I have an application which authenticates users based on their grid credentials. It is deployed under Tomcat and uses (among others) the following 2 libraries for user authentication:

cog-jglobus-1.8.0.jar
cog-tomcat-1.8.0.jar

We have encountered a strange race condition on a couple of application server nodes (not all of them) when fetch-crl is run to update the CRLs on these nodes. The error that we see is:

"[JGLOBUS-116] Certificate validation failed. [Caused by: [Caused by: unknown object in factory: org.bouncycastle.asn1.DERInteger]]"

In the process of troubleshooting this, I tried 2 different use cases:

o removed CRL file (for CA that I created the credentials under)
o created empty CRL file (for CA that user created the credentials under)

( 1 ) In both cases, I could not reproduce the error message that I mentioned above.

So, my question #1 is: Do you know what could cause this error message to appear?

( 2 ) The server seemed to behave as expected (give an error like UnknownCA) only if I did the file removal/empty file creation before starting it, i.e. if I did these things while the server was running, it *did not* seem to care - as if it is not reloading the CRLs in memory.

So, my question #2 is: Can you explain to me how these libraries are designed to behave in these situations? Do the CRLs get loaded/reloaded on their own, or do I need to explicitly specify some CRL reload interval in the code? I see a relevant bug here - https://bugzilla.mcs.anl.gov/globus/show_bug.cgi?id=6891

( 3 ) I also noticed that the cog-jglobus library does not complain if the TRUSTED_CERTIFICATES directory (in my case - /etc/grid-security/certificates) does not exist.

So, my question #3 is: Is that by design?

I am just trying to figure out how to make sure my application loads/reloads the CRLs properly. Any help that you can provide is appreciated.

Thanks

------------------------------------------------
Neha Sharma - Fermilab/FermiGrid/OSG Software - WH8E/x6791
-------------------------------------------------
