Using OCSP with TLS in Apache CXF

The previous article showed how to enable OCSP for WS-Security based SOAP services in Apache CXF, by checking the revocation status of a certificate used for X.509 digital signature. The article stated that OCSP is supported in Apache CXF when TLS is used to secure communication between a web service client and server, but didn't give any further information. In this post we will show how to enable OCSP when using TLS for both a web service (JAX-WS or JAX-RS) client and server.

The test-code is available on github here (also contains WS-Security OCSP tests):

• cxf-ocsp: This project contains a number of tests that show how a CXF service can validate client certificates using OCSP.

1) Enabling OCSP for web service clients

First we'll look at enabling OCSP for web service clients. The TLSOCSPTest shows how this can be done. Two Java security properties are set in the test-code to enable OCSP: 

• "ocsp.responderURL": The URL of the OCSP service
• "ocsp.enable": "true" to enable OCSP

The first property is required if the service certificate does not contain the URL of the OCSP service in a certificate extension. Before running the test, install openssl and run the following command from the "openssl" directory included in the project (use the passphrase "security"):

• openssl ocsp -index ca.db.index -port 12345 -text -rkey wss40CAKey.pem -CA wss40CA.pem -rsigner wss40CA.pem

Two options are available to get OCSP working for a web service client. The first is to configure TLS in code as shown in the first test contained in TLSOCSPTest. A PKIXBuilderParameters instance is created with the truststore and revocation is explicitly "enabled" on it. This is then wrapped in a CertPathTrustManagerParameters and used to initialise the TrustManagerFactory. 

The second test shows a new and alternative way of enabling OCSP if you want to configure your TLS keys in spring. This feature is only available from CXF 3.1.11 onwards.  The spring configuration file for the client contains a tlsClientParameters Element with the attribute "enableRevocation="true"". Once the "ocsp.enable" security property is set, then this will enable revocation checking on the certificate presented by the server during the TLS handshake.

2) Enabling OCSP for web service servers

We also show via the TLSOCSPClientAuthTest how to enable OCSP for web service servers that use CXF's Jetty transport. Openssl should be started as per the client tests. The server requires client authentication and then uses OCSP to verify the revocation status of the certificate presented by the client during the TLS handshake. The TLS configuration for the server is done in code. However it can also be done in spring using the "enableRevocation" attribute as per the client above.

Using OCSP with WS-Security in Apache CXF

The OCSP (Online Certificate Status Protocol) is a http-based protocol to check whether a given X.509 certificate is revoked or not. It is supported in Apache CXF when TLS is used to secure communication between a web service client and server. However, it is also possible to use with a SOAP request secured with WS-Security. When the client signs a portion of the SOAP request using XML digital signature, then the service can be configured to check whether the certificate in question is revoked or not via OCSP. We will cover some simple test-cases in this post that show how this can be done.

The test-code is available on github here:

• cxf-ocsp: This project contains a number of tests that show how a CXF service can validate client certificates using OCSP.

The project contains two separate test-classes for WS-Security in particular. Both are for a simple "double it" SOAP web service invocation using Apache CXF. The clients are configured with CXF's WSS4JOutInterceptor, to encrypt and sign the SOAP Body using credentials contained in keystores. For signature, the signing certificate is included in the security header of the request. On the receiving side, the services are configured to validate the signature and to decrypt the request. In particular, the property "enableRevocation" is set to "true" to enable revocation checking.

The first test, WSSecurityOCSPTest, is a conventional test of the OCSP functionality. Two Java security properties are set in the test-code to enable OCSP (the server runs in the same process as the client):

• "ocsp.responderURL": The URL of the OCSP service
• "ocsp.enable": "true" to enable OCSP

The first property is required if the client certificate does not contain the URL of the OCSP service in a certificate extension. Before running the test, install openssl and run the following command from the "openssl" directory included in the project (use the passphrase "security"):

• openssl ocsp -index ca.db.index -port 12345 -text -rkey wss40CAKey.pem -CA wss40CA.pem -rsigner wss40CA.pem

Now run the test (e.g.  mvn test -Dtest=WSSecurityOCSPTest). In the openssl console window you should see the OCSP request data.

The second test, WSSecurityOCSPCertTest, tests the scenario where the OCSP service signs the response with a different certificate to that of the issuer of the client certificate. Under ordinary circumstances, OCSP revocation checking will fail, and indeed this is tested in the test above. However it's also possible to support this scenario, by adding the OCSP certificate to the service truststore (this is already done in the test), and to set the following additional security properties:

• "ocsp.responderCertIssuerName": DN of the issuer of the cert
• "ocsp.responderCertSerialNumber": Serial number of the cert

Launch Openssl from the "openssl" directory included in the project:

• openssl ocsp -index ca.db.index -port 12345 -text -rkey wss40key.pem -CA wss40CA.pem -rsigner wss40.pem

and run the test via "mvn test -Dtest=WSSecurityOCSPCertTest".