Patches for Apache Tomcat, relating to Certificate Verification functionality


In UOA university and in a number of GUNet projects, we deal a lot with the issue of Identity Management, and specially with Authentication and Authorization Infrastructure (AAI). Therefore, we have deployed shibboleth identity provider (idp) and single sing-on (SSO) Central Authentication Services (CAS). To implement these services we have chosen to use tomcat with tomcat native support, instead of the combination of tomcat with http server and the use of mod_ajp or mod_jk. The reason was the simplicity of the configuration, and the use of fewer components that are needed to be configured or provisioned. Up to now this configuration has served us well, without creating any issues both feature or performance wise.

In an AAI environment it is desirable for users and server to be able to authenticate also with use of certificates using the underlying PKI. One of the major issues on PKI is the life-cycle management of certificates, with an emphasis on the certificate revocation. Each party that participates in the infrastructure should be able to identify a revoked certificate as soon as possible, to reduce the opportunity window for an attack. The best solution is the combined use of Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP). By using OCSP the revocation information is propagated almost instantly, and the use of CRLs provides a safety measure in case of OCSP server failures.

However, tomcat with native and apr support, was lacking the desirable functionality to provide OCSP verification, and also an automatic reload of the CRL. For more information on the issues and the solutions we provided you can continue to the following pages.