Environment
Novell Access Manager 3.1
Novell Access Manager 3.1 Service Pack 2
Novell Access Manager 3.1 Service Pack 2 Interim Release 2
Situation
Slow login for protected resources making use of the x509 authentication class
NIDP server downloads Certificate Revocation List (CRL) on each authentication request
Resolution
This issue has been reported to engineering and will be fixed in Novell Access Manager 3.1 Service Pack 2 Interim Release 3.
Additional Information
X509v3 Certificate Revocation Lists (CRLs) have a defined lifetime, which allows local caching.
Example:
Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/CN=Organizational CA/serialNumber=201002
    Last Update: Sep 13 06:58:58 2010 GMT
    Next Update: Sep 20 06:58:58 2010 GMT

Because a CRL can grow large, the download might take some time. Requesting the download of a CRL for each and every user request will slow down the login process. If the security provided during the lifetime of a given CRL is not considered strong enough, the OCSP protocol should be used instead (provided that an OCSP provider is available).
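The caching behaviour described above, as an added Python sketch that is not Novell's code: a CRL is downloaded once and reused until its Next Update time, and a downloaded CRL that is not current is rejected rather than cached. The names CrlCache, parse_validity, downloads_for_logins and the distribution point URL are hypothetical, and the sketch assumes the CRL signature is verified elsewhere.

```python
import re
from datetime import datetime, timezone

# Text dump of the CRL from the example above (constructed input for this sketch).
SAMPLE_CRL_TEXT = """Certificate Revocation List (CRL):
    Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: /C=US/CN=Organizational CA/serialNumber=201002
    Last Update: Sep 13 06:58:58 2010 GMT
    Next Update: Sep 20 06:58:58 2010 GMT
"""

def parse_validity(crl_text):
    """Return (last_update, next_update) as UTC datetimes; raise if either is missing."""
    def field(name):
        m = re.search(name + r":\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) GMT", crl_text)
        if not m:  # e.g. "Next Update: NONE": no lifetime, so nothing safe to cache on
            raise ValueError("CRL has no usable '%s' field" % name)
        stamp = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        return stamp.replace(tzinfo=timezone.utc)
    return field("Last Update"), field("Next Update")

class CrlCache:
    """Caches one CRL per distribution point until its Next Update time."""
    def __init__(self, fetch):
        self._fetch = fetch    # hypothetical callable: url -> CRL text dump
        self._entries = {}     # url -> (crl_text, next_update)
        self.downloads = 0

    def get(self, url, now):
        entry = self._entries.get(url)
        if entry and now < entry[1]:
            return entry[0]    # still inside the CRL's lifetime: no download
        crl_text = self._fetch(url)
        self.downloads += 1
        last_update, next_update = parse_validity(crl_text)
        if not last_update <= now < next_update:
            raise ValueError("downloaded CRL is not current; refusing to cache it")
        self._entries[url] = (crl_text, next_update)
        return crl_text

def downloads_for_logins(count, now):
    """Simulate `count` certificate logins at time `now` and return the download count."""
    cache = CrlCache(lambda url: SAMPLE_CRL_TEXT)
    for _ in range(count):
        cache.get("http://ca.example.invalid/crl", now)
    return cache.downloads
```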