ISSUE:
Impacts all RadiantOne Identity Data Management versions < v7.4.18.
When running in FIPS-mode, and using CRL checking leveraging OCSP, the following error is reported and CRL checking does not work:
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException
SOLUTION:
Issue has been fixed in 7.4.18. Update to this version.
Because the new library is still being recertified by NIST CMVP for FIPS 140-3, customers can use it at their discretion. ccj-4.0.0-fips.jar is the current, default NIST-certified FIPS 140-3 library used in v7.4, and ccj-4.0.1-prevalidation-fips.jar is the newer library that contains the fix for CRL checking via OCSP. To use the new ccj-4.0.1-prevalidation-fips.jar library, patch to v7.4.18, set the following property in Zookeeper (at /radiantone/<version>/<clusterName>/config/vds_server.conf) to true, and restart all RadiantOne services. E.g. usingPrevalidationFipsJar: true
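After switching libraries it is worth confirming that revocation checking actually succeeds rather than silently soft-failing. The following is an added example, not RadiantOne code and not part of the original article: it uses only standard JDK APIs (CertPathValidator with a PKIXRevocationChecker, OCSP preferred and CRL as fallback) to validate a server certificate chain against a trust store and to surface the same CertPathValidatorException class named in the error above. The file paths, the trust-store password and the PEM chain file are assumptions supplied on the command line; the JDK's own certificate-chain handling is used as-is.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;

// Added example (not RadiantOne code): validates a chain with revocation checking,
// OCSP first and CRL as fallback, and reports hard and soft failures separately.
public class RevocationCheck {

    // Returns true when the path builds and every certificate's revocation status was
    // obtained; throws CertPathValidatorException on a hard failure so the caller can
    // see the same exception type that the TLS handshake error quotes.
    public static boolean validate(List<Certificate> chain, KeyStore trustStore)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // No options: OCSP is preferred, CRLs are the fallback, and a missing
        // revocation answer is a hard failure (no SOFT_FAIL).
        rc.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXParameters params = new PKIXParameters(trustStore);
        params.addCertPathChecker(rc); // the checker replaces the default revocation logic
        params.setRevocationEnabled(true);

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        cpv.validate(path, params);

        // With SOFT_FAIL unset this list is empty on success; it is logged anyway so
        // the same code can be reused with SOFT_FAIL enabled for diagnosis.
        for (CertPathValidatorException soft : rc.getSoftFailExceptions()) {
            System.err.println("soft-fail: " + soft.getReason() + " - " + soft.getMessage());
        }
        return rc.getSoftFailExceptions().isEmpty();
    }

    // Usage (assumed paths): java RevocationCheck chain.pem truststore.p12 changeit
    // chain.pem holds the server certificate followed by its intermediates, leaf first.
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: RevocationCheck <chain.pem> <truststore> <password>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain;
        try (FileInputStream in = new FileInputStream(args[0])) {
            chain = new ArrayList<>(cf.generateCertificates(in));
        }
        // KeyStore.getInstance(file, password) detects JKS or PKCS12 from the file.
        KeyStore ts = KeyStore.getInstance(new java.io.File(args[1]), args[2].toCharArray());

        try {
            boolean ok = validate(chain, ts);
            System.out.println(ok ? "revocation status obtained for whole chain"
                                  : "validated, but some statuses were soft-failed");
        } catch (CertPathValidatorException e) {
            // This is the exception wrapped by the SSLHandshakeException in the issue.
            System.err.println("PKIX path validation failed: " + e.getReason()
                    + " at index " + e.getIndex() + " - " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it with the JVM configured exactly as the RadiantOne service runs (same FIPS provider and java.security settings), since the outcome depends on which crypto library answers the PKIX validation; a reason of UNDETERMINED_REVOCATION_STATUS points at the OCSP/CRL lookup rather than at the chain itself.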