CertAP - client side CRL failover

Typically a CRL service is clustered at the network level using LDAP or a clustered HTTP CRL. In special cases, if an LDAP CRL service is not clustered in a failsafe manner, client side failover can be enabled and used. The end result is shown below.

Figure 1. Certificate Authentication Provider with Client side LDAP CRL failover

To enable the above configuration, use the model policy.xml file shown below in Listing 1. In the model configuration file, the CRL is stored at the addresses ldap://ldap1.fineid.fi:389 and ldap://ldap2.fineid.fi:389. The trusted certificate root has been truncated in the example.

The setting "java.naming.ldap.attributes.binary" forces the nominated attribute to be returned to binary format. This improves compatibility with older non-standard LDAP services, such as Netscape Directory Server 6.21, which does not by default return CRL information in binary format.

Client side failover of CRL lists as a HTTP resource is not supported. Use a standard configuration with standard HTTP load balancing techniques at the network level.

Listing 1. policy.xml for client side failover
<?xml version="1.0" encoding="iso-8859-1"?>
<Policy
    xmlns="http://ubisecure.com/schema/certagent.xsd">
  <PKI>
    <Trust>
      MIIFjDCCBHSgAwIBAgIDAYiZMA0GCSqGSIb3DQEBBQUAMI///certificate truncated
    </Trust>
    <CRL uri="ldap://ldap.fineid.fi:389/cn%3dVRK%20CA%20for%20Test%20Purposes,ou%3dTestivarmenteet,o%3dVaestorekisterikeskus%20TEST,dmdName%3dFINEID,c%3dFI?certificateRevocationList??objectClass=cRLDistributionPoint">
                <Property name="java.naming.factory.initial">com.ubisecure.util.ldap.jldap.JLDAP</Property>
                <Property name="java.naming.security.authentication">none</Property>
                <Property name="com.ubisecure.util.ldap.server.list">ldap://ldap1.fineid.fi:389 ldap://ldap2.fineid.fi:389</Property>
                <Property name="java.naming.ldap.attributes.binary">certificateRevocationList</Property>
    </CRL>
    </Trust>
  </PKI>
 
  <Subject KeyInfoConfirmationData="true"/>
 
  <Attributes>
    <Add name="username">
      <Digest source="subject" algorithm="sha1" />
    </Add>
    <Add name="username.dn">
      <Field source="subject"/>
    </Add>
    <Add name="ais">
      <Field source="subject" normalize="altSecurityIdentities"/>
    </Add>
    <Add name="satu">
      <Attribute source="subject" oid="2.5.4.5"/>
    </Add>
    <Add name="username.name">
      <Concat>
        <Attribute source="subject" oid="2.5.4.4"/>
        <Text content="&#32"/>
        <Attribute source="subject" oid="2.5.4.42"/>
      </Concat>
    </Add>
  </Attributes>
</Policy>