As mentioned by @Tharindu Edirisinghe <[email protected]>, the configurations in the registry also need to be added to the document [1]. After the very first server startup, even if we modify the certificate-validation.xml, the configurations will be read from the registry. So we have to disable the configuration in the ocspvalidator registry and crlvalidator registry in _system/governance/repository/security/certificate/validator/.

@Indunil Upeksha Rathnayake <[email protected]> - Please confirm above.

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* [email protected]

On Wed, Feb 13, 2019 at 8:09 AM Tharindu Edirisinghe <[email protected]> wrote:

> In [1], the configuration mentioned for disabling the validators will work only if the server is never started up. Because at the very first server startup, it reads this file and creates a registry resource. So, if it is already created, later even if you modify the file, it won't get reflected. So, for turning off the validators, we need to browse the registry (of the particular tenant) from the Mgt Console and set the required properties of the registry resource.
>
> So we need to include the above info in the docs as well.
> @Piraveena Paralogarajah <[email protected]>, @Indunil Upeksha Rathnayake <[email protected]> - Please confirm above.
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation
>
> Thanks,
> TharinduE
>
> On Tue, Feb 12, 2019 at 3:37 PM Yvonne Wickramasinghe <[email protected]> wrote:
>
>> Hi Piraveena and Indunil,
>>
>> As discussed, I added a new section called Disabling Certificate Validation <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation> with the steps required to disable CRL and OCSP validators. Please check and let me know if you require any further changes.
>>
>> Regards,
>>
>> On Tue, Jan 29, 2019 at 10:08 AM Yvonne Wickramasinghe <[email protected]> wrote:
>>
>>> Hi Indunil,
>>>
>>> Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the requirements in detail.
>>>
>>> Regards,
>>>
>>> On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[email protected]> wrote:
>>>
>>>> Hi Indunil,
>>>>
>>>> CRL & OCSP validators are enabled in the certificate-validation.xml file in IS 5.7.0 by default. So this triggers exceptions and X509 Authentication fails. So by default CRL & OCSP validators should be disabled. This step is not addressed in the documentation as well.
>>>>
>>>> To overcome this issue, now we need to disable the /_system/governance/repository/security/certificate/validator registry. So could you please confirm whether it is necessary to disable the CRL and OCSP validators in the registry in IS 5.7.0 after the server starts to make X509 Authentication succeed?
>>>>
>>>> Thanks and Regards,
>>>> Piraveena
>>>>
>>>> *Piraveena Paralogarajah*
>>>> Software Engineer | WSO2 Inc.
>>>> *(m)* +94776099594 | *(e)* [email protected]
>>>>
>>>> On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe <[email protected]> :
>>>>> As per the CRL & OCSP implementation, all the certificate validator configurations in the certificate-validation.xml file will be added to the tenant registry in /_system/governance/repository/security/certificate/validator on the initial server start up and tenant creation. There will be separate registry resources for each validator with properties such as name, enable, priority etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on the enabled state and priority, the corresponding validators will get invoked.
>>>>>
>>>>> @Yvonne Wickramasinghe <[email protected]> : Seems all the necessary information in [1] has not been included in the WSO2 documentation. Can you please add all the information in there.
>>>>>
>>>>> @Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama <[email protected]> @Nirdesha Munasinghe <[email protected]> @WSO2 Documentation Group <[email protected]> : This X509 Authenticator documentation is really not in good shape. The steps are not in order & not clear; we need to restructure the page. Can you guys please schedule a meeting to discuss this matter.
>>>>>
>>>>> [1] https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit
>>>>>
>>>>> Thanks and Regards
>>>>>
>>>>> On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]> wrote:
>>>>>
>>>>>> Hi Indunil,
>>>>>>
>>>>>> Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?
>>>>>>
>>>>>> Thanks,
>>>>>> TharinduE
>>>>>>
>>>>>> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm working on configuring the x509Certificate Authenticator using WSO2 IS version 5.8.0. I did all configurations as mentioned in the doc [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>, and I got the error as given below.
>>>>>>>
>>>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>>>>   at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>>>   at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>>>   at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>>>   at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>>>
>>>>>>> 2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>>>>>>> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>>>>>>>
>>>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>>>>   at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>>>   at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>>>   at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>>>   at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>>>
>>>>>>> So I disabled CRLValidator and OCSPValidator in the certificate-validation.xml file in ${IS_HOME}/repository/conf/security/, but the changes were not getting updated. According to the implementation in RevocationValidationManagerImpl.java in the identity-x509-revocation extension, the CRL and OCSP validators are read from the registry repository/security/certificate/validator. This causes quite some confusion, since we need to modify the certificate-validation.xml as well as the registry to disable CRLValidator and OCSPValidator.
>>>>>>>
>>>>>>> The doc on Configuring x509Certificate Authenticator [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator> does not refer to the changes that need to be done in the configuration file and the registry to disable CRL and OCSP as well.
>>>>>>> >>>>>>> >>>>>>> [1] >>>>>>> https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator >>>>>>> >>>>>>> Regards, >>>>>>> Piraveena >>>>>>> >>>>>>> *Piraveena Paralogarajah* >>>>>>> Software Engineer | WSO2 Inc. >>>>>>> *(m)* +94776099594 | *(e)* [email protected] >>>>>>> >>>>>>> -- >>>>>>> You received this message because you are subscribed to the Google >>>>>>> Groups "WSO2 Documentation Group" group. >>>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>>> send an email to [email protected]. >>>>>>> For more options, visit >>>>>>> https://groups.google.com/a/wso2.com/d/optout. >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> >>>>>> Tharindu Edirisinghe >>>>>> Associate Technical Lead | WSO2 Inc >>>>>> Platform Security Team >>>>>> Blog : http://tharindue.blogspot.com >>>>>> mobile : +94 775181586 >>>>>> >>>>> >>>>> >>>>> -- >>>>> Indunil Upeksha Rathnayake >>>>> Senior Software Engineer | WSO2 Inc >>>>> Email [email protected] >>>>> Mobile 0772182255 >>>>> >>>> >>> >>> -- >>> >>> *Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc. >>> (m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected] >>> GET INTEGRATION AGILE >>> Integration Agility for Digitally Driven Business >>> [image: https://wso2.com/signature] >>> >> >> >> -- >> >> *Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc. >> (m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected] >> GET INTEGRATION AGILE >> Integration Agility for Digitally Driven Business >> [image: https://wso2.com/signature] >> > > > -- > > Tharindu Edirisinghe > Associate Technical Lead | WSO2 Inc > Platform Security Team > Blog : http://tharindue.blogspot.com > mobile : +94 775181586 >
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
