implementation, all the certificate validator configurations in the certificate-validation.xml file will be added to the tenant registry at /_system/governance/repository/security/certificate/validator on the initial server startup and on tenant creation. There will be a separate registry resource for each validator, with properties such as name, enable, priority, etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on their enabled state and priority, the corresponding validators will get invoked.

[hidden email] : It seems all the necessary information in [1] has not been included in the WSO2 documentation. Can you please add all the information there?

[hidden email] [hidden email] [hidden email] [hidden email] : This X509 Authenticator documentation is really not in good shape. The steps are not in order and not clear; we need to restructure the page. Can you guys please schedule a meeting to discuss this matter?


Thanks and Regards

On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[hidden email]> wrote:
--
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc
Email    [hidden email]
Mobile   0772182255


Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

Piraveena Paralogarajah
Hi Indunil,

CRL & OCSP validators are enabled in the certificate-validation.xml file in IS 5.7.0 by default. So this triggers exceptions and X509 authentication fails. So by default CRL & OCSP validators should be disabled. This step is not addressed in the documentation either.

To overcome this issue, we now need to disable them in the /_system/governance/repository/security/certificate/validator registry resource. So could you please confirm whether it is necessary to disable the CRL and OCSP validators in the registry in IS 5.7.0 after the server starts, to make X509 authentication succeed?

Thanks and Regards,
Piraveena




On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[hidden email]> wrote:

Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

Yvonne Wickramasinghe
Hi Indunil,

Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the requirements in detail.

Regards,

On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[hidden email]> wrote:
--

Yvonne Wickramasinghe | Senior Technical Writer | WSO2 Inc.
(m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [hidden email] 
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
https://wso2.com/signature


Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

Yvonne Wickramasinghe
Hi Piraveena and Indunil,

As discussed, I added a new section called Disabling Certificate Validation with the steps required to disable CRL and OCSP validators. Please check and let me know if you require any further changes.

Regards,

On Tue, Jan 29, 2019 at 10:08 AM Yvonne Wickramasinghe <[hidden email]> wrote:

Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

tharindue
In [1], the configuration mentioned for disabling the validators will work only if the server is never started up. Because at very first server startup, it reads this file and creates a registry resource. So, if it is already created, later even if you modify the file, it won't get reflected. So, for turning off the validators, we need to browse the registry (of the particular tenant) from Mgt Console and set the required properties of the registry resource.

So we need to include the above info in the docs as well.
[hidden email] [hidden email] - Please confirm the above.


Thanks,
TharinduE

On Tue, Feb 12, 2019 at 3:37 PM Yvonne Wickramasinghe <[hidden email]> wrote:
Hi Piraveena and Indunil,

As discussed, I added a new section called Disabling Certificate Validation with the steps required to disable CRL and OCSP validators. Please check and let me know if you require any further changes.

Regards,

On Tue, Jan 29, 2019 at 10:08 AM Yvonne Wickramasinghe <[hidden email]> wrote:
Hi Indunil,

Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the requirements in detail.

Regards,

On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[hidden email]> wrote:
Hi Indunil,

CRL & OCSP validators are enabled in the certificate-validation.xml file in IS 5.7.0 by default. So this triggers exceptions and X509 authentication fails. So by default CRL & OCSP validators should be disabled. This step is not addressed in the documentation either.

To overcome this issue, we now need to disable them in the /_system/governance/repository/security/certificate/validator registry. So could you please confirm whether it is necessary to disable the CRL and OCSP validators in the registry in IS 5.7.0 after the server starts to make X509 authentication succeed?

Thanks and Regards,
Piraveena

Piraveena Paralogarajah
Software Engineer | WSO2 Inc.
(m) +94776099594 | (e) [hidden email]



On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[hidden email]> wrote:
Hi,

As per the CRL & OCSP implementation, all the certificate validator configurations in the certificate-validation.xml file will be added to the tenant registry in /_system/governance/repository/security/certificate/validator on the initial server startup and on tenant creation. There will be a separate registry resource for each validator, with properties such as name, enable, priority, etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on the enabled state and priority, the corresponding validators will get invoked.

[hidden email] : It seems all the necessary information in [1] has not been included in the WSO2 documentation. Can you please add all the information there?

[hidden email] [hidden email] [hidden email] [hidden email] : This X509 Authenticator documentation is really not in good shape. The steps are not in order and not clear; we need to restructure the page. Can you guys please schedule a meeting to discuss this matter?


Thanks and Regards

On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[hidden email]> wrote:
Hi Indunil,

Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?

Thanks,
TharinduE


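The startup behaviour Indunil and Tharindu describe above (certificate-validation.xml is copied into the tenant registry only on the first startup; afterwards the validation manager reads the enable and priority properties from the registry), modelled in an added Python example that is not WSO2 code. The XML sample is constructed and reproduces only the property names the thread mentions, not the real file's schema, and a dict stands in for the registry collection.

```python
import xml.etree.ElementTree as ET

# Registry collection named in the thread; the dict used below stands in for it.
REGISTRY_PATH = "/_system/governance/repository/security/certificate/validator"

# Constructed stand-in for certificate-validation.xml: only the property names
# the thread mentions (name, enable, priority); not the real file's schema.
CERT_VALIDATION_XML = """<CertificateValidation>
  <Validators>
    <Validator name="CRLValidator" enable="true">
      <Parameter name="priority">1</Parameter>
    </Validator>
    <Validator name="OCSPValidator" enable="true">
      <Parameter name="priority">2</Parameter>
    </Validator>
  </Validators>
</CertificateValidation>"""

def parse_validator_config(xml_text):
    """Return {validator name: {"enable": bool, "priority": int}} from the file."""
    config = {}
    for v in ET.fromstring(xml_text).iter("Validator"):
        params = {p.get("name"): (p.text or "") for p in v.findall("Parameter")}
        config[v.get("name")] = {
            "enable": v.get("enable", "false").lower() == "true",
            "priority": int(params.get("priority", "0")),
        }
    return config

def resource_path(name):
    return f"{REGISTRY_PATH}/{name.lower()}"   # e.g. .../crlvalidator

def seed_registry(registry, xml_text):
    """First-startup behaviour: copy the file into the registry only when the
    validator resources do not exist yet; later startups never read the file."""
    if any(path.startswith(REGISTRY_PATH + "/") for path in registry):
        return False
    for name, props in parse_validator_config(xml_text).items():
        registry[resource_path(name)] = {
            "name": name,
            "enable": "true" if props["enable"] else "false",
            "priority": str(props["priority"]),
        }
    return True

def active_validators(registry):
    """Validators the manager invokes: enable=true, registry only, by priority."""
    resources = [r for p, r in registry.items() if p.startswith(REGISTRY_PATH + "/")]
    enabled = [r for r in resources if r["enable"] == "true"]
    return [r["name"] for r in sorted(enabled, key=lambda r: int(r["priority"]))]

def set_validator_enabled(registry, name, enabled):
    """The fix the thread converges on: flip the 'enable' property on the
    registry resource (what the Mgt Console edit does), not in the file."""
    registry[resource_path(name)]["enable"] = "true" if enabled else "false"

def config_drift(registry, xml_text):
    """Operator check: validators whose 'enable' in the file disagrees with
    the registry resource, i.e. the confusing state reported in the thread."""
    drift = []
    for name, props in parse_validator_config(xml_text).items():
        res = registry.get(resource_path(name))
        if res is not None and (res["enable"] == "true") != props["enable"]:
            drift.append(name)
    return drift

if __name__ == "__main__":
    reg = {}
    seed_registry(reg, CERT_VALIDATION_XML)
    print(active_validators(reg))            # ['CRLValidator', 'OCSPValidator']
    # Disabling both validators in the file after first startup has no effect:
    edited = CERT_VALIDATION_XML.replace('enable="true"', 'enable="false"')
    seed_registry(reg, edited)
    print(active_validators(reg), config_drift(reg, edited))
    # Disabling them on the registry resources is what takes effect:
    for name in ("CRLValidator", "OCSPValidator"):
        set_validator_enabled(reg, name, False)
    print(active_validators(reg), config_drift(reg, edited))   # [] []
```

The drift check is the part worth keeping around: after an upgrade or a file edit it tells you at a glance whether the file and the registry resources still agree.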
Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

Piraveena Paralogarajah
As mentioned by [hidden email], the configurations in the registry also need to be added to the document [1]. After the very first server startup, even if we modify the certificate-validation.xml, the configurations will be read from the registry. So we have to disable the configuration in the ocspvalidator registry and crlvalidator registry in _system/governance/repository/security/certificate/validator/.

[hidden email] - Please confirm the above.


Thanks,
Piraveena 

Re: Issue in disabling CRL, and OCSP Validators when configuring x509 authenticator

Yvonne Wickramasinghe
Thanks for the feedback! Updated the docs accordingly.

Regards,
