OCSP with web/application servers - Experience? Does it work as expected?

 
Ranch Hand
Posts: 65
Is there anyone with experience using the OCSP feature of J2SE with Tomcat, JBoss, etc.?

The documentation states it should work right away by just setting the property "ocsp.enable" to "true" if the certificate has all that is required.
As application servers use the standard classes in the background, it should all just work.

Does it? I just want to get info sooner as I currently do not have proper certificates to test with.

J2SE has support for OCSP since version 5.0. Please check:
http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html

Did someone try to combine this with JBoss? Was it working as expected?

There is some useful info in an article discussing this topic on GlassFish:
http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html

But most of that article is just copied from the first one.



Any info regarding this is welcomed.
 
Dejan Mratinkovic
Ranch Hand
Posts: 65
As no answers arrived, I will answer my own questions, for further reference if someone needs it.

The security setup in Tomcat's server.xml does not respond to the Java security parameter. I have introduced my own certificate verifier class (which I put in place of the JBoss default "AnyCertVerifier").

All worked fine, and as expected. The only issues I ran into are misleading error messages, in case CRL lists are missing, etc.
 
Greenhorn
Posts: 1
Hi, I am trying to implement an OCSP solution on Tomcat and I saw your posting. Is there a way that you could post some of your code (Java classes) and XML you used to test for cert validity with OCSP?
Thank you
 
Ranch Hand
Posts: 34
I have not personally tested the J2SE's OCSP Responder code, but I have no doubt that it should work if the configuration is correct.

Setting just "ocsp.enable" to "true" and expecting it to work implies that you have a full-blown OCSP Responder environment and that your certificates have the appropriate extensions (AIA) in them that provide all the information necessary for the OCSP code in J2SE to work. If the digital certificate does not have the extension, or if any of the values are incorrect or missing, then it is obviously not going to work until you explicitly specify all the other OCSP parameters specified.

Arshad Noor
StrongAuth, Inc.
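
Added example (not code from any poster in this thread): a minimal chain check of the kind a custom verifier could call, which first tests the leaf certificate for an OCSP entry in its AIA extension and only then relies on "ocsp.enable". The class name, method names and command-line arguments are hypothetical, and the AIA test is a byte scan used as a shortcut instead of a full ASN.1 parse.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

public class OcspChainCheck {
    // DER encoding of OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp), the OCSP access method in AIA
    private static final byte[] ID_AD_OCSP =
        {0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01};

    // True if the AIA extension (1.3.6.1.5.5.7.1.1) lists an OCSP responder.
    // Shortcut: scans the raw extension bytes for the OID rather than parsing ASN.1.
    static boolean hasOcspAia(X509Certificate cert) {
        byte[] aia = cert.getExtensionValue("1.3.6.1.5.5.7.1.1");
        if (aia == null) return false;
        for (int i = 0; i + ID_AD_OCSP.length <= aia.length; i++) {
            if (Arrays.equals(Arrays.copyOfRange(aia, i, i + ID_AD_OCSP.length), ID_AD_OCSP))
                return true;
        }
        return false;
    }

    // Validates a chain (leaf first, trust anchor not included) with OCSP revocation checking.
    // Throws CertPathValidatorException on an untrusted, revoked or uncheckable certificate.
    static void validate(List<X509Certificate> chain, KeyStore trust, String fallbackUrl) throws Exception {
        if (!hasOcspAia(chain.get(0))) {
            if (fallbackUrl == null)
                throw new CertPathValidatorException("leaf has no OCSP URL in AIA and no ocsp.responderURL given");
            Security.setProperty("ocsp.responderURL", fallbackUrl); // used when AIA is absent
        }
        Security.setProperty("ocsp.enable", "true"); // security properties are JVM-wide
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(true); // ocsp.enable has no effect without this
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    // Hypothetical usage: java OcspChainCheck truststore.jks password chain.pem [responderUrl]
    public static void main(String[] args) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) { trust.load(in, args[1].toCharArray()); }
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                chain.add((X509Certificate) c);
        }
        validate(chain, trust, args.length > 3 ? args[3] : null);
        System.out.println("chain is trusted and not revoked");
    }
}
```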
 