Enabling certificate revocation list support in Java in AMS
To enable CRL support in Advanced Message Security (AMS), you must modify the keystore configuration file to allow AMS to download CRLs from the Lightweight Directory Access Protocol (LDAP) server and configure the java.security file.
Procedure
-
Add the following options to the configuration file:

crl.ldap.host.N=host_name
    LDAP host name, where N is a number from 1 to 9. To supply multiple CRL LDAP servers, set multiple LDAP host names and port numbers.

crl.ldap.port.N=port_number
    LDAP server port number, where N is a number from 1 to 9. Multiple LDAP hosts are used to provide transparent failover if an LDAP connection fails. All LDAP servers should be replicas and contain the same data. When the AMS Java interceptor successfully connects to an LDAP server, it does not attempt to download CRLs from the remaining servers.

Java does not use the crl.ldap.user and crl.ldap.pass values: the Java interceptor does not supply a user name and password when it connects to an LDAP server. Therefore the CRL attributes in LDAP must be world-readable, that is, readable by an anonymous bind.

crl.cdp=on/off
    Use this option to control whether the CRLDistributionPoints extension in certificates is checked and used.
-
Modify the JRE/lib/security/java.security file with the following properties:
com.ibm.security.enableCRLDP
    This property takes the values true and false. If it is set to true, during certificate revocation checking CRLs are located using the URL from the CRL distribution points extension of the certificate. If it is set to false or not set, CRL checking by using the CRL distribution points extension is disabled.

ibm.security.certpath.ldap.cache.lifetime
    Sets the lifetime, in seconds, of entries in the memory cache of the LDAP CertStore. A value of 0 disables the cache; -1 means unlimited lifetime. If not set, the default lifetime is 30 seconds.

com.ibm.security.enableAIAEXT
    This property takes the values true and false. If it is set to true, any Authority Information Access extensions found in the certificates of the certificate path being built are examined to determine whether they contain LDAP URIs. For each LDAP URI found, an LDAPCertStore object is created and added to the collection of CertStores used to locate the other certificates required to build the certificate path. If it is set to false or not set, additional LDAPCertStore objects are not created.
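The two steps above put together, as an added example that is not taken from the original page or from the AMS product files. The keystore configuration file name (keystore.conf), the LDAP host names, the port numbers and the chosen cache lifetime are assumptions for illustration; only the option names and their permitted values come from the procedure above.

```properties
# Added example (not from the original page). Host names, ports and the
# file name keystore.conf are assumptions; option names are from the procedure.

# --- AMS keystore configuration file (assumed: keystore.conf) ---
# Two LDAP replicas for failover. The Java interceptor uses the first server
# it connects to and does not try the others, so both must hold identical CRLs.
crl.ldap.host.1=ldap1.example.com
crl.ldap.port.1=389
crl.ldap.host.2=ldap2.example.com
crl.ldap.port.2=389
# Also check the CRLDistributionPoints extension carried in certificates.
crl.cdp=on
# crl.ldap.user and crl.ldap.pass are ignored by the Java interceptor:
# the CRL attributes on these servers must be readable by an anonymous bind.

# --- JRE/lib/security/java.security ---
# Locate CRLs through the URL in the certificate's CRL distribution points extension.
com.ibm.security.enableCRLDP=true
# Lifetime of LDAP CertStore cache entries in seconds (0 disables the cache,
# -1 keeps entries forever; 30 is the documented default).
ibm.security.certpath.ldap.cache.lifetime=30
# Follow LDAP URIs in Authority Information Access extensions to fetch the
# intermediate certificates needed to build the certificate path.
com.ibm.security.enableAIAEXT=true
```

Before relying on this, confirm from the interceptor host that the CRL is visible without credentials, for example with an anonymous simple bind: ldapsearch -x -H ldap://ldap1.example.com:389 -b "<issuer DN>" certificateRevocationList. Because the interceptor stops at the first server that accepts a connection, a replica that is reachable but out of date will silently serve stale revocation data, so replication lag matters as much as availability. Similarly, raising ibm.security.certpath.ldap.cache.lifetime reduces LDAP traffic but delays the point at which a newly published revocation takes effect; -1 means a revoked certificate is not noticed until the JVM restarts.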