NIDP x509Class CRL caching does not work

  • 7007072
  • 19-Oct-2010
  • 26-Apr-2012

Environment

Novell Access Manager 3.1
Novell Access Manager 3.1 Service Pack 2
Novell Access Manager 3.1 Service Pack 2 Interim Release 2

Situation

Slow login for protected resources making use of the x509 authentication class
NIDP server downloads Certificate Revocation List (CRL) on each authentication request

Resolution

This issue has been reported to engineering and will be fixed in Novell Access Manager 3.1 Service Pack 2 Interim Release 3.

Additional Information

X.509 Certificate Revocation Lists (CRLs) carry a validity period (the Last Update and Next Update fields) that allows a relying party to cache the list locally and reuse it for every revocation check until Next Update is reached, after which it has to be fetched again.

Example (CRL header as printed by openssl crl -text):
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/CN=Organizational CA/serialNumber=201002
        Last Update: Sep 13 06:58:58 2010 GMT
        Next Update: Sep 20 06:58:58 2010 GMT
Because a CRL can grow large, downloading it may take a noticeable amount of time. Requesting a fresh download of the CRL for each and every user request therefore slows down the login process. If checking revocation only once per CRL lifetime is not considered strong enough, the Online Certificate Status Protocol (OCSP) should be used instead, provided an OCSP responder is available for the issuing CA.
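The caching behaviour described above, as an added example that is not part of the original article or of the NIDP code: a small cache that downloads a CRL once and answers revocation checks from it until its Next Update has passed, and that refuses (fails closed) a CRL that is already outside its validity period. It works on the text form of a CRL as printed by openssl crl -text, so it needs only the Python standard library. CRL_URL, CRL_TEXT and the fetch callback are constructed for the example and stand in for the CRL distribution point and the HTTP/LDAP download the server would otherwise do on every login.

```python
"""CRL cache keyed on the CRL's own Next Update (added example, not Novell's code).

Operates on the text form printed by `openssl crl -text -noout`. A real
deployment must verify the CRL signature against the issuer before trusting
(and caching) it; that step is outside this example.
"""
import re
from datetime import datetime, timezone

CRL_URL = "http://crl.example.com/OrganizationalCA.crl"   # constructed distribution point

# Constructed CRL text in `openssl crl -text` form, extended from the header in the article.
CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/CN=Organizational CA/serialNumber=201002
        Last Update: Sep 13 06:58:58 2010 GMT
        Next Update: Sep 20 06:58:58 2010 GMT
Revoked Certificates:
    Serial Number: 1A2B3C
        Revocation Date: Sep 10 12:00:00 2010 GMT
"""

TIME_FMT = "%b %d %H:%M:%S %Y GMT"     # openssl's ASN1_TIME print format


class CrlUnavailable(Exception):
    """Raised when no currently valid CRL can be obtained (fail closed)."""


def _utc_now():
    return datetime.now(timezone.utc).replace(tzinfo=None)


def parse_time(text):
    """Parse an openssl-style timestamp such as 'Sep 20 06:58:58 2010 GMT'."""
    return datetime.strptime(text.strip(), TIME_FMT)


def parse_validity(crl_text):
    """Return (last_update, next_update) from the CRL header."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", crl_text, re.M)
        if not m:
            raise ValueError(f"CRL has no {name} field")
        return parse_time(m.group(1))
    return field("Last Update"), field("Next Update")


def revoked_serials(crl_text):
    """Set of revoked serial numbers (upper-case hex) listed in the CRL."""
    return {s.upper() for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)}


class CrlCache:
    """Fetches a CRL once and reuses it until its Next Update has passed."""

    def __init__(self, fetch, clock=_utc_now):
        self._fetch = fetch        # callable(url) -> CRL text (the download)
        self._clock = clock        # callable() -> naive UTC datetime
        self._entries = {}         # url -> (next_update, set of revoked serials)
        self.downloads = 0         # how many times we really went to the CA

    def _load(self, url):
        text = self._fetch(url)
        self.downloads += 1
        last_update, next_update = parse_validity(text)
        now = self._clock()
        # A CRL outside its validity window must not be cached or relied on:
        # either the CA has not published the successor yet or our clock is off.
        if not last_update <= now < next_update:
            self._entries.pop(url, None)
            raise CrlUnavailable(f"CRL from {url} is not valid at {now}")
        entry = (next_update, revoked_serials(text))
        self._entries[url] = entry
        return entry

    def is_revoked(self, url, serial):
        """True if `serial` is on the CRL; downloads only when the cache is stale."""
        entry = self._entries.get(url)
        if entry is None or self._clock() >= entry[0]:
            entry = self._load(url)
        return serial.upper() in entry[1]


if __name__ == "__main__":
    now = [parse_time("Sep 15 00:00:00 2010 GMT")]
    cache = CrlCache(fetch=lambda url: CRL_TEXT, clock=lambda: now[0])
    for serial in ("1A2B3C", "0000FF", "1a2b3c"):
        print(serial, "revoked" if cache.is_revoked(CRL_URL, serial) else "ok")
    print("downloads so far:", cache.downloads)      # 1 download for 3 checks
```

The cache is keyed by distribution point URL so several issuers can coexist, and it never serves an entry past its Next Update. Note the failure mode handled in _load: when the CA has not published a successor by Next Update, the stale list is rejected rather than cached, which is the fail-closed choice; a deployment that prefers availability would need to make that trade-off explicitly.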