Thanks for the feedback! Updated the docs <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation> accordingly.

Regards,

On Wed, Feb 13, 2019 at 9:34 AM Piraveena Paralogarajah <[email protected]> wrote:

> As mentioned by @Tharindu Edirisinghe <[email protected]>, the configurations in the registry also need to be added to the document [1]. After the very first server startup, even if we modify the certificate-validation.xml, the configurations will be read from the registry. So we have to disable the configuration in the ocspvalidator registry and crlvalidator registry in _system/governance/repository/security/certificate/validator/.
>
> @Indunil Upeksha Rathnayake <[email protected]> - Please confirm the above.
>
> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation
>
> Thanks,
> Piraveena
>
> *Piraveena Paralogarajah*
> Software Engineer | WSO2 Inc.
> *(m)* +94776099594 | *(e)* [email protected]
>
> On Wed, Feb 13, 2019 at 8:09 AM Tharindu Edirisinghe <[email protected]> wrote:
>
>> In [1], the configuration mentioned for disabling the validators will work only if the server has never been started up, because at the very first server startup it reads this file and creates a registry resource. So, if it is already created, later even if you modify the file, it won't get reflected. So, for turning off the validators, we need to browse the registry (of the particular tenant) from the Mgt Console and set the required properties of the registry resource.
>>
>> So we need to include the above info in the docs as well.
>> @Piraveena Paralogarajah <[email protected]>, @Indunil Upeksha Rathnayake <[email protected]> - Please confirm the above.
>>
>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation
>>
>> Thanks,
>> TharinduE
>>
>> On Tue, Feb 12, 2019 at 3:37 PM Yvonne Wickramasinghe <[email protected]> wrote:
>>
>>> Hi Piraveena and Indunil,
>>>
>>> As discussed, I added a new section called Disabling Certificate Validation <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation> with the steps required to disable the CRL and OCSP validators. Please check and let me know if you require any further changes.
>>>
>>> Regards,
>>>
>>> On Tue, Jan 29, 2019 at 10:08 AM Yvonne Wickramasinghe <[email protected]> wrote:
>>>
>>>> Hi Indunil,
>>>>
>>>> Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the requirements in detail.
>>>>
>>>> Regards,
>>>>
>>>> On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[email protected]> wrote:
>>>>
>>>>> Hi Indunil,
>>>>>
>>>>> The CRL & OCSP validators are enabled in the certificate-validation.xml file in IS 5.7.0 by default. So this triggers exceptions and X509 authentication fails. So by default the CRL & OCSP validators should be disabled. This step is not addressed in the documentation either.
>>>>>
>>>>> To overcome this issue, we now need to disable the /_system/governance/repository/security/certificate/validator registry. So could you please confirm whether it is necessary to disable the CRL and OCSP validators in the registry in IS 5.7.0 after the server starts, to make X509 authentication succeed?
>>>>>
>>>>> Thanks and Regards,
>>>>> Piraveena
>>>>>
>>>>> *Piraveena Paralogarajah*
>>>>> Software Engineer | WSO2 Inc.
>>>>>
>>>>> On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe <[email protected]>:
>>>>>> As per the CRL & OCSP implementation, all the certificate validator configurations in the certificate-validation.xml file will be added to the tenant registry in /_system/governance/repository/security/certificate/validator on the initial server startup and on tenant creation. There will be separate registry resources for each validator, with properties such as name, enable, priority etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on the enable flag and priority, the corresponding validators will get invoked.
>>>>>>
>>>>>> @Yvonne Wickramasinghe <[email protected]>: It seems that not all the necessary information in [1] has been included in the WSO2 documentation. Can you please add all the information in there.
>>>>>>
>>>>>> @Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama <[email protected]> @Nirdesha Munasinghe <[email protected]> @WSO2 Documentation Group <[email protected]>: This X509 Authenticator documentation is really not in good shape. The steps are not in order and not clear; we need to restructure the page. Can you please schedule a meeting to discuss this matter.
>>>>>>
>>>>>> [1] https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit
>>>>>>
>>>>>> Thanks and Regards
>>>>>>
>>>>>> On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Indunil,
>>>>>>>
>>>>>>> Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> TharinduE
>>>>>>>
>>>>>>> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I'm working on configuring the x509Certificate Authenticator using WSO2 IS version 5.8.0. I did all the configurations as mentioned in the doc [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>, and I got the error given below.
>>>>>>>>
>>>>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>>>>
>>>>>>>> [2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>>>>>>>> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>>>>>>>>
>>>>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>>>>
>>>>>>>> So I disabled CRLValidator and OCSPValidator in the certificate-validation.xml file in ${IS_HOME}/repository/conf/security/, but the changes were not getting picked up. According to the implementation in RevocationValidationManagerImpl.java in the identity-x509-revocation extension, the CRL and OCSP validators are read from the registry repository/security/certificate/validator. This is quite confusing, since we need to modify the certificate-validation.xml as well as the registry to disable CRLValidator and OCSPValidator.
>>>>>>>>
>>>>>>>> The doc on Configuring x509Certificate Authenticator [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator> also does not mention the changes that need to be made in the configuration file and the registry to disable CRL and OCSP.
>>>>>>>>
>>>>>>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Piraveena
>>>>>>>>
>>>>>>>> *Piraveena Paralogarajah*
>>>>>>>> Software Engineer | WSO2 Inc.
>>>>>>>
>>>>>>> --
>>>>>>> Tharindu Edirisinghe
>>>>>>> Associate Technical Lead | WSO2 Inc
>>>>>>> Platform Security Team
>>>>>>> Blog : http://tharindue.blogspot.com
>>>>>>> mobile : +94 775181586
>>>>>>
>>>>>> --
>>>>>> Indunil Upeksha Rathnayake
>>>>>> Senior Software Engineer | WSO2 Inc
>>>>>> Email [email protected]
>>>>>> Mobile 0772182255
>>>>
>>>> --
>>>> *Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc.
>>>> (m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected]
>>>
>>> --
>>> *Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc.
>>
>> --
>> Tharindu Edirisinghe
>> Associate Technical Lead | WSO2 Inc

--
*Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc.
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
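The thread's point, restated in code as an added example (this is not WSO2 code and not written by anyone on the thread): certificate-validation.xml is consulted only at the very first server start-up, when one registry resource per validator is created under /_system/governance/repository/security/certificate/validator; from then on RevocationValidationManagerImpl reads the registry resources, so editing the XML alone changes nothing. The script parses a constructed copy of the file and a constructed snapshot of the registry resources, works out which configuration is actually in force, lists the validators in invocation order, and flags every enable flag that differs between file and registry, since those are the edits that silently have no effect. The element and attribute names in the XML and the shape of the registry snapshot are assumptions for illustration, not taken from the page; compare them against your own IS_HOME/repository/conf/security/certificate-validation.xml and the resource properties shown in the Mgt Console registry browser. One caveat the thread does not spell out: when both validators are disabled, the order comes back empty and no revocation check runs at all, so a revoked client certificate is accepted. The exception in the logs above is the opposite (fail-closed) behaviour, where a validator that cannot obtain a status rejects the certificate.

```python
"""Effective CRL/OCSP validator configuration after first start-up.

Added example, not WSO2 code. Models the behaviour described in the thread:
the XML file is read only at first start-up; afterwards the per-validator
registry resources are authoritative. XML schema and registry dump format
below are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

REGISTRY_BASE = "/_system/governance/repository/security/certificate/validator"

# Constructed sample: the file as an operator edited it *after* first start-up,
# believing this turns both validators off. (Element/attribute names assumed.)
CERT_VALIDATION_XML = """\
<CertificateValidation>
  <Validators>
    <Validator name="CRLValidator" displayName="CRLValidator" enable="false">
      <Parameter name="priority">1</Parameter>
    </Validator>
    <Validator name="OCSPValidator" displayName="OCSPValidator" enable="false">
      <Parameter name="priority">2</Parameter>
    </Validator>
  </Validators>
</CertificateValidation>
"""

# Constructed sample: registry resources persisted at first start-up. Resource
# names crlvalidator/ocspvalidator and the name/enable/priority properties are
# the ones the thread mentions; the dict layout is an assumption.
REGISTRY_SNAPSHOT = {
    REGISTRY_BASE + "/crlvalidator": {"name": "CRLValidator", "enable": "true", "priority": "1"},
    REGISTRY_BASE + "/ocspvalidator": {"name": "OCSPValidator", "enable": "true", "priority": "2"},
}


def _flag(value):
    """Interpret an XML attribute or registry property as a boolean."""
    return str(value).strip().lower() == "true"


def parse_file_config(xml_text):
    """Validator name -> {enable, priority} as declared in certificate-validation.xml."""
    cfg = {}
    for v in ET.fromstring(xml_text).iter("Validator"):
        prio = v.find("Parameter[@name='priority']")
        cfg[v.get("name")] = {
            "enable": _flag(v.get("enable", "false")),
            "priority": int(prio.text) if prio is not None else 0,
        }
    return cfg


def parse_registry(snapshot):
    """Validator name -> {enable, priority, path} from the per-validator registry resources."""
    return {
        props["name"]: {
            "enable": _flag(props.get("enable", "false")),
            "priority": int(props.get("priority", 0)),
            "path": path,
        }
        for path, props in snapshot.items()
    }


def effective_config(file_cfg, registry_cfg, first_startup):
    """The file is only consulted when the registry resources do not exist yet."""
    if first_startup or not registry_cfg:
        return file_cfg
    return registry_cfg


def validation_order(cfg):
    """Enabled validators in invocation order (lowest priority value first)."""
    ordered = sorted(cfg.items(), key=lambda kv: kv[1]["priority"])
    return [name for name, c in ordered if c["enable"]]


def drift(file_cfg, registry_cfg):
    """Validators whose enable flag in the file disagrees with the registry.

    These edits have no effect after first start-up: change the registry
    resource (per tenant, via the Mgt Console), not the file.
    """
    return sorted(
        n for n in file_cfg
        if n in registry_cfg and file_cfg[n]["enable"] != registry_cfg[n]["enable"]
    )


def revocation_checked(cfg):
    """False means no validator runs and a revoked client certificate is accepted."""
    return bool(validation_order(cfg))


if __name__ == "__main__":
    file_cfg = parse_file_config(CERT_VALIDATION_XML)
    reg_cfg = parse_registry(REGISTRY_SNAPSHOT)
    live = effective_config(file_cfg, reg_cfg, first_startup=False)
    print("file says       :", validation_order(file_cfg) or "no revocation checking")
    print("registry says   :", validation_order(reg_cfg) or "no revocation checking")
    print("effective (live):", validation_order(live) or "no revocation checking")
    for name in drift(file_cfg, reg_cfg):
        print(f"WARNING: {name} enable flag in the file differs from {reg_cfg[name]['path']}")
```

Run against the constructed inputs, the file reports no validators while the registry (and therefore the live server) still runs CRLValidator then OCSPValidator, and both validators are reported as drifted. Point parse_file_config at the real file and fill REGISTRY_SNAPSHOT from the properties shown in the registry browser to reproduce the check on an actual installation; the same drift test is worth running after any upgrade, since a new certificate-validation.xml shipped with a release will not override registry resources that already exist.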
