Certificate Validation

Overview

Whenever the Enterprise Gateway receives an X.509 certificate, either as part of the SSL handshake or as part of the XML message itself, it is important to be able to determine whether that certificate is legitimate or not. Certificates can be revoked by their issuers if it becomes apparent that the certificate is being used maliciously. Such certificates should never be trusted, and so it is very important that the Enterprise Gateway can perform certificate validation.

The Enterprise Gateway uses the following methods/protocols to validate certificates:

OCSP - Online Certificate Status Protocol
OCSP is an automated certificate checking network protocol. The Enterprise Gateway can query the OCSP responder for the status of a certificate. The responder returns whether the certificate is still trusted by the CA that issued it.

CRL - Certificate Revocation Lists
A CRL is a signed list indicating a set of certificates that are no longer considered valid (i.e. revoked certificates) by the certificate issuer. The Enterprise Gateway can query a CRL to find out if a given certificate has been revoked - if the certificate is present in the CRL, it should not be trusted.

XKMS - XML Key Management Services
XKMS is an XML-based protocol for (amongst other things) establishing the trustworthiness of a certificate over the Internet. The Enterprise Gateway can query an XKMS responder to determine whether a given certificate can be trusted.

Configuration

The Enterprise Gateway can check the validity of a client certificate using any of the following methods:

  1. OCSP - Online Certificate Status Protocol
  2. CRL - Certificate Revocation Lists
  3. XKMS - XML Key Management Services

Note: To validate a certificate using either an OCSP or a CRL lookup, the issuing CA's certificate must be trusted by the Enterprise Gateway. For a CRL lookup, the CA's public key is needed to verify the signature on the CRL; for an OCSP request, the protocol stipulates that the CA's public key must be submitted as part of the request. Because the issuing CA's public key is not always present in issued certificates, it must be retrieved from the Enterprise Gateway's certificate store instead.
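The note above is the part of a revocation check that is easiest to get wrong, so here is an added worked example of a CRL lookup that refuses to give an answer until the list's signature has been verified with the issuing CA certificate taken from the local trust store. It is written for this page in Go using only the standard library; it is not the Enterprise Gateway's own code. The CA names, client certificate subjects, serial numbers and the function names (`CheckAgainstCRL`, `BuildDemo`) are all constructed for the example, and it generates throwaway keys and a CRL in memory, so nothing is fetched from a network or an LDAP directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CRLStatus is the outcome of checking one certificate against a CRL.
type CRLStatus int

const (
	StatusGood         CRLStatus = iota // not listed in a trusted, current CRL
	StatusRevoked                       // listed: the certificate must not be trusted
	StatusCRLUntrusted                  // CRL signature does not verify with the trusted issuer
	StatusCRLStale                      // CRL is outside its ThisUpdate..NextUpdate window
)

// CheckAgainstCRL verifies a DER-encoded CRL with the trusted issuer certificate
// (the CA public key from the gateway's own certificate store, as the note
// requires) and only then looks the certificate's serial number up in it.
func CheckAgainstCRL(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (CRLStatus, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusCRLUntrusted, err
	}
	// A CRL whose signature does not verify proves nothing either way.
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return StatusCRLUntrusted, err
	}
	// A stale CRL must not be taken as evidence that nothing was revoked.
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return StatusCRLStale, fmt.Errorf("CRL outside its validity window at %v", now)
	}
	for _, e := range rl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked, nil
		}
	}
	return StatusGood, nil
}

func must[T any](v T, err error) T { // fixture generation only: panic is acceptable here
	if err != nil {
		panic(err)
	}
	return v
}

// Demo is a constructed in-memory PKI: trusted CA, two client certs, the CA's CRL, a rogue CRL.
type Demo struct {
	CA, Revoked, Good *x509.Certificate
	CRL, RogueCRL     []byte
	Now               time.Time
}

func BuildDemo() *Demo {
	now := time.Now().UTC().Truncate(time.Second)
	// mkCert issues a P-256 certificate signed by parent, or self-signed when parent is nil.
	mkCert := func(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
		if ca {
			tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
			tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		if parent == nil {
			parent, parentKey = tmpl, key
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
		return must(x509.ParseCertificate(der)), key // parsed form carries the generated SubjectKeyId
	}
	signCRL := func(issuer *x509.Certificate, key *ecdsa.PrivateKey, serial int64) []byte {
		return must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
			Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour),
			RevokedCertificateEntries: []x509.RevocationListEntry{
				{SerialNumber: big.NewInt(serial), RevocationTime: now.Add(-30 * time.Minute)}},
		}, issuer, key))
	}
	ca, caKey := mkCert(1, "Constructed Trusted CA", true, nil, nil)
	revoked, _ := mkCert(1001, "client-a.example.invalid", false, ca, caKey)
	good, _ := mkCert(1002, "client-b.example.invalid", false, ca, caKey)
	rogue, rogueKey := mkCert(1, "Constructed Rogue CA", true, nil, nil)
	return &Demo{CA: ca, Revoked: revoked, Good: good, Now: now,
		CRL:      signCRL(ca, caKey, 1001),
		RogueCRL: signCRL(rogue, rogueKey, 1002)} // not signed by the trusted CA: must be rejected
}

func main() {
	d := BuildDemo()
	st, err := CheckAgainstCRL(d.Revoked, d.CA, d.CRL, d.Now)
	fmt.Println("client-a against the CA's CRL:", st, err)
	st, err = CheckAgainstCRL(d.Good, d.CA, d.RogueCRL, d.Now)
	fmt.Println("client-b against the rogue CRL:", st, err)
}
```

Two design points carry over to the gateway configuration. First, the signature check comes before the membership test, which is exactly why the issuing CA certificate has to be in the certificate store: a CRL that cannot be verified is treated as unusable rather than as "nothing revoked". Second, a CRL past its NextUpdate is reported separately, so that a stale copy served from a directory is not silently accepted as proof of validity. The same issuer-first ordering applies to an OCSP response when the Validate Response option is selected.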

OCSP - Online Certificate Status Protocol

  1. Enter or select a name for the validation rule in the Name field.
  2. Select OCSP from the Type dropdown.
  3. Optionally enter a description of the rule in the Description field.
  4. Select a group of OCSP Responders from the URL Group field. The Enterprise Gateway will attempt to connect to the Responders in the selected group in a round-robin fashion. It will attempt to connect to the Responders with the highest priority first, before connecting to Responders with a lower priority. URL Groups can be added, edited, and removed by selecting the Add, Edit, and Remove buttons respectively.
    See the Configuring URL Groups section below for more information on adding and editing URL groups.
  5. In the User Name field, enter the name of the User whose key will be used to sign status requests sent to the OCSP responder.
  6. Enter the corresponding password for this user in the Password field.
  7. If the OCSP Responder signs the OCSP response, and you wish to validate this signature, select the Validate Response checkbox.

CRL - Certificate Revocation Lists

  1. Enter or select a name for the validation rule in the Name field.
  2. Select CRL from the Type dropdown.
  3. Optionally enter a description of the rule in the Description field.
  4. Select a previously configured LDAP directory from the LDAP directory dropdown list, or add a new one using the Add button.

XKMS - XML Key Management Services

  1. Enter or select a name for the validation rule in the Name field.
  2. Select XKMS from the Type dropdown.
  3. Optionally enter a description of the rule in the Description field.
  4. Enter the URL of the XKMS Responder in the URL field.
  5. In the User Name field, enter the name of the User whose key will be used to sign status requests sent to the XKMS responder.
  6. Enter the corresponding password for this user in the Password field.

Configuring URL Groups

The Enterprise Gateway can make connections on a round-robin basis to the URLs listed in a URL group, thus enabling a high degree of failover to external servers. URL groups can be configured by selecting the Add and/or Edit buttons.

The Enterprise Gateway will attempt to connect to the listed servers according to the priorities assigned to them. So, for example, let's assume there are two "High" priority URLs, one "Medium" URL, and a single "Low" URL configured. Assuming the Enterprise Gateway can successfully connect to the two "High" priority URLs, it will alternate requests between these two URLs only in a round-robin fashion. The other group URLs will not be used at all. If, however, both of the "High" priority URLs become unavailable, the Enterprise Gateway will then try to use the "Medium" priority URL, and only if this fails will the "Low" priority URL be used.

So, in general, the Enterprise Gateway will attempt to round-robin requests over URLs of the same priority, but will use higher priority URLs before lower priority ones. When a new URL is added to the group it is automatically given the highest priority. Priorities can then be changed by selecting the URL and clicking the Up and Down buttons.

Individual URLs can be added by clicking the Add button, or edited by selecting the URL in the table and clicking the Edit button.

The following fields should be completed:

  • URL:
    Enter the full URL of the external server.
  • Timeout:
    Specify the timeout in seconds for connections to the specified server.
  • Time:
    Whenever the server becomes unavailable for whatever reason (maintenance, for example), no attempt will be made to connect to that server until the time specified here has elapsed. In other words, once a connection failure has been detected, the next connection to that URL will be made after this amount of time.
  • Username:
    If the specified server requires clients to authenticate to it over 2-way SSL, a User must be selected here for authentication.
  • Password:
    Enter the password for this user.
  • Host/IP:
    If the specified server sits behind a proxy server, the host name or IP address of the proxy server must be entered here.
  • Port:
    Enter the port on which the proxy is listening.
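As an added illustration of the selection rules described in this section, the following replays the two-High, one-Medium, one-Low scenario from the text, including the retry window that the Time field introduces. This is example code written for this page in Go; it is not the Enterprise Gateway's implementation, and the URLs, durations and the type and function names (`URLGroup`, `Next`, `Fail`, `Scenario`) are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Priority tiers as the URL group dialog names them; High is tried first.
type Priority int

const (
	High Priority = iota
	Medium
	Low
)

// Endpoint mirrors one row of a URL group: the URL, its connection Timeout,
// and the Time to wait before a server that failed is contacted again.
type Endpoint struct {
	URL        string
	Priority   Priority
	Timeout    time.Duration
	RetryAfter time.Duration // the dialog's "Time" field
	downUntil  time.Time     // zero value means the server is considered available
}

// URLGroup round-robins over the highest-priority tier that still has an
// available server and falls back to lower tiers only when it is exhausted.
type URLGroup struct {
	endpoints []*Endpoint
	cursor    map[Priority]int // per-tier round-robin position
}

func NewURLGroup() *URLGroup { return &URLGroup{cursor: map[Priority]int{}} }

// Add appends a URL; as in the dialog, a new URL starts at the highest priority.
func (g *URLGroup) Add(url string, timeout, retryAfter time.Duration) *Endpoint {
	e := &Endpoint{URL: url, Priority: High, Timeout: timeout, RetryAfter: retryAfter}
	g.endpoints = append(g.endpoints, e)
	return e
}

// Next picks the server to contact at time now. Within a tier it alternates
// across the available servers; a tier with no available server is skipped.
func (g *URLGroup) Next(now time.Time) (*Endpoint, error) {
	for _, p := range []Priority{High, Medium, Low} {
		var avail []*Endpoint
		for _, e := range g.endpoints {
			if e.Priority == p && !now.Before(e.downUntil) {
				avail = append(avail, e)
			}
		}
		if len(avail) == 0 {
			continue
		}
		e := avail[g.cursor[p]%len(avail)]
		g.cursor[p]++
		return e, nil
	}
	return nil, errors.New("every URL in the group is inside its retry window")
}

// Fail records a connection failure: the server is not contacted again until
// RetryAfter has elapsed, after which it is automatically tried again.
func (g *URLGroup) Fail(e *Endpoint, now time.Time) { e.downUntil = now.Add(e.RetryAfter) }

// Scenario replays the worked example from the text (two High, one Medium,
// one Low) and returns the sequence of URLs the group would have contacted.
func Scenario() []string {
	g := NewURLGroup()
	a := g.Add("https://ocsp-a.example.invalid", 5*time.Second, time.Minute)
	b := g.Add("https://ocsp-b.example.invalid", 5*time.Second, time.Minute)
	c := g.Add("https://ocsp-c.example.invalid", 5*time.Second, time.Minute)
	c.Priority = Medium // moved down with the dialog's Down button
	g.Add("https://ocsp-d.example.invalid", 5*time.Second, time.Minute).Priority = Low
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	var used []string
	pick := func(now time.Time) {
		if e, err := g.Next(now); err == nil {
			used = append(used, e.URL)
		} else {
			used = append(used, "none")
		}
	}
	for i := 0; i < 4; i++ { // both High servers healthy: strict alternation a, b, a, b
		pick(t0)
	}
	g.Fail(a, t0) // both High servers go down together
	g.Fail(b, t0)
	pick(t0.Add(time.Second)) // falls back to Medium: c
	g.Fail(c, t0.Add(time.Second))
	pick(t0.Add(2 * time.Second))  // Medium down too, so Low: d
	pick(t0.Add(61 * time.Second)) // High retry window elapsed: back to a
	return used
}

func main() {
	for i, u := range Scenario() {
		fmt.Printf("request %d -> %s\n", i+1, u)
	}
}
```

The round-robin cursor is kept per tier, so when the High servers come back after their Time window the rotation resumes among them rather than restarting, and the Medium and Low URLs are never consulted while any High server is available. Note that the Time field governs only how long a failed server is skipped; the Timeout field is what the caller should apply to the connection attempt itself.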