Java security configuration to look at CRL for revocation checking

Sean Mullan sean.mullan at oracle.com
Tue Jan 5 18:38:12 UTC 2016


On 01/05/2016 12:28 PM, Seshadri, Usha wrote:
> Hi,
>
> I am using Java 8, and am trying to configure JVM to go to CRL for
> revocation checking. I didn’t see any parameter in java.security to
> enable CRL revocation checking, although there are parameters to
> configure OCSP.
>
> I tried setting these two parameters as JVM options with -D, but doesn’t
> seem to take any effect.
>
> deployment.security.validation.crl= true
>
> deployment.security.validation.crl.url=file:///root/xyz/crls/ → points to
> the CRL directory

These properties are not general JDK system properties. They are 
specifically used for revocation checking of certificates used when 
running signed applets via Java Plugin or WebStart.

> What configurable property controls the CRL revocation checking? Any
> answer will be greatly appreciated!

It would be helpful to know what security APIs your application is 
using, as the JVM itself doesn't perform revocation checking. For 
example, if you are using JSSE, then setting the following system 
properties may help address your issue:

com.sun.net.ssl.checkRevocation=true
com.sun.security.enableCRLDP=true

You can find more information and examples in the JSSE reference guide: 
http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html

Note that this list is not intended to be a general alias for questions 
about Java Security, so this question is somewhat off topic. There are 
various forums/websites that are probably more appropriate.

Thanks,
Sean

>
> Thanks,
>
> Usha Seshadri
>
> Lockheed Martin, IS&GS
>
> 301-240-7496
>



More information about the security-dev mailing list