IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Working with certificate revocation lists

Certificate revocation lists (CRLs) provide a means for an SSL endpoint to verify that a certificate that is received from a remote host, and that is signed by a trusted certificate authority (CA), is still valid and trustworthy.

By using CRLs, CAs can manage the validity of the certificates they previously issued, after those certificates have been published and are in use. A CRL is a downloadable file that is maintained by the CA and contains a list of certificates that the CA issued but no longer considers trustworthy. Each entry in the CRL identifies a certificate that has been revoked, a time limit (if the revocation applies for only a period of time), and a reason for the revocation. By checking that a presented certificate is not included in a recent CRL from the CA, the endpoint ensures that the CA still considers the certificate trustworthy.

You can configure HTTP-based output nodes (HTTPRequest, HTTPAsyncRequest, SOAPRequest, SOAPAsyncRequest, SCARequest, and SCAAsyncRequest) to specify whether CRL checking should be enabled for SSL connections that are made on behalf of the nodes. You configure CRL checking by setting the Enable certificate revocation list checking property in the node. The default value is false.

For more information about the properties of these nodes, see the following documents:

You must enable CRL checking per node, and not per Java™ Virtual Machine (JVM). That is, the com.ibm.jsse2.checkRevocation JVM system property is ignored and the value of the node's Enable certificate revocation list checking property is used instead.

Configure the path to the CRL files that the JVM uses to check certificates by using the broker.crlFileList property. You can set this property at the level of the integration server or at the level of the integration node (broker). The value of the property is a list of paths to CRL files separated by the path separator character for the host operating system. You can set the value of this property by using the mqsichangeproperties command. For example:
mqsichangeproperties IB9NODE -o BrokerRegistry -n crlFileList -v file_path
where IB9NODE is the name of the node and file_path is the path to the CRL file.
You can configure the JVM to automatically download any CRL files (from CRL distribution points that are specified in the CA's digital signature) by setting the com.ibm.security.enableCRLDP property to true. The default value is false. You can set the value of this property by using the mqsichangeproperties command. For example:
mqsichangeproperties IB9NODE -e exgroup1 -o ComIbmJVMManager -n enableCRLDP -v true
where IB9NODE is the name of the node and exgroup1 is the name of the integration server.

You can use the com.ibm.security.enableCRLDP and broker.crlFileList properties together to enable automatic loading of CRLs.

You cannot check the revocation status of self-signed certificates because those certificates are by definition untrusted and they have no CA against which to check validity. If CRL checking is enabled on a node, and that node is presented with a self-signed certificate, the connection fails. By enabling CRL checking, you can prevent IBM® Integration Bus from connecting to remote hosts that use untrusted certificates when trusted certificates are expected.
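The three outcomes that CRL checking produces for an output node (no CRL available, a current CRL that does not list the certificate, and a CRL that revokes it) can be reproduced outside the broker with the openssl command line. The following script is an added example, not part of the IBM documentation or product; the private CA, the host name remote-host and the temporary working directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added demo (not IBM's code): mimics what "Enable certificate revocation list
# checking" does to an SSL connection, using only the openssl CLI in a temp dir.
set -e
WORK=$(mktemp -d)
cd "$WORK"
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
touch index.txt; echo 01 > serial
# Constructed private CA plus one certificate for the (constructed) remote host
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 30 >/dev/null 2>&1
openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout host.key -out host.csr -subj /CN=remote-host >/dev/null 2>&1
openssl ca -config ca.cnf -batch -notext -days 30 -in host.csr -out host.pem >/dev/null 2>&1
# CRL-checked verification, as the node would perform it: prints OK, REVOKED or NO_CRL
crl_check() {  # $1 = trust store (CA cert, with any CRLs appended), $2 = presented cert
  out=$(openssl verify -crl_check -CAfile "$1" "$2" 2>&1) && { echo OK; return; }
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *"unable to get certificate CRL"*) echo NO_CRL ;;
    *) echo "OTHER: $out" ;;
  esac
}
R_NOCRL=$(crl_check ca.pem host.pem)      # checking on, no CRL supplied: fails closed
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
cat ca.pem ca.crl > trust.pem
R_VALID=$(crl_check trust.pem host.pem)   # current CRL, certificate not listed: accepted
openssl ca -config ca.cnf -revoke host.pem -crl_reason keyCompromise >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
cat ca.pem ca.crl > trust.pem
R_REVOKED=$(crl_check trust.pem host.pem) # CA revoked it and republished: rejected
echo "no CRL: $R_NOCRL, current CRL: $R_VALID, after revocation: $R_REVOKED"
```

The first result is why crlFileList or enableCRLDP must supply a CRL once checking is enabled: without one the node has nothing to check against and the connection fails.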

When you use IBM Integration Bus to receive HTTP requests, you can configure the HTTP listener to use a CRL file. The validity of client certificates is then checked against the CRL file before connections are accepted. You can configure the broker-wide listener to use a CRL file by using the following command:
mqsichangeproperties IB9NODE -b httplistener -o HTTPSConnector -n crlFile -v file_path
where IB9NODE is the name of the node and file_path is the path to the CRL file.
You can configure an HTTP listener that is embedded in an integration server to use a CRL file by using the following command:
mqsichangeproperties IB9NODE -e exgroup1 -n crlFile -v file_path
where IB9NODE is the name of the node, exgroup1 is the name of the integration server, and file_path is the path to the CRL file.

bc49114_.htm | Last updated Friday, 21 July 2017