Certificate Revocation List (CRL) Processing Service
The Certificate Revocation List Processing service confirms that your business processes correctly authenticate your trading partners. This service confirms that other Sterling B2B Integrator services that request digital certificates are only given valid certificates. This service also notifies you when an attempt is made to check in a revoked certificate.
The following table provides an overview of the CRL Processing service:
System name | CRLProcessingService |
---|---|
Graphical Process Modeler (GPM) category | All Services |
Description | This service processes a version 2 digital Certificate
Revocation List (CRL). Specifically, this service:
Note: The notification only occurs if you enable CRL caching
in Sterling B2B Integrator.
|
Business usage | Use this service to confirm that your business processes correctly authenticate your trading partners. This service confirms that other Sterling B2B Integrator services that request digital certificates are only given valid certificates. Valid certificates are those that have not been revoked or held. Also use this service if you want to be notified when an attempt is made to check in a revoked certificate. |
Usage example | The CRL Processing service should be placed in
a scheduled business process that downloads CRLs at the required interval.
(The required interval varies by authority and trading community.) Note: The
CRL does not contain certificates; it lists those certificates that
should be revoked.
For more information, see How the CRL
Processing Service Works. |
Preconfigured? | No |
Requires third party files? | No |
Platform availability | All supported Sterling B2B Integrator platforms |
Related services | The HTTP Client adapter and the LDAP adapter are often used in conjunction with this service because these adapters can be used to download the CRL. This service confirms that other services which request the use of digital certificates are given them only if the certificate has not been revoked or is being held. |
Application requirements | The list passed to this service must be formatted according to the CRL version 2 specification published by the Internet Engineering Task Force (IETF) in document http://www.ietf.org/rfc/rfc3280.txt. |
Initiates business processes? | No |
Invocation | This service must be preceded by a service or adapter that can collect the CRL and hand it off to this one. In addition, the entire chain of authorization for the CRL must be in the Sterling B2B Integrator CA certificate store before this service can run. |
Business process context considerations | This service processes the CRL; it does not download
the CRL. Before processing the CRL, this service attempts to verify
the signature on the CRL. This service can verify the CRL only if
the following certificates are in the Sterling B2B Integrator certificate
store:
|
Returned status values | Returned status values:
|
Restrictions | This service only processes the following CRL critical
extensions:
|
Persistence level | None |
Testing considerations | Enable the ShowTranscripts parameter in the CRL Processing service configuration. When enabled, operations on each certificate in the list are recorded. |
How the CRL Processing Service Works
The Certificate Revocation List is periodically issued by the certificate authority to identify those certificates that should be revoked.
- It verifies the CRL using a certificate in the CA certificate store in the Sterling B2B Integrator database.
- Once verified, it checks the CRL expiration date. If the CRL is expired, the default behavior is for the service to fail. You can allow the service to continue by changing the FailOnExpiredCRL parameter to false.
- The service then begins to process the CRL. If the CRL has a critical extension that the application does not understand, the default behavior for this service is to fail. You can allow the service to continue by changing the FailOnUnsupportedCRLCritExtns parameter to false.
- For each entry in the CRL, the service looks in the trusted certificate
and system certificate tables for a corresponding certificate entry.Note: You can turn off processing of the system certificates by adding the parameter RevokePrivateKeys to the BMPL and setting it to false.
For each record in the system certificate or trusted certificate table which corresponds to an entry in the CRL, the service does the following:
- If the status of the entry is OK and the CRL indicates the certificate is revoked, the service sets the status in the table to revoked.
- If the status of the entry is OK and the CRL indicates the certificate
is held, the service sets the status in the table to held.
When the status is set to revoked or held, the API calls which attempt to load the certificate or key from the database will fail at runtime.
- If the status of the entry is held and the CRL indicates the certificate should be removed from the CRL, the service sets the status in the table to OK. This allows the API calls which attempt to load the certificate or key from the database to succeed at runtime.
- The service then determines if it is a base CRL or a delta CRL
and adds it to the Sterling B2B Integrator database
according to the following rules:
- If there is no corresponding CRL of that type and issuer, the service simply adds the CRL to the database.
- If there is an existing CRL, the service uses the CRL number to
add the most recent CRL to the database.
- If the CRL numbers are identical, the service uses the thisUpdate date in the CRLs to determine which is the most recent.
- If there are no CRL numbers, the thisUpdate date is used.
- The service updates the CRL cache.
The CRL cache is a standard cache that maintains CRL information in memory and is checked by Sterling B2B Integrator when you try to upload a certificate and by the certificate loading APIs. The cache consists of information from one base CRL and possibly one delta CRL for each issuer.
Note: CRLs are verified when they are loaded into the cache. By default, CRLs that are expired or that have unsupported critical extensions do not update the CRL cache. However, you can change the default by setting the LoadExpiredCRLs and LoadUnsuppCritExtnCRLs parameter to true in the security.properties file.
Implementing the CRL Processing Service
- Activate your license for the CRL Processing service. See Installing Sterling B2B Integrator.
- Create a CRL Processing service configuration. See Managing Services and Adapters.
- Configure the CRL Processing service.
- Use the CRL Processing service in a business process.
Configuring the CRL Processing Service
To configure the CRL Processing service, you must specify settings for the following fields in the GPM.
Field | Description |
---|---|
Config | Name of the service configuration. Required. |
ShowTranscripts | Tells the service whether to put log information into the WFC advanced status. For debug information, debug logging must be enabled in the security log. Optional. Valid values are true and false (default is false). |
FailOnExpiredCRL | Tells the service whether to fail if the CRL is expired. The only reason to not fail in this situation is for testing. Optional. Valid values are true and false (default is true). |
FailOnUnsupportedCRLCritExtns | Tells the service whether to fail if it encounters a critical extension it does not understand when processing a CRL. In most cases, Sterling B2B Integrator should not process CRLs with un-supported critical extensions. There may be extraordinary or testing situations where you want to turn this off. Optional. Valid values are true and false (default is true). |
Output from Business Process to Service
The preceding table describes the information that is passed from the business process to the CRL Processing service.
Business Process Example
The following example illustrates how to pass values to the service for the parameters in the previous table:
<process name="1CRL">
<sequence name="optional">
<operation name="One">
<participant name="1CRL"/>
<output message="noopout">
<assign to="." from="*"></assign>
<assign to="ShowTranscripts">true</assign>
<assign to="FailOnExpiredCRL">false</assign>
<assign to="FailOnUnsupportedCRLCritExtns">false</assign>
</output>
<input message="noopin">
<assign to="." from="*"></assign>
</input>
</operation>
</sequence>
</process>