Certificate revocation status
Post Date: April 19, 2011
Posted By: Doug Bulkley

Question

I have a certificate where I've revoked a few entitlements. These revocations created work items which have been completed and the entitlements removed from the appropriate application accounts.

Account aggregation and identity refresh have both been run and I can see that the entitlements are no longer present on the Identity.

I then ran the "Perform Maintenance" task, with the "Scan for completed revocations" option checked.

However, when I examine the revoked entitlement within the certification, or if I run a "Revocation Report", the Status for the revoked entitlements continues to show "Open" instead of "Finished".

Answer

There are two scenarios that come into play here:

1) You did not check the "Enable Revocation Period" checkbox when you created the certification. Currently, the scanner will only check and update the status of a revoked entitlement if a revocation period has been enabled. ETN 8291 has been opened with engineering to allow the scanner to examine revocations regardless of enabling a revocation period.

2) If you have enabled a revocation period for your certification, the following describes how this process should function:

  • The certification must be in the remediation phase (phase="Remediation" in the certification object XML).
  • The "Perform Maintenance" task, with the "Scan for completed revocations" checkbox enabled, must be run.
  • Even though the Perform Maintenance task runs every five minutes by default, it will only scan for completed revocations once per day, per certification, as defined in the System Configuration object:
    <entry key="remediationScanInterval" value="86400000"/>
    (Note: 86400000 milliseconds = 24 hours)
  • For example, if the last remediation scan occurred on March 2, 2010 at 11pm Central, the next scan will not occur until March 3, 2010 at 11pm Central. So if you revoked an account and aggregated/refreshed on March 3, 2010 at 10am Central, the Status will continue to show "Open" until after March 3, 2010 at 11pm, when the scanner once again runs.
  • You can see what time the next remediation scan will occur by looking at the certification XML for the attribute named "nextRemediationScan". Use the value of this attribute with the "iiq console" date command (ex: date 1302235231965) to derive the next scan execution date/time.
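The scan timing described above, worked through as an added example (not part of the original article or of IdentityIQ itself): it reads the remediationScanInterval entry from a constructed SystemConfiguration fragment, converts an epoch-millisecond value the way the iiq console "date" command does, and works out which scan will first examine a completed revocation. The XML fragment, the CST offset and the helper names are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed fragment of a SystemConfiguration export (assumption: the real
# object carries many more <entry> elements; only this key matters here).
SYSTEM_CONFIG_XML = (
    '<Configuration name="SystemConfiguration"><Attributes><Map>'
    '<entry key="remediationScanInterval" value="86400000"/>'
    '</Map></Attributes></Configuration>'
)

# March 2010 in Chicago is Central Standard Time (UTC-6); DST started March 14.
CST = timezone(timedelta(hours=-6), "CST")
MS_PER_DAY = 24 * 60 * 60 * 1000


def remediation_scan_interval_ms(config_xml: str) -> int:
    """Return remediationScanInterval (milliseconds) from a SystemConfiguration export."""
    m = re.search(r'<entry key="remediationScanInterval" value="(\d+)"\s*/>', config_xml)
    if not m:
        raise ValueError("remediationScanInterval entry not found")
    return int(m.group(1))


def epoch_ms_to_iso(ms: int) -> str:
    """Mirror the iiq console 'date <millis>' command, rendered as UTC ISO-8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def scan_that_sees_revocation(last_scan_ms: int, interval_ms: int, revoke_done_ms: int) -> int:
    """First scan time (epoch ms) at or after the revocation was completed in the source.

    Scans happen at last_scan + k*interval; anything completed between two scans
    stays "Open" until the next one fires, which is what the article's example shows.
    """
    nxt = last_scan_ms + interval_ms
    while nxt < revoke_done_ms:
        nxt += interval_ms
    return nxt


def march_example() -> str:
    """The article's scenario: last scan Mar 2 11pm CST, revocation done Mar 3 10am CST."""
    interval = remediation_scan_interval_ms(SYSTEM_CONFIG_XML)
    last_scan = int(datetime(2010, 3, 2, 23, 0, tzinfo=CST).timestamp() * 1000)
    revoked = int(datetime(2010, 3, 3, 10, 0, tzinfo=CST).timestamp() * 1000)
    nxt = scan_that_sees_revocation(last_scan, interval, revoked)
    return datetime.fromtimestamp(nxt / 1000, tz=CST).isoformat()
```

If a revocation completes just after a scan, the same function shows it will wait nearly a full interval, which is why "Open" can persist for up to 24 hours after aggregation and refresh.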

Note: During this remediation scan, the Remediation Manager performs a targeted reaggregation on the identity's link(s) affected by the certification revocation and checks whether the desired action has occurred on the native application. For this targeted reaggregation to run properly, applications either need to support random access (Active Directory, for example) or, if they have the NO_RANDOM_ACCESS feature (JDBC applications, for example), they need the correct getObject methods implemented. This targeted reaggregation functionality can be tested with the following "iiq console" command:

Example

connectorDebug [application name] get account [native application identity]

connectorDebug "Active Directory" get account cn=jdoe1,cn=Users,dc=example,dc=com

Comments

Lyndsay,

In version 5.2, did the remediationScanInterval option exist in the Perform Maintenance task? In 5.2 the Revocation period option on the certification did not yet exist, so as long as revoked entitlements were removed properly, the "revoke completed" column in the certification report would be set to "YES". In 6.1 (where our implementation is now), it seems that the revoke completed column only gets flagged to "TRUE" if we are in the revocation period. The downside to this (unless there is a rule we can implement) is that we will not see revoke complete = TRUE until the certification is complete and we are in the revocation period (for us that would be 5 weeks after the certification kicked off, vs. near real time in version 5.2, where we aggregate nightly).

Is there an option / configuration to allow the revocations to be scanned immediately while the certification is ongoing (the behavior we saw in 5.2)?

Thanks

Hi Victor DiMare,

I would post this question in the Forums. I moved this article from the old site, but I don't have any insight into your question, so the experts in the forums should be able to assist.

-Lyndsay

will do.. Thx

Hello

We have a before provisioning plan that we are using to change the delete request for an account request to disable for an AD Read/Write Connector, and when we create the "Revocation Live Report" the status is still Open. I have checked, and all the criteria that you have mentioned are there in the Performance Maintenance Task, and I have waited for 24 hours based on the remediationScanInterval value in the System Configuration object, but the Status is still Open. I am not sure what to do, as I have run the aggregation task again and the Cube Refresh Task again, and even the attributes in the Identity are updated. Kindly suggest something, as your feedback will be helpful, and if any additional details are required, do let me know.

Thanks

Sumit Gupta

Hi Sumit,

Did you get any response for your question? What did you observe after your remediation phase completed? Did the status change to "finished", or is it still "open"? We have another situation along with yours: the Revocation report which we pulled from OOTB displays the type as "send provisioning request" but the status is Finished. What does the Type mean, and what should it change to when finished?

Hello Kapil,

Please refer to this link

Revocation Live Report Showing Incorrect Status

Thanks

Sumit Gupta

Thanks Sumit ! Appreciate your Help !

Np! Happy learning! Have fun.

Version history: revision 2 of 2, last updated Jul 28, 2023 07:12 PM