
Certificate Revocation List (CRL) use in GlassFish v3

eliscinsky

I'd like to set up the CRL in my GlassFish v3.0.1(b22), however all the posts I am reading relate to GlassFish v.2.

Would someone please tell me "where and how" in the GlassFish v3 domain.xml file I need to add the information to point to my CRL file? Also, how and where in the admin console can the same information be set?

Thanks, Eric

Kumar.Jayanti

On 01/10/10 11:24 PM, glassfish@javadesktop.org wrote:
> I'd like to set up the CRL in my GlassFish v3.0.1(b22), however all the posts I am reading relate to GlassFish v.2.
>
> Would someone please tell me "where and how" in the GlassFish v3 domain.xml file I need to add the information to point to my CRL file? Also, how and where in the admin console can the same information be set?
The same stuff as in V2 should work even though the structure of
domain.xml has changed a bit w.r.t listeners.
ssl3-enabled="false" cert-nickname="s1as">
*value="${com.sun.aas.instanceRoot}/config/crl.pem"/>*

I will reconfirm after checking with our QE... But please try this and
let us know.

regards,
kumar
> Thanks, Eric
> [Message sent by forum member 'eliscinsky']
>
> http://forums.java.net/jive/thread.jspa?messageID=484136
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
> For additional commands, e-mail: users-help@glassfish.dev.java.net
>


Kumar.Jayanti

On 04/10/10 6:19 PM, Kumar.Jayanti wrote:
Ok.. ignore my previous message. It seems it should be crl-file
attribute inside element.
ssl3-enabled="false" cert-nickname="s1as"
*crl-file="${com.sun.aas.instanceRoot}/config/crl.pem"*>

Do let us know if it is working.

regards,
kumar



eliscinsky

> On 04/10/10 6:19 PM, Kumar.Jayanti wrote:

Kumar,

Thanks for the replies. First note that on 07/10/10 when I re-posted, I had not seen your replies - they were not present, so I thought that there were no replies.

After more careful reading of various blogs - yours in particular - and the Sun GlassFish Enterprise Server v3 Domain File Format Reference (820-7694), I did find the attribute "crl-file" in the . The examples show the file name of "crl.pem" which would infer the use of a PEM encoded file. But alas, and please confirm / correct me, using a PEM encoded file seems to throw an exception (as noted in my replies in this thread). I tried using a DER encoded file and to my surprise the exception was no longer thrown. However I still have an issue. When I present a revoked cert, the CrlRevocationChecker.verifyRevocationStatus CRL entry DOES find the revoked cert, but the process still shows "-checker6 validation succeeded" and the requested page/data is returned. Please advise. Is this a situation that needs to be addressed by application code or is GlassFish supposed to throw an exception on revoked certs too? Please note that when I use a cert that is expired GlassFish does throw an exception causing a browser to re-ask for a valid cert. Also of note the Cert path validation is using the "PKIX validation algorithm".

Thanks for your time and help.
Cheers, Eric.

eliscinsky

Kumar,

I was able to get everything working using your example http://weblogs.java.net/blog/2007/11/19/ssl-and-crl-checking-glassfish-v2#6

Now I'm replacing the keystore.jks & cacerts.jks (both include only 1 cert), and the crl.pem files. Please note these are files that work using HTTP Apache server.

> When I present a revoked cert, the CrlRevocationChecker.verifyRevocationStatus CRL entry DOES find the revoked cert, but the process still shows "-checker6 validation succeeded" and the requested page/data is returned.

Here is the output from my server.log file ...

SEVERE: certpath: -Using checker6 ... [sun.security.provider.certpath.CrlRevocationChecker]
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() ---checking revocation status...
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() crls.size() = 1
SEVERE: certpath: CRLRevocationChecker.verifyPossibleCRLs: Checking CRLDPs for CN=User7 John John.User7, OU=TEST, O=xxxxxx, C=xx
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus() approved crls.size() = 1
SEVERE: certpath: starting the final sweep...
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus cert SN: 4098350723398757786823434502144507443043719918241735943196832223568800273443972745730
SEVERE: certpath: CrlRevocationChecker.verifyRevocationStatus CRL entry: SerialNumber: [ 021c11ff a5298740 2ff8fdd5 c09f5d2a 46621183 4ea8a316 031e0419 6f480202
026c8a02] On: Thu May 20 08:46:12 EDT 2010
CRL Entry Extensions: 1
[1]: ObjectId: 2.5.29.21 Criticality=false
Reason Code: Remove from CRL

SEVERE: certpath: -checker6 validation succeeded
SEVERE: certpath: checking for unresolvedCritExts
SEVERE: certpath:
cert1 validation succeeded.

SEVERE: certpath: Cert path validation succeeded. (PKIX validation algorithm)
SEVERE: certpath: --------------------------------------------------------------

What am I missing? Why does validation succeed? I have 8 certs for testing (5 good, 2 revoked, 1 expired) Same thing happens on the 2 revoked certs.

Thanks for your time and help.
Cheers, Eric.

Kumar.Jayanti

On 14/10/10 7:45 PM, glassfish@javadesktop.org wrote:
> Kumar,
>
> I was able to get everything working using your example http://weblogs.java.net/blog/2007/11/19/ssl-and-crl-checking-glassfish-v2#6
>
> Now I'm replacing the keystore.jks & cacerts.jks (both include only 1 cert), and the crl.pem files. Please note these are files that work using HTTP Apache server.
>
Just to be clear : with my example revocation works as expected, but
when you place your keystores and crl file it fails (i.e CRL checking
fails to detect a revoked cert).

regards,
kumar
>> When I present a revoked cert, the CrlRevocationChecker.verifyRevocationStatus CRL entry DOES find the revoked cert, but the process still shows "-checker6 validation succeeded" and the requested page/data is returned.
> [Message sent by forum member 'eliscinsky']
>
> http://forums.java.net/jive/thread.jspa?messageID=485204
>

eliscinsky

Kumar,

> Just to be clear : with my example revocation works as expected, but when you place your keystores and crl file it fails (i.e CRL checking fails to detect a revoked cert).

That is correct.

BTW, I discovered the crl.pem file in your example is outdated. I emailed you directly about that. Do you have a current file?

Also, I noted that your crl.pem file is
Signature Algorithm: md5WithRSAEncryption
and mine is
Signature Algorithm: sha1WithRSAEncryption
would that make any difference?

eliscinsky

I'm using the following in my domain.xml

and when I run & browse to the page I get the following in the server.log

[#|2010-10-07T13:23:01.441+0000|WARNING|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=18;_ThreadName=Thread-1;|SSL support could not be configured!
java.io.IOException: Sequence tag error
at com.sun.grizzly.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:183)
at com.sun.grizzly.config.SSLConfigHolder.initializeSSL(SSLConfigHolder.java:359)
at com.sun.grizzly.config.SSLConfigHolder.configureSSL(SSLConfigHolder.java:308)
at com.sun.grizzly.config.GrizzlyEmbeddedHttps$LazySSLInitializationFilter.execute(GrizzlyEmbeddedHttps.java:171)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.NIOContext.execute(NIOContext.java:510)
at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKey(SelectorHandlerRunner.java:358)
at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKeys(SelectorHandlerRunner.java:258)
at com.sun.grizzly.SelectorHandlerRunner.doSelect(SelectorHandlerRunner.java:195)
at com.sun.grizzly.SelectorHandlerRunner.run(SelectorHandlerRunner.java:130)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
at java.lang.Thread.run(Thread.java:619)
|#]

[#|2010-10-07T13:23:01.446+0000|SEVERE|glassfish3.0.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=18;_ThreadName=Thread-1;|ProtocolChain exception
java.lang.NullPointerException
at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:347)
at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:394)
at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:154)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.NIOContext.execute(NIOContext.java:510)
at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKey(SelectorHandlerRunner.java:358)
at com.sun.grizzly.SelectorHandlerRunner.handleSelectedKeys(SelectorHandlerRunner.java:258)
at com.sun.grizzly.SelectorHandlerRunner.doSelect(SelectorHandlerRunner.java:195)
at com.sun.grizzly.SelectorHandlerRunner.run(SelectorHandlerRunner.java:130)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
at java.lang.Thread.run(Thread.java:619)

If I remove the crl-file attribute everything works fine. The browser asks me for a cert, and when presented it is verified and I get my page. Only problem is I can present a revoked cert and I still get my page.

Can someone help me, please.

Thanks, Eric.

Message was edited by: eliscinsky

eliscinsky

> I'm using the following in my domain.xml
>
>

Found my own solution. CRL needs to be DER format. PEM format would not work and threw the error. After converting CRL to DER format I'm now using the following.

Good Luck, Eric.

Correction - PEM format does work. I had a configuration and synchronization issue.

Message was edited by: eliscinsky