users@glassfish.java.net

Re: Setting a Certificate Revocation List

From: <glassfish_at_javadesktop.org>
Date: Mon, 22 Dec 2008 04:26:08 PST

Sorry for the delay. I just got to trying it out on my own today, and here is what I have on my server side:

<sc:ValidatorConfiguration wspp:visibility="private" sc:revocationEnabled="true"/>


And it throws the following exception when running, because my certs do not have a CRLDP extension, nor do they have the OCSP extension.

WSS0223: Certificate validation failed
java.security.cert.CertPathValidatorException: Must specify the location of an OCSP Responder
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:139)
        at sun.security.provider.certpath.PKIXCertPathValidator.doValidate(PKIXCertPathValidator.java:316)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:178)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:206)
        at com.sun.xml.wss.impl.misc.WSITProviderSecurityEnvironment.validateCertificate(WSITProviderSecurityEnvironment.java:979)

Please note: the revocationEnabled attr is namespace-qualified (xmlns:sc="http://schemas.sun.com/2006/03/wss/server"). You may have most likely specified it without any namespace qualifier (due to a bug in the documentation).

Please try it and let me know if it worked.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]

http://forums.java.net/jive/thread.jspa?messageID=322930
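
Added example, not part of the original message and not GlassFish or WSIT code: a small Python check that reports whether `revocationEnabled` on each `sc:ValidatorConfiguration` element carries the `sc` namespace quoted in the message. The function name, the `wrapper` element and the sample documents are constructed for illustration, and treating an unqualified attribute as one the runtime will not honour is an assumption drawn from the message.

```python
import xml.etree.ElementTree as ET

# Namespace URI quoted in the message for the server-side "sc" prefix.
SC_NS = "http://schemas.sun.com/2006/03/wss/server"


def revocation_settings(policy_xml):
    """Return a (status, value) pair for every sc:ValidatorConfiguration.

    status is "qualified" when the attribute is sc:revocationEnabled,
    "unqualified" when it was written without a namespace prefix
    (assumed here, per the message, not to take effect), or "absent".
    """
    results = []
    root = ET.fromstring(policy_xml)
    # ElementTree stores namespaced names as "{uri}local".
    for elem in root.iter("{%s}ValidatorConfiguration" % SC_NS):
        qualified = elem.get("{%s}revocationEnabled" % SC_NS)
        unqualified = elem.get("revocationEnabled")
        if qualified is not None:
            results.append(("qualified", qualified))
        elif unqualified is not None:
            results.append(("unqualified", unqualified))
        else:
            results.append(("absent", ""))
    return results


# Constructed sample documents; "wrapper" stands in for the enclosing policy.
QUALIFIED = (
    '<wrapper xmlns:sc="%s">'
    '<sc:ValidatorConfiguration sc:revocationEnabled="true"/>'
    '</wrapper>' % SC_NS
)
UNQUALIFIED = (
    '<wrapper xmlns:sc="%s">'
    '<sc:ValidatorConfiguration revocationEnabled="true"/>'
    '</wrapper>' % SC_NS
)

if __name__ == "__main__":
    for name, doc in (("qualified", QUALIFIED), ("unqualified", UNQUALIFIED)):
        print(name, revocation_settings(doc))
```
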