Does anybody know how IHS handles multiple CDPs in the URIDistributionPoint X509 extension of the client certificate?
We have Client Authentication enabled with CRL checking in httpd.conf:
SSLClientAuth required crl
Furthermore, SSLCRLHostname is configured for "backwards compatibility":
I do not exactly understand why, but maybe there are some older client certificates in the field that do not have a CDP extension in them.
The newer client certificates have a URIDistributionPoint X509 extension that looks like this (sorry, some German words):
One LDAP resource, one HTTP resource:
Distribution Point Name:
The LDAP hostname in the certificate extension is the same as configured in httpd.conf SSLCRLHostname.
Normally this works fine, but we had multiple failures of the non-IBM LDAP resource in the last months. So we expected IHS to contact the HTTP resource as a kind of backup if LDAP was not reachable.
Obviously this did not happen, and login to the application failed because CRL checking was not possible.
But why was there no connection to the given HTTP server to check the CRL after LDAP failed?
Can anybody explain this behaviour?
How should it behave according to IBM's specifications? I did not find any documentation about this.
Is there a possibility to configure IHS to follow multiple CDPs before failing?
Thanks for any help.
Topic: CRL Checking with multiple CDPs in X509 certificate extension
Updated on 2012-03-30T11:59:35Z by SystemAdmin
SystemAdmin (110000D4XK, 3908 posts)
Re: CRL Checking with multiple CDPs in X509 certificate extension, 2012-03-29T15:05:27Z (accepted answer)
Yes -- The LDAP stuff is even more legacy than CRL in general and used to be the only source of CRL info. Current CRL support is still tied to enabling the explicit LDAP stuff.
Have you reviewed the summary of the processing here?
robin_kaiser_dsv (2700054NXF, 2 posts)
Re: CRL Checking with multiple CDPs in X509 certificate extension, 2012-03-30T11:10:12Z
Hi Eric,
thanks for your reply.
Yes, I already read the document you mentioned.
What I found there is:
... (For GSKit 22.214.171.124 and later, file:// and http:// CDPs are also followed)
But there is no comment on what happens if there are two different CDPs in the X509 cert extension.
In our case, IHS only follows the LDAP resource, not the HTTP resource, although both are given in the cert extension.
After IHS was not able to contact the LDAP resource, because the LDAP server was temporarily offline, we had expected that the HTTP resource would be contacted by IHS as a redundancy configuration. This did not happen.
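As an added illustration (it is not code from the thread, from IBM or from GSKit; the thread itself reports that IHS followed only the LDAP CDP), the Go program below shows the behaviour the poster expected: walk every URI in the certificate's cRLDistributionPoints extension in order, accept the first CRL that can be fetched and whose signature verifies against the issuing CA, and fail only once every CDP has been tried. It builds a throwaway CA and client certificate in memory so it runs offline; the LDAP and HTTP hostnames are assumed placeholders, the LDAP outage is simulated by fakeFetcher, and x509.ParseRevocationList and CheckSignatureFrom assume Go 1.19 or later. The deprecated RevokedCertificates field is used instead of RevokedCertificateEntries so the code also compiles on Go 1.19 and 1.20.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

type Fetcher func(uri string) ([]byte, error) // returns the DER CRL at one CDP URI (LDAP or HTTP in real life)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a key, signs tmpl under parent with signer (nil: self-signed), and re-parses the DER.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	if signer == nil {
		signer = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der) // re-parse so SubjectKeyId and the CDPs are populated
	must(err)
	return cert, key
}

// newTestPKI builds a throwaway CA and a client certificate listing an LDAP CDP first and an HTTP CDP second.
func newTestPKI() (ca *x509.Certificate, caKey ed25519.PrivateKey, client *x509.Certificate) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign: this CA may sign CRLs
	}
	ca, caKey = issue(caTmpl, caTmpl, nil)
	client, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: "client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		// Placeholder hosts (assumed), not the poster's real ones; encoded as the cRLDistributionPoints extension.
		CRLDistributionPoints: []string{"ldap://ldap.example.invalid/cn=CRL1?certificateRevocationList", "http://crl.example.invalid/crl1.crl"},
	}, ca, caKey)
	return ca, caKey, client
}

// issueCRL signs a CRL from the CA that marks the given serials revoked (none: an empty CRL).
func issueCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: entries}, ca, caKey)
	must(err)
	return der
}

// CheckRevocation walks the CDPs in certificate order, trusts the first CRL it can fetch and verify, fails only after all were tried.
func CheckRevocation(cert, issuer *x509.Certificate, fetch Fetcher) (bool, string, error) {
	var failures []string
	for _, uri := range cert.CRLDistributionPoints {
		der, err := fetch(uri)
		var crl *x509.RevocationList
		if err == nil {
			crl, err = x509.ParseRevocationList(der)
		}
		if err == nil {
			err = crl.CheckSignatureFrom(issuer) // never trust a CRL the issuer did not sign
		}
		if err != nil {
			failures = append(failures, uri+": "+err.Error())
			continue // fall through to the next CDP instead of failing the handshake
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return true, uri, nil
			}
		}
		return false, uri, nil
	}
	return false, "", errors.New("no usable CRL from any CDP: " + strings.Join(failures, "; "))
}

// fakeFetcher models the outage from the thread: LDAP refuses connections, HTTP serves crlDER.
func fakeFetcher(crlDER []byte, ldapUp bool) Fetcher {
	return func(uri string) ([]byte, error) {
		if strings.HasPrefix(uri, "ldap://") && !ldapUp {
			return nil, errors.New("connection refused")
		}
		return crlDER, nil
	}
}
```

Calling CheckRevocation(client, ca, fakeFetcher(issueCRL(ca, caKey), false)) returns (false, "http://crl.example.invalid/crl1.crl", nil): the LDAP fetch fails, the HTTP CDP is tried next, and the empty CRL passes signature verification against the CA. The order of the CDPs in the extension decides which source is tried first, and a CRL obtained from a fallback CDP is only as trustworthy as its signature, which is why the check verifies it before reading the revoked list; a production client would additionally reject a CRL past its NextUpdate and cache the last good CRL to bridge short outages of both CDPs.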
SystemAdmin (110000D4XK, 3908 posts)
Re: CRL Checking with multiple CDPs in X509 certificate extension, 2012-03-30T11:59:35Z
- robin_kaiser_dsv 2700054NXF
Should be able to compress a trace of a single request and attach it, otherwise you can email to firstname.lastname@example.org.