#1250 Missing RA subsystem module
Closed: Duplicate None Opened 9 years ago by edewata.

There are several Registration Authority subsystems:
1. Java-based RA subsystem "module" in Tomcat subsystems
2. Apache HTTPD-based RA subsystem which no longer exists
This ticket concerns the Java-based RA subsystem "module" in Tomcat subsystems.

The RA subsystem "module" is supposed to be a class inheriting from the IRegistrationAuthority interface. This "module" is used by non-CA subsystems to check the certificate revocation status since they don't have direct access to the certificate database.

The problem is the "module" currently does not exist. There is no class inheriting the IRegistrationAuthority interface, and there is no RA subsystem "module" configured in any of the Tomcat subsystems. Currently the certificate-based authentication is failing silently and incorrectly passing all revoked certificates.

Proposed fix:
1. Change the code to fail the authentication if the RA subsystem "module" is missing.
2. Implement an RA subsystem "module" or change CMS.isRevoked() to verify the certificate against the CA directly without the RA subsystem "module".

This ticket is needed by the following tickets which are scheduled for 10.2.2:


Per discussion with jmagne and cfu, there are some options to fix issue #2:

  • Replace the RA subsystem "module" with an OCSP client to call CA's OCSP servlet.
  • Replace the RA subsystem "module" with a REST client to call a new REST service in CA that performs certificate validation.

The first option is preferable since it's more standard and probably can be implemented with the existing OCSPClient.

This problem only affects non-CA subsystems running in a shared instance. Non-CA subsystems running in separate instances can use OCSP to work with a remote OCSP responder.

If revocation checking in shared instance is critical, this ticket should be fixed in 10.2.2. Otherwise, this ticket (also #1134 and #1182) probably can be moved into 10.3.
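The two behaviours discussed above, the current fail-open path (a missing RA "module" lets every certificate through) and proposed fix #1 (fail the authentication when the module is missing), side by side, with the OCSP-client option standing in as the pluggable checker. This is an added illustration, not Dogtag code: RevocationChecker, SubsystemRegistry, CertAuthenticator and StubOcspClient are hypothetical names, and the registry lookup and in-memory revoked set are constructed stand-ins for the real subsystem lookup and CA responder.

```java
import java.math.BigInteger;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Added illustration, not Dogtag code. All class and interface names below are hypothetical.

/** Stand-in for the revocation check the RA "module" was meant to provide. */
interface RevocationChecker {
    boolean isRevoked(BigInteger serial) throws RevocationCheckException;
}

/** The status could not be determined (responder unreachable, malformed response, ...). */
class RevocationCheckException extends Exception {
    RevocationCheckException(String msg) { super(msg); }
}

/** Certificate-based authentication must be rejected. */
class AuthenticationException extends Exception {
    AuthenticationException(String msg) { super(msg); }
}

/** Minimal lookup table standing in for a Tomcat instance's subsystem registry. */
class SubsystemRegistry {
    private final Map<String, Object> subsystems = new HashMap<>();
    void register(String name, Object subsystem) { subsystems.put(name, subsystem); }
    Object lookup(String name) { return subsystems.get(name); } // null when not configured
}

class CertAuthenticator {
    private final SubsystemRegistry registry;
    CertAuthenticator(SubsystemRegistry registry) { this.registry = registry; }

    /** Fail-open variant: the behaviour the ticket reports. A missing module means "not revoked". */
    boolean isRevokedFailOpen(BigInteger serial) {
        RevocationChecker ra = (RevocationChecker) registry.lookup("ra");
        if (ra == null) {
            return false; // BUG: nothing was checked, yet every certificate passes
        }
        try {
            return ra.isRevoked(serial);
        } catch (RevocationCheckException e) {
            return false; // BUG: an unreachable responder also passes everything
        }
    }

    /** Fail-closed variant (proposed fix #1): a missing module or an undecidable status rejects the login. */
    boolean isRevokedFailClosed(BigInteger serial) throws AuthenticationException {
        RevocationChecker ra = (RevocationChecker) registry.lookup("ra");
        if (ra == null) {
            throw new AuthenticationException("no revocation checker configured; refusing certificate auth");
        }
        try {
            return ra.isRevoked(serial);
        } catch (RevocationCheckException e) {
            throw new AuthenticationException("revocation status undetermined: " + e.getMessage());
        }
    }
}

/** Constructed stand-in for an OCSP client asking the CA; answers from a fixed set of revoked serials. */
class StubOcspClient implements RevocationChecker {
    private final Set<BigInteger> revoked;
    StubOcspClient(Set<BigInteger> revoked) { this.revoked = revoked; }
    @Override
    public boolean isRevoked(BigInteger serial) { return revoked.contains(serial); }
}

public class RevocationDemo {
    public static void main(String[] args) throws Exception {
        BigInteger revokedSerial = BigInteger.valueOf(42); // constructed sample serial
        SubsystemRegistry noRa = new SubsystemRegistry();   // no RA module registered, as in the ticket

        CertAuthenticator broken = new CertAuthenticator(noRa);
        System.out.println("fail-open, no RA module: revoked=" + broken.isRevokedFailOpen(revokedSerial));

        try {
            broken.isRevokedFailClosed(revokedSerial);
        } catch (AuthenticationException e) {
            System.out.println("fail-closed, no RA module: " + e.getMessage());
        }

        SubsystemRegistry withOcsp = new SubsystemRegistry();
        withOcsp.register("ra", new StubOcspClient(Set.of(revokedSerial)));
        CertAuthenticator fixed = new CertAuthenticator(withOcsp);
        System.out.println("fail-closed, OCSP stub: revoked=" + fixed.isRevokedFailClosed(revokedSerial));
    }
}
```

The point the first variant makes is that the defect is not only the absent module: catching the checker's exception and returning false fails open in the same way, so any replacement (OCSP client or REST client) should surface "unknown" as a rejection, not as "not revoked".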

Per triage meeting of 2/25/2015: 10.2.3

This ticket is merged into #1202.

Metadata Update from @edewata:
- Issue set to the milestone: 10.2.3

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/1812

If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
