Hi Indunil,

Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the requirements in detail.

Regards,

On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[email protected]> wrote:

> Hi Indunil,
>
> CRL & OCSP validators are enabled in certificate-validation.xml file in IS 5.7.0 by default. So this triggers exceptions and X509 Authentication fails. So by default CRL & OCSP validators should be disabled. This step is not addressed in the documentation as well.
>
> To overcome this issue, now we need to disable /_system/governance/repository/security/certificate/validator registry. So could you please confirm whether it is necessary to disable the CRL and OCSP validators in the registry in IS 5.7.0 after the server starts to make X509 Authentication succeed?
>
> Thanks and Regards,
> Piraveena
>
> *Piraveena Paralogarajah*
> Software Engineer | WSO2 Inc.
> *(m)* +94776099594 | *(e)* [email protected]
>
> On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[email protected]> wrote:
>
>> Hi,
>>
>> @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe <[email protected]> :
>> As per the CRL & OCSP implementation, all the certificate validator configurations in certificate-validation.xml file will be added to the tenant registry in /_system/governance/repository/security/certificate/validator on the initial server start up and tenant creation. There will be separate registry resources for each validator with properties such as name, enable, priority etc. During the certificate validation process, all the validator configs will be loaded from the registry and, based on the enabled status and priority, the corresponding validators will get invoked.
>>
>> @Yvonne Wickramasinghe <[email protected]> : Seems all the necessary information in [1] has not been included in the WSO2 documentation. Can you please add all the information in there.
>>
>> @Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama <[email protected]> @Nirdesha Munasinghe <[email protected]> @WSO2 Documentation Group <[email protected]> : This X509 Authenticator documentation is really not in good shape. The steps are not in order & not clear, we need to restructure the page. Can you guys please schedule a meeting to discuss this matter.
>>
>> [1] https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit
>>
>> Thanks and Regards
>>
>> On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]> wrote:
>>
>>> Hi Indunil,
>>>
>>> Could you please confirm that the CRL and OCSP validators should be turned on/off from the registry resource after an initial server startup, instead of making changes in certificate-validation.xml file?
>>>
>>> Thanks,
>>> TharinduE
>>>
>>> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm working on configuring x509Certificate Authenticator using WSO2 IS version 5.8.0. I did all configurations as mentioned in the doc [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>, and I got the error as given below.
>>>>
>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: OCSPValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>
>>>> [2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>>>> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>>>>
>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException: Validator: CRLValidatorcouldn't validate the revocation status of certificate with serial num: 14756929408771586256
>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>
>>>> So I disabled CRLValidator and OCSPValidator in certificate-validation.xml file in ${IS_HOME}/repository/conf/security/, but the changes were not getting updated. According to the implementation in RevocationValidationManagerImpl.java in identity-x509-revocation extension, the CRL and OCSP validators are read from the registry repository/security/certificate/validator. This causes quite a bit of confusion since we need to modify certificate-validation.xml as well as the registry to disable CRLValidator and OCSPValidator.
>>>>
>>>> The doc on Configuring x509Certificate Authenticator [1] <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator> does not refer to the changes that need to be done in the configuration file and the registry to disable CRL and OCSP either.
>>>>
>>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>>>
>>>> Regards,
>>>> Piraveena
>>>>
>>>> *Piraveena Paralogarajah*
>>>> Software Engineer | WSO2 Inc.
>>>> *(m)* +94776099594 | *(e)* [email protected]
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "WSO2 Documentation Group" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> For more options, visit https://groups.google.com/a/wso2.com/d/optout.
>>>
>>> --
>>> Tharindu Edirisinghe
>>> Associate Technical Lead | WSO2 Inc
>>> Platform Security Team
>>> Blog : http://tharindue.blogspot.com
>>> mobile : +94 775181586
>>
>> --
>> Indunil Upeksha Rathnayake
>> Senior Software Engineer | WSO2 Inc
>> Email [email protected]
>> Mobile 0772182255

--
*Yvonne Wickramasinghe* | Senior Technical Writer | WSO2 Inc.
(m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected]
GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
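The validator lifecycle Indunil describes in the thread (the XML file seeds one registry resource per validator at first start-up, the registry is then the only thing the validation manager reads, and enabled validators run in priority order) as an added Python model; this is not code from the thread or from WSO2, and the XML shape, the dict-based registry, and the `reachable` map standing in for CRL/OCSP sources are all assumptions made for the example.

```python
"""Constructed model of the start-up seeding and priority-ordered validator
invocation described in the thread. Not WSO2 code: the registry is a dict,
the XML below is a constructed sample, not the real schema."""
import xml.etree.ElementTree as ET

REGISTRY_PATH = "/_system/governance/repository/security/certificate/validator"

# Constructed sample shaped after the name/enable/priority properties named in
# the thread; priorities mirror the log order there (OCSP attempted, then CRL).
CERT_VALIDATION_XML = """<CertificateValidation>
  <Validator name="OCSPValidator" enable="true"><Parameter name="priority">1</Parameter></Validator>
  <Validator name="CRLValidator" enable="true"><Parameter name="priority">2</Parameter></Validator>
</CertificateValidation>"""

def seed_registry(registry, xml_text):
    """Start-up import: copy each validator's properties into its own registry
    resource, but never overwrite a resource that already exists."""
    for v in ET.fromstring(xml_text).findall("Validator"):
        path = f"{REGISTRY_PATH}/{v.get('name')}"
        if path not in registry:
            prio = int(v.find("Parameter[@name='priority']").text)
            registry[path] = {"name": v.get("name"),
                              "enable": v.get("enable") == "true",
                              "priority": prio}
    return registry

def active_validators(registry):
    """What the manager will invoke: enabled resources, lowest priority first."""
    confs = [c for c in registry.values() if c["enable"]]
    return [c["name"] for c in sorted(confs, key=lambda c: c["priority"])]

def verify_revocation(registry, reachable):
    """Try each active validator in turn; return the first one that could check
    the certificate, None if no validator is enabled at all, and raise (as the
    real manager did in the thread) when every enabled validator fails."""
    failures = []
    for name in active_validators(registry):
        if reachable.get(name, False):
            return name
        failures.append(f"Validator: {name} couldn't validate the revocation status")
    if failures:
        raise RuntimeError("; ".join(failures))
    return None  # nothing ran: revocation status of the certificate is unchecked

def disable_in_registry(registry, name):
    """The fix discussed in the thread: flip 'enable' on the registry resource."""
    registry[f"{REGISTRY_PATH}/{name}"]["enable"] = False
```

Re-running `seed_registry` with an edited XML leaves an already-seeded registry untouched, which is the behaviour Piraveena hit; `disable_in_registry` is what actually changes the outcome, at the cost of leaving revocation unchecked.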
