
OCSP with web/application servers - Experience? Does it work as expected?

 
Dejan Mratinkovic
Ranch Hand
Posts: 65
Is there anyone with experience using the OCSP feature of J2SE with Tomcat, JBoss, etc.?

Documentation states it should work right away by just setting the property "ocsp.enable" to "true" if the certificate has everything that is required.
As application servers use the standard classes in the background, it should all just work.

Does it? I just want to get info sooner as I currently do not have proper certificates to test with.

J2SE has support for OCSP since version 5.0. Please check:
http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html

Did someone try to combine this with Jboss? Was it working as expected?

There is some useful info on article discussing this topic on glassfish:
http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html

But most of that article is just copied from the first one.



Any info regarding this is welcomed.
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
As no answers arrived, I will answer my own questions, for further reference if someone needs it.

Security setup in Tomcat's server.xml does not respond to the Java security parameter. I have introduced my own certificate verifier class (which I put in place of the JBoss default "AnyCertVerifier").

All worked fine, and as expected. The only issues I came into are misleading error messages, in case CRL lists are missing etc.
 
Guillermo Suchicital
Greenhorn
Posts: 1
Hi, I am trying to implement an OCSP solution on Tomcat and I saw your posting. Is there a way that you could post some of your code (java classes) and xml you used to test for cert validity with OCSP?
Thank you
 
Arshad Noor
Ranch Hand
Posts: 34
I have not personally tested the J2SE's OCSP Responder code, but I have no doubt that it should work if the configuration is correct.

Setting just "ocsp.enable" to "true" and expecting it to work implies that you have a full-blown OCSP Responder environment and that your certificates have the appropriate extensions (AIA) in them that provide all the information necessary for the OCSP code in J2SE to work. If the digital certificate does not have the extension, or if any of the values are incorrect or missing, then it is obviously not going to work until you explicitly specify all the other OCSP parameters specified.

Arshad Noor
StrongAuth, Inc.
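As an added illustration of the two points made in this thread (Dejan's custom verifier class replacing the JBoss default, and Arshad's note that "ocsp.enable" only works when the certificate carries an AIA extension or the responder is configured explicitly), here is a hypothetical verifier class. It is not code from either poster or from Tomcat/JBoss; the class name, the constructor's fallback URL argument and the early AIA check are assumptions, while "ocsp.enable" and "ocsp.responderURL" are the standard J2SE security properties.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Hypothetical verifier: validates a presented chain with PKIX and OCSP revocation checking. */
public class OcspChainVerifier {
    // OID of the Authority Information Access extension that carries the OCSP responder URL.
    private static final String AIA_OID = "1.3.6.1.5.5.7.1.1";

    private final PKIXParameters params;

    public OcspChainVerifier(KeyStore trustStore, String fallbackResponderUrl)
            throws GeneralSecurityException {
        // Turn on OCSP for the JVM-wide PKIX validator (J2SE 5.0 and later).
        Security.setProperty("ocsp.enable", "true");
        if (fallbackResponderUrl != null) {
            // Explicit responder for certificates that lack an AIA extension (assumed deployment choice).
            Security.setProperty("ocsp.responderURL", fallbackResponderUrl);
        }
        params = new PKIXParameters(trustStore);
        // "ocsp.enable" has no effect unless revocation checking itself is switched on.
        params.setRevocationEnabled(true);
    }

    /** Returns true when the chain (leaf first) validates to a trust anchor and is not revoked. */
    public boolean isValid(X509Certificate[] chain) {
        if (chain[0].getExtensionValue(AIA_OID) == null
                && Security.getProperty("ocsp.responderURL") == null) {
            // Fail early with a clear message instead of the generic PKIX error.
            System.err.println("Leaf certificate has no AIA extension and no ocsp.responderURL is set");
            return false;
        }
        try {
            CertPath path = CertificateFactory.getInstance("X.509")
                    .generateCertPath(Arrays.asList(chain));
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // Log the real cause: a failed OCSP lookup may fall back to CRLs and then report a missing CRL.
            System.err.println("Chain rejected: " + e.getMessage());
            return false;
        } catch (GeneralSecurityException e) {
            System.err.println("Validation error: " + e.getMessage());
            return false;
        }
    }
}
```

Wire `isValid` into whatever certificate-verifier hook the container offers (the JBoss verifier slot Dejan mentions, or a custom X509TrustManager for Tomcat), passing the chain the server receives during the handshake.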
 