Using certificate revocation lists in IBM MQ classes for Java
Specify the certificate revocation lists to use through the java.security.cert.CertStore class. IBM® MQ classes for Java then checks certificates against the specified CRL.
A certificate revocation list (CRL) is a set of certificates that have been revoked, either by the issuing certificate authority or by the local organization. CRLs are typically hosted on LDAP servers. With Java 2 v1.4, a CRL server can be specified at connect-time and the certificate presented by the queue manager is checked against the CRL before the connection is allowed. For more information about certificate revocation lists and IBM MQ, see Working with Certificate Revocation Lists and Authority Revocation Lists and Accessing CRLs and ARLs with IBM MQ classes for Java and IBM MQ classes for JMS.
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collection;
import com.ibm.mq.MQEnvironment;

// One CRL server, hosted on LDAP, contacted on the standard LDAP port
CertStoreParameters csp = new LDAPCertStoreParameters("crl_server", 389);
CertStore cs = CertStore.getInstance("LDAP", csp);

// The Collection may hold several CertStores; they are tried in order
Collection<CertStore> crls = new ArrayList<>();
crls.add(cs);
MQEnvironment.sslCertStores = crls;
1. The first CertStore object in the Collection identified by sslCertStores is used to identify a CRL server.
2. An attempt is made to contact the CRL server.
3. If the attempt is successful, the server is searched for a match for the certificate.
4. If the certificate is found to be revoked, the search process is over and the connection request fails with reason code MQRC_SSL_CERTIFICATE_REVOKED.
5. If the certificate is not found, the search process is over and the connection is allowed to proceed.
6. If the attempt to contact the server is unsuccessful, the next CertStore object is used to identify a CRL server and the process repeats from step 2.
If this was the last CertStore in the Collection, or if the Collection contains no CertStore objects, the search process has failed, and the connection request fails with reason code MQRC_SSL_CERT_STORE_ERROR.
The Collection of CertStores can also be set using the CMQC.SSL_CERT_STORE_PROPERTY. As a convenience, this property also allows a single CertStore to be specified without being a member of a Collection.
If sslCertStores is set to null, no CRL checking is performed. This property is ignored if sslCipherSuite is not set.
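The following program, added here as an example rather than IBM's own sample code, puts the pieces above together: it sets sslCipherSuite (without which sslCertStores is ignored), builds an ordered Collection of LDAP CertStores so that a second CRL server is tried only when the first cannot be contacted, shows the equivalent CMQC.SSL_CERT_STORE_PROPERTY form, and distinguishes the two reason codes a failed connection can return. The host names, port, channel and queue manager name are hypothetical, the cipher suite is one name chosen for illustration, and it is assumed that the MQRC_* reason codes are available as constants on com.ibm.mq.constants.CMQC.

```java
import java.security.cert.CertStore;
import java.security.cert.CertStoreParameters;
import java.security.cert.LDAPCertStoreParameters;
import java.util.ArrayList;
import java.util.Collection;

import com.ibm.mq.MQEnvironment;
import com.ibm.mq.MQException;
import com.ibm.mq.MQQueueManager;
import com.ibm.mq.constants.CMQC;

public class CrlCheckedConnect {

    // Build the ordered list of CRL servers. Order matters: the first server
    // that can be contacted decides the outcome; a later entry is consulted
    // only when an earlier server cannot be reached at all.
    static Collection<CertStore> buildCrlStores(String[] hosts, int port) throws Exception {
        Collection<CertStore> stores = new ArrayList<>();
        for (String host : hosts) {
            CertStoreParameters csp = new LDAPCertStoreParameters(host, port);
            stores.add(CertStore.getInstance("LDAP", csp));
        }
        return stores;
    }

    public static void main(String[] args) throws Exception {
        // Connection details (hypothetical values)
        MQEnvironment.hostname = "qm.example.internal";
        MQEnvironment.port = 1414;
        MQEnvironment.channel = "TLS.SVRCONN";

        // CRL checking only happens on a TLS channel: with sslCipherSuite
        // unset, sslCertStores is ignored and no revocation check runs.
        MQEnvironment.sslCipherSuite = "TLS_RSA_WITH_AES_128_CBC_SHA256";

        // Primary CRL server plus a fallback (both hypothetical host names)
        MQEnvironment.sslCertStores = buildCrlStores(
                new String[] {"crl1.example.internal", "crl2.example.internal"}, 389);

        // Equivalent form via the properties table; this property also accepts
        // a single CertStore that is not wrapped in a Collection:
        // MQEnvironment.properties.put(CMQC.SSL_CERT_STORE_PROPERTY, MQEnvironment.sslCertStores);

        try {
            MQQueueManager qmgr = new MQQueueManager("QM1");
            System.out.println("Connected: queue manager certificate is not on the CRL");
            qmgr.disconnect();
        } catch (MQException e) {
            if (e.reasonCode == CMQC.MQRC_SSL_CERTIFICATE_REVOKED) {
                // A CRL server was reached and lists the certificate:
                // do not retry; the queue manager's certificate must be replaced.
                System.err.println("Queue manager certificate is revoked");
            } else if (e.reasonCode == CMQC.MQRC_SSL_CERT_STORE_ERROR) {
                // No CRL server could be contacted (or none was configured):
                // fail closed here rather than reconnecting with sslCertStores = null.
                System.err.println("No CRL server reachable; revocation status unknown");
            } else {
                throw e;
            }
        }
    }
}
```

The distinction in the catch block is the operationally useful part: MQRC_SSL_CERTIFICATE_REVOKED is a definitive answer about the certificate, whereas MQRC_SSL_CERT_STORE_ERROR means the revocation status was never determined, so treating the second case as a retry-with-checks-disabled fallback would silently remove the protection this configuration exists to provide.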