Client certificate revocation status could not be determined
CDISC5400E Unexpected error while performing certificate authentication. Cause: CDISA5089E An unexpected error occurred. The error message is 'Authentication failed: The revocation status of the certificate with subject (EMAILADDRESS=streamsuser@us.ibm.com, CN=streamsuser, OU=Streams, O=IBM, ST=MN, C=US) could not be determined.'
- Display the certificate and review the extensions section, for example:
  openssl x509 -noout -text -in /path-to-certificate/client_certificate.pem
  - The certificate might include an Authority Information Access extension with a URI to an OCSP responder, for example:
    Authority Information Access: OCSP - URI:http://example.com:9080
  - The certificate might include a CRL Distribution Points extension with a URI to a CRL, for example:
    X509v3 CRL Distribution Points: URI:http://example.com/crl.pem
  If the client certificate includes URIs to an OCSP responder or CRL, every Teracloud® Streams resource in the domain that is configured to run the authentication and authorization service must be able to access these URIs. Access to URIs can be prevented by a firewall. You might need to configure your firewall to allow access.
  To test access to an OCSP responder, use the openssl command in the following example:
  openssl ocsp -issuer certs/sub-ca.pem -cert user.pem -url http://example.com:9080 -CAfile certs/ca-chain.pem
  The output of this command contains a line verifying the response and another line reporting the status of the certificate, for example:
  Response verify OK
  user.pem: good
  To test access to a CRL, open a browser with the CRL URI or attempt to download the CRL by using the wget command, for example:
  wget http://example.com/crl.pem
- Display the value of the Teracloud® Streams security.revocationFile domain property by entering the following command:
  streamtool getdomainproperty -d domain-id security.revocationFile
  If the value of this property is not undefined, ensure that the file path for the CRL is correct and accessible from every Teracloud® Streams resource in the domain that is configured to run the authentication and authorization service.
- Display the value of the Teracloud® Streams security.revocationLdapUrl domain property by entering the following command:
  streamtool getdomainproperty -d domain-id security.revocationLdapUrl
  If the value of this property is not undefined, ensure that the URL value is correct and accessible from every Teracloud® Streams resource in the domain that is configured to run the authentication and authorization service. Access to the LDAP URL can be prevented by a firewall. You might need to configure your firewall to allow access.
  The format of the LDAP URL to a CRL is:
  ldap://host[:port]/dn?attribute
  host
    is the domain name or IP address of the resource that is running the LDAP server.
  port
    is the port number of the LDAP server, which is optional. The default port number is 389.
  dn
    is the distinguished name of the object in the LDAP directory that contains the attribute.
  attribute
    is named certificateRevocationList;binary and contains the CRL contents.
  Search the LDAP directory using the ldapsearch command, for example:
  ldapsearch -xLLL -H ldap://host[:port] -b "dn" "attribute"
  If the command does not return a CRL, you might need to contact your LDAP administrator for the correct URL.
- Verify the client certificate with the trusted certificates.
  - Create a CA chain file, for example:
    cat sub-ca.pem root-ca.pem > ca-chain.pem
  - Verify the client certificate with the trusted certificates, for example:
    openssl verify -CAfile ca-chain.pem user.pem
  - Verify the client revocation status with the trusted certificates, for example:
    openssl verify -crl_check -CAfile ca-chain.pem -CRLfile crl.pem user.pem
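The ldap://host[:port]/dn?attribute format described above, as an added example that is not part of the Teracloud Streams documentation: a Python parser that splits a security.revocationLdapUrl value into host, port (defaulting to 389 when omitted), dn and attribute, rejects values that use a scheme other than ldap or an attribute other than certificateRevocationList;binary, and builds the matching ldapsearch command so the URL can be checked from each resource. The sample URL, host names and DN are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit
import shlex

CRL_ATTRIBUTE = "certificateRevocationList;binary"  # attribute the CRL must live in
DEFAULT_LDAP_PORT = 389  # applied when the URL omits [:port]


@dataclass(frozen=True)
class CrlLdapUrl:
    host: str
    port: int
    dn: str
    attribute: str

    def ldapsearch_command(self) -> str:
        """Build the ldapsearch invocation that fetches the CRL attribute.

        A base-scope search with an explicit (objectClass=*) filter is used so
        that the attribute name cannot be mistaken for the filter argument.
        """
        argv = ["ldapsearch", "-xLLL", "-H", f"ldap://{self.host}:{self.port}",
                "-b", self.dn, "-s", "base", "(objectClass=*)", self.attribute]
        return " ".join(shlex.quote(a) for a in argv)


def parse_crl_ldap_url(url: str) -> CrlLdapUrl:
    """Parse ldap://host[:port]/dn?attribute, raising ValueError on bad input."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "ldap":
        raise ValueError(f"expected an ldap:// URL, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL does not name a host")
    port = parts.port or DEFAULT_LDAP_PORT  # .port raises ValueError if non-numeric
    dn = unquote(parts.path.lstrip("/"))  # the DN may be percent-encoded (%20)
    if not dn:
        raise ValueError("LDAP URL does not contain a distinguished name")
    attribute = unquote(parts.query)  # the text after '?' names the attribute
    if attribute.lower() != CRL_ATTRIBUTE.lower():
        raise ValueError(f"attribute must be {CRL_ATTRIBUTE}, got {attribute!r}")
    return CrlLdapUrl(parts.hostname, port, dn, attribute)


if __name__ == "__main__":
    # Constructed sample value; not a real Streams domain property.
    sample = "ldap://ldap.example.com/cn=CRL,ou=PKI,o=Example?certificateRevocationList;binary"
    print(parse_crl_ldap_url(sample).ldapsearch_command())
```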