developerWorks Forums > IBM WebSphere DataPower SOA Appliance

Question about Validation Credentials and digital signatures
Replies: 3 - Last Post: Nov 23, 2009 12:42 PM by inestlerode

terza
Posts: 48
Registered: Feb 28, 2008 07:33:08 AM
Question about Validation Credentials and digital signatures
Posted: Nov 14, 2009 07:20:10 AM
Hi,
I have a Web Service that is expecting a digitally signed SOAP message and an X509 certificate (according to WS-Security). To verify the signature I have configured a "Verify" action into the processing policy and inside that action I have specified the necessary validation credentials.

My Validation Credentials consist of 3 CA certificates, and for those 3 CAs I have configured CRL update policies in the default domain. This is working as expected.

Now when I send a message to this service that is signed with a certificate that is not issued by any of my three CAs I get an error saying:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
	<env:Body>
		<env:Fault>
			<faultcode>env:Client</faultcode>
			<faultstring>unable to get certificate CRL (from client)</faultstring>
		</env:Fault>
	</env:Body>
</env:Envelope>

Is this the expected behaviour? To me it feels strange that you would even look for a CRL list if the certificate issuing CA is not on the list of approved CAs.

zhangcr
Posts: 45
Registered: Dec 04, 2007 04:13:12 PM
Re: Question about Validation Credentials and digital signatures
Posted: Nov 17, 2009 04:23:42 PM   in response to: terza's post
Is the "Require CRLs" attribute of the Validation Credentials set to on? If so, you may need to set it to off.
terza
Posts: 48
Registered: Feb 28, 2008 07:33:08 AM
Re: Question about Validation Credentials and digital signatures
Posted: Nov 18, 2009 03:42:37 AM   in response to: zhangcr's post

But I do require the CRL check for the approved certificates. If the CRL list expires and a new one cannot be downloaded for some reason, I do want to block access to the service. So I don't want to turn the "Require CRLs" attribute off.
inestlerode
Posts: 37
Registered: Jul 03, 2008 11:24:02 AM
Re: Question about Validation Credentials and digital signatures
Posted: Nov 23, 2009 12:42:31 PM   in response to: terza's post
> Is this the expected behaviour?

Yes (assuming that the valcred is set to use legacy mode). It may not be the most intuitive behavior, but it is the behavior that has always existed in legacy mode valcred validation.

> To me it feels strange that you would even look for a CRL list if the certificate issuing CA is not on the
> list of approved CAs.

Legacy mode has always checked CRLs first. PKIX mode does the CRL check when you would normally expect it to be done (at the very end after all of the other checks have been performed).
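The ordering difference described in this thread, as an added illustration that is not DataPower code: a small Python model in which legacy mode runs the CRL lookup before the issuer check and PKIX mode runs it last, with "Require CRLs" deciding whether a missing or stale CRL is fatal. The certificate, CRL and validation-credential objects are constructed stand-ins; the error strings other than the fault text quoted above are assumed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int

@dataclass
class Crl:
    issuer: str
    revoked: set = field(default_factory=set)
    expired: bool = False          # stale CRL that could not be refreshed

@dataclass
class Valcred:
    trusted_cas: set               # issuers held in the validation credentials
    crls: dict                     # issuer -> Crl, as fetched by the CRL update policy
    require_crls: bool = True      # the "Require CRLs" attribute
    mode: str = "legacy"           # "legacy" or "pkix"

    def _crl_check(self, cert: Cert) -> Optional[str]:
        crl = self.crls.get(cert.issuer)
        if crl is None or crl.expired:
            # No usable CRL for this issuer: fatal only when Require CRLs is on
            return "unable to get certificate CRL" if self.require_crls else None
        if cert.serial in crl.revoked:
            return "certificate revoked"
        return None

    def _chain_check(self, cert: Cert) -> Optional[str]:
        return None if cert.issuer in self.trusted_cas else "issuer not in validation credentials"

    def verify(self, cert: Cert) -> str:
        # Legacy: CRL first, then chain.  PKIX: chain first, CRL at the very end.
        order = ([self._crl_check, self._chain_check] if self.mode == "legacy"
                 else [self._chain_check, self._crl_check])
        for check in order:
            err = check(cert)
            if err:
                return err
        return "ok"

# Constructed sample data: three trusted CAs with current CRLs, one with a stale CRL
TRUSTED = {"CA1", "CA2", "CA3"}
CRLS = {"CA1": Crl("CA1", revoked={7}), "CA2": Crl("CA2"), "CA3": Crl("CA3", expired=True)}
UNKNOWN_ISSUER = Cert("client", "OtherCA", 1)   # signer not issued by any approved CA
```

Running `Valcred(TRUSTED, CRLS, mode="legacy").verify(UNKNOWN_ISSUER)` reproduces the fault text from the first post, while `mode="pkix"` reports the untrusted issuer instead; setting `require_crls=False` makes a stale CA3 CRL pass, which is exactly the outcome terza wants to avoid.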