8 Replies Latest reply on Dec 16, 2011 9:32 AM by adamkal

    JBoss CRL Configuration

    kpcowell

      Hi all,

       

I am new to JBoss and am trying to find some information in the Certificate Revocation area. I have a CRL URL which allows me to download a file, that I presume I can reference in JBoss. The questions I have are as follows (please excuse my ignorance in this area if I am asking moronic questions):

       

      1. Is there a way of configuring JBoss to use the file dynamically, i.e. read continuously (or is that not how CRLs are supposed to work?)?

      2. If I downloaded the file every x hours would JBoss need a restart to read the updated values?

      3. Presuming the crlFile is the file which contains the CRL entries, can I just add a URL to this?

       

      Any help much appreciated.

       

      TIA,

       

      Kevin

        • 1. Re: JBoss CRL Configuration
          kpcowell

          Is it fair to assume, judging by the silence, that this is not supported? Any idea who I could contact within the JBoss area who could confirm this?

           

          Any help much appreciated.

          • 2. Re: JBoss CRL Configuration
            adamkal

            I've been investigating this and found the following attribute in the Web subsystem schema:

                <xs:attribute name="ca-revocation-url">
                  <xs:annotation>
                    <xs:documentation>
                      A file or URL to get the revocation list. (actually: crlFile is JSSE and SSLCARevocationFile in OpenSSL)
                    </xs:documentation>
                  </xs:annotation>
                </xs:attribute>

             

            This attribute is likely the attribute mislabeled as "ca-certificate-file" here:

            http://docs.jboss.org/jbossweb/7.0.x/config/ssl.html

             

            However, best I can tell, JBoss is completely ignoring this file, even after a restart.  I tried both crlFile and SSLCARevocationFile as well, but neither exist within the Web subsystem schema.  Could anyone confirm if this functionality is actually implemented?

            • 3. Re: JBoss CRL Configuration
              kpcowell

              Adam,

               

              Thanks for the reply. At least it is something I can take a look at. If I manage to get it working I will reply with how I did it.

               

              Many thanks,

               

              Kevin

              • 4. Re: JBoss CRL Configuration
                adamkal

                I went ahead and downloaded the latest sources and searched for every reference to the ca-revocation-url attribute.  As far as I can tell, the attribute is correctly parsed and stored, but never referenced.  Hopefully, I'm just missing something and there's a way to get this working without delving into the JBoss source.

                 

                Edit:

                Ok, there was something I missed: in WebConnectorService.java, the CA_REVOCATION_URL is used with OpenSSL but ignored with JSSE.  This appears to be a bug, since the documentation suggests otherwise.

                • 5. Re: JBoss CRL Configuration
                  adamkal

                  OK, as I mentioned, CA_REVOCATION_URL is ignored when using JSSE (the default).  I added the following code to WebConnectorService.java, line 231:

                   

                  // Propagate ca-revocation-url to the JSSE protocol handler, which
                  // exposes the CRL location under the Tomcat attribute name "crlFile".
                  if (ssl.hasDefined(Constants.CA_REVOCATION_URL)) {
                      Method m = connector.getProtocolHandler().getClass().getMethod("setAttribute", String.class, Object.class);
                      m.invoke(connector.getProtocolHandler(), "crlFile", ssl.get(Constants.CA_REVOCATION_URL).asString());
                  }

                   

                  After adding this code and recompiling the latest JBoss snapshot, the CA_REVOCATION_URL was correctly used to point to my CRL.

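For readers who want to see what handing a CRL file to JSSE actually makes it do, here is an added example (not from this thread and not JBoss or Tomcat code) that builds a PKIX trust manager with revocation checking against a local CRL file and then asks it whether a client chain is acceptable; the truststore and CRL paths are placeholders you supply.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import javax.net.ssl.*;

// Added example: the JSSE-side equivalent of a "crlFile" setting.
// File paths and the password are assumptions, not values from the thread.
public class CrlTrustCheck {

    public static X509TrustManager buildTrustManager(String trustStorePath, char[] trustStorePassword,
                                                      String crlPath) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        // Load every CRL in the file (PEM or DER) into an in-memory CertStore.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = cf.generateCRLs(in);
        }
        CertStore crlStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls));

        // PKIX parameters: trust anchors from the store, revocation ON, CRLs from the file.
        // Without setRevocationEnabled(true) the CRL would be silently ignored.
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertStore(crlStore);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from PKIX factory");
    }

    // Returns true only when the client chain builds to a trust anchor AND no certificate in it is revoked.
    public static boolean isClientChainAccepted(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkClientTrusted(chain, "RSA");
            return true;
        } catch (CertificateException e) {
            // A revoked certificate surfaces here; the cause is a CertPathValidatorException.
            return false;
        }
    }
}
```

The CRL collection is read once when the trust manager is built, so a refreshed file only takes effect when the trust manager (for a server, the connector) is recreated. Note also that PKIX treats a CRL whose nextUpdate has passed as a validation failure, so a stale file rejects every client rather than silently accepting them.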
                  • 6. Re: JBoss CRL Configuration
                    kpcowell

                    Adam,

                     

                    Thank you very much for your help. I will try this in the new year.

                     

                    Merry Christmas.

                     

                    Kevin

                    • 7. Re: JBoss CRL Configuration
                      jaikiran

                      Thanks for looking into this and proposing the fix. I have issued a pull request with your proposed fix https://github.com/jbossas/jboss-as/pull/927 so that this gets committed upstream.

                       

                      By the way, if you do fix issues like these then feel free to provide them as patches to the AS7 upstream. Here's how you can do that: http://community.jboss.org/wiki/HackingonAS7

                      • 8. Re: JBoss CRL Configuration
                        adamkal

                        Thanks.  I actually just set up a git client yesterday and was planning on proposing the fix when I got a chance, but this saves me the trouble.