Certificate Validation

This topic explains how Process Platform validates certificates.

The Security Administration service validates certificate chains against its own Certificates store. A certificate is signed with the digital signature of a Certificate Authority (CA); the certificate of that CA is needed in turn, and so on up to the root CA. A root CA is trusted only when it appears in a selective list of trust anchors. This list is managed in the Certificates store of the Security Administration task. Refer to Managing Certificates for more information.

A CA can revoke a published certificate by listing it in a Certificate Revocation List (CRL). A CRL contains the list of revoked certificates and is protected by an expiry period and a digital signature. A certificate can contain a CRL location. The Security Administration service optionally downloads the CRL and checks the revocation status of the certificates. The Security Administration service marks a certificate as invalid when the CRL is not available, that is, it fails closed. This is done so that a DDoS attack on a CRL server does not give an attacker an advantage.

Online CRL retrieval might result in runtime stability issues. Refer to Deployment considerations for more information.

Also refer to Troubleshooting Certificate Status and Revocation, Certificate Revocation List, and Types of Certificates for more information.

Deployment considerations

For complete certificate validation it is necessary to have access to up-to-date CRLs. Normally CRLs have an expiry period of a few weeks, so online access is needed as well. Failing to download a CRL causes certificate validation to report an invalid certificate; hence the UDDI request is blocked, as a valid SSL connection is required. This setup makes the functioning of the Process Platform solution dependent on third-party servers on the internet, which might result in the following:

  • When Process Platform does not have internet access, validation fails
  • Internet access interruptions cause failures
  • Unresponsive CRL servers cause failures

Because of the above scenarios, CRL checking is disabled by default.

Enabling CRL checking

CRL checking can be enabled by setting the following Security Administration property:

certificatemanager.validation.revocation.enabled=true
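The validation policy described above (climb the issuer chain to a root CA, accept only roots that are trust anchors, and, when revocation checking is enabled, treat an unavailable or expired CRL as an invalid certificate) as an added, simplified model in Python. This is illustration code, not the Security Administration service's implementation; the Cert and CRL classes, the store dictionary and the fetch_crl callback are assumptions standing in for real X.509 objects and a real CRL download.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    crl_url: "str | None" = None  # CRL distribution point carried by the certificate, if any
@dataclass(frozen=True)
class CRL:
    issuer: str
    next_update: datetime
    revoked: frozenset = frozenset()  # serial numbers listed as revoked
def validate(leaf, store, anchors, fetch_crl, revocation_enabled=False):
    """Return (ok, reason); fetch_crl(url) -> CRL, raising when the download fails."""
    chain, cert = [], leaf
    while cert.subject != cert.issuer:  # climb issuer by issuer until a self-signed root
        chain.append(cert)
        cert = store.get(cert.issuer)
        if cert is None:
            return False, f"issuer {chain[-1].issuer} missing from Certificates store"
    if cert.subject not in anchors:
        return False, f"root {cert.subject} is not a trust anchor"
    if not revocation_enabled:  # the product default: chain check only
        return True, "chain ok, revocation not checked"
    for c in chain:
        if c.crl_url is None:
            continue
        try:
            crl = fetch_crl(c.crl_url)
        except Exception as exc:  # fail closed: an unavailable CRL makes the certificate invalid
            return False, f"CRL unavailable for {c.subject}: {exc}"
        if crl.issuer != c.issuer or crl.next_update < datetime.now(timezone.utc):
            return False, f"CRL for {c.subject} is expired or from the wrong issuer"
        if c.serial in crl.revoked:
            return False, f"{c.subject} serial {c.serial} is revoked"
    return True, "chain ok, revocation checked"

# Constructed sample PKI: root -> issuing CA -> server certificate (not real certificates)
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1)
ISSUING = Cert("CN=Example Issuing CA", ROOT.subject, 2, "http://crl.example/root.crl")
LEAF = Cert("CN=uddi.example", ISSUING.subject, 3, "http://crl.example/issuing.crl")
STORE = {ROOT.subject: ROOT, ISSUING.subject: ISSUING}

def crl_ok(url):  # simulated download of a fresh CRL with nothing revoked
    return CRL(ROOT.subject if url.endswith("root.crl") else ISSUING.subject, datetime(2030, 1, 1, tzinfo=timezone.utc))

def crl_down(url):  # simulated unreachable CRL server
    raise ConnectionError("connection timed out")
```

With revocation checking disabled the chain passes even when crl_down is used; with it enabled the same chain is rejected, which is the trade-off the deployment considerations describe.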

A more manageable form of revocation checking is the Online Certificate Status Protocol (OCSP). With OCSP the Security Administration service connects to a single (on-premise) responder to fetch the certificate status. With such a setup, the Process Platform solution no longer depends on third-party services while still leveraging the complete SSL security.

OCSP can be enabled by setting the following Security Administration property:

ocsp.responderURL=<ocsp responder endpoint>

Examples of OCSP responder products: