Hi Indunil,

CRL & OCSP validators are enabled in the certificate-validation.xml file in IS
5.7.0 by default. So this triggers exceptions and X509 Authentication
fails. So by default CRL & OCSP validators should be disabled. This step is
not addressed in the documentation as well.

To overcome this issue, now we need to
disable /_system/governance/repository/security/certificate/validator in the
registry. So could you please confirm whether it is necessary to
disable the CRL and OCSP validators in the registry in IS 5.7.0 after the
server starts to make X509 Authentication succeed?

Thanks and Regards,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* [email protected]



On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[email protected]>
wrote:

> Hi,
>
> @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe
> <[email protected]> :
> As per the CRL & OCSP implementation, all the certificate validator
> configurations in certificate-validation.xml file, will be added to tenant
> registry in /_system/governance/repository/security/certificate/validator
> on the initial server start up and tenant creation. There will be separate
> registry resources for each validator with properties as name, enable,
> priority etc. During the certificate validation process, all the
> validator configs will be loaded from the registry and based on the
> enabled status and priority, corresponding validators will get invoked.
>
> @Yvonne Wickramasinghe <[email protected]> : Seems all the necessary
> information in [1], has not been included into the WSO2 documentation. Can
> you please add all the information in there.
>
> @Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama
> <[email protected]> @Nirdesha Munasinghe <[email protected]> @WSO2
> Documentation Group <[email protected]> : This X509 Authenticator
> documentation is really not in good shape. The steps are not in order & not
> clear, we need to restructure the page. Can you guys please schedule a
> meeting to discuss this matter.
>
> [1]
> https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit
>
> Thanks and Regards
>
> On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]>
> wrote:
>
>> Hi Indunil,
>>
>> Could you please confirm that the CRL and OCSP validators should be
>> turned on/off from the registry resource after an initial server startup,
>> instead of making changes in the certificate-validation.xml file?
>>
>> Thanks,
>> TharinduE
>>
>> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> I'm working on configuring the x509Certificate Authenticator using WSO2 IS
>>> version 5.8.0. I did all configurations as mentioned in the doc [1]
>>> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>,
>>> and I got the error as given below.
>>>
>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException:
>>> Validator: OCSPValidatorcouldn't validate the revocation status of
>>> certificate with serial num: 14756929408771586256
>>>
>>> at
>>> org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>
>>> at
>>> org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>
>>> at
>>> org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>
>>> at
>>> org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>
>>> 2019-01-17 11:49:05,175]  INFO
>>> {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl}
>>> -  X509 Certificate validation with CRLValidator
>>>
>>> [2019-01-17 11:49:05,176] DEBUG
>>> {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl}
>>> -  Certificate validation is not successful.
>>>
>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException:
>>> Validator: CRLValidatorcouldn't validate the revocation status of
>>> certificate with serial num: 14756929408771586256
>>>
>>> at
>>> org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>
>>> at
>>> org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>
>>> at
>>> org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>
>>> at
>>> org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>
>>>
>>> So I disabled CRLValidator and OCSPValidator
>>> in the certificate-validation.xml file in ${IS_HOME}/repository/conf/security/,
>>> but the changes were not getting updated. According to the
>>> implementation in RevocationValidationManagerImpl.java in the
>>> identity-x509-revocation extension, the CRL and OCSP validators are read
>>> from the registry repository/security/certificate/validator. This is
>>> quite confusing since we need to modify the certificate-validation.xml
>>> as well as the registry to disable CRLValidator and OCSPValidator.
>>>
>>>
>>> The doc on Configuring x509Certificate Authenticator [1]
>>> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>
>>> does not refer to the changes that need to be done in the configuration file and
>>> the registry to disable CRL and OCSP as well.
>>>
>>>
>>> [1]
>>> https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>>
>>> Regards,
>>> Piraveena
>>>
>>> *Piraveena Paralogarajah*
>>> Software Engineer | WSO2 Inc.
>>> *(m)* +94776099594 | *(e)* [email protected]
>>>
>>>
>>
>>
>> --
>>
>> Tharindu Edirisinghe
>> Associate Technical Lead | WSO2 Inc
>> Platform Security Team
>> Blog : http://tharindue.blogspot.com
>> mobile : +94 775181586
>>
>
>
> --
> Indunil Upeksha Rathnayake
> Senior Software Engineer | WSO2 Inc
> Email    [email protected]
> Mobile   0772182255
>
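The behaviour Indunil describes (validator entries copied from certificate-validation.xml into the registry on the first start-up, then the enabled validators invoked in priority order) is what caused the confusion earlier in the thread, so here is an added Python model of it. This is example code written for this thread, not WSO2's implementation: the XML element names, the in-memory `Registry` class, the checker interface and the fall-through behaviour between validators are assumptions, the last one modelled on the log output quoted above (OCSPValidator tried first, then CRLValidator, then "validation is not successful"). The serial number is the one from the quoted log.

```python
"""Added example (not WSO2 code): model of the validator bootstrap and
dispatch described in the thread. XML layout, Registry and the checker
interface are assumptions made for this example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List

# Registry path named in the thread where the per-validator resources live.
REGISTRY_PATH = "/_system/governance/repository/security/certificate/validator"

# Constructed stand-in for certificate-validation.xml (schema assumed).
# Priorities mirror the quoted log: OCSP was tried before CRL.
XML_BOTH_ENABLED = """<CertificateValidation>
  <Validator name="OCSPValidator" enable="true" priority="1"/>
  <Validator name="CRLValidator" enable="true" priority="2"/>
</CertificateValidation>"""
XML_BOTH_DISABLED = XML_BOTH_ENABLED.replace('enable="true"', 'enable="false"')


class CertificateValidationException(Exception):
    """Raised when no enabled validator could decide the revocation status."""


@dataclass(frozen=True)
class ValidatorConfig:
    name: str
    enable: bool
    priority: int


class Registry:
    """Minimal in-memory stand-in for the Carbon registry (assumption)."""
    def __init__(self) -> None:
        self._resources: Dict[str, Dict[str, str]] = {}

    def exists(self, path: str) -> bool:
        return path in self._resources

    def put(self, path: str, properties: Dict[str, str]) -> None:
        self._resources[path] = dict(properties)

    def get(self, path: str) -> Dict[str, str]:
        return dict(self._resources[path])

    def children(self, base: str) -> List[str]:
        return sorted(p for p in self._resources if p.startswith(base + "/"))


def load_xml_configs(xml_text: str) -> List[ValidatorConfig]:
    """Parse validator entries from the (assumed) XML layout."""
    root = ET.fromstring(xml_text)
    return [ValidatorConfig(v.get("name"),
                            v.get("enable", "false").lower() == "true",
                            int(v.get("priority", "0")))
            for v in root.iter("Validator")]


def bootstrap(registry: Registry, xml_text: str) -> None:
    """Copy XML configs into the registry on the initial start-up only.
    Existing resources are left alone, so editing the XML afterwards
    changes nothing: that is the situation hit earlier in the thread."""
    for cfg in load_xml_configs(xml_text):
        path = f"{REGISTRY_PATH}/{cfg.name}"
        if not registry.exists(path):
            registry.put(path, {"name": cfg.name,
                                "enable": str(cfg.enable).lower(),
                                "priority": str(cfg.priority)})


def load_registry_configs(registry: Registry) -> List[ValidatorConfig]:
    """Enabled validators from the registry, lowest priority value first."""
    configs = []
    for path in registry.children(REGISTRY_PATH):
        p = registry.get(path)
        configs.append(ValidatorConfig(p["name"], p["enable"] == "true",
                                       int(p["priority"])))
    return sorted((c for c in configs if c.enable), key=lambda c: c.priority)


# A checker returns True if the serial is revoked, False if it is good, and
# raises OSError when the CRL distribution point / OCSP responder is unreachable.
Checker = Callable[[int], bool]


def verify_revocation_status(registry: Registry, serial: int,
                             checkers: Dict[str, Checker]) -> bool:
    """Run enabled validators in priority order; first definite answer wins.
    A validator that cannot decide is skipped (as in the quoted log); if none
    can decide, validation fails closed. With every validator disabled there
    is nothing to run, so the certificate passes with no revocation check at
    all: that is the security cost of disabling them (assumed behaviour)."""
    failures = []
    for cfg in load_registry_configs(registry):
        try:
            return checkers[cfg.name](serial)
        except OSError as exc:
            failures.append(f"Validator: {cfg.name} couldn't validate the "
                            f"revocation status of certificate with serial "
                            f"num: {serial} ({exc})")
    if failures:
        raise CertificateValidationException("; ".join(failures))
    return False


if __name__ == "__main__":
    reg = Registry()
    bootstrap(reg, XML_BOTH_ENABLED)
    bootstrap(reg, XML_BOTH_DISABLED)  # no effect after the first start-up
    print([c.name for c in load_registry_configs(reg)])
```

Run it as a script to see that the second `bootstrap` call with the "disabled" XML leaves both validators enabled; only a `put` on the registry resource flips them off, and once they are off `verify_revocation_status` returns without consulting any CRL or OCSP responder, which is the trade-off worth writing down next to the documentation step the thread asks for.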
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev