CRL Checking Enable and Verify and CDS.log Enable

Document ID : KB000101369
Last Modified Date : 25/07/2018
Issue:
The CRL we configured under "Certificate Validity" initially shows the status "Loaded". A day later it comes back with the status "Out Of Date".
The following configuration has been set:
1) "EnableCRLUpdater" was set to "Yes" under CDS in XPSConfig on the policy server that the admin UI is connected to.
2) The policy server was restarted.

The policy server is still not checking for the next update.
Environment:
12.52, 12.6, 12.7, 12.8
Resolution:
An environment may contain multiple policy servers, some of them dedicated to federation traffic while others process regular transactions (such as authentication and authorization).
When enabling "EnableCRLUpdater", it must be enabled on all policy servers that handle federation traffic, not only on the one the admin UI is connected to.

To verify that CRL checking is enabled, follow these steps:

1) Enable CDS logs

* Stop the SiteMinder Policy Server
* Go to the <Siteminder Policy Server install location>/config/properties folder
* Open the cdslog4j.properties file and change the following lines

log4j.logger.com.ca.CertificateDataStore=INFO, CertificateDataStore 
log4j.logger.com.ca.siteminder.rpc.rpc.ClientDispatcher=OFF 
so that they read as follows:

log4j.logger.com.ca.CertificateDataStore=ALL, CertificateDataStore 
log4j.logger.com.ca.siteminder.rpc.rpc.ClientDispatcher=ON 

* Save and close the file
* Start the SiteMinder Policy Server

Reference --> https://docops.ca.com/ca-single-sign-on/12-7/en/administrating/logs-for-administrating-ca-single-sign-on/certificate-data-store-logging 

NOTE --> The CDS.log will not appear until a federation transaction has been received and processed by the policy server.

2) Make sure the following is configured in your XPSConfig:

CA.CDS::$EnableCRLUpdater=Yes
CRL Update Period: days 1 1
CRL Updater Sleep Period: hours 1 1


3) After a federation transaction is sent to the policy server, the CDS.log is initialized and you should see the following:

[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CertificateDataStoreImpl.initializeRevocation():  ENTER
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CertificateDataStoreImpl.initializeCRLUpdater():  ENTER
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CRLUpdater.CRLUpdater():  ENTER
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CRLUpdater.CRLUpdater():  EXIT
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CertificateDataStoreImpl.initializeCRLUpdater():  CRL Updater scheduled and started
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CertificateDataStoreImpl.initializeCRLUpdater():  EXIT.  Returning true.
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CertificateDataStoreImpl.initializeOCSPConfig():  ENTER
[Apr 03 2018 00:11:17,823] CertificateDataStore [DEBUG] CRLUpdater.run():  ENTER
[Apr 03 2018 00:11:17,823] CertificateDataStore [DEBUG] CRLUpdater.populateCRLsToUpdate():  ENTER


4) Once initialized, the policy server refreshes the certificate validity file every hour to update the status. You should see the following in the CDS.log:

[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasCRLRegistered(): march18ca has registered CRL data 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasLDAPCRLLocationChanged(): ENTER 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasLDAPCRLLocationChanged(): Registered Provider Name= LDAP Database1 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasLDAPCRLLocationChanged(): Registered Location = ldap://lod1800vm039.ca.com:10001/cn=mycrl3,o=security.com 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasLDAPCRLLocationChanged(): Saved Location = ldap://lod1800vm039.ca.com:10001/cn=mycrl3,o=security.com 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasLDAPCRLLocationChanged(): EXIT. Returning false. 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.hasCRLRegistered(): EXIT. Returning true. 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.retrieveCRLFromLDAP(): ENTER 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.isCACertificate(alias): ENTER 
[Apr 06 2018 23:09:13,995] CertificateDataStore [DEBUG] CertificateDataStoreImpl.isCACertificate(): Checking to see if certificate with alias march18ca is a CA certificate 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] XPSCertificateDataStoreOpsImpl.isCACertificate(): ENTER 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] X509CertificateCache.getXPSCertificateData(alias): ENTER 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] X509CertificateCache.getXPSCertificateData(): Filtering on march18ca 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] X509CertificateCache.getXPSCertificateData(): EXIT 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] XPSCertificateDataStoreOpsImpl.isCACertificate(): EXIT. Returning true. 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] CertificateDataStoreImpl.isCACertificate(alias): EXIT. Returning true. 
[Apr 06 2018 23:09:13,996] CertificateDataStore [DEBUG] CertificateDataStoreImpl.retrieveCRLFromLDAP(): Retrieving CRL from LDAP for i


5) When a federation transaction is processed, the policy server checks the certificate validity. If the check fails, you should see the following message in the policy server trace file:

[Assertion sig object - sigTypeAssn: com.netegrity.SAML2Gen.impl.SignatureImpl@458fdabb] 
[singleAssertion flag: false; singleAssertionStr: 1; passNumberStr: 1] 
[Getting Assertion by ID: _d20f3cc97b0a9b2d871803fe6de3fe292855] 
Primary certificate to verify signature: alias: "march18cert2"] 
Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception while verifying revocation status of the certificate. Certificate is revoked or revocation status can't be verified.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 
Checking for secondary certificate] 
Secondary certificate to verify signature: alias: "march18cert2"] 
[SAML20: Assertion rejected (_d20f3cc97b0a9b2d871803fe6de3fe292855): DSigException caught while verifying assertion: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception while verifying revocation status of the certificate. Certificate is revoked or revocation status can't be verified.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][] 
[Plugin is configured? false][] 

6) When a federation transaction is processed and the certificate validity check succeeds, you should see the following message in the CDS.log file:

CertificateDataStore [DEBUG] CertificateDataStoreImpl.isCertificateValid(): The issuer for the certificate with issuer=cacert@ca.com,CN=cacert,OU=SBU,O=CA,L=HY,ST=TS,C=IN and Serial Number 0123 is not in the data store. Therefore the certificate is not revoked.
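As an added example (not part of this KB article or of the product), the following Python script applies the checks from steps 1 through 4 offline: it confirms that cdslog4j.properties has the CertificateDataStore logger at ALL, then scans a CDS.log excerpt for the "CRL Updater scheduled and started" message and verifies that the CRLUpdater.run() entries keep the one-hour cadence set by the sleep period in step 2. The properties and log contents are constructed samples modelled on the lines shown above.

```python
import re
from datetime import datetime, timedelta

# Constructed cdslog4j.properties excerpt, modelled on step 1 (assumed content).
SAMPLE_PROPERTIES = """\
log4j.logger.com.ca.CertificateDataStore=ALL, CertificateDataStore
log4j.logger.com.ca.siteminder.rpc.rpc.ClientDispatcher=ON
"""

# Constructed CDS.log excerpt: one scheduling message followed by three hourly updater runs.
SAMPLE_CDS_LOG = """\
[Apr 03 2018 00:11:17,682] CertificateDataStore [DEBUG] CertificateDataStoreImpl.initializeCRLUpdater():  CRL Updater scheduled and started
[Apr 03 2018 00:11:17,823] CertificateDataStore [DEBUG] CRLUpdater.run():  ENTER
[Apr 03 2018 01:11:18,004] CertificateDataStore [DEBUG] CRLUpdater.run():  ENTER
[Apr 03 2018 02:11:18,120] CertificateDataStore [DEBUG] CRLUpdater.run():  ENTER
[Apr 03 2018 02:11:18,130] CertificateDataStore [DEBUG] CertificateDataStoreImpl.retrieveCRLFromLDAP(): ENTER
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}),\d{3}\] "
    r"CertificateDataStore \[(?P<level>[A-Z]+)\] (?P<msg>.+?)\s*$"
)

def cds_logging_enabled(properties_text):
    """True when the CertificateDataStore logger level is ALL (step 1 of the article)."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "log4j.logger.com.ca.CertificateDataStore":
            return value.split(",")[0].strip().upper() == "ALL"
    return False

def parse_cds_log(text):
    """Yield (timestamp, message) for every well-formed CDS.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"), m["msg"]

def check_crl_updater(text, sleep_period=timedelta(hours=1), slack=timedelta(minutes=5)):
    """Report whether the updater was scheduled and whether its runs keep the expected cadence."""
    events = list(parse_cds_log(text))
    scheduled = any("CRL Updater scheduled and started" in msg for _, msg in events)
    runs = [ts for ts, msg in events if msg.startswith("CRLUpdater.run():") and msg.endswith("ENTER")]
    # Adjacent runs should be no further apart than the configured sleep period plus some slack.
    cadence_ok = all(later - earlier <= sleep_period + slack for earlier, later in zip(runs, runs[1:]))
    return {"scheduled": scheduled, "run_count": len(runs), "cadence_ok": cadence_ok}

if __name__ == "__main__":
    print(cds_logging_enabled(SAMPLE_PROPERTIES), check_crl_updater(SAMPLE_CDS_LOG))
```

Point the script at the real cdslog4j.properties and CDS.log to confirm that the updater is scheduled and running on each federation policy server; a missing scheduling message or a gap longer than the sleep period is what leaves the CRL status at "Out Of Date".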