Description of problem: Earlier versions of CS did not allow clients to fetch CRLs via HTTP1.1. They were forced to use HTTP1.0. Dogtag should allow the following features:
- compression of the CRLs
- byte ranges so clients that were only able to fetch part of the CRL can retry, starting in the middle of the CRL file.
- If-Modified-Since so clients do not refetch a CRL they have previously fetched and cached.
attachment (id=330055) allows generating a link to the latest CRL via file publishing.
attachment (id=330387): minor modifications.
Now you need to configure Tomcat to support Partial Content GET requests to retrieve the latest CRL.
Here is the procedure:
1. Create a target directory to be used by the CRL file publisher. For example: /var/lib/pki-ca/webapps.ee/ca/ee/ca/crl
2. Create a CRL file publisher using the same target directory with the link to the latest CRL enabled. The default link name is derived from the name of the CRL issuing point and combined with the extension entered via the file publisher editor. The default link extension is 'der'.
3. Create a file CRL rule using the previously created CRL file publisher and the NoMap mapper. Disable all unused rules.
4. Enable publishing but keep the default LDAP connection disabled.
5. Modify /var/lib/pki-ca/conf/server.xml by adding a context container in the EE section matching the previously created target directory. For example:
<Context path="/ca/ee/ca/crl" docBase="/var/lib/pki-ca/webapps.ee/ca/ee/ca/crl" allowLinking="true"/>
6. The missing part of a CRL due to an interrupted download can be retrieved with:
wget -c http://<hostname>:9180/ca/ee/ca/crl/MasterCRL.bin
7. An interrupted download can be emulated by:
wget http://<hostname>:9180/ca/ee/ca/crl/MasterCRL.bin
mv MasterCRL.bin MasterCRL.bin.full
dd if=MasterCRL.bin.full of=MasterCRL.bin count=100 bs=1
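The three behaviours this bug asks for (byte-range resume as in steps 6 and 7, If-Modified-Since, and compression) modelled end to end as an added Python example: a tiny HTTP/1.1 server that serves a CRL file the way Tomcat is expected to, and a client that replays the interrupted-download-then-resume procedure against it. This is example code, not Dogtag or Tomcat code; the CRL bytes, the publish timestamp and the loopback port are constructed stand-ins, and only the URL path is taken from the procedure above.

```python
# Model of the HTTP/1.1 features this bug asks for on the CRL endpoint: byte-range
# resume (206), If-Modified-Since (304) and gzip compression. Added example, not
# Dogtag or Tomcat code; the CRL bytes, path and publish time are constructed.
import gzip
import threading
from email.utils import formatdate, parsedate_to_datetime
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CRL_PATH = "/ca/ee/ca/crl/MasterCRL.bin"   # path from the procedure above
CRL_BYTES = bytes(range(256)) * 16         # constructed 4096-byte stand-in, not real DER
CRL_MTIME = 1_700_000_000                  # constructed publish time (epoch seconds)


def parse_range(header, size):
    """Single-range 'bytes=a-b' parser; None for absent/malformed (then serve 200)."""
    if not header.startswith("bytes=") or "," in header:
        return None
    start_s, sep, end_s = header[6:].partition("-")
    try:
        if start_s:
            start, end = int(start_s), (int(end_s) if end_s else size - 1)
        else:                               # "bytes=-N" means the last N bytes
            start, end = max(0, size - int(end_s)), size - 1
    except ValueError:
        return None
    return start, min(end, size - 1)


class CRLHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"           # keep-alive, so Content-Length is mandatory

    def log_message(self, fmt, *args):      # silence request logging
        pass

    def _reply(self, status, body, headers):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path != CRL_PATH:
            self.send_error(404)
            return
        size, last_mod = len(CRL_BYTES), formatdate(CRL_MTIME, usegmt=True)
        ims = self.headers.get("If-Modified-Since")
        if ims:                             # cached copy still current -> no body
            try:
                if parsedate_to_datetime(ims).timestamp() >= CRL_MTIME:
                    self._reply(304, b"", {"Last-Modified": last_mod})
                    return
            except (TypeError, ValueError):
                pass                        # unparsable date: ignore the conditional
        headers = {"Last-Modified": last_mod, "Accept-Ranges": "bytes"}
        span = parse_range(self.headers.get("Range", ""), size)
        if span is not None:                # resume an interrupted download
            start, end = span
            if start >= size or end < start:
                self._reply(416, b"", {"Content-Range": f"bytes */{size}"})
                return
            headers["Content-Range"] = f"bytes {start}-{end}/{size}"
            self._reply(206, CRL_BYTES[start:end + 1], headers)
            return
        body = CRL_BYTES
        if "gzip" in self.headers.get("Accept-Encoding", ""):
            body = gzip.compress(body)      # whole-file responses only; ranges are raw
            headers["Content-Encoding"] = "gzip"
        self._reply(200, body, headers)


def fetch(host, port, headers):
    """One GET; returns (status, response headers, body with gzip undone)."""
    conn = HTTPConnection(host, port)
    try:
        conn.request("GET", CRL_PATH, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        if resp.getheader("Content-Encoding") == "gzip":
            data = gzip.decompress(data)
        return resp.status, dict(resp.getheaders()), data
    finally:
        conn.close()


def run_exchange():
    """Full fetch, a copy cut to 100 bytes (the dd step), a wget -c style resume
    from byte 100, then a conditional refetch; returns what was observed."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CRLHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        s_full, h_full, full = fetch(host, port, {"Accept-Encoding": "gzip"})
        partial = full[:100]
        s_res, h_res, rest = fetch(host, port, {"Range": f"bytes={len(partial)}-"})
        s_cond, _, _ = fetch(host, port, {"If-Modified-Since": h_full["Last-Modified"]})
        return {"full_status": s_full, "full_encoding": h_full.get("Content-Encoding"),
                "resume_status": s_res, "content_range": h_res.get("Content-Range"),
                "resumed_matches": partial + rest == CRL_BYTES, "conditional_status": s_cond}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_exchange())
```

Running the module prints the observations from the exchange: the whole-file fetch comes back 200 and gzip-encoded, the resume from byte 100 comes back 206 with a Content-Range of bytes 100-4095/4096 and reassembles to the original bytes, and the refetch with If-Modified-Since comes back 304 with no body. The same checks, done against the real Tomcat endpoint with curl -r or wget -c, are how to confirm the server.xml context from step 5 is serving ranges rather than silently returning the whole file.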
Created attachment 336885: adding compression
Created attachment 336891: small correction
attachment (id=336885) attachment (id=336891) +mharmsen
svn commit pki/dogtag/util/pki-util.spec
Sending        pki/dogtag/util/pki-util.spec
Transmitting file data .
Committed revision 334.

svn commit pki/dogtag/common/pki-common.spec
Sending        pki/dogtag/common/pki-common.spec
Transmitting file data .
Committed revision 335.

svn commit pki/base/util/src/netscape/security/x509/X509CRLImpl.java
Sending        pki/base/util/src/netscape/security/x509/X509CRLImpl.java
Transmitting file data .
Committed revision 336.

svn commit pki/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
Sending        pki/base/common/src/com/netscape/cms/publish/publishers/FileBasedPublisher.java
Transmitting file data .
Committed revision 337.
Verified: Was able to successfully retrieve the full CRL, a new CRL, and the missing part of a CRL (in case of an interrupted download).