We currently have Glassfish configured to work with CRL. We have a batch script that runs every night, downloads the latest CRL, and updates our list. Lately we have been having trouble with the download not working, thus causing problems for our users accessing our application.

We are looking into swapping over to OCSP instead, since it does not require us to download anything and process it. I have never used OCSP, much less configured an App Server to use OCSP. I have searched for information/tutorials on setting this up and have come up empty-handed, and have not even been able to verify that Glassfish supports OCSP.

Does anyone know if Glassfish supports OCSP? If it does, can you point me in the right direction on setting this up in Glassfish?

Jacob Schoen

2 Answers

Not commenting on Glassfish specifically, but on OpenJDK 6, there is built-in support for OCSP in the sun.security.provider.certpath package, so that should (hopefully) filter its way into your workflow somewhere.

But, in so saying, if the downloads didn't work, then this same issue may cause OCSP checking to fail too. After all, it actually requires talking to the OCSP endpoint to see if the certificate has been revoked. You should run a network monitor (e.g., tcpdump) to see if the required connections are being made.

C. K. Young
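
As an added example (not part of the answer above, and not Glassfish configuration): a standalone check that runs PKIX path validation with the JDK's built-in OCSP client enabled through the `ocsp.enable` security property. The class name `OcspCheck` and the two PEM file arguments are assumptions of this example; the chain file is expected leaf-first and without the root.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

// Added example: validate a certificate chain with OCSP revocation checking.
public class OcspCheck {
    // Read every certificate from a PEM/DER file (path supplied by the caller).
    static List<X509Certificate> load(CertificateFactory cf, String path) throws Exception {
        List<X509Certificate> out = new ArrayList<X509Certificate>();
        InputStream in = new FileInputStream(path);
        try {
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
        } finally {
            in.close();
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java OcspCheck <chain.pem> <trusted-ca.pem>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = load(cf, args[0]);   // leaf first, no root
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate ca : load(cf, args[1])) anchors.add(new TrustAnchor(ca, null));

        // Turn on the built-in OCSP client; the responder URL is taken from
        // each certificate's Authority Information Access extension.
        Security.setProperty("ocsp.enable", "true");
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(true);

        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("VALID: path builds and no certificate is reported revoked");
        } catch (CertPathValidatorException e) {
            // Revoked, status unknown, or responder unreachable all end up here,
            // so a blocked outbound connection rejects the certificate.
            System.out.println("REJECTED at chain index " + e.getIndex() + ": " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Running it from the application server host while capturing traffic shows whether the connection to the OCSP responder is actually made.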

Glassfish does support OCSP, but with our environment and what we were doing, we could not make it work. There are pretty decent directions on setting this up here. What we ended up doing was fronting Glassfish with Apache, and using Tumbleweed Server Validator to handle OCSP.

On the web there are directions for load balancing Glassfish by fronting it with Apache. Apache uses the Tomcat connector to work with Glassfish. If you are running Glassfish V2 the steps described here will work (this is what we are running). If you are using Glassfish v3 Prelude the steps described here will work. In V3 they have made it a little easier to front Glassfish with Apache, well at least on the Glassfish side of things.

I hope this may help someone else in the future as it took me a while to get this all working and find the information I needed.

Jacob Schoen