Hi, @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe <[email protected]> : As per the CRL & OCSP implementation, all the certificate validator configurations in the certificate-validation.xml file will be added to the tenant registry at /_system/governance/repository/security/certificate/validator on the initial server startup and on tenant creation. There will be a separate registry resource for each validator, with properties such as name, enable, priority etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on the enabled state and priority, the corresponding validators will get invoked.
@Yvonne Wickramasinghe <[email protected]> : It seems all the necessary information in [1] has not been included in the WSO2 documentation. Can you please add all of that information there.

@Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama <[email protected]> @Nirdesha Munasinghe <[email protected]> @WSO2 Documentation Group <[email protected]> : This X509 Authenticator documentation is really not in good shape. The steps are not in order and not clear; we need to restructure the page. Can you please schedule a meeting to discuss this matter.

[1] https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit

Thanks and Regards

On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]> wrote:
> Hi Indunil,
>
> Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in the certificate-validation.xml file?
>
> Thanks,
> TharinduE
>
> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:
>
>> Hi,
>>
>> I'm working on configuring the x509Certificate Authenticator using WSO2 IS version 5.8.0. I did all the configurations as mentioned in the doc [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>, and I got the error given below.
>>
>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>> at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>> at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>> at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>> at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>
>> 2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>>
>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>> at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>> at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>> at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>> at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>
>> So I disabled CRLValidator and OCSPValidator in the certificate-validation.xml file in ${IS_HOME}/repository/conf/security/, but the changes were not getting picked up. According to the implementation in RevocationValidationManagerImpl.java in the identity-x509-revocation extension, the CRL and OCSP validators are read from the registry at repository/security/certificate/validator. This causes quite some confusion, since we need to modify certificate-validation.xml as well as the registry to disable CRLValidator and OCSPValidator.
>>
>> The doc on Configuring x509Certificate Authenticator [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator> does not mention the changes that need to be done in the configuration file and the registry to disable CRL and OCSP as well.
>>
>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>
>> Regards,
>> Piraveena
>>
>> *Piraveena Paralogarajah*
>> Software Engineer | WSO2 Inc.
>> *(m)* +94776099594 | *(e)* [email protected]
>>
>> --
>> You received this message because you are subscribed to the Google Groups "WSO2 Documentation Group" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>>
>
> --
>
> Tharindu Edirisinghe
> Associate Technical Lead | WSO2 Inc
> Platform Security Team
> Blog : http://tharindue.blogspot.com
> mobile : +94 775181586
>

--
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc
Email [email protected]
Mobile 0772182255
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
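To make the behaviour described in this thread concrete, here is an added Python model of it; it is not WSO2's code and not the source of RevocationValidationManagerImpl. The registry path and the name/enable/priority properties come from the thread; the Registry class, the seed-on-first-startup rule, and the "first validator that answers wins, otherwise fail closed" rule are assumptions made for the illustration.

```python
# Added illustration (not WSO2 code): models the config-seeding and validator
# selection behaviour described in the thread. Registry path and property names
# are from the thread; the manager logic is a simplified, assumed stand-in.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

REGISTRY_PATH = "/_system/governance/repository/security/certificate/validator"


class CertificateValidationException(Exception):
    """Raised when a validator cannot determine a certificate's revocation status."""


@dataclass
class Registry:
    """In-memory stand-in for the tenant registry (constructed for this example)."""
    resources: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def seed_from_config(self, xml_validators: List[Dict[str, str]]) -> None:
        # Runs on initial startup / tenant creation: each validator entry from
        # certificate-validation.xml becomes its own registry resource. An
        # existing resource is never overwritten, so later edits to the XML
        # alone do not change what the server reads at validation time.
        for cfg in xml_validators:
            key = f"{REGISTRY_PATH}/{cfg['name']}"
            self.resources.setdefault(key, dict(cfg))

    def enabled_validators(self) -> List[str]:
        # Only the registry properties are consulted: keep enable == "true",
        # then order by ascending priority (lower value runs first; assumed).
        active = [r for r in self.resources.values() if r["enable"] == "true"]
        return [r["name"] for r in sorted(active, key=lambda r: int(r["priority"]))]


def verify_revocation_status(registry: Registry, serial: int,
                             impls: Dict[str, Callable[[int], bool]]) -> bool:
    """Invoke enabled validators by priority; True means revoked, False means good.

    A validator that cannot answer raises; the manager falls through to the next
    one (as the OCSP-then-CRL log in the thread shows) and fails closed if none
    can answer, so an unverifiable certificate is never silently accepted.
    """
    for name in registry.enabled_validators():
        try:
            return impls[name](serial)
        except CertificateValidationException:
            continue  # next validator in priority order
    raise CertificateValidationException(
        f"no validator could determine the revocation status of serial {serial}")
```

Disabling a validator therefore has to be done on its registry resource (the `enable` property), not only in certificate-validation.xml, which is exactly the mismatch reported above.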
