OPENAM-9645: CRL-only validation fails with "Responder's certificate is not authorized to sign OCSP responses"


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: authentication
    • Environment: CentOS 6.4

      openjdk version "1.8.0_101"
      OpenJDK Runtime Environment (build 1.8.0_101-b13)
      OpenJDK 64-Bit Server VM (build 25.101-b13, mixed mode)


    Description

      I only configured the certificate module to check CRLs, i.e. "Match Certificate to CRL" and not "OCSP Validation". I also did not configure OCSP in the "security" section of "Server and Sites".
      However, OpenAM fails to validate the certificate with an irrelevant OCSP-related error: "ERROR: AMCertPath.verify: FAILED - Responder's certificate is not authorized to sign OCSP responses".
      That error means that OCSP is used for validation, but as the following log line shows, OCSP is disabled:
      AMCertPath.verify: ocspEnabled ---> false

      I should also mention that OpenAM successfully retrieves the CRLs (the user's and the CA's CRL) from the LDAP directory and dumps them in the logs.
      Some other hints:

      • the user certificate's issuer field matches the issuer field of the OCSP responder's certificate, and
      • our OCSP responder's certificate has the "OCSP Signing" extended key usage.
      • I successfully imported the trust chain (the CA's certificates) into the Java keystore, i.e. "cacerts".

      Here is part of logs:

      amSecurity:09/05/2016 08:40:42:157 AM IRDT: Thread[http-nio-8443-exec-9,5,main]
      AMCertPath.verify: invoked !
      amSecurity:09/05/2016 08:40:42:157 AM IRDT: Thread[http-nio-8443-exec-9,5,main]
      AMCertPath.verify: crlEnabled ---> true
      amSecurity:09/05/2016 08:40:42:157 AM IRDT: Thread[http-nio-8443-exec-9,5,main]
      AMCertPath.verify: ocspEnabled ---> false
      amSecurity:09/05/2016 08:40:42:157 AM IRDT: Thread[http-nio-8443-exec-9,5,main]
      The policy-related state in the PKIXParameters passed to the PKIX CertPathValidator:
              getInitialPolicies: []
              isExplicitPolicyRequired: false
              isPolicyMappingInhibited: false
      
      amSecurity:09/05/2016 08:40:43:025 AM IRDT: Thread[http-nio-8443-exec-9,5,main]
      ERROR: AMCertPath.verify: FAILED - Responder's certificate is not authorized to sign OCSP responses
      amSecurity:09/05/2016 08:40:43:026 AM IRDT: Thread[http-nio-8443-exec-9,5,main]
      AMCertPath.verify: FAILED
      java.security.cert.CertPathValidatorException: Responder's certificate is not authorized to sign OCSP responses
              at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
              at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
              at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
              at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
              at com.sun.identity.security.cert.AMCertPath.verify(AMCertPath.java:173)
              at com.sun.identity.authentication.modules.cert.Cert.doJCERevocationValidation(Cert.java:572)
              at com.sun.identity.authentication.modules.cert.Cert.process(Cert.java:483)
              at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1023)
              at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1093)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:210)
              at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:123)
              at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:558)
              at com.sun.identity.authentication.service.AMLoginContext.executeLogin(AMLoginContext.java:518)
              at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:544)
              at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:436)
              at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:287)
              at com.sun.identity.authentication.server.AuthContextLocal.login(AuthContextLocal.java:219)
      ...
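As an added example (not OpenAM's code and not from this ticket): how a Java 8 application expresses the configuration the reporter describes, CRL-only revocation checking with OCSP never consulted, using the explicit PKIXRevocationChecker API rather than the legacy revocation path. It assumes placeholder PEM files for the user certificate, the issuing CA certificate(s) used as trust anchors, and that CA's CRL; with a single issuing CA the path is just the leaf certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/** CRL-only PKIX path validation: the validator never makes an OCSP request. */
public class CrlOnlyValidation {
    public static void main(String[] args) throws Exception {
        // Assumed inputs (placeholders, not files from the ticket).
        String leafPem  = args.length > 0 ? args[0] : "user-cert.pem";
        String caPem    = args.length > 1 ? args[1] : "issuing-ca.pem";
        String crlPem   = args.length > 2 ? args[2] : "issuing-ca.crl.pem";

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> path = new ArrayList<>();
        try (InputStream in = new FileInputStream(leafPem)) { path.add(cf.generateCertificate(in)); }
        Set<TrustAnchor> anchors = new HashSet<>();
        try (InputStream in = new FileInputStream(caPem)) {
            for (Certificate c : cf.generateCertificates(in)) anchors.add(new TrustAnchor((X509Certificate) c, null));
        }
        CRL crl;
        try (InputStream in = new FileInputStream(crlPem)) { crl = cf.generateCRL(in); }

        // Diagnostic: the legacy path (setRevocationEnabled(true) with no checker added)
        // lets the JDK decide between OCSP and CRLs from this security property, so an
        // application-level "ocspEnabled=false" flag is not the whole story.
        System.out.println("JDK ocsp.enable = " + Security.getProperty("ocsp.enable"));

        // Explicit checker (Java 8+): prefer CRLs and never fall back to OCSP.
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                 PKIXRevocationChecker.Option.NO_FALLBACK));

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);
        params.addCertPathChecker(rc);
        // Supply the CRL locally, as OpenAM does after fetching it from LDAP.
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singleton(crl))));

        try {
            cpv.validate(cf.generateCertPath(path), params);
            System.out.println("VALID: certificate chains to the anchor and is not on the CRL");
        } catch (CertPathValidatorException e) {
            // getReason() separates REVOKED from UNDETERMINED_REVOCATION_STATUS (e.g. unusable CRL)
            System.out.println("FAILED (" + e.getReason() + "): " + e.getMessage());
        }
    }
}
```

Compile with javac and run with the three file paths as arguments; with NO_FALLBACK set, a missing or unusable CRL fails the path with reason UNDETERMINED_REVOCATION_STATUS instead of triggering an OCSP lookup.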
          People

            Assignee: Unassigned
            Reporter: Ats Abb T [X] (Inactive)