CRL checking at secured web service call, Metro 2.0.1, Metro 2.1


rudolf.lomniczi@gmail.com
Hi All,

I have a normal, Metro-compliant web service. It was created in NetBeans and its configuration is based on WSIT. Web service security is enabled; the security mechanism is Mutual Certificates Security.

I created a client certificate and imported the issuer CA cert into GlassFish's cacerts.jks truststore as a trusted cert. The client cert's public key was not imported into this truststore, only the CA. As far as I know, this is the recommended setup for a production environment.

Running the client, I saw that everything was fine; the client invoked the web service successfully.

The client cert has a CRLDistributionPoints extension containing a valid CRL URL (the CA cert has no such extension). I revoked the client cert, and I saw that the CRL was refreshed at the referenced URL, containing the serial of the client cert. So that's OK.

But after revocation I found that Metro does not use the CRLDistributionPoints extension of the client cert at all; the web service call was successful, in spite of the client certificate being revoked!

Analyzing the server log, I cannot find any trace of CRL validation. I debugged the certpath for this by adding this JVM parameter to GlassFish: -Djava.security.debug=certpath

I also enabled GlassFish to check CRLs in domain.xml:

-Dcom.sun.net.ssl.checkRevocation=true
-Dcom.sun.security.enableCRLDP=true

I also enabled revocation checking in WSIT:

<sc:ValidatorConfiguration wspp:visibility="private" revocationEnabled="true">
</sc:ValidatorConfiguration>

But CRL checking is still not working.

I cannot see any solution except to write my own certificate validation and implement the CRL check manually.

Do you have any idea?


Attached source of the web service: src.zip
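As an added example (my own code, not the poster's attached src.zip and not part of Metro or WSIT), here is the manual check the last paragraph of the post contemplates, written against the JDK's own java.security.cert API. It mirrors the three settings the poster already configured: a truststore that holds only the CA (as with GlassFish's cacerts.jks), revocation checking switched on (the programmatic counterpart of revocationEnabled="true"), and the com.sun.security.enableCRLDP switch so the PKIX validator follows the client certificate's CRLDistributionPoints extension. It assumes Java 7 or later and takes the truststore path, its password and a client certificate file on the command line; the class name CrlDpValidator is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical stand-alone PKIX validator performing the CRL check described
 * in the post: trust anchors come from a truststore holding only the CA,
 * revocation checking is enabled, and the JDK is told to fetch the CRL named
 * in the client certificate's CRLDistributionPoints extension.
 */
public final class CrlDpValidator {

    private final PKIXParameters params;

    public CrlDpValidator(String truststorePath, char[] truststorePassword) throws Exception {
        // Same switch the poster passes as -Dcom.sun.security.enableCRLDP=true;
        // without it the PKIX validator never downloads the CRL from the
        // distribution point URL carried in the certificate.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(truststorePath)) {
            truststore.load(in, truststorePassword);
        }
        // Every trusted-certificate entry in the store becomes a trust anchor;
        // the client cert itself is not in the store, only its issuing CA.
        params = new PKIXParameters(truststore);
        // Programmatic equivalent of revocationEnabled="true": a certificate
        // listed on its CRL is rejected instead of silently accepted.
        params.setRevocationEnabled(true);
    }

    /**
     * Validates the chain presented by the client (leaf first, trust anchor
     * excluded). Returns the trust anchor certificate the chain was verified
     * against, or throws CertPathValidatorException; for a revoked certificate
     * getReason() is CertPathValidatorException.BasicReason.REVOKED.
     */
    public X509Certificate validate(List<X509Certificate> chain) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) validator.validate(path, params);
        return result.getTrustAnchor().getTrustedCert();
    }

    /** Usage: java CrlDpValidator <truststore.jks> <password> <client-cert.pem> */
    public static void main(String[] args) throws Exception {
        CrlDpValidator v = new CrlDpValidator(args[0], args[1].toCharArray());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client;
        try (InputStream in = new FileInputStream(args[2])) {
            client = (X509Certificate) cf.generateCertificate(in);
        }
        try {
            X509Certificate anchor = v.validate(Arrays.asList(client));
            System.out.println("ACCEPTED, anchored at " + anchor.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // For the revoked client cert from the post this prints REVOKED.
            System.out.println("REJECTED: " + e.getReason() + " - " + e.getMessage());
        }
    }
}
```

Run with the -Djava.security.debug=certpath flag from the post to see the CRL download and the revocation decision in the output. Note that with setRevocationEnabled(true) the validator fails closed: if the CRL at the distribution point cannot be fetched, validation throws rather than accepting the certificate, which is the behaviour a mutual-certificate endpoint should want.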