In [1], the configuration mentioned for disabling the validators will work only if the server has never been started. At the very first server startup, it reads this file and creates a registry resource. So, if that resource has already been created, modifying the file later won't get reflected. So, for turning off the validators, we need to browse the registry (of the particular tenant) from the Mgt Console and set the required properties of the registry resource.

So we need to include the above info in the docs as well. @Piraveena Paralogarajah <[email protected]>, @Indunil Upeksha Rathnayake <[email protected]> - Please confirm the above.

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation

Thanks,
TharinduE

On Tue, Feb 12, 2019 at 3:37 PM Yvonne Wickramasinghe <[email protected]> wrote:

> Hi Piraveena and Indunil,
>
> As discussed, I added a new section called Disabling Certificate Validation
> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation>
> with the steps required to disable the CRL and OCSP validators. Please check and let me know if you require any further changes.
>
> Regards,
>
> On Tue, Jan 29, 2019 at 10:08 AM Yvonne Wickramasinghe <[email protected]> wrote:
>
>> Hi Indunil,
>>
>> Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the requirements in detail.
>>
>> Regards,
>>
>> On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[email protected]> wrote:
>>
>>> Hi Indunil,
>>>
>>> CRL & OCSP validators are enabled in the certificate-validation.xml file in IS 5.7.0 by default. So this triggers exceptions and X509 Authentication fails. So by default the CRL & OCSP validators should be disabled. This step is not addressed in the documentation either.
>>>
>>> To overcome this issue, we now need to disable the /_system/governance/repository/security/certificate/validator registry resource. So could you please confirm whether it is necessary to disable the CRL and OCSP validators in the registry in IS 5.7.0 after the server starts, to make X509 Authentication succeed?
>>>
>>> Thanks and Regards,
>>> Piraveena
>>>
>>> *Piraveena Paralogarajah*
>>> Software Engineer | WSO2 Inc.
>>> *(m)* +94776099594 | *(e)* [email protected]
>>>
>>> On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe <[email protected]>:
>>>> As per the CRL & OCSP implementation, all the certificate validator configurations in the certificate-validation.xml file will be added to the tenant registry in /_system/governance/repository/security/certificate/validator on the initial server startup and on tenant creation. There will be separate registry resources for each validator, with properties such as name, enable, priority etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on the enable flag and the priority, the corresponding validators will get invoked.
>>>>
>>>> @Yvonne Wickramasinghe <[email protected]>: It seems all the necessary information in [1] has not been included in the WSO2 documentation. Can you please add all the information in there.
>>>>
>>>> @Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama <[email protected]> @Nirdesha Munasinghe <[email protected]> @WSO2 Documentation Group <[email protected]>: This X509 Authenticator documentation is really not in good shape. The steps are not in order and not clear; we need to restructure the page. Can you guys please schedule a meeting to discuss this matter.
>>>>
>>>> [1] https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit
>>>>
>>>> Thanks and Regards
>>>>
>>>> On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]> wrote:
>>>>
>>>>> Hi Indunil,
>>>>>
>>>>> Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?
>>>>>
>>>>> Thanks,
>>>>> TharinduE
>>>>>
>>>>> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm working on configuring the x509Certificate Authenticator using WSO2 IS version 5.8.0. I did all the configurations as mentioned in the doc [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>, and I got the error given below.
>>>>>>
>>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>>
>>>>>> [2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>>>>>> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>>
>>>>>> So I disabled CRLValidator and OCSPValidator in the certificate-validation.xml file in ${IS_HOME}/repository/conf/security/, but the changes were not getting picked up. According to the implementation in RevocationValidationManagerImpl.java in the identity-x509-revocation extension, the CRL and OCSP validators are read from the registry at repository/security/certificate/validator. This is quite confusing, since we need to modify the certificate-validation.xml as well as the registry to disable CRLValidator and OCSPValidator.
>>>>>>
>>>>>> The doc on Configuring x509Certificate Authenticator [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator> does not mention the changes that need to be made in the configuration file and in the registry to disable CRL and OCSP either.
>>>>>>
>>>>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>>>>>
>>>>>> Regards,
>>>>>> Piraveena
>>>>>>
>>>>>> *Piraveena Paralogarajah*
>>>>>> Software Engineer | WSO2 Inc.
>>>>>> *(m)* +94776099594 | *(e)* [email protected]
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "WSO2 Documentation Group" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>>>>>
>>>>> --
>>>>> Tharindu Edirisinghe
>>>>> Associate Technical Lead | WSO2 Inc
>>>>> Platform Security Team
>>>>> Blog : http://tharindue.blogspot.com
>>>>> mobile : +94 775181586
>>>>
>>>> --
>>>> Indunil Upeksha Rathnayake
>>>> Senior Software Engineer | WSO2 Inc
>>>> Email [email protected]
>>>> Mobile 0772182255
>>
>> --
>> *Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc.
>> (m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected]
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>> [image: https://wso2.com/signature]
>
> --
> *Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc.
> (m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected]
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business
> [image: https://wso2.com/signature]

--
Tharindu Edirisinghe
Associate Technical Lead | WSO2 Inc
Platform Security Team
Blog : http://tharindue.blogspot.com
mobile : +94 775181586
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
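The seed-once behaviour the thread describes (validator configs copied from certificate-validation.xml into per-validator registry resources on the first startup, validators then loaded from the registry by enable flag and priority, the file ignored afterwards) is modelled below as an added example. It is not part of the thread and not WSO2's code. The XML layout, the dict-based registry, the `lookup` callbacks and the helper names (`seed_registry`, `load_validators`, `set_validator_enabled`, `verify_revocation_status`) are constructed stand-ins; only the file name, the registry path and the name/enable/priority properties come from the thread. The order in which validators are tried is an assumption based on the posted log (OCSP failed, then CRL was tried). The last step shows the caveat a practitioner should weigh before applying the workaround: with both validators disabled no revocation check runs at all, so a revoked client certificate authenticates.

```python
"""Model of the seed-once validator registry described in the thread.

Added example, not WSO2 code. The XML layout, the dict-based registry and the
helper names are constructed stand-ins; only the file name, the registry path
and the name/enable/priority properties come from the thread.
"""
import xml.etree.ElementTree as ET

REGISTRY_BASE = "/_system/governance/repository/security/certificate/validator"

# Constructed approximation of repository/conf/security/certificate-validation.xml
# (element and attribute names are assumptions, not the product's real schema).
CONFIG_XML = """<CertificateValidation>
  <Validators>
    <Validator displayName="CRLValidator" enable="true" priority="1"/>
    <Validator displayName="OCSPValidator" enable="true" priority="2"/>
  </Validators>
</CertificateValidation>"""


class CertificateValidationException(Exception):
    """Raised when no enabled validator can determine the revocation status."""


def seed_registry(registry: dict, config_xml: str) -> bool:
    """First-startup step: copy each validator's config into its own registry
    resource. Returns False without touching anything if the resources already
    exist, which is why later edits to the XML file have no effect."""
    if any(path.startswith(REGISTRY_BASE + "/") for path in registry):
        return False
    for v in ET.fromstring(config_xml).iter("Validator"):
        name = v.get("displayName")
        registry[f"{REGISTRY_BASE}/{name}"] = {
            "name": name,
            "enable": v.get("enable", "false"),
            "priority": int(v.get("priority", "0")),
        }
    return True


def load_validators(registry: dict) -> list:
    """Runtime step: read validator resources from the registry (never from the
    file), keep the enabled ones and order them by priority."""
    configs = [r for p, r in registry.items() if p.startswith(REGISTRY_BASE + "/")]
    enabled = [c for c in configs if c["enable"].strip().lower() == "true"]
    return sorted(enabled, key=lambda c: c["priority"])


def set_validator_enabled(registry: dict, name: str, enabled: bool) -> None:
    """The fix the thread arrives at: edit the 'enable' property on the registry
    resource itself (in the product, via the Mgt Console registry browser)."""
    registry[f"{REGISTRY_BASE}/{name}"]["enable"] = "true" if enabled else "false"


def verify_revocation_status(registry: dict, cert: dict, lookup) -> str:
    """Ask each enabled validator in priority order. `lookup(name, cert)` stands
    in for the CRL/OCSP fetch and returns 'good', 'revoked', or None when the
    status cannot be determined (no reachable CDP or OCSP responder). The first
    definite answer wins; if every validator is indeterminate the check fails
    closed, as in the posted exceptions. With no enabled validators nothing is
    checked at all and a revoked certificate passes."""
    validators = load_validators(registry)
    if not validators:
        return "unchecked"
    failures = []
    for v in validators:
        status = lookup(v["name"], cert)
        if status in ("good", "revoked"):
            return status
        failures.append(f"Validator: {v['name']} couldn't validate the revocation "
                        f"status of certificate with serial num: {cert['serial']}")
    raise CertificateValidationException("; ".join(failures))


def unreachable(name, cert):
    """Constructed lookup: the CA's CRL and OCSP endpoints cannot be reached."""
    return None


def ocsp_says_revoked(name, cert):
    """Constructed lookup: CRL unavailable, OCSP responder reports revocation."""
    return "revoked" if name == "OCSPValidator" else None


if __name__ == "__main__":
    registry = {}
    cert = {"serial": 14756929408771586256}  # serial from the posted log
    print("seeded on first start:", seed_registry(registry, CONFIG_XML))
    edited = CONFIG_XML.replace('enable="true"', 'enable="false"')
    print("re-seeded after editing the file:", seed_registry(registry, edited))
    print("still enabled:", [v["name"] for v in load_validators(registry)])
    try:
        verify_revocation_status(registry, cert, unreachable)
    except CertificateValidationException as e:
        print("fail closed:", e)
    print("reachable OCSP responder:",
          verify_revocation_status(registry, cert, ocsp_says_revoked))
    for name in ("CRLValidator", "OCSPValidator"):
        set_validator_enabled(registry, name, False)
    print("after disabling in the registry:",
          verify_revocation_status(registry, cert, ocsp_says_revoked))
```

Run it with `python3`; the second `seed_registry` call returning False is the behaviour Tharindu describes, and the final line shows that the registry workaround silences the exception by skipping revocation checking entirely rather than by making it succeed.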
