Certificate revocation checking in TIBCO ActiveMatrix BusinessWorks 5 (BW)


    Manoj Chaurasia

    This article explains how to enable certificate revocation checking in BW, using either CRLs or OCSP, and how to enable debug logging of the revocation check.

    Revocation checking using CRLs

    By default, certificate revocation checking is disabled in BW. To enable revocation checking using CRLs, add the following properties to the deployed application's .tra file (or to designer.tra when testing from Designer):

     java.property.com.sun.security.enableCRLDP=true
     java.property.com.tibco.security.CheckRevocation=true
     java.property.com.tibco.security.NoExplicitCAChain=true

    Sample log

     certpath: RevocationChecker.check: checking cert
       SN:     39252e20 e18cd90c 0a000000 00e8323f
       Subject: CN=*.abc.com
       Issuer: CN=ABC, O=ABC LLC, C=US
     certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
     certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
     certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
     certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=*.ABC.com
     certpath: Trying to fetch CRL from DP http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: CertStore URI:http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: Downloading new CRL...
     certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
       SN:     39252e20 e18cd90c 0a000000 00e8323f
       Subject: CN=*.abc.com
       Issuer: CN=ABC, O=ABC LLC, C=US
     certpath: idpName: URIName: http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: pointName: URIName: http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: Constraints.permits(): SHA256withRSA Variant: generic
     certpath: Returning 1 CRLs
     certpath: RevocationChecker.checkApprovedCRLs() starting the final sweep...
     certpath: RevocationChecker.checkApprovedCRLs() cert SN: 75959046339453363611227911452581444111



    Downloaded CRLs are cached for 30 seconds, so a certificate revoked within that window can still pass validation. The following sample log shows a CRL being returned from the cache instead of being downloaded again:

     certpath: RevocationChecker.check: checking cert
       SN:     39252e20 e18cd90c 0a000000 00e8323f
       Subject: CN=*.abc.com
       Issuer: CN=ABC, O=ABC LLC, C=US
     certpath: RevocationChecker.checkCRLs() ---checking revocation status ...
     certpath: RevocationChecker.checkCRLs() possible crls.size() = 0
     certpath: RevocationChecker.checkCRLs() approved crls.size() = 0
     certpath: DistributionPointFetcher.getCRLs: Checking CRLDPs for CN=*.abc.com
     certpath: Trying to fetch CRL from DP http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: CertStore URI:http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: URICertStore.getInstance: cache hit
     certpath: Returning CRL from cache
     certpath: DistributionPointFetcher.verifyCRL: checking revocation status for
       SN:     39252e20 e18cd90c 0a000000 00e8323f
       Subject: CN=*.abc.com
       Issuer: CN=ABC, O=ABC LLC, C=US
     certpath: idpName: URIName: http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: pointName: URIName: http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
     certpath: Constraints.permits(): SHA256withRSA Variant: generic
     certpath: Returning 1 CRLs
     certpath: RevocationChecker.checkApprovedCRLs() starting the final sweep...
     certpath: RevocationChecker.checkApprovedCRLs() cert SN: 75959046339453363611227911452581444111

    Revocation checking using OCSP

    To enable revocation checking using OCSP, add the same properties to the deployed application's .tra file (or to designer.tra when testing from Designer):

     java.property.com.sun.security.enableCRLDP=true
     java.property.com.tibco.security.CheckRevocation=true
     java.property.com.tibco.security.NoExplicitCAChain=true



    In addition, uncomment the following property in TIBCO_HOME/tibcojre64/1.8.0/lib/security/java.security so that the JRE queries the OCSP responder named in the certificate's AIA extension:

     ocsp.enable=true  

    Sample log

     certpath: RevocationChecker.check: checking cert
       SN:     39252e20 e18cd90c 0a000000 00e8323f
       Subject: CN=*.abc.com
       Issuer: CN=ABC, O=ABC LLC, C=US
     certpath: connecting to OCSP service at: http://ocsp.pki.abc/abc
     certpath: OCSP response status: SUCCESSFUL
     certpath: OCSP response type: basic
     certpath: Responder ID: byKey: 8A747FAF85CDEE95CD3D9CD0E24614F371351D27
     certpath: OCSP response produced at: Thu Jul 15 15:34:33 EDT 2018
     certpath: OCSP number of SingleResponses: 1
     certpath: thisUpdate: Thu Jul 15 15:34:32 EDT 2018
     certpath: nextUpdate: Thu Jul 22 14:34:31 EDT 2018
     certpath: Status of certificate (with serial number 75959046339453363611227911452581444111) is: GOOD
     certpath: OCSP response is signed by the target's Issuing CA
     certpath: Constraints.permits(): SHA256withRSA Variant: generic
     certpath: Verified signature of OCSP Response
     certpath: OCSP response validity interval is from Thu Jul 15 15:34:32 EDT 2018 until Thu Jul 22 14:34:31 EDT 2018
     certpath: Checking validity of OCSP response on: Fri Jul 16 18:46:58 EDT 2018

    Debug logging

    To enable debug logging of the certificate path and revocation checks (the output shown in the sample logs above), add the following property to the deployed application's .tra file or to designer.tra:

     java.property.java.security.debug=certpath  
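    The certpath debug output is verbose, and the point of reading it is to confirm that a revocation check actually ran and where its data came from. The following script is an added example, not part of this article or of TIBCO's product: it reduces certpath lines like the CRL and OCSP samples above to a short summary and flags whether usable revocation data was obtained. The embedded log excerpts are constructed from the samples above, not real captures.

```python
import re

CRL_LOG = """\
certpath: RevocationChecker.check: checking cert
  Subject: CN=*.abc.com
certpath: Trying to fetch CRL from DP http://crls.pki.abc/abc/fVJxbV-Ktmk.crl
certpath: URICertStore.getInstance: cache hit
certpath: Returning CRL from cache
certpath: Returning 1 CRLs
"""  # constructed excerpt modelled on the certpath sample above (not a real capture)
OCSP_LOG = """\
certpath: RevocationChecker.check: checking cert
  Subject: CN=*.abc.com
certpath: connecting to OCSP service at: http://ocsp.pki.abc/abc
certpath: Status of certificate (with serial number 75959046339453363611227911452581444111) is: GOOD
certpath: Verified signature of OCSP Response
"""  # constructed excerpt as well


def summarize_revocation(log):
    """Reduce certpath debug lines to: subject checked, mechanism, data source
    (network or the 30-second CRL cache) and outcome. Fields stay None/0 when
    the log never shows that step, so a check that did not run is visible."""
    s = {"subject": None, "mechanism": None, "source": None, "urls": [],
         "crls_returned": 0, "ocsp_status": None, "ocsp_signature_verified": False}
    for line in log.splitlines():
        if m := re.match(r"\s*Subject: (.+)", line):
            s["subject"] = m.group(1).strip()
        elif m := re.search(r"Trying to fetch CRL from DP (\S+)", line):
            s["mechanism"], s["source"] = "CRL", "network"
            s["urls"].append(m.group(1))
        elif "Returning CRL from cache" in line:
            s["source"] = "cache"  # served from the JDK's short-lived CRL cache
        elif m := re.search(r"Returning (\d+) CRLs", line):
            s["crls_returned"] = int(m.group(1))  # approved CRLs available for the final sweep
        elif m := re.search(r"connecting to OCSP service at: (\S+)", line):
            s["mechanism"], s["source"] = "OCSP", "network"
            s["urls"].append(m.group(1))
        elif m := re.search(r"Status of certificate .* is: (\w+)", line):
            s["ocsp_status"] = m.group(1)
        elif "Verified signature of OCSP Response" in line:
            s["ocsp_signature_verified"] = True
    return s


def revocation_check_ran(s):
    """True only when the log proves usable revocation data was obtained."""
    if s["mechanism"] == "CRL":
        return s["crls_returned"] > 0
    if s["mechanism"] == "OCSP":
        return s["ocsp_status"] is not None and s["ocsp_signature_verified"]
    return False  # neither mechanism appeared: revocation checking is probably still disabled
```

    Run it over a real certpath log from a BW engine or Designer session to confirm the properties took effect; a summary with mechanism None means the check never started.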

    References

    https://docs.oracle.com/javase/8/docs/technotes/guides/security/certpath...

    https://docs.oracle.com/javase/8/docs/technotes/guides/security/troubles...

