Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

CRL download problem

Avatar

Level 4
Level 4
‎03-02-2009 13:28 PST
Hi,

my task is to setup logging to Rights mgmt server using certificates. I have certification authority, LDAP configured together and almost everything works nice. The problem is with CRL (list of revoked certificates) when the URL is like https and not http. When using http, it does work. When using https it doesn't. I gues, there is problem with web server certificate. I imported it's public key to jre/lib/security/cacerts. I imported public key of CA that issued it also. But it didn't solved the problem.



Server log is not much verbose:



2009-02-03 22:12:25,753 WARN [com.adobe.livecycle.signatures.pki.client.PKIException] ALC-DSS-310-002 Transport Error. (in the operation : obtainByURI)

Caused By: Exception from transport package (in the operation : internalSendReceive)

Caused By: java.security.cert.CertificateException(Alerts.java150)

Caused By: null(PKISocketFactory.java165)



If I use java utility like wget, that download a file from webserver, it doesn't complain any certificate problem. So why does the rights mgmg server do?

Views

2.7K

Replies

2

Total Likes

Translate
Translate
2 Replies

Avatar

Level 2
Level 2
‎21-04-2010 16:21 PDT

Hey Jaroslav,

did you ever resolve this?  I'm now seeing the same thing, though with HTTP!

At first I thought it was my aging WinNT4.0 CA that was the issue, but now it's started happening to my Win2003R2 CA as well.

Thanks

Craig

Views

447

Replies

0

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
‎09-05-2010 17:21 PDT

Hi Jaroslav,

OK, we've managed to sort it in our environment.

The main issue turned out to be that we had spaces in the name (CN) of the CA, which in turn put spaces in the path/URL for the CRL.

It looks like the CRL validation in LiveCyle doesn't properly escape the spaces (as %20) and so it is unable to download the CRL.

Depending on your environment, you may also need to check that the LiveCycle server can connect to the location of the CRL via HTTP.

We've got a firewall in the way which caused a secondary problem for us.

Hope that helps.

Regards

Craig

BTW Big ups to Uday at Adobe Support for getting me to the point where I was able to resolve this.

Views

447

Replies

0

Total Likes

Translate
Translate