CRL download problem




My task is to set up logging to Rights mgmt server using certificates. I have a certification authority and LDAP configured together, and almost everything works nicely. The problem is with the CRL (list of revoked certificates) when the URL is https and not http. When using http, it does work. When using https, it doesn't. I guess there is a problem with the web server certificate. I imported its public key to jre/lib/security/cacerts. I also imported the public key of the CA that issued it. But it didn't solve the problem.

The server log is not very verbose:

2009-02-03 22:12:25,753 WARN [com.adobe.livecycle.signatures.pki.client.PKIException] ALC-DSS-310-002 Transport Error. (in the operation : obtainByURI)

Caused By: Exception from transport package (in the operation : internalSendReceive)

Caused By: java.security.cert.CertificateException(Alerts.java150)

Caused By: null(PKISocketFactory.java165)

If I use a Java utility like wget that downloads a file from the web server, it doesn't complain about any certificate problem. So why does the rights mgmt server?





Hey Jaroslav,

Did you ever resolve this?  I'm now seeing the same thing, though with HTTP!

At first I thought it was my aging WinNT4.0 CA that was the issue, but now it's started happening to my Win2003R2 CA as well.






Hi Jaroslav,

OK, we've managed to sort it in our environment.

The main issue turned out to be that we had spaces in the name (CN) of the CA, which in turn put spaces in the path/URL for the CRL.

It looks like the CRL validation in LiveCycle doesn't properly escape the spaces (as %20) and so it is unable to download the CRL.

Depending on your environment, you may also need to check that the LiveCycle server can connect to the location of the CRL via HTTP.

We've got a firewall in the way which caused a secondary problem for us.

Hope that helps.



BTW Big ups to Uday at Adobe Support for getting me to the point where I was able to resolve this.
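
The cause reported in the last post (a CA name with spaces ending up unescaped in the CRL URL) can be checked before a certificate ever reaches the server. The following Python check is an added example, not part of the thread and not Adobe's code; it takes CRL distribution point URLs as they appear in a certificate, reports characters a strict client cannot fetch, and returns the percent-encoded form. The host name and CA names in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, quote

# Characters allowed literally in a URI path or query (RFC 3986), plus "%"
# so that sequences which are already escaped are not encoded a second time.
_SAFE = "/:@!$&'()*+,;=-._~%"
# A "%" that is not followed by two hex digits is not a valid escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def audit_crl_url(url):
    """Return (problems, escaped_url) for one HTTP(S) CRL distribution point."""
    problems = []
    if url != url.strip():
        problems.append("leading or trailing whitespace")
        url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        problems.append("scheme is not http or https")
    rest = parts.path + parts.query
    if " " in rest:
        problems.append("unescaped space in path or query")
    if any(ord(ch) > 127 for ch in rest):
        problems.append("non-ASCII character in path or query")
    if _BAD_ESCAPE.search(rest):
        problems.append("stray '%' that is not part of an escape")
    # Repair stray "%" first, then percent-encode everything outside _SAFE.
    path = quote(_BAD_ESCAPE.sub("%25", parts.path), safe=_SAFE)
    query = quote(_BAD_ESCAPE.sub("%25", parts.query), safe=_SAFE + "?")
    fixed = urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))
    return problems, fixed


# Constructed sample URLs (not taken from the thread).
SAMPLES = [
    "http://pki.example.test/CertEnroll/Example Issuing CA.crl",
    "http://pki.example.test/CertEnroll/Example%20Issuing%20CA.crl",
    "https://pki.example.test/crl/100%.crl",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        found, fixed = audit_crl_url(sample)
        status = "; ".join(found) if found else "ok"
        print(f"{sample}\n  -> {status}\n  -> {fixed}")
```

Publishing the CRL under the escaped URL (or under a CA name without spaces) only helps certificates issued afterwards, since the distribution point is fixed in each certificate at issuance.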