Deleted users are still able to connect #18

Open
eugeneiiim opened this issue Dec 30, 2022 · 5 comments

Comments

@eugeneiiim

I'm having trouble deleting users in TAK Server such that they're no longer able to connect to the server. I’m using file-based user management (not LDAP).

Repro steps:

  1. Add a user “testuser” using the User Management UI (/user-management/index.html)
  2. Log in using testuser in ATAK with “Use Authentication” and “Enroll for Client Certificate” enabled.
  3. Delete testuser in the User Management UI.
  4. Revoke testuser’s client certificate in the Client Certificates UI (Marti/clientcerts/index.html)
  5. Restart the server.

Expected: testuser no longer connected in ATAK
Actual: testuser is still connected in ATAK (and is even able to disconnect and reconnect)

@FarrantAlex

Delete the user's private .key file in /opt/tak/certs/files/

@eugeneiiim
Author

Because I'm using "enroll for client certificate", the client certificates are not stored to /opt/tak/certs/files. They're only stored in the certificate table in Postgres AFAIK.

@eugeneiiim
Author

In the logs, I'm seeing

2023-01-04-19:18:05.705 [https-jsse-nio-8446-exec-18] DEBUG com.bbn.tak.tls.CertManagerAdminApi - revoking certificate : ./revokeCert.sh  /opt/tak/revoke-11366095838260085583 null null

I think this means CAkey and CAcertificate must be set for TAKServerCAConfig in CoreConfig.xml, but these are not being checked for null when read from the config.
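
An added example, not part of the issue thread or TAK Server's own code: a scan for the log pattern quoted above, where `./revokeCert.sh` is invoked with `null` for its last two arguments, plus a check for the two unset settings. It assumes `CAkey` and `CAcertificate` are XML attributes of `TAKServerCAConfig` and that the script's arguments are file, CA key, CA certificate in that order; the function names, the second log line and the config fragment are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Shape of the CertManagerAdminApi DEBUG line quoted in the issue:
#   <ts> [...] ... revoking certificate : ./revokeCert.sh <file> <arg> <arg>
# Assumption: the last two arguments are the CA key and CA certificate.
REVOKE_RE = re.compile(
    r"^(?P<ts>\S+)\s.*CertManagerAdminApi - revoking certificate : "
    r"\./revokeCert\.sh\s+(?P<cert>\S+)\s+(?P<ca_key>\S+)\s+(?P<ca_cert>\S+)\s*$"
)

def failed_revocations(log_lines):
    """Return (timestamp, file) for each revocation invoked with a 'null' CA argument."""
    hits = []
    for line in log_lines:
        m = REVOKE_RE.match(line.strip())
        if m and "null" in (m["ca_key"], m["ca_cert"]):
            hits.append((m["ts"], m["cert"]))
    return hits

def missing_ca_settings(core_config_xml):
    """Return which of CAkey/CAcertificate are absent or empty.

    Assumption: both are XML attributes of a TAKServerCAConfig element.
    """
    wanted = ("CAkey", "CAcertificate")
    root = ET.fromstring(core_config_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "TAKServerCAConfig":  # ignore XML namespace
            return [a for a in wanted if not (el.get(a) or "").strip()]
    return list(wanted)  # element not present at all

# Constructed sample input: the first line is the one from the issue,
# the second is made up to show a revocation that did receive CA paths.
SAMPLE_LOG = [
    "2023-01-04-19:18:05.705 [https-jsse-nio-8446-exec-18] DEBUG com.bbn.tak.tls.CertManagerAdminApi - revoking certificate : ./revokeCert.sh  /opt/tak/revoke-11366095838260085583 null null",
    "2023-01-04-19:20:11.002 [https-jsse-nio-8446-exec-3] DEBUG com.bbn.tak.tls.CertManagerAdminApi - revoking certificate : ./revokeCert.sh /opt/tak/revoke-example /path/to/ca-key /path/to/ca-cert",
]
# Constructed config fragment; the real CoreConfig.xml layout may differ.
SAMPLE_CONFIG = '<Configuration><TAKServerCAConfig CAkey="/path/to/ca-key"/></Configuration>'

if __name__ == "__main__":
    for ts, cert in failed_revocations(SAMPLE_LOG):
        print(f"{ts}: revocation of {cert} ran without CA key/certificate")
    print("unset in config:", missing_ca_settings(SAMPLE_CONFIG))
```
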

@PrcsnFlyer

PrcsnFlyer commented Jan 13, 2023

@eugeneiiim

I have similar issues while revoking users manually.
After executing the ./revokeCert.sh script I receive the following error:

certificate variable lookup failed for CA_default::certificate

Probably this is related to your error because the Cert Manager API calls ./revokeCert.sh as well.

@JonasmedJ

Whenever you revoke a certificate, you should also restart the server, for the changes to take effect.
