SungHoon_Kim

Adding CRL to CDS

Blog Post created by SungHoon_Kim Employee on Mar 29, 2016

While trying to import a CRL via the SiteMinder AdminUI, I got the following exception.

(Before proceeding, the prerequisite is to import the issuer certificate (CA) first. The following screenshot shows that the "geotrust" certificate is already imported as a Trusted CA.)

[Screenshot: CRL3.jpg]

[Screenshot: CRL1.jpg]

server.log from the AdminUI:

2016-03-29 10:52:05,791 INFO  [com.ca.CertificateDataStore] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-7) Logging initialized

2016-03-29 11:12:13,422 INFO  [STDOUT] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-2) NavigationUtil.handleNavChange returning: fmCRLImport

2016-03-29 11:12:44,703 INFO  [STDOUT] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-2) NavigationUtil.handleNavChange returning: fmCRLList

2016-03-29 11:16:45,182 ERROR [ims.ui] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-2) Page cannot be found.  Please check the URL. (/iam/siteminder/console/ui7/nullback_month_2.png)

2016-03-29 11:16:45,185 ERROR [ims.ui] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-2) Page cannot be found.  Please check the URL. (/iam/siteminder/console/ui7/nullforward_month_2.png)

2016-03-29 11:16:45,189 ERROR [ims.ui] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-5) Page cannot be found.  Please check the URL. (/iam/siteminder/console/ui7/nullportlet16x16del.png)

2016-03-29 11:16:45,283 ERROR [ims.ui] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-2) Page cannot be found.  Please check the URL. (/iam/siteminder/console/ui7/nullback_month_2.png)

2016-03-29 11:16:52,100 INFO  [STDOUT] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-4) NavigationUtil.handleNavChange returning: fmCertImport

2016-03-29 11:17:56,418 INFO  [STDOUT] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-5) NavigationUtil.handleNavChange returning: fmAuthorityList

2016-03-29 11:18:25,407 INFO  [STDOUT] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-5) NavigationUtil.handleNavChange returning: fmCRLImport

2016-03-29 11:20:22,929 ERROR [com.ca.federation.adminui.backingbean.keystore.CRLImportBean] (http-TESTMC1.sso.lab%2F192.168.0.1-8443-5) **ERROR** java.security.cert.CertStoreException during UI operation.

java.security.cert.CertStoreException: java.lang.IllegalArgumentException: Invalid URI for CRL: http://crl.geotrust.com/crls/gtglobal.crl

  at com.ca.siteminder.security.SMCertDatabaseStore.addCRL(SMCertDatabaseStore.java:202)

  at com.ca.siteminder.security.SMCertDatabaseStore.engineGetCRLs(SMCertDatabaseStore.java:119)

  at java.security.cert.CertStore.getCRLs(CertStore.java:154)

  at com.ca.federation.adminui.backingbean.keystore.CRLImportBean.importCRL(CRLImportBean.java:285)

  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

  at java.lang.reflect.Method.invoke(Method.java:597)

  at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:132)

  at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:61)

  at javax.faces.component.UICommand.broadcast(UICommand.java:109)

  at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:97)

  at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:171)

  at org.apache.myfaces.lifecycle.InvokeApplicationExecutor.execute(InvokeApplicationExecutor.java:32)

  at org.apache.myfaces.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:95)

  at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:70)

  at com.netegrity.webapp.page.jsf.JSFParentPage.update(JSFParentPage.java:94)

  at com.netegrity.webapp.page.TaskController.update(TaskController.java:601)

  at com.netegrity.taglib.skin.TagUtilLocal.update(TagUtilLocal.java:268)

  at com.netegrity.taglib.skin.UpdateTag.doEndTag(UpdateTag.java:145)

  at idm_jsp.app.ui7.index_jsp._jspx_meth_skin_update_0(Unknown Source)

  at idm_jsp.app.ui7.index_jsp._jspService(Unknown Source)

  at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)

  at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:638)

  at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:444)

  at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:382)

  at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:310)

  at com.netegrity.webapp.filter.ConsolePageFilter.doFilter(ConsolePageFilter.java:531)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at com.netegrity.webapp.page.jsf.FacesFilter.doFilter2(FacesFilter.java:180)

  at com.netegrity.webapp.page.jsf.FacesFilter.doFilter(FacesFilter.java:151)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at com.netegrity.webapp.authentication.FrameworkLoginFilter.doFilter(FrameworkLoginFilter.java:322)

  at com.ca.siteminder.webadmin.configuration.ui.servlet.SiteMinderLoginFilter.doFilter(SiteMinderLoginFilter.java:457)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at com.netegrity.webapp.filter.LocaleFilter.doFilter(LocaleFilter.java:100)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at com.netegrity.webapp.filter.SessionFilter.doFilter(SessionFilter.java:103)

  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)

  at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

  at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)

  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)

  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

  at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)

  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

  at java.lang.Thread.run(Thread.java:662)

Caused by: java.lang.IllegalArgumentException: Invalid URI for CRL: http://crl.geotrust.com/crls/gtglobal.crl

  at com.ca.siteminder.security.SMKeyDatabaseFacade.addRevocationInfoToDB(SMKeyDatabaseFacade.java:388)

  at com.ca.siteminder.security.SMCertDatabaseStore.addCRL(SMCertDatabaseStore.java:163)

  ... 65 more

 

If you look at the first screenshot above, it actually lists two options for importing a CRL:

1. LDAP-based URL ("LDAP://<server>/<path to crl>", for example "LDAP://crlserver:9100/cn=MasterCRL")

2. FILE-based URL ("file:///<file path on the Policy Server machine>", for example "file://C:/CRLs/MasterCRL.crl")

It does not list an HTTP-based URL as an option.

So if you entered the location as "http://crl.geotrust.com/crls/gtglobal.crl", it is expected to throw an error.

 

Following is a sample import using a FILE-based URL.

In this sample, the CRL file is downloaded to the Policy Server machine and stored at "C:\revocation\gtglobal.crl" as shown below.

[Screenshot: CRL8_177.jpg]

[Screenshot: CRL6.jpg]

[Screenshot: CRL7.jpg]

Following is the R12.52 SP1 online documentation explaining the feature.

Check Certificate Validity with CRLs

A Certificate Revocation List (CRL) is issued by a Certificate Authority to its subscribers. The list contains serial numbers of certificates that are invalid or have been revoked. When a request to access a server is received, the server allows or denies access based on the CRL.

Federation can leverage CRLs for its certificate functions. For CA SiteMinder® to use a CRL, the certificate data store must point to a current CRL. If CA SiteMinder® tries using a revoked partner certificate, you see an error message. For legacy federation, the error message is in the SAML assertion. The message indicates that authentication failed.

Note: Federation features implement the use of CRLs differently than X.509 authentication schemes. The authentication schemes use an independent LDAP directory that stores CRLs. The authentication schemes do not use the certificate data store.

CA SiteMinder® supports the following CRL features:

  • File-based CRLs or LDAP CRLs

CA SiteMinder® stores CRLs in the certificate data store. File-based CRLs must be in Base64 or binary encoding. LDAP CRLs must be in binary encoding. Additionally, LDAP CRLs must include CRL data in one of the following attributes:

  • certificateRevocationList;binary
  • authorityRevocationList;binary

When a Certificate Authority publishes an LDAP CRL, it must return the CRL data in binary format, in accordance with RFC4522 and RFC4523. Otherwise, CA SiteMinder® cannot use it.

  • PEM and DER encoding formats for a file CRL
  • DER encoding format for an LDAP CRL

CA SiteMinder® does not validate an SSL server certificate against a CRL. The web server where the CA SiteMinder® web agent is installed manages the SSL server certificate. You are not required to have a CRL for each root CA in the system. If there is no CRL for the root CA, it is assumed that all certificates signed by that CA are trusted certificates.

Add a CRL for Certificate Management

Help ensure that only valid certificates are used for PKI functions by using CRLs. Verify the validity of certificates against a CRL.

Important! CA SiteMinder® explicitly requests LDAP CRLs in binary encoding. Additionally, CRL data must be stored in the LDAP attribute named certificateRevocationList;binary or authorityRevocationList;binary. When a Certificate Authority (CA) publishes an LDAP CRL, it must return the CRL data in binary format, in accordance with RFC4522 and RFC4523. Otherwise, CA SiteMinder® cannot use it.

The CRL location is required to use a CRL.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Validity.
  3. Click Add. The Configure Revocation List dialog opens.
  4. Specify an alias for the CRL and the location (URL) of the certificate revocation list. The location has to be a file path for a file CRL and an LDAP search path for an LDAP CRL.
  5. Click Save.

The CRL is added to the certificate data store.

Update a CRL

Update a CRL to verify that the certificate data in use is current. Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, X509 Certificate Management, Certificate Validity.
  3. Delete a CRL from the list.
  4. Do one of the following steps to add a CRL:
    • Click Add and complete the settings for the new CRL file or LDAP location. Click Save.
    • Navigate back to the Certificate Management dialog. Specify a value for the Default CRL Update Period setting. At the time of the next CRL update, the certificate data store automatically goes to the configured file or LDAP location and reloads the CRL.

 

If it is LDAP-based, it can stay up to date (for example, Microsoft Certificate Services maintains the CRL itself), but if it is FILE-based, the administrator must manually replace the CRL file at the same file path each time, before the expiry period that was defined when the file CRL was imported.

 

How do you check when this CRL will be updated next?

If you are logged on to the AdminUI, it is displayed as in the screenshot above.

But if you need to check from the command line, you can do the same via XPSExplorer.

 

Log on to the Policy Server machine as smuser (or whichever user you run SiteMinder as).

Run XPSExplorer.

 

Look for "CA --> CDS --> CRLRevocationData*".

In the above case, it is number 4.

Enter "4" and press the ENTER key.

Enter "S" and press the ENTER key to search the entries.

Now you can see there is 1 entry.

Enter the entry number "1" and press ENTER.

 

Here you can see the "ThisUpdate" timestamp and the "NextUpdate" timestamp.

These are Unix time (epoch) values.

 

You need to convert this timestamp.

You can google any Unix time converter; http://www.epochconverter.com is one sample site.

For the Unix timestamp above, remove the last 3 digits, which gives "1467280294".
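As an added example (not from the original post or from CA's code), the following Python ties the pieces above together: it reads the thisUpdate/nextUpdate window from a file CRL in either encoding the documentation accepts (PEM/Base64 or DER/binary), flags a FILE-based CRL that the administrator will soon have to replace by hand, and converts the epoch-millisecond values XPSExplorer shows. The sample CRL is constructed inline and unsigned; the code only checks freshness and does not verify the CRL signature.

```python
import base64
from datetime import datetime, timezone

def _tlv(tag, body):
    """Encode one short-form DER TLV (value < 128 bytes); enough to build the sample below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _read_tlv(buf, pos):
    """Decode the TLV at pos, handling long-form lengths; return (tag, value, next position)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _asn1_time(tag, value):
    """UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year) to aware UTC."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(data):
    """(thisUpdate, nextUpdate) of a PEM or DER CRL; reads the window only, no signature check."""
    if data.lstrip().startswith(b"-----BEGIN"):   # PEM = Base64 of the DER between the markers
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    _, cert_list, _ = _read_tlv(data, 0)           # CertificateList
    _, tbs, _ = _read_tlv(cert_list, 0)            # TBSCertList
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0x02 else 0                # skip the optional version INTEGER
    _, _, pos = _read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)                # issuer Name
    t1, v1, pos = _read_tlv(tbs, pos)              # thisUpdate
    t2, v2 = _read_tlv(tbs, pos)[:2] if pos < len(tbs) else (None, b"")   # nextUpdate is OPTIONAL
    return _asn1_time(t1, v1), (_asn1_time(t2, v2) if t2 in (0x17, 0x18) else None)

def needs_refresh(data, now, warn_days=7):
    """True when a file CRL has no nextUpdate, is past it, or is within warn_days of it."""
    next_update = crl_validity(data)[1]
    return next_update is None or (next_update - now).days < warn_days

def xps_epoch_to_utc(ms):  # XPSExplorer shows ThisUpdate/NextUpdate in epoch milliseconds
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc)

# Constructed, unsigned sample CRL: CN=Example CA, no revoked entries, dummy signature bits.
_alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + _tlv(0x05, b""))  # sha256WithRSAEncryption
_issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, b"Example CA"))))
_tbs = _tlv(0x30, _tlv(0x02, b"\x01") + _alg + _issuer + _tlv(0x17, b"160329000000Z") + _tlv(0x17, b"160628000000Z"))
SAMPLE_DER = _tlv(0x30, _tbs + _alg + _tlv(0x03, b"\x00" * 17))
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END X509 CRL-----\n"
```

Point crl_validity at the bytes of the CRL file you placed on the Policy Server (for example the C:\revocation\gtglobal.crl above) and run needs_refresh from a scheduled job to be warned before the file CRL lapses.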

 

 

You can also add the CRL from the command line.

If you run "smkeytool" without any switch, it lists the available options.

The syntax would be:
smkeytool -addRevocationInfo -issueralias geotrust -type filecrl -location C:\revocation\gtglobal.crl -gracePeriod 90

addrevocationinfo

C:\Users\policyserver>smkeytool -addrevocationinfo -issueralias geotrust -type filecrl -location C:\revocation\gtglobal.crl -graceperiod 90

No certificates will be revoked if the CRL is added.

Do you still want to add the CRL information? [no]:

yes

Revocation Info successfully added to the Certificate Data Store.
