Bug 445052

Summary: HTTP 1.1 support when fetching CRLs
Product: [Retired] Dogtag Certificate System
Reporter: Bob Lord <blord>
Component: CA
Assignee: Andrew Wnuk <awnuk>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: low
Priority: urgent
Version: 1.0
CC: awnuk, benl, dpal, mharmsen
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-07-22 23:28:41 UTC
Bug Blocks: 443788
Attachments:
-adding compression (flags: none)
-small correction (flags: none)

Description Bob Lord 2008-05-02 23:35:15 UTC
Description of problem:
Earlier versions of CS did not allow clients to fetch CRLs via HTTP1.1.  They
were forced to use HTTP1.0.

Dogtag should allow the following features:
-compression of the CRLs
-byte ranges so clients that were only able to fetch part of the CRL can retry,
starting in the middle of the CRL file. 
-If-Modified-Since so clients do not refetch a CRL they have previously fetched
and cached.

Comment 1 Andrew Wnuk 2009-02-20 23:37:26 UTC
attachment (id=330055)
allows generating a link to the latest CRL via file publishing.

attachment (id=330387)
minor modifications

Now you need to configure Tomcat to support Partial Content GET requests to retrieve the latest CRL.

Comment 3 Andrew Wnuk 2009-03-13 00:18:32 UTC
Here is the procedure:

1. Create a target directory to be used by the CRL file publisher.
   For example: /var/lib/pki-ca/webapps.ee/ca/ee/ca/crl

2. Create a CRL file publisher using the same target directory,
   with the link to the latest CRL enabled. The default link name is derived
   from the name of the CRL issuing point and combined with the extension entered
   via the file publisher editor. The default link extension is 'der'.

3. Create a file CRL rule using the previously created CRL file publisher
   and the NoMap mapper. Disable all unused rules.

4. Enable publishing but keep the default LDAP connection disabled.

5. Modify /var/lib/pki-ca/conf/server.xml by adding a context container
   in the EE section matching the previously created target directory.
   For example:
     <Context path="/ca/ee/ca/crl"
      docBase="/var/lib/pki-ca/webapps.ee/ca/ee/ca/crl" allowLinking="true"/>

6. The missing part of a CRL after an interrupted download can be retrieved with
   wget -c http://<hostname>:9180/ca/ee/ca/crl/MasterCRL.bin

7. An interrupted download can be emulated by
   wget http://<hostname>:9180/ca/ee/ca/crl/MasterCRL.bin
   mv MasterCRL.bin MasterCRL.bin.full
   dd if=MasterCRL.bin.full of=MasterCRL.bin count=100 bs=1
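
As an added example (not part of the bug report or of the Dogtag code), the resume logic a CRL client needs for step 6: request the missing tail with a Range header, accept the 206 body only when the server's Content-Range confirms the requested offset, fall back to the full body when the server ignores Range, and check the result against the DER length header so a still-truncated file is never treated as a valid CRL. The transport is abstracted as a callable so it runs offline against a constructed fake server; the function names, the fake server and the 302-byte stand-in for MasterCRL.bin are all assumptions (the blob is a bare DER SEQUENCE, not a real CRL).

```python
# Added example, not from the bug or Dogtag: resume an interrupted CRL download
# with an HTTP/1.1 Range request (what 'wget -c' does in step 6) and refuse a
# result that is not a complete DER object. All function names are hypothetical.
def der_expected_length(data: bytes):
    """Length the DER SEQUENCE starting in `data` (an X.509 CRL is one) must have
    per its length header, or None if the header itself is incomplete."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def resume_crl(partial: bytes, fetch) -> bytes:
    """Complete `partial`; fetch(headers) does the GET, returning (status, headers, body)."""
    status, hdrs, body = fetch({"Range": f"bytes={len(partial)}-"})
    if status == 206:
        # Append only if the server confirms the offset asked for; appending an
        # unverified body would silently corrupt the CRL.
        if not hdrs.get("Content-Range", "").startswith(f"bytes {len(partial)}-"):
            raise ValueError("Content-Range does not match requested offset")
        data = partial + body
    elif status == 200:                    # Range ignored (e.g. HTTP/1.0-only server)
        data = body
    elif status == 416:                    # requested offset is past the end: nothing left
        data = partial
    else:
        raise RuntimeError(f"unexpected HTTP status {status}")
    if der_expected_length(data) != len(data):
        raise ValueError("downloaded CRL is not a complete DER object")
    return data

def make_server(full: bytes, honours_range=True):
    """Constructed fake origin serving `full`; stands in for Tomcat on :9180."""
    def fetch(headers):
        rng = headers.get("Range")
        if rng and honours_range:
            start = int(rng[len("bytes="):-1])
            if start >= len(full):
                return 416, {"Content-Range": f"bytes */{len(full)}"}, b""
            return 206, {"Content-Range": f"bytes {start}-{len(full) - 1}/{len(full)}"}, full[start:]
        return 200, {"Content-Length": str(len(full))}, full
    return fetch

# Constructed stand-in for MasterCRL.bin: a 302-byte DER SEQUENCE (content length 0x012a = 298), not a real CRL.
FAKE_CRL = b"\x30\x82\x01\x2a" + bytes(range(256)) + bytes(42)
```

FAKE_CRL[:100] mirrors the truncation step 7 produces with dd; resume_crl(FAKE_CRL[:100], make_server(FAKE_CRL)) returns the complete blob.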

Comment 6 Andrew Wnuk 2009-03-26 20:23:32 UTC
Created attachment 336885 [details]
adding compression

Comment 7 Andrew Wnuk 2009-03-26 20:40:55 UTC
Created attachment 336891 [details]
small correction

Comment 8 Matthew Harmsen 2009-03-26 20:46:23 UTC
attachment (id=336885)
attachment (id=336891) +mharmsen

Comment 9 Andrew Wnuk 2009-03-26 21:19:27 UTC
svn commit pki/dogtag/util/pki-util.spec
Sending        pki/dogtag/util/pki-util.spec
Transmitting file data .
Committed revision 334.

svn commit pki/dogtag/common/pki-common.spec
Sending        pki/dogtag/common/pki-common.spec
Transmitting file data .
Committed revision 335.

svn commit pki/base/util/src/netscape/security/x509/X509CRLImpl.java
Sending        pki/base/util/src/netscape/security/x509/X509CRLImpl.java
Transmitting file data .
Committed revision 336.

svn commit pki/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
Sending        pki/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
Transmitting file data .
Committed revision 337.

Comment 10 Kashyap Chamarthy 2009-06-02 03:36:46 UTC
Verified: Was able to successfully retrieve Full CRL, new CRL, missing CRL (in case of interrupted download)