JavaRanch » Java Forums » Engineering » Security

OCSP with web/application servers - Experience? Does it work as expected?

Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
Is there anyone with experience using the OCSP feature of J2SE with Tomcat, JBoss, etc.?

Documentation states it should work right away by just setting the property "ocsp.enable" to "true" if the certificate has all that is required.
As application servers use standard classes in background, it should all just work.

Does it? I just want to get info sooner as I currently do not have proper certificates to test with.

J2SE has support for OCSP since version 5.0. Please check:
http://java.sun.com/j2se/1.5.0/docs/guide/security/pki-tiger.html

Did someone try to combine this with JBoss? Was it working as expected?

There is some useful info in an article discussing this topic on GlassFish:
http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html

But, most of that article is just copied from the first one.

Any info regarding this is welcomed.
Dejan Mratinkovic
Ranch Hand

Joined: Nov 20, 2008
Posts: 65
As no answers arrived, I will answer my own questions, for further reference if someone needs it.

Security setup in Tomcat's server.xml does not respond to the Java security parameter. I have introduced my own certificate verifier class (which I put in place of the JBoss default "AnyCertVerifier").

All worked fine, and as expected. The only issues I ran into are misleading error messages, in case CRL lists are missing, etc.
Guillermo Suchicital
Greenhorn

Joined: Jan 03, 2012
Posts: 1
Hi, I am trying to implement an OCSP solution on Tomcat and I saw your posting. Is there a way that you could post some of your code (java classes) and xml you used to test for cert validity with OCSP?
Thank you
Arshad Noor
Ranch Hand

Joined: Oct 06, 2011
Posts: 34
I have not personally tested the J2SE's OCSP Responder code, but I have no doubt that it should work if the configuration is correct.

Setting just "ocsp.enable" to "true" and expecting it to work implies that you have a full-blown OCSP Responder environment and that your certificates have the appropriate extensions (AIA) in them that provide all the information necessary for the OCSP code in J2SE to work. If the digital certificate does not have the extension, or if any of the values are incorrect or missing, then it is obviously not going to work until you explicitly specify all the other OCSP parameters.

Arshad Noor
StrongAuth, Inc.
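As an added example (not code from either poster), this is one way to build the kind of custom verifier Dejan describes in his self-answer, using the "ocsp.enable" property and the AIA dependency from Arshad's reply; the class name, the responder URL placeholder and the way the trust store is supplied are assumptions:

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Hypothetical replacement for an accept-anything verifier: PKIX path validation with OCSP. */
public class OcspCertVerifier {

    private final PKIXParameters params;

    public OcspCertVerifier(KeyStore trustStore) throws GeneralSecurityException {
        // The J2SE security property discussed in the thread. It is only consulted
        // when PKIX revocation checking is switched on via the parameters below.
        Security.setProperty("ocsp.enable", "true");
        // If the certificates lack a usable AIA extension, a responder can be
        // pinned here instead (placeholder URL, an assumption for this example):
        // Security.setProperty("ocsp.responderURL", "http://ocsp.example.test/");
        params = new PKIXParameters(trustStore);  // trust anchors = CA entries in the store
        params.setRevocationEnabled(true);        // without this, ocsp.enable is ignored
    }

    /** Returns true only if the chain builds to a trust anchor and no certificate is revoked. */
    public boolean verify(X509Certificate[] chain) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(chain));
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // getReason() (Java 7+) separates "revoked" from "could not determine status",
            // which the default message alone does not make obvious (the misleading
            // errors Dejan mentions when CRL/OCSP data is missing).
            System.err.println("Rejected cert #" + e.getIndex() + " (" + e.getReason()
                    + "): " + e.getMessage());
            return false;
        } catch (GeneralSecurityException e) {
            System.err.println("Validation error: " + e);
            return false;
        }
    }
}
```

The chain passed to verify() is the one presented in the TLS handshake, leaf first; the trust store is whatever the server already uses for its trusted CAs.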