users@glassfish.java.net

GlassFish v2.1 CRL management questions

From: <glassfish_at_javadesktop.org>
Date: Thu, 15 Oct 2009 09:10:04 PDT

Hi,

Please excuse me if this is a "newbie" set of questions, but I could not find a complete set of information regarding the extent of support within GlassFish Enterprise Server v2.1 for SSL Certificate Revocation Lists.

I have read through a few articles, including the one at:

  http://weblogs.java.net/blog/2007/11/19/ssl-and-crl-checking-glassfish-v2#6

which are great and have helped me understand a few things regarding this subject. I have a few more questions regarding the subject.


[CRL based Revocation Checking (Dynamic approach)]

1) If the URI specified in the Certificate's CRL Distribution Points extension is an LDAP URI
     e.g. ldap://hostname[:portnumber]/...

   will GlassFish be able to retrieve the CRL from a directory using LDAP or LDAP/S?

   If so, what additional configuration properties need to be set to allow it to do so?


2) How does GlassFish manage the dynamic retrieval of the CRL?

   i.e. does it download the CRL at each connection; does it cache it for a while, and share it among several connections for a set length of time; ...

   The concern here is that the CRL in question is about 1.5 MB in size :-}



[CRL based Revocation Checking (Static CRL file approach)]

3) If we opt to use a static CRL file, and manage updating that file via a script, how can a running GlassFish instance be notified of the change?

   i.e. is there a SIGHUP equivalent, does it actually need to be explicitly informed of the change, or will it pick it up automatically?


If anyone could please shed some light on this I would greatly appreciate it.

Many thanks in advance,

Kind Regards,

Federico G. CIGOGNINI
[Message sent by forum member 'fcigognini' (fcigognini_at_yahoo.com)]

http://forums.java.net/jive/thread.jspa?messageID=368092