On 20 May 2014, at 16:30, Jan Just Keijser <[log in to unmask]> wrote:
> On 20/05/14 15:03, Andrea Ceccanti wrote:
>> Hi,
>>
>> please open a GGUS ticket and request that it is assigned to the Argus support unit.
>> It seems strange to me that OCSP is on on the PEPD (as it seems to be the case from
>> the log you're pasting).
> I hate to burst your bubble, but it seems that the canl library does use OCSP by default (rather, IF_AVAILABLE)
> https://github.com/eu-emi/canl-java/tree/master/src/main/java/eu/emi/security/authn/x509/helpers
>
> perhaps it's possible to turn this off in the pepd.ini file (like you can do for the STS service), e.g. by adding a line
> ocspCheckingMode = IF_AVAILABLE
> to the section [SECURITY] but the documentation on this is, errr, sparse.
You're right. VOMS uses CANL and disables OCSP, I assumed Argus relied on the utility in the VOMS API
to create the CANL certificate validator, while it seems Argus goes directly to CANL (and uses the default):
https://github.com/argus-authz/argus-pdp-pep-common/blob/EMI-3/src/main/java/org/glite/authz/common/config/AbstractIniConfigurationParser.java#L293
Looking at the code it seems this behaviour is not configurable.
Anyway, the best place to follow this up is GGUS.
Thanks!
A.
---------
Andrea Ceccanti
Via Ranzani 13/2 c 40127 Bologna, Italy
phone: +39 051 6092845, fax: +39 051 6092916
skype: andreaceccanti