Enabling certificate validation and certificate revocation list support in native interceptors
You must modify the keystore configuration file so that Advanced Message Security can download CRLs from the Lightweight Directory Access Protocol (LDAP) server.
About this task
Enabling certificate validation and certificate revocation list support in native interceptors is not supported for Advanced Message Security on IBM® i.
Procedure
Option | Description |
---|---|
crl.ldap.host=host_name | LDAP server host name. |
crl.ldap.port=port_number | LDAP server port number. You can specify up to 11 servers. Multiple LDAP hosts are used to ensure transparent failover in case of LDAP connection failure. It is expected that all LDAP servers are replicas and contain the same data. When the AMS Java interceptor successfully connects to an LDAP server, it does not attempt to download CRLs from the remaining servers. |
crl.cdp=off | Controls whether CRLDistributionPoints extensions in certificates are checked and used. |
crl.ldap.version=3 | LDAP protocol version number. Possible values: 2 or 3. |
crl.ldap.user=cn=username | User name used to log in to the LDAP server. If this value is not specified, CRL attributes in LDAP must be world-readable. |
crl.ldap.pass=password | Password for the LDAP server. |
crl.ldap.encrypted=no/yes | Whether the crl.ldap.pass value is encrypted or not. See Protecting passwords in AMS configuration files for more information. |
crl.ldap.cache_lifetime=0 | LDAP cache lifetime in seconds. Possible values: 0-86400. |
crl.ldap.cache_size=50 | LDAP cache size. This option can be specified only if the crl.ldap.cache_lifetime value is larger than 0. |
crl.http.proxy.host=some.host.com | HTTP proxy server host name for CDP CRL retrieval. |
crl.http.proxy.port=8080 | HTTP proxy server port number. |
crl.http.max_response_size=204800 | The maximum size of CRL, in bytes, that can be retrieved from an HTTP server and that is accepted by IBM Global Security Kit (GSKit). |
crl.http.timeout=30 | Waiting time for a server response, in seconds, after which AMS times out. |
crl.http.cache_size=0 | HTTP cache size, in bytes. |
crl.unknown=ACCEPT | Defines the behavior when a CRL server cannot be reached within a timeout period. Possible values: |
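The constraints in the table above (LDAP version 2 or 3, cache lifetime 0-86400, cache size only with a non-zero lifetime, encrypted yes/no) can be checked before the file is deployed. The following linter is an added example, not IBM's code; it assumes a plain key=value keystore.conf and the option names from the table, and it also flags an LDAP bind password that is left unencrypted.

```python
# Added example (not IBM's code): lint the crl.* options of an AMS keystore.conf
# against the constraints stated in the option table. Assumes plain key=value lines.

# Constructed keystore.conf fragment, not taken from a real deployment.
SAMPLE_CONF = """\
cms.keystore = /opt/mqm/keystore/alice
crl.ldap.host=ldap1.example.com
crl.ldap.port=389
crl.ldap.user=cn=amsreader
crl.ldap.pass=secret
crl.ldap.encrypted=no
crl.ldap.cache_lifetime=0
crl.ldap.cache_size=50
"""

def parse_conf(text):
    """Return {key: value}; blank lines, '#' comments and non key=value lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def _int_in(opts, key, lo, hi, problems):
    """Return opts[key] as an int within [lo, hi]; record a problem and return None otherwise."""
    if key not in opts:
        return None
    n = int(opts[key]) if opts[key].isdigit() else None
    if n is None or not lo <= n <= hi:
        problems.append(f"{key}: '{opts[key]}' is not an integer in {lo}-{hi}")
        return None
    return n

def lint_crl_options(text):
    """Return the list of problems found in the crl.* options of a keystore.conf."""
    opts, problems = parse_conf(text), []
    if "crl.ldap.version" in opts and opts["crl.ldap.version"] not in ("2", "3"):
        problems.append("crl.ldap.version: must be 2 or 3")
    if "crl.ldap.encrypted" in opts and opts["crl.ldap.encrypted"] not in ("yes", "no"):
        problems.append("crl.ldap.encrypted: must be yes or no")
    for key in ("crl.ldap.port", "crl.http.proxy.port"):
        _int_in(opts, key, 1, 65535, problems)
    lifetime = _int_in(opts, "crl.ldap.cache_lifetime", 0, 86400, problems)
    if "crl.ldap.cache_size" in opts and not lifetime:
        problems.append("crl.ldap.cache_size: requires crl.ldap.cache_lifetime > 0")
    # A clear-text LDAP bind password is the finding with direct security impact.
    if "crl.ldap.pass" in opts and opts.get("crl.ldap.encrypted") != "yes":
        problems.append("crl.ldap.pass: stored in clear text; set crl.ldap.encrypted=yes")
    return problems
```

Run `lint_crl_options(SAMPLE_CONF)` to see the two findings in the constructed fragment: the cache size set with a zero lifetime, and the unencrypted bind password.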