Certificate System 7.1 Agent Revocation Checking will not turn off
Environment
- Red Hat Certificate System 7.1
- Red Hat Enterprise Linux 4
Issue
- In Certificate System 7.1, the logs show agent revocation checking taking place even when auths.revocationChecking.enabled=false
Resolution
- This will be fixed in Certificate System 8.1
- There is no impact to the system from this; it only generates log entries
Diagnostic Steps
[07/Jan/2009:14:52:08 -0500] conn=1 op=24 SRCH base="cn=69,ou=certificateRepository, ou=ca, o=NetscapeCertificateServer" scope=0 filter="(objectClass=*)" attrs=ALL
and
[07/Jan/2009:14:52:08 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
Both entries are produced in:
cms/classsrc/com/netscape/cmscore/authentication/SSLClientCertAuthentication.java
in
public IAuthToken authenticate(IAuthCredentials authCred)
by the call
record = (ICertRecord) mCertDB.readCertificateRecord(serialNum);
which searches the certificate repository for the serial number of the certificate presented.
Once the attributes are retrieved, some processing is done for certificate status verification, among other things. A second search then verifies that this certificate is present somewhere under ou=People,o=NetscapeCertificateServer:
[07/Jan/2009:14:52:08 -0500] conn=2 op=8 SRCH base="ou=People,o=NetscapeCertificateServer" scope=2 filter="(description=2;69;CN=your cn)" attrs=ALL
This determines which group the certificate belongs to, according to the CA's active configuration, and completes with:
[07/Jan/2009:14:52:08 -0500] conn=2 op=8 RESULT err=0 tag=101 nentries=1 etime=0
This second search is performed by
cms/classsrc/com/netscape/cmscore/usrgrp/ExactMatchCertUserLocator.java
in
public class ExactMatchCertUserLocator implements ICertUserLocator {
The lookup in ou=People,o=NetscapeCertificateServer determines which groups the certificate belongs to and which rights are associated with it.
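To confirm that the entries you are seeing are this harmless pattern and nothing else, the following added example (not part of this Red Hat solution, and not Certificate System code) pairs each SRCH in an access log with its RESULT on the same conn/op and flags the two lookups described above: the read of the certificate record by serial number under ou=certificateRepository, and the ou=People search whose description filter carries the same serial. The sample lines are constructed from the excerpts above plus one unrelated search; the step names and the assumption that the second ';'-separated field of the description filter is the decimal serial are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample lines, modeled on the access log excerpts quoted in the
# article (not taken from a live Certificate System deployment).
SAMPLE_LOG = """\
[07/Jan/2009:14:52:08 -0500] conn=1 op=24 SRCH base="cn=69,ou=certificateRepository, ou=ca, o=NetscapeCertificateServer" scope=0 filter="(objectClass=*)" attrs=ALL
[07/Jan/2009:14:52:08 -0500] conn=1 op=24 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jan/2009:14:52:08 -0500] conn=2 op=8 SRCH base="ou=People,o=NetscapeCertificateServer" scope=2 filter="(description=2;69;CN=your cn)" attrs=ALL
[07/Jan/2009:14:52:08 -0500] conn=2 op=8 RESULT err=0 tag=101 nentries=1 etime=0
[07/Jan/2009:14:52:09 -0500] conn=3 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
[07/Jan/2009:14:52:09 -0500] conn=3 op=1 RESULT err=0 tag=101 nentries=0 etime=0
"""

# Leading fields shared by every SRCH/RESULT access log entry.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>SRCH|RESULT) (?P<rest>.*)$'
)
# key=value pairs; quoted values (DNs, filters) may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(rest):
    """Turn 'base="..." scope=0 filter="..."' into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(rest)}


def classify_search(base, filt):
    """Name the authentication step a search corresponds to and the serial
    number it concerns. The step names are this example's own labels."""
    b = base.replace(' ', '').lower()
    if 'ou=certificaterepository' in b:
        m = re.match(r'cn=(\d+),', b)          # cn=<decimal serial>,ou=...
        return 'cert-record-lookup', (m.group(1) if m else None)
    if b.startswith('ou=people,'):
        # Assumption: the second ';'-separated field of the description
        # filter is the decimal serial, as in the article's excerpt.
        m = re.match(r'\(description=\d+;(\d+);', filt)
        return 'user-lookup', (m.group(1) if m else None)
    return 'other', None


def correlate(log_text):
    """Pair each SRCH with the RESULT on the same (conn, op); return one dict
    per completed search, in the order the results appear."""
    pending, events = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m['conn'], m['op'])
        kv = parse_kv(m['rest'])
        if m['kind'] == 'SRCH':
            step, serial = classify_search(kv.get('base', ''), kv.get('filter', ''))
            pending[key] = {'ts': m['ts'], 'conn': int(m['conn']), 'op': int(m['op']),
                            'step': step, 'serial': serial,
                            'base': kv.get('base'), 'filter': kv.get('filter')}
        elif key in pending:  # RESULT closing a search we have seen
            ev = pending.pop(key)
            ev['err'] = int(kv.get('err', -1))
            ev['nentries'] = int(kv.get('nentries', -1))
            events.append(ev)
    return events


def agent_auth_sequences(events):
    """Group completed searches by serial and keep only serials showing the
    full pattern from the article: a certificate record read plus an
    ou=People lookup. Returns {serial: {step: event}}."""
    by_serial = defaultdict(dict)
    for ev in events:
        if ev['serial'] is not None:
            by_serial[ev['serial']][ev['step']] = ev
    return {s: steps for s, steps in by_serial.items()
            if 'cert-record-lookup' in steps and 'user-lookup' in steps}


if __name__ == '__main__':
    for serial, steps in agent_auth_sequences(correlate(SAMPLE_LOG)).items():
        rec, usr = steps['cert-record-lookup'], steps['user-lookup']
        print(f"serial {serial}: cert record read (conn={rec['conn']} op={rec['op']}, "
              f"nentries={rec['nentries']}) then ou=People lookup "
              f"(conn={usr['conn']} op={usr['op']}, nentries={usr['nentries']})")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a serial that shows the certificate record read with nentries=1 and the ou=People lookup with nentries=1 is exactly the benign sequence this article describes, while a user-lookup returning nentries=0 would mean the presented certificate is not mapped to any agent entry.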