David B Hinz wrote, On 2008-09-11 09:13:
> We are still encountering the problem detailed below that was described by
> Steve over a year ago.
>
> Is there anyone that can provide some insight on how we can solve this
> problem?
>
> What happens is that some of our applications must run 24x7 yet the user
> certificates are changed every 90 days (or sooner based on other criteria).
> When the certificates are changed while the applications are running we get
> the INVALID_CREDENTIALS error.
David,

There are a number of details I'd like you to clarify. You've got a server and one (or more) client(s), but your description doesn't talk about either one specifically, and just says "we" and "the applications". So I'm going to ask you to clarify your description, and be very clear about whether you're talking about client or server for each aspect.

Which one(s) of them must be up 24x7?
Which one(s) of them use the Java LDAP SDK?
Which one(s) of them has its certificates changed? That is, is it a client certificate being changed? Or, is it the server certificate being changed? Or both?

Are your clients using certificate based client authentication?

Where do these "INVALID_CREDENTIALS" errors appear? On the server? On the client? Is the client rejecting the server's certificate? Or is the server rejecting the client's certificate?

Which certificates are being replaced every 90 days? The server's? The client's? Both?

Are these certificates self-signed? Or are they issued by a CA (perhaps your own enterprise internal CA)? And, if by a CA, are you replacing the CA cert every 90 days?

Is the problem that you cannot insert the new certificate into the DB of the application (client or server) that is sending the certificate to its peer? Or is the problem that the certificate must be inserted into the DB of the application that is receiving and verifying the cert, so that it will verify the (self-signed) cert it receives?

Finally, if you had the ability to safely insert the new cert into the cert DB while the DB was in use, do you know how to get the application that uses it to switch to the new cert in the DB?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto