Automatic update of CRLs

Affects product: Airlock WAF

Airlock WAF can periodically download and install updated certificate revocation lists (CRLs) for Virtual Hosts that use client certificate authentication. Because this functionality cannot be configured in the Configuration Center, this tutorial explains the necessary setup steps on the command line.

Note that once automatic updates are active, the CRL displayed in the Configuration Center GUI does NOT correspond to the automatically installed CRL.

Configuration

The configuration file is /opt/airlock/custom-settings/crl/autoupdate/crl-fetch.cfg

An example file is /opt/airlock/base/crl/crl-fetch.cfg.sample:

cp -p /opt/airlock/base/crl/crl-fetch.cfg.sample /opt/airlock/custom-settings/crl/autoupdate/crl-fetch.cfg

crl-fetch.cfg Parameters

There are only a few global parameters in the configuration file:

    * ENABLE_CRL_AUTO_UPDATE
      This is the global switch that activates the auto-update functionality.
      Possible values are "true" or "false". If the option is enabled, the
      Configuration Center shows the message "Manual CRL upload is disabled
      because automatic CRL updates are active." for every Virtual Host
      configured in crl-fetch.cfg.
      The update interval is not set here; change the schedule of the cron
      job as described below.

    * ENABLE_CONFIG_SYNC
      This option is available in Airlock Gateway 8.1 and newer.
      If this option is enabled, the active Airlock node not only updates its
      own CRL but also pushes it to the cluster partner node.

Each Virtual Host has its own CRL (if client certificate authentication is
enabled). For each of these Virtual Hosts, you can optionally configure the
auto-update function by adding two parameters to the configuration file
crl-fetch.cfg. The parameters carry a numbered suffix [n] (n = 0, 1, 2, ...).
Both parameters for the same CRL/Virtual Host must use the same number.

    * CRL_URL[n]: This is the URL(s) of the CRL file(s) that should be
      downloaded periodically. In case of more than one URL, the URLs are
      separated by one or more space characters.

      Example:

https://crl.ergon.ch/employees.crl https://crl.ergon.ch/customers.crl

      The host must be reachable from the management network interface. If your
      CRL server is on the internet or otherwise outside your company network,
      you have to set up a route from the management interface to the CRL
      server. Supported protocols are HTTP, HTTPS, FTP and FTPS (any protocol
      supported by curl); prefer HTTPS where the CRL server offers it.

    * CRL_VH[n]: The value of this parameter identifies the Virtual Host that
      receives the CRL(s) from CRL_URL[n].
      The format for this parameter is <FQDN>.<IP-Address>.<Port>
      If the FQDN of the Virtual Host is itself an IP address, you must still
      insert it, so the address appears twice (see the second example).

      Examples:

izanzibar60.ergon.ch.172.18.60.237.443

172.18.60.237.172.18.60.237.443

Example Configuration

Assume the following setup with three Virtual Hosts:

Virtual Host 1

    * Public IP Address: 192.168.1.1
    * Fully qualified name: www1.example.com
    * Enable HTTP: yes
    * HTTP port: 8080
    * Enable HTTPS (SSL): yes
    * HTTPS (SSL) port: 4443

The CRL for this Virtual Host is located on crl1.intern.example.com.

Virtual Host 2

    * Public IP Address: 192.168.1.2
    * Fully qualified name: www2.example.com
    * Enable HTTP: yes
    * HTTP port: 80
    * Enable HTTPS (SSL): no
    * HTTPS (SSL) port: 443

Since SSL is not enabled for this host, no CRL is needed here.

Virtual Host 3

    * Public IP Address: 192.168.1.3
    * Fully qualified name: www3.example.com
    * Enable HTTP: no
    * HTTP port: 80
    * Enable HTTPS (SSL): yes
    * HTTPS (SSL) port: 443

The CRLs for this Virtual Host are located on crl31.intern.example.com and crl32.intern.example.com.

To match the setup above, crl-fetch.cfg has to look as follows:

ENABLE_CRL_AUTO_UPDATE=true

#Virtual Host 1
CRL_URL[0]="https://crl1.intern.example.com/crl.txt"
CRL_VH[0]=www1.example.com.192.168.1.1.4443

#Virtual Host 3
CRL_URL[1]=" \
https://crl31.intern.example.com/crl.txt \
https://crl32.intern.example.com/crl.txt"
CRL_VH[1]=www3.example.com.192.168.1.3.443
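
As an added check, not part of Airlock or of this tutorial: the bash script below lints a crl-fetch.cfg against the rules stated above (a true/false global switch, matching CRL_URL[n]/CRL_VH[n] indices, curl-supported URL schemes, the <FQDN>.<IP-Address>.<Port> format) before you enable the cron job. It parses the file itself instead of sourcing it, so nothing in the file is executed. The two sample configurations it writes are constructed for the demonstration: the first is the example configuration above, the second contains typical mistakes.

```bash
#!/usr/bin/env bash
# Added example, not an Airlock script: lint a crl-fetch.cfg before enabling the
# cron job. It checks the rules stated in this tutorial: ENABLE_CRL_AUTO_UPDATE
# (and ENABLE_CONFIG_SYNC, if present) is true/false, every CRL_URL[n] has a
# CRL_VH[n] with the same index and vice versa, every URL uses a scheme the
# tutorial lists for curl (http, https, ftp, ftps), and every CRL_VH[n] is
# <FQDN>.<IP-Address>.<Port>. Findings go to stderr; the return code is their count.

# Print KEY<TAB>VALUE pairs. Backslash-continued lines (as used for CRL_URL[1]
# above) are joined, blank and comment lines are skipped, and one surrounding
# pair of double quotes is removed from the value.
_cfg_pairs() {
    local kv_re='^[[:space:]]*([A-Z_]+(\[[0-9]+\])?)=(.*)$' blank_re='^[[:space:]]*(#.*)?$'
    local line acc="" key val
    while IFS= read -r line || [ -n "$line" ]; do
        if [[ "$line" == *\\ ]]; then acc+="${line%\\}"; continue; fi   # continuation
        line="$acc$line"; acc=""
        if [[ "$line" =~ $kv_re ]]; then
            key="${BASH_REMATCH[1]}"; val="${BASH_REMATCH[3]}"
            [[ "$val" == \"*\" ]] && val="${val:1:${#val}-2}"
            printf '%s\t%s\n' "$key" "$val"
        elif [[ ! "$line" =~ $blank_re ]]; then
            printf 'BADLINE\t%s\n' "$line"
        fi
    done < "$1"
}

# <FQDN>.<IP-Address>.<Port>: the last field is the port, the four before it the
# IPv4 address, everything in front is the FQDN, which may itself be an IP
# address (then it appears twice, as in 172.18.60.237.172.18.60.237.443).
_valid_vh() {
    local -a f; IFS='.' read -r -a f <<< "$1"
    local n=${#f[@]} i oct_re='^[0-9]{1,3}$' port_re='^[0-9]{1,5}$'
    (( n >= 6 )) || return 1
    [[ "${f[n-1]}" =~ $port_re ]] && (( 10#${f[n-1]} >= 1 && 10#${f[n-1]} <= 65535 )) || return 1
    for (( i = n - 5; i < n - 1; i++ )); do
        [[ "${f[i]}" =~ $oct_re ]] && (( 10#${f[i]} <= 255 )) || return 1
    done
    for (( i = 0; i < n - 5; i++ )); do [[ -n "${f[i]}" ]] || return 1; done   # no empty labels
}

# Report one finding; bash's dynamic scoping lets this bump the caller's $errors.
_err() { echo "$*" >&2; errors=$((errors + 1)); }

validate_crl_fetch_cfg() {
    local file="$1" errors=0 key val idx u enable="" idx_re='\[([0-9]+)\]' url_re='^(https?|ftps?)://'
    local -a urls=() vhs=() ulist=()
    while IFS=$'\t' read -r key val; do
        case "$key" in
            ENABLE_CRL_AUTO_UPDATE) enable="$val" ;;
            ENABLE_CONFIG_SYNC) [[ "$val" == true || "$val" == false ]] || _err "ENABLE_CONFIG_SYNC must be true or false, got '$val'" ;;
            CRL_URL\[*\]) [[ "$key" =~ $idx_re ]]; urls[${BASH_REMATCH[1]}]="$val" ;;
            CRL_VH\[*\])  [[ "$key" =~ $idx_re ]]; vhs[${BASH_REMATCH[1]}]="$val" ;;
            BADLINE) _err "cannot parse line: $val" ;;
            *) _err "unknown parameter: $key" ;;
        esac
    done < <(_cfg_pairs "$file")
    [[ "$enable" == true || "$enable" == false ]] || _err "ENABLE_CRL_AUTO_UPDATE must be true or false, got '$enable'"
    for idx in "${!urls[@]}"; do
        [[ -n "${vhs[idx]+set}" ]] || _err "CRL_URL[$idx] has no matching CRL_VH[$idx]"
        read -r -a ulist <<< "${urls[idx]}"            # several URLs are separated by spaces
        (( ${#ulist[@]} > 0 )) || _err "CRL_URL[$idx] is empty"
        for u in "${ulist[@]}"; do
            [[ "$u" =~ $url_re ]] || _err "CRL_URL[$idx]: '$u' is not an http(s)/ftp(s) URL"
        done
    done
    for idx in "${!vhs[@]}"; do
        [[ -n "${urls[idx]+set}" ]] || _err "CRL_VH[$idx] has no matching CRL_URL[$idx]"
        _valid_vh "${vhs[idx]}" || _err "CRL_VH[$idx]: '${vhs[idx]}' is not <FQDN>.<IP-Address>.<Port>"
    done
    return $(( errors > 255 ? 255 : errors ))
}

# Constructed sample files (not real Airlock configs): the example configuration
# from this tutorial and a variant with typical mistakes.
write_demo_configs() {
    cat > "$1/good.cfg" <<'EOF'
ENABLE_CRL_AUTO_UPDATE=true

#Virtual Host 1
CRL_URL[0]="https://crl1.intern.example.com/crl.txt"
CRL_VH[0]=www1.example.com.192.168.1.1.4443

#Virtual Host 3
CRL_URL[1]=" \
https://crl31.intern.example.com/crl.txt \
https://crl32.intern.example.com/crl.txt"
CRL_VH[1]=www3.example.com.192.168.1.3.443
EOF
    cat > "$1/bad.cfg" <<'EOF'
ENABLE_CRL_AUTO_UPDATE=yes
CRL_URL[0]="ldap://crl1.intern.example.com/crl.txt"
CRL_VH[0]=www1.example.com.4443
CRL_URL[1]="https://crl31.intern.example.com/crl.txt"
CRL_VH[2]=www3.example.com.192.168.1.3.443
EOF
}

tmp=$(mktemp -d) && write_demo_configs "$tmp"
validate_crl_fetch_cfg "$tmp/good.cfg" && echo "good.cfg: no problems found"
validate_crl_fetch_cfg "$tmp/bad.cfg" || echo "bad.cfg: $? problem(s) found"
rm -rf "$tmp"
```

Run it against /opt/airlock/custom-settings/crl/autoupdate/crl-fetch.cfg with validate_crl_fetch_cfg <file>; a return code of 0 means no findings. The check is purely syntactic: it does not confirm that the Virtual Host exists in the Airlock configuration or that the CRL server is reachable from the management interface.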

Enable Auto-Fetching Functionality

The periodical update of the CRLs is triggered by a cron job (disabled by default).

This cron job has to be configured on both failover nodes. Best practice is to stagger the execution times on the two nodes rather than running them at exactly the same time, so that the web-listener restarts described below do not hit both nodes at once.

You can enable it by editing the crontab of user root:

    * execute crontab -e as user root to edit the crontab (you should be familiar with the editor vi)
    * Add following lines:

# automatic fetch of external CRL
30 0,8,16 * * * [ -x /opt/airlock/base/crl/crl-fetch.sh ] && /opt/airlock/base/crl/crl-fetch.sh >/dev/null 2>&1

    * check and adapt the execution times if necessary. The default is three times a day at 00:30, 08:30 and 16:30.
    * save changes (:wq)

Web-listener Restart

Please be aware that if a CRL changes, the web-listener must be restarted to load the new file. That restart can cause a short interrupt in reachability of your services (typically less than 5 seconds).

Log Events

The log messages concerning the CRL auto-update feature appear in the LogViewer. Filter for the prefix SY-CRLG in the include field (use "SY-CRLG*" in the LogViewer of Airlock WAF 7.0).

Expert Mode

If you need options that are not implemented in crl-fetch.sh, you can override that script by creating your own script under the path /opt/airlock/custom-settings/crl/autoupdate/crl-fetch.sh

You will see the message SY-CRLG-600 in the LogViewer when the original script has been overridden.

Self-implemented scripts in this location are update-resistant, i.e. they are not overwritten by Airlock updates.

Be aware that this option should be considered only by advanced users. Because the script is run as root by the cron job and replaces the active CRL, keep it minimal and validate what it downloads before installing it. Please test your script carefully on an integration system before running it in production.

Neither the file crl-fetch.cfg nor the custom crl-fetch.sh are included in the Airlock configuration file that you can download through the Configuration Center. Don't forget to create backups of those files on an external device.
