Certificate revocation lists (CRLs) provide a means for an SSL endpoint to verify that a certificate that is received from a remote host, and that is signed by a trusted certificate authority (CA), is still valid and trustworthy.
By using CRLs, CAs can manage the validity of certificates that they have already issued and that are in use. A CRL is a downloadable file that is maintained by the CA and contains a list of certificates that the CA issued but no longer considers trustworthy. Each entry in the CRL includes a certificate that has been revoked, a time limit (if the revocation applies for only a period of time), and a reason for the revocation. By checking that a presented certificate is not included in a recent CRL from the CA, the endpoint ensures that the CA still considers the certificate trustworthy.
You can configure HTTP-based output nodes (HTTPRequest, HTTPAsyncRequest, SOAPRequest, SOAPAsyncRequest, SCARequest, and SCAAsyncRequest) to specify whether CRL checking should be enabled for SSL connections that are made on behalf of the nodes. You configure CRL checking by setting the Enable certificate revocation list checking property in the node. The default value is false.
You must enable CRL checking per node, and not per Java™ Virtual Machine (JVM). That is, the com.ibm.jsse2.checkRevocation JVM system property is ignored and the value of the node's Enable certificate revocation list checking property is used instead.
mqsichangeproperties IB9NODE -o BrokerRegistry -n crlFileList -v file_path
where IB9NODE is the name of the node and file_path is the path to the CRL file.
mqsichangeproperties IB9NODE -e exgroup1 -o ComIbmJVMManager -n enableCRLDP -v true
where IB9NODE is the name of the node and exgroup1 is the name of the integration server.
You can use the com.ibm.security.enableCRLDP and broker.crlFileList properties together to enable automatic loading of CRLs.
You cannot check the revocation status of self-signed certificates because those certificates are by definition untrusted and they have no CA against which to check validity. If CRL checking is enabled on a node, and that node is presented with a self-signed certificate, the connection fails. By enabling CRL checking, you can prevent IBM® Integration Bus from connecting to remote hosts that use untrusted certificates when trusted certificates are expected.
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n crlFile -v file_path
where IB9NODE is the name of the node and file_path is the path to the CRL file.
mqsichangeproperties IB9NODE -e exgroup1 -n crlFile -v file_path
where IB9NODE is the name of the node, exgroup1 is the name of the integration server, and file_path is the path to the CRL file.
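As an added example (not part of the IBM Integration Bus documentation or product), the following shell script uses the openssl command-line tool to build a throwaway CA, issue one certificate, and then check it against a CRL file the same way an endpoint with CRL checking enabled does, including the self-signed case described above. The CA name, subjects and file names are constructed test data; the script assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: throwaway CA + CRL check with openssl. Not IBM Integration Bus
# code; all names below are constructed. Requires the openssl CLI.
set -e
WORK=$(mktemp -d); cd "$WORK"
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber   # 'openssl ca' state
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
Q="-config ca.cnf -newkey rsa:2048 -nodes"
openssl req $Q -x509 -days 365 -keyout ca.key -out ca.pem -subj /CN=DemoCA 2>/dev/null
openssl req $Q -keyout srv.key -out srv.csr -subj /CN=remote.example 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in srv.csr -out srv.pem 2>/dev/null
openssl req $Q -x509 -days 365 -keyout self.key -out self.pem -subj /CN=selfsigned 2>/dev/null
# revocation_status CERT CRL prints "trusted" if CERT chains to ca.pem and is absent
# from CRL, "revoked" if CRL lists it, "invalid" for any other failure (self-signed
# peer, unknown issuer, CRL past its nextUpdate time).
revocation_status() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" 2>&1) && { echo trusted; return; }
  case "$out" in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
}
openssl ca -batch -config ca.cnf -gencrl -out crl-empty.pem 2>/dev/null
openssl ca -batch -config ca.cnf -revoke srv.pem -crl_reason keyCompromise 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out crl-revoked.pem 2>/dev/null
echo "issued cert, CRL before revocation: $(revocation_status srv.pem crl-empty.pem)"
echo "issued cert, CRL after revocation:  $(revocation_status srv.pem crl-revoked.pem)"
echo "self-signed peer cert:              $(revocation_status self.pem crl-empty.pem)"
```

The same self-signed outcome is what a node with CRL checking enabled produces: the connection fails because there is no trusted CA against which to check the certificate.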