CRL Finder Plug-ins

The DirX Access cryptography service supports callouts during certificate validation and can retrieve CRLs through a plug-in interface, so that the task of finding CRLs during validation of X.509 certificate credentials can be externalized. This chapter describes how to create and deploy a CRL finder callout handler that performs this task.

About CRL Finder Plug-ins

According to the X.509 standard, CRLs are used to determine whether an X.509 certificate has been revoked and is therefore no longer valid. DirX Access can retrieve externally stored CRLs during certificate validation. Certificate validation is invoked by the following actions:

  • Logging in using the X.509 certificate authentication method.

  • Processing of a signed SAML assertion.

The CRL finder can supply CRLs either as already validated (CRLFinderCallout#getCRLs) or in an unknown-validity state (CRLFinderCallout#fetchCRLs). CRLs returned as validated are used directly to validate the X.509 certificate or signature; CRLs of unknown validity must be validated first, and the finder returns the validated ones via CRLFinderCallout#addCRLs. Whether and how a CRL's validity is checked is left entirely to the CRL finder implementation: the DirX Access Server accepts whatever the finder reports as validated without further checks. A finder that reports a CRL as validated without verifying its signature against the issuing CA, its issuer name and its thisUpdate/nextUpdate period therefore lets a forged, substituted or stale CRL decide the revocation status of certificates.
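The checks a finder should run before it reports a CRL as validated, as an added example written for this page (it is not DirX Access code). The class name CrlValidation, the method names and the use of a URL as the CRL location are assumptions; the page gives the names of the CRLFinderCallout methods but not their signatures, so the example does not implement the interface and only provides the retrieval and validation logic that a getCRLs implementation would call before returning, or that a fetchCRLs/addCRLs pair would call between fetching and adding.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Checks a CRL finder should perform before reporting a CRL to DirX Access as
 * "validated". Hypothetical helper class written for this example; it is not
 * part of DirX Access and does not implement CRLFinderCallout, whose method
 * signatures are not shown on this page.
 */
public final class CrlValidation {

    private CrlValidation() {}

    /** Retrieves the raw CRL bytes from an external location (file:, http:, ...). */
    public static byte[] fetchEncoded(URL crlLocation) throws IOException {
        try (InputStream in = crlLocation.openStream()) {
            return in.readAllBytes();
        }
    }

    /** Parses a DER- or PEM-encoded CRL. The result is of unknown validity. */
    public static X509CRL parseCrl(byte[] encoded) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509CRL) cf.generateCRL(new ByteArrayInputStream(encoded));
    }

    /**
     * Returns the CRL if it may be used to check certificates issued by caCert,
     * otherwise throws. A CRL that fails any check must be treated as absent,
     * never as "nothing revoked".
     */
    public static X509CRL validate(X509CRL crl, X509Certificate caCert, Date now)
            throws GeneralSecurityException {
        // 1. Issuer binding: the CRL must be issued by the CA whose certificates it covers
        //    (indirect CRLs are deliberately not accepted here).
        if (!crl.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new GeneralSecurityException("CRL issuer does not match CA subject");
        }
        // 2. If the CA certificate carries a KeyUsage extension, bit 6 (cRLSign) must be set.
        boolean[] keyUsage = caCert.getKeyUsage();
        if (keyUsage != null && (keyUsage.length <= 6 || !keyUsage[6])) {
            throw new GeneralSecurityException("CA certificate is not permitted to sign CRLs");
        }
        // 3. Signature: rejects forged or tampered CRLs. verify() throws on failure.
        crl.verify(caCert.getPublicKey());
        // 4. Freshness: thisUpdate must not lie in the future, and nextUpdate (if present)
        //    must not have passed. A stale CRL can hide revocations made since it was issued.
        if (crl.getThisUpdate().after(now)) {
            throw new GeneralSecurityException("CRL thisUpdate is in the future");
        }
        Date next = crl.getNextUpdate();
        if (next != null && !next.after(now)) {
            throw new GeneralSecurityException("CRL is stale, nextUpdate was " + next);
        }
        return crl;
    }

    /** Convenience: fetch, parse and validate in one step (the getCRLs path). */
    public static X509CRL fetchValidated(URL crlLocation, X509Certificate caCert)
            throws IOException, GeneralSecurityException {
        return validate(parseCrl(fetchEncoded(crlLocation)), caCert, new Date());
    }
}
```

The clock is passed in explicitly so the freshness rules can be unit-tested with fixed dates. The exceptions are deliberately not caught: the server has no way to distinguish a silently dropped check from a passed one, so a finder should fail loudly rather than hand back a CRL it could not verify.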

Developing a CRL Finder

This section describes the tasks necessary for developing a custom CRL finder.

Externalizing the CRL Finder from the DirX Access Server

The DirX Access Server allows the task of CRL retrieval to be externalized. To do so, create a CRL finder that implements the CRLFinderCallout interface (net.atos.dirx.access.crypto.api.callout.CRLFinderCallout). The implementing class must reside in a package that is exported by an OSGi bundle.
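An OSGi bundle manifest that satisfies the requirement above, as an added example and not a file shipped with DirX Access. The bundle name and the package com.example.dirx.crlfinder are assumptions; the imported package is the callout API package named on this page, and it is assumed the server makes that package available to installed bundles.

```text
Bundle-ManifestVersion: 2
Bundle-SymbolicName: com.example.dirx.crlfinder
Bundle-Version: 1.0.0
Export-Package: com.example.dirx.crlfinder
Import-Package: net.atos.dirx.access.crypto.api.callout
```

The class entered later under Class name in the callout handler configuration must live in the exported package, for example com.example.dirx.crlfinder.MyCrlFinder.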

Employing the CRL Finder

The steps needed to employ the custom finder are outlined in the section Employing External Plug-in Modules.

Using the CRL Finder

The following tasks need to be performed to use a CRL finder. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.

Prerequisites

To successfully employ the custom CRL finder, the OSGi bundle exporting the package containing the callout implementation must be installed on the DirX Access Server. To accomplish this task, make sure you have performed all of the steps described in the section Employing External Plug-in Modules.

Configuring the Custom CRL Finder at the DirX Access Server

To configure the custom CRL finder at the DirX Access Server:

  • In DirX Access Manager, go to Configuration | Extension modules.

  • Create the callout handler <CalloutIdentifier>.

    • Go to Callout handlers and click the “add” icon to create a new callout handler.

    • Identifier: <CalloutIdentifier>.

    • Description: arbitrary.

    • Type: select CrlFinderEvents.

    • Class name: enter the fully-qualified Java class name of the callout implementation.

    • Click Save.

  • In DirX Access Manager, go to Servers | Cluster.

    • Select the identifier of the server to which the custom CRL finder is to be added.

    • In CRL callout handler identifier in the Crypto Service section, select <CalloutIdentifier>.

    • Click Save.