Bug 493122 - Proper invocation and use of mod_revocator
Status: CLOSED WONTFIX
Product: Dogtag Certificate System
Classification: Community
Component: Fortitude
Version: 1.0
Hardware: All Linux
Priority: urgent, Severity: medium
Assigned To: Matthew Harmsen
QA Contact: Chandrasekar Kannan
Depends On: 492503
Blocks: 445047

Reported: 2009-03-31 13:34 EDT by Matthew Harmsen
Modified: 2015-01-04 18:37 EST

Doc Type: Bug Fix
Last Closed: 2009-10-12 13:40:46 EDT


Attachments
Base diffs to allow mod_revocator to be used on RHEL (4.07 KB, patch)
2009-04-16 19:58 EDT, Matthew Harmsen
Dogtag diffs to allow mod_revocator to be used on RHEL (5.64 KB, patch)
2009-04-16 19:59 EDT, Matthew Harmsen

Description Matthew Harmsen 2009-03-31 13:34:49 EDT
Now that mod_revocator has been successfully integrated into the RA and TPS subsystems, learn to successfully make use of it.
Comment 2 Asha Akkiangady 2009-04-13 14:33:42 EDT
I am able to visit a secure website using a smart card token which has the revoked certs (the TPS agent has put the token in temporarily lost status). Jack mentioned that it's a mod_revocator issue, related to this bug.

Expected behavior: Should not allow authentication to secure websites when the certs are in revoked state.
Comment 3 Rob Crittenden 2009-04-13 14:46:17 EDT
And the website in question is running mod_revocator and is successfully downloading a CRL?
Comment 5 Matthew Harmsen 2009-04-16 19:58:33 EDT
Created attachment 339945
Base diffs to allow mod_revocator to be used on RHEL
Comment 6 Matthew Harmsen 2009-04-16 19:59:18 EDT
Created attachment 339946
Dogtag diffs to allow mod_revocator to be used on RHEL
Comment 7 Andrew Wnuk 2009-04-16 20:07:42 EDT
attachment (id=339945)
attachment (id=339946) 
+awnuk
Comment 8 Matthew Harmsen 2009-04-16 20:17:52 EDT
cd pki/base

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      ra/lib/perl/PKI/RA/DonePanel.pm
M      tps/lib/perl/PKI/TPS/DonePanel.pm

% svn commit
Sending        base/ra/lib/perl/PKI/RA/DonePanel.pm
Sending        base/tps/lib/perl/PKI/TPS/DonePanel.pm
Transmitting file data ..
Committed revision 393.


cd pki/dogtag

% svn status | grep -v ^$ | grep -v ^P | grep -v ^X | grep -v ^?
M      setup/pki-setup.spec
M      ra/pki-ra.spec
M      tps/pki-tps.spec

% svn commit
Sending        dogtag/ra/pki-ra.spec
Sending        dogtag/setup/pki-setup.spec
Sending        dogtag/tps/pki-tps.spec
Transmitting file data ...
Committed revision 394.
Comment 9 Matthew Harmsen 2009-04-16 20:19:26 EDT
NOTE:  As "mod_revocator" can ONLY be enabled on RHEL platforms (and NOT on
       Fedora platforms), this bug will be moved to 8.1 rather than being closed.
Comment 10 Matthew Harmsen 2009-10-05 12:45:30 EDT
For RHCS 8.0, it became necessary to port the "fork" changes made to the Fedora version of "mod_nss" to RHEL 5.  Consequently, these changes conflict with the way that "mod_revocator" works, and thus "mod_revocator" was dropped as a dependency requirement for RHCS 8.0 and later.

According to Rob, to fix "mod_revocator" would require serious re-architecting of the way that it worked; therefore, OCSP checking available via use of "mod_nss" was utilized instead for the purposes of RHCS 8.0 and later.
Comment 11 Chandrasekar Kannan 2009-10-12 13:40:46 EDT
We are not using mod_revocator at this point.
Per bug council, marking this as closed/wontfix.