Enabling certificate revocation list support in Java

To enable CRL support in Advanced Message Security, you must modify the keystore configuration file to allow IBM® WebSphere® MQ AMS to download CRLs from the Lightweight Directory Access Protocol (LDAP) server and configure the java.security file.

Procedure

Add the following options to the configuration file:

Header Description

crl.ldap.host=<host_name> LDAP host name.

Header	Description
`crl.ldap.host=<host_name>`	LDAP host name.
`crl.ldap.port=<port_number>`	LDAP server port number. You can specify up to 11 servers. Multiple LDAP hosts are used to ensure transparent failover in case of LDAP connection failure. It is expected that all LDAP servers are replicas and contain the same data. When the IBM WebSphere MQ AMS Java interceptor successfully connects to an LDAP server, it does not attempt to download CRLs from the remaining servers provided. Java does not use `crl.ldap.user` and crl.ldaworldp.pass values. It does not use a user and password when connecting to an LDAP server. As a consequence, CRL attributes in LDAP must be world-readable.
`crl.cdp=on/off`	Use this option to check or use CRLDistributionPoints extensions in certificates.

crl.ldap.port=<port_number>

LDAP server port number.

You can specify up to 11 servers. Multiple LDAP hosts are used to ensure transparent failover in case of LDAP connection failure. It is expected that all LDAP servers are replicas and contain the same data. When the IBM WebSphere MQ AMS Java interceptor successfully connects to an LDAP server, it does not attempt to download CRLs from the remaining servers provided.

Java does not use crl.ldap.user and crl.ldaworldp.pass values. It does not use a user and password when connecting to an LDAP server. As a consequence, CRL attributes in LDAP must be world-readable.

crl.cdp=on/off Use this option to check or use CRLDistributionPoints extensions in certificates.

Modify the JRE/lib/security/java.security file with the following properties:

Property Name Description

Property Name	Description
`com.ibm.security.enableCRLDP`	This property takes the following values: `true`, `false`. If it is set to `true`, when doing certificate revocation check, CRLs are located using the URL from CRL distribution points extension of the certificate. If it is set to `false` or not set, checking CRL by using the CRL distribution points extension is disabled.
`ibm.security.certpath.ldap.cache.lifetime`	This property can be used to set the lifetime of entries in the memory cache of LDAP CertStore to a value in seconds. A value of 0 disables the cache; -1 means unlimited lifetime. If not set, the default lifetime is 30 seconds.
`com.ibm.security.enableAIAEXT`	This property takes the following values: `true`, `false`. If it is set to `true`, any Authority Information Access extensions that are found within the certificates of the certificate path being built are examined to determine whether they contain LDAP URIs. For each LDAP URI found, an LDAPCertStore object is created and added to the collection of CertStores that is used to locate other certificates that are required to build the certificate path. If it is set to `false` or not set, additional LDAPCertStore objects are not created.

com.ibm.security.enableCRLDP

This property takes the following values: true, false.

If it is set to true, when doing certificate revocation check, CRLs are located using the URL from CRL distribution points extension of the certificate.

If it is set to false or not set, checking CRL by using the CRL distribution points extension is disabled.

ibm.security.certpath.ldap.cache.lifetime This property can be used to set the lifetime of entries in the memory cache of LDAP CertStore to a value in seconds. A value of 0 disables the cache; -1 means unlimited lifetime. If not set, the default lifetime is 30 seconds.

com.ibm.security.enableAIAEXT

This property takes the following values: true, false.

If it is set to true, any Authority Information Access extensions that are found within the certificates of the certificate path being built are examined to determine whether they contain LDAP URIs. For each LDAP URI found, an LDAPCertStore object is created and added to the collection of CertStores that is used to locate other certificates that are required to build the certificate path.

If it is set to false or not set, additional LDAPCertStore objects are not created.