Validating Certificates Using CRLs

NNMi uses CRLs to properly deny access to clients using a certificate that is no longer trusted.

Note During authentication, when a certificate's serial number is found in a CRL, NNMi does not accept that certificate and authentication fails.

NNMi checks CRLs by default when using X.509 authentication mode. You can adjust how CRLs are checked, including specifying a CRL location, by editing the nms-auth-config.xml file, as described in the following sections.

Note NNMi stores the CRL configuration in the following location:

  • Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml
  • Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

There is also a default version of the configuration file, which can be used for reference purposes to view new available options. The default configuration file is stored in the following location:

  • Windows: %NnmInstallDir%\newconfig\HPOvNnmAS\nmsas\conf\nms-auth-config.xml
  • Linux: $NnmInstallDir/newconfig/HPOvNnmAS/nmsas/conf/nms-auth-config.xml

Enabling and Disabling CRL Checking

By default, NNMi enables CRL checking.

To configure CRL checking, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:

    <enabled>
  3. Do one of the following:

    • To enable CRL checking, change the line to read as follows:

      <enabled>true</enabled>
    • To disable CRL checking, change the line to read as follows:

      <enabled>false</enabled>
  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Changing the CRL Enforcement Mode

By default, NNMi is set to enforce CRLs.

To change the product’s enforcement of CRLs, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:

    <mode>
  3. Change the line to read as one of the following:

    <mode><value></mode>

    where <value> is one of the following:

    • ENFORCE: Enforce CRLs where specified in the certificates
    • ATTEMPT: Check CRLs but allow access if the CRL is not available
    • REQUIRE: Require and enforce CRLs in certificates

    Note In REQUIRE mode, authentication will fail if there is no CRL specified or available for a user's certificate.

  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Changing How Often a CRL Should be Refreshed

To configure how often NNMi refreshes the CRL, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:

    <refreshPeriod>
  3. Change the line to read as follows:

    <refreshPeriod><value></refreshPeriod>

    where <value> is an integer followed by h for hours or d for days (the smallest value is 1h).

    For example, enter 24h for 24 hours; enter 2d for 2 days.

  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

Changing the Maximum Idle Time for a CRL

You can configure how long NNMi keeps a CRL after the CRL has been idle (has not been used or accessed).

To change the maximum idle time for a CRL, follow these steps:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <crl> section of the file (find the <crl> tag), search for the line that begins with the following text:

    <maxIdleTime>
  3. Change the line to read as follows:

    <maxIdleTime><value></maxIdleTime>

    where <value> is an integer followed by h for hours or d for days (the smallest value is 1h).

    For example, enter 24h for 24 hours; enter 2d for 2 days.

  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig

CRL Expiration Warnings

When CRL checking is enabled, if a CRL expires, users might be locked out of the NNMi console. To help avoid unwanted lockouts, NNMi provides health warning messages to alert administrators that a CRL has either expired or will be expiring soon.

The expired CRL warning (Major severity) occurs when one or more CRLs have expired.

The expiring CRL warning (Minor severity) occurs when one or more CRLs have less than 1/6th of their valid period remaining. For example, if a CRL is valid for 24 hours, NNMi displays a warning if the CRL expires in fewer than four hours.

Configure the refresh period such that CRLs are always kept fresh. A properly configured refresh period ensures that, if the CRL server is unavailable for a time, there is a sufficient valid period remaining for the downloaded CRLs. In this way, NNMi can continue normal operation until the CRL server is available. For the 24-hour CRL in the example above, a refresh period of eight hours might be appropriate.

Changing the Location for a CRL

By default, NNMi downloads CRLs from the HTTP location embedded in the certificate. If this location is not accessible to the NNMi management server, the administrator can obtain the required CRLs some other way and configure NNMi to load those CRLs from the local file system.

Note Only CRLs signed by the certificate issuer are considered when evaluating the certificate.

To configure NNMi to load CRLs from the local file system, do the following:

  1. Edit the following file:

    Windows: %NnmDataDir%\nmsas\NNM\conf\nms-auth-config.xml

    Linux: $NnmDataDir/nmsas/NNM/conf/nms-auth-config.xml

  2. Within the <crl> section of the file (find the <crl> tag), search for the following text block:

    <!--

    Optional specification for the CRL location. If set NNMi will treat all certificates issued by the same CA as this CRL as having this CRL location. Multiple entries may be listed. <location>file:///var/opt/OV/shared/nnm/certificates/myco.crl</location>

    -->

  3. Insert a line after the --> tag, and enter the following, based on your operating system:

    Windows: <location>file:///C:/CRLS/<crlname>.crl</location>

    Linux: <location>file:///var/opt/OV/shared/nnm/certificates/<crlname>.crl</location>

  4. Save the nms-auth-config.xml file.
  5. Run the following command for the change to take effect:

    nnmsecurity.ovpl -reloadAuthConfig
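The following script is an added example, not part of NNMi or its documentation: it audits a copy of the <crl> section against the settings described in the sections above (enabled, mode, refreshPeriod, maxIdleTime, location) and flags a refresh period that would reach into the 1/6 expiring-CRL warning window. The <config> root element of the constructed sample and the 5/6 margin rule are assumptions; only the child elements come from the documentation.

```python
import re
import xml.etree.ElementTree as ET

VALID_MODES = {"ENFORCE", "ATTEMPT", "REQUIRE"}
PERIOD_RE = re.compile(r"^(\d+)([hd])$")  # e.g. 24h or 2d, as documented

# Constructed sample of a <crl> section; the <config> root element is an
# assumption, the child elements are the ones named in the documentation.
SAMPLE_CONFIG = """<config>
  <crl>
    <enabled>true</enabled>
    <mode>REQUIRE</mode>
    <refreshPeriod>8h</refreshPeriod>
    <maxIdleTime>2d</maxIdleTime>
    <location>file:///var/opt/OV/shared/nnm/certificates/myco.crl</location>
  </crl>
</config>"""

def period_hours(value):
    """Convert '24h' or '2d' to hours; return None for any other format."""
    m = PERIOD_RE.match(value.strip())
    return int(m.group(1)) * (24 if m.group(2) == "d" else 1) if m else None

def audit_crl_config(xml_text, crl_validity_hours=None):
    """Return a list of findings for the <crl> section (empty list = clean)."""
    findings = []
    crl = ET.fromstring(xml_text).find(".//crl")
    if crl is None:
        return ["no <crl> section found"]
    if (crl.findtext("enabled") or "").strip().lower() != "true":
        findings.append("CRL checking is disabled (<enabled> is not true)")
    mode = (crl.findtext("mode") or "").strip()
    if mode not in VALID_MODES:
        findings.append(f"unknown <mode> {mode!r}; expected one of {sorted(VALID_MODES)}")
    elif mode == "ATTEMPT":
        findings.append("mode ATTEMPT grants access when a CRL is unavailable")
    for tag in ("refreshPeriod", "maxIdleTime"):
        raw = (crl.findtext(tag) or "").strip()
        if (period_hours(raw) or 0) < 1:  # None (bad format) or 0 both fail
            findings.append(f"<{tag}> {raw!r} is not a valid period (minimum 1h)")
    for loc in crl.findall("location"):
        if not (loc.text or "").strip().startswith("file:///"):
            findings.append(f"<location> {loc.text!r} is not a file:/// URI")
    # Expiring-CRL warnings fire below 1/6 of the validity period; flagging a
    # refresh period at or beyond 5/6 of validity is a heuristic (assumption).
    if crl_validity_hours is not None:
        refresh = period_hours((crl.findtext("refreshPeriod") or "").strip())
        if refresh is not None and refresh >= crl_validity_hours * 5 / 6:
            findings.append(f"<refreshPeriod> {refresh}h reaches the expiring-CRL window of a {crl_validity_hours}h CRL")
    return findings
```

Run it against a copy of nms-auth-config.xml exported from the management server; an empty list means every documented setting is present and well-formed.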