Hi Piraveena and Indunil,

As discussed, I added a new section called Disabling Certificate Validation
<https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-DisablingCertificateValidation>
with the steps required to disable CRL and OCSP validators. Please check and
let me know if you require any further changes.

Regards,

On Tue, Jan 29, 2019 at 10:08 AM Yvonne Wickramasinghe <[email protected]> wrote:

> Hi Indunil,
>
> Scheduled a meeting for tomorrow (Jan 30, 2019) at 2:00 PM to discuss the
> requirements in detail.
>
> Regards,
>
> On Mon, Jan 28, 2019 at 9:57 AM Piraveena Paralogarajah <[email protected]> wrote:
>
>> Hi Indunil,
>>
>> CRL & OCSP validators are enabled in the certificate-validation.xml file in
>> IS 5.7.0 by default. So this triggers exceptions and X509 Authentication
>> fails. So by default CRL & OCSP validators should be disabled. This step is
>> not addressed in the documentation as well.
>>
>> To overcome this issue, now we need to
>> disable /_system/governance/repository/security/certificate/validator
>> registry. So could you please confirm whether it is necessary to
>> disable the CRL and OCSP validators in the registry in IS 5.7.0
>> after the server starts to make X509 Authentication succeed?
>>
>> Thanks and Regards,
>> Piraveena
>>
>> Piraveena Paralogarajah
>> Software Engineer | WSO2 Inc.
>> (m) +94776099594 | (e) [email protected]
>>
>> On Mon, Jan 28, 2019 at 9:42 AM Indunil Upeksha Rathnayake <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> @Piraveena Paralogarajah <[email protected]> @Tharindu Edirisinghe <[email protected]>:
>>> As per the CRL & OCSP implementation, all the certificate validator
>>> configurations in the certificate-validation.xml file will be added to the tenant
>>> registry in /_system/governance/repository/security/certificate/validator
>>> on the initial server start-up and tenant creation. There will be separate
>>> registry resources for each validator with properties such as name, enable,
>>> priority etc. During the certificate validation process, all the
>>> validator configs will be loaded from the registry and, based on the
>>> enabled state and priority, the corresponding validators will get invoked.
>>>
>>> @Yvonne Wickramasinghe <[email protected]>: It seems all the necessary
>>> information in [1] has not been included in the WSO2 documentation. Can
>>> you please add all the information in there.
>>>
>>> @Yvonne Wickramasinghe <[email protected]> @Sherene Mahanama <[email protected]>
>>> @Nirdesha Munasinghe <[email protected]> @WSO2 Documentation Group <[email protected]>:
>>> This X509 Authenticator documentation is really not in good shape. The steps
>>> are not in order and not clear; we need to restructure the page. Can you guys
>>> please schedule a meeting to discuss this matter.
>>>
>>> [1] https://docs.google.com/document/d/1_pJLEDMUn-lp_u3s6ebuHb0huArSFfydjMjjWRxmYIw/edit
>>>
>>> Thanks and Regards
>>>
>>> On Mon, Jan 28, 2019 at 8:21 AM Tharindu Edirisinghe <[email protected]> wrote:
>>>
>>>> Hi Indunil,
>>>>
>>>> Could you please confirm that the CRL and OCSP validators should
>>>> be turned on/off from the registry resource after an initial server
>>>> startup, instead of making changes in the certificate-validation.xml file?
>>>>
>>>> Thanks,
>>>> TharinduE
>>>>
>>>> On Fri, Jan 18, 2019 at 3:45 PM Piraveena Paralogarajah <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm working on configuring the x509Certificate Authenticator using WSO2
>>>>> IS version 5.8.0. I did all configurations as mentioned in the doc [1]
>>>>> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>,
>>>>> and I got the error as given below.
>>>>>
>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException:
>>>>> Validator: OCSPValidatorcouldn't validate the revocation status of
>>>>> certificate with serial num: 14756929408771586256
>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>
>>>>> [2019-01-17 11:49:05,175] INFO {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - X509 Certificate validation with CRLValidator
>>>>> [2019-01-17 11:49:05,176] DEBUG {org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl} - Certificate validation is not successful.
>>>>>
>>>>> org.wso2.carbon.identity.x509Certificate.validation.CertificateValidationException:
>>>>> Validator: CRLValidatorcouldn't validate the revocation status of
>>>>> certificate with serial num: 14756929408771586256
>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.isRevoked(RevocationValidationManagerImpl.java:123)
>>>>>     at org.wso2.carbon.identity.x509Certificate.validation.service.RevocationValidationManagerImpl.verifyRevocationStatus(RevocationValidationManagerImpl.java:63)
>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.isCertificateRevoked(X509CertificateUtil.java:257)
>>>>>     at org.wso2.carbon.identity.authenticator.x509Certificate.X509CertificateUtil.validateCertificate(X509CertificateUtil.java:155)
>>>>>
>>>>> So I disabled CRLValidator and OCSPValidator in the certificate-validation.xml
>>>>> file in ${IS_HOME}/repository/conf/security/, but the changes were not
>>>>> getting updated. According to the implementation in
>>>>> RevocationValidationManagerImpl.java in the identity-x509-revocation
>>>>> extension, the CRL and OCSP validators are read from the registry
>>>>> repository/security/certificate/validator. This makes for quite some
>>>>> confusion, since we need to modify the certificate-validation.xml as well
>>>>> as the registry to disable CRLValidator and OCSPValidator.
>>>>>
>>>>> The doc on Configuring x509Certificate Authenticator [1]
>>>>> <https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator>
>>>>> does not refer to the changes that need to be done in the configuration file
>>>>> and the registry to disable CRL and OCSP as well.
>>>>>
>>>>> [1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator
>>>>>
>>>>> Regards,
>>>>> Piraveena
>>>>>
>>>>> Piraveena Paralogarajah
>>>>> Software Engineer | WSO2 Inc.
>>>>> (m) +94776099594 | (e) [email protected]
>>>>
>>>> --
>>>> Tharindu Edirisinghe
>>>> Associate Technical Lead | WSO2 Inc
>>>> Platform Security Team
>>>> Blog : http://tharindue.blogspot.com
>>>> mobile : +94 775181586
>>>
>>> --
>>> Indunil Upeksha Rathnayake
>>> Senior Software Engineer | WSO2 Inc
>>> Email [email protected]
>>> Mobile 0772182255
>
> --
> Yvonne Wickramasinghe | Senior Technical Writer | WSO2 Inc.
> (m) +94 71 516 3732 | (w) +94 11 214 5354 | (e) [email protected]
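The behaviour Indunil describes above (validator configs held as registry resources with name, enable and priority properties, loaded and invoked in priority order) is modelled below as an added example; this is constructed code, not WSO2's RevocationValidationManagerImpl, and it assumes lower priority runs first, that a validator which cannot reach its CRL/OCSP source hands over to the next one, and that the chain fails only when every enabled validator fails. It reproduces the two outcomes in the thread: both validators enabled but unreachable gives the "couldn't validate the revocation status" failure from Piraveena's log, while disabling both in the registry makes authentication pass with no revocation check at all.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


class CertificateValidationException(Exception):
    pass


@dataclass
class ValidatorConfig:
    name: str
    enable: bool
    priority: int


def load_validator_configs(registry: Dict[str, Dict[str, str]]) -> List[ValidatorConfig]:
    """Read name/enable/priority from each registry resource; lower priority runs first (assumed)."""
    configs = [ValidatorConfig(p["name"], p.get("enable", "false").lower() == "true",
                               int(p.get("priority", "0"))) for p in registry.values()]
    return sorted(configs, key=lambda c: c.priority)


def verify_revocation_status(registry, validators, serial: int) -> Optional[str]:
    """Run the enabled validators in priority order. Each validator returns True (revoked),
    False (not revoked) or None (could not determine). Returns the name of the validator that
    cleared the certificate, or None when no validator is enabled (revocation is then never
    checked). Raises when one reports it revoked, or when every enabled validator fails to
    obtain a status, which is the failure shown in the thread's log."""
    last_failed = None
    for cfg in load_validator_configs(registry):
        if not cfg.enable:
            continue                  # disabled in the registry: skipped entirely
        status = validators[cfg.name](serial)
        if status is None:            # e.g. CRL/OCSP endpoint unreachable: try the next one
            last_failed = cfg.name
        elif status:
            raise CertificateValidationException(
                f"Validator: {cfg.name} found certificate with serial num: {serial} revoked")
        else:
            return cfg.name
    if last_failed is not None:
        raise CertificateValidationException(
            f"Validator: {last_failed} couldn't validate the revocation status of "
            f"certificate with serial num: {serial}")
    return None


# Constructed registry resources modelled on the per-validator resources the thread describes.
REGISTRY_DEFAULT = {
    "ocspvalidator": {"name": "OCSPValidator", "enable": "true", "priority": "1"},
    "crlvalidator": {"name": "CRLValidator", "enable": "true", "priority": "2"},
}
REGISTRY_DISABLED = {k: {**v, "enable": "false"} for k, v in REGISTRY_DEFAULT.items()}
UNREACHABLE = {"OCSPValidator": lambda s: None, "CRLValidator": lambda s: None}  # offline stand-ins
```

Editing certificate-validation.xml alone changes nothing here, because only the registry dictionaries are consulted, which is the mismatch the thread is about.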
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
