Certificate Revocation Status

  • 7011033
  • 19-Apr-2011
  • 19-Oct-2012

Resolution

Question:

I have a certificate where I've revoked a few entitlements. These revocations created work items which have been completed and the entitlements removed from the appropriate application accounts.

Account aggregation and identity refresh have both been run and I can see that the entitlements are no longer present on the Identity.

I then ran the "Perform Maintenance" task, with the "Scan for completed revocations" option checked.

However, when I examine the revoked entitlement within the certification, or if I run a "Revocation Report", the Status for the revoked entitlements continues to show "Open" instead of "Finished".

Answer:

There are two scenarios that come into play here:

1) You did not check the "Enable Revocation Period" checkbox when you created the certification. Currently, the scanner will only check and update the status of a revoked entitlement if a revocation period has been enabled. ETN 8291 has been opened with engineering to allow the scanner to examine revocations regardless of enabling a revocation period.

2) If you have enabled a revocation period for your certification, the following describes how this process should function:

  • The certification must be in the remediation phase (phase="Remediation" in the certification object xml).
  • The "Perform Maintenance" task, with the "Scan for completed revocations" checkbox enabled, must be run.
  • The "Perform Maintenance" task runs every five minutes by default, but it scans for completed revocations only once per day, per certification, as defined in the System Configuration object:
    <entry key="remediationScanInterval" value="86400000"/>
    (Note: 86400000 milliseconds = 24 hours)
  • For example, if the last remediation scan occurred on March 2, 2010 at 11pm central, the next scan will not occur until March 3, 2010 at 11pm central. So if you revoked an account and aggregated/refreshed on March 3, 2010 at 10am central, the Status will continue to show open until after March 3, 2010 at 11pm, when the scanner once again runs.
  • You can see what time the next remediation scan will occur by looking at the certification xml for the attribute named "nextRemediationScan". Use the value of this attribute with the "iiq console" date command (ex: date 1302235231965) to derive the next scan execution date/time.
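The scheduling rule described above, worked through in code. This is an added illustration and not SailPoint code: it reads remediationScanInterval out of a constructed System Configuration fragment shaped like the entry quoted above, reproduces the March 2010 example, and converts epoch millisecond values such as the nextRemediationScan attribute to dates the way the "iiq console" date command does. The fixed UTC-6 offset stands in for Central time on those dates (before US daylight saving began on 14 March 2010) so the example runs without a time-zone database.

```python
"""Model of the once-per-day remediation scan schedule (added example, not product code)."""
import math
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed fragment in the shape of the System Configuration entry quoted in
# the article; the real object carries many more entries.
SYSTEM_CONFIG_XML = """
<Configuration name="SystemConfiguration">
  <Attributes>
    <Map>
      <entry key="remediationScanInterval" value="86400000"/>
      <entry key="someOtherSetting" value="x"/>
    </Map>
  </Attributes>
</Configuration>
"""

# Central Standard Time as a fixed offset (assumption for the March 2010 dates).
CST = timezone(timedelta(hours=-6), name="CST")


def remediation_scan_interval_ms(config_xml: str) -> int:
    """Return remediationScanInterval (milliseconds) from a SystemConfiguration XML string."""
    root = ET.fromstring(config_xml)
    for entry in root.iter("entry"):
        if entry.get("key") == "remediationScanInterval":
            return int(entry.get("value"))
    raise KeyError("remediationScanInterval not present in configuration")


def epoch_ms_to_datetime(ms: int, tz: timezone = timezone.utc) -> datetime:
    """Epoch milliseconds -> aware datetime, like the 'iiq console' date command.

    Integer arithmetic is used so the millisecond part is not lost to float rounding.
    """
    return datetime.fromtimestamp(ms // 1000, tz=tz) + timedelta(milliseconds=ms % 1000)


def to_epoch_ms(dt: datetime) -> int:
    """Aware datetime -> epoch milliseconds (the unit the certification XML stores)."""
    return int(dt.timestamp() * 1000)


def next_remediation_scan_ms(last_scan_ms: int, interval_ms: int) -> int:
    """The scanner will not revisit this certification before last scan + interval."""
    return last_scan_ms + interval_ms


def first_scan_after_ms(event_ms: int, last_scan_ms: int, interval_ms: int) -> int:
    """Earliest scheduled scan that can observe a revocation completed at event_ms.

    Scans for one certification fall on last_scan + k * interval (k = 0, 1, 2, ...),
    assuming Perform Maintenance keeps running on schedule. A revocation whose
    entitlement was removed and aggregated at event_ms therefore stays 'Open'
    until the first scan at or after event_ms.
    """
    if event_ms <= last_scan_ms:
        return last_scan_ms
    k = math.ceil((event_ms - last_scan_ms) / interval_ms)
    return last_scan_ms + k * interval_ms


def describe_march_2010_example() -> dict:
    """Reproduce the article's example: last scan 2 Mar 2010 11pm, revocation aggregated 3 Mar 10am."""
    interval = remediation_scan_interval_ms(SYSTEM_CONFIG_XML)
    last_scan = to_epoch_ms(datetime(2010, 3, 2, 23, 0, tzinfo=CST))
    aggregated = to_epoch_ms(datetime(2010, 3, 3, 10, 0, tzinfo=CST))
    picked_up = first_scan_after_ms(aggregated, last_scan, interval)
    return {
        "next_scan": epoch_ms_to_datetime(next_remediation_scan_ms(last_scan, interval), CST).isoformat(),
        "status_finished_after": epoch_ms_to_datetime(picked_up, CST).isoformat(),
        # Status shown if the certification is examined before that scan has run.
        "status_at_aggregation": "Open" if aggregated < picked_up else "Finished",
    }


if __name__ == "__main__":
    # Value from the article's date example, rendered in UTC.
    print(epoch_ms_to_datetime(1302235231965).isoformat())
    for key, value in describe_march_2010_example().items():
        print(f"{key}: {value}")
```

Pasting the nextRemediationScan value into epoch_ms_to_datetime gives the same answer as the console's date command; describe_march_2010_example shows why a revocation aggregated at 10am on 3 March is still reported "Open" until the 11pm scan that evening.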

Note: During this remediation scan, the Remediation Manager performs a targeted reaggregation of the identity link(s) affected by the certification revocation and checks whether the desired action has actually occurred on the native application. For this targeted reaggregation to run properly, an application must either support random access (Active Directory, for example) or, if it has the NO_RANDOM_ACCESS feature (JDBC applications, for example), have the correct getObject methods implemented. This targeted reaggregation functionality can be tested with the following "iiq console" command:

Example:

connectorDebug [application name] get account [native application identity]

connectorDebug "Active Directory" get account cn=jdoe1,cn=Users,dc=example,dc=com