Enabling LDAP CRL support

Certificate revocation information can be obtained from an LDAP server. The LDAP server provides the revocation information in the form of a CRL.

To enable the use of an LDAP server, GSK_LDAP_SERVER must be set to the IP address or host name of the LDAP server and, optionally, GSK_LDAP_PORT must be set to the port on which the LDAP server listens for requests. When no port is specified, port 389 is used.

When the revocation status of a certificate is checked, the X.500 directory name in the certificate's CRL distribution points (CDP) extension identifies the CRL to be retrieved from the LDAP server. If the CDP extension is not present or does not contain an X.500 directory name, the issuer name in the certificate identifies the CRL. The returned CRL is then used to determine the revocation status of the certificate.

The following LDAP server and CRL characteristics can be tailored to your environment:
Response timeout
The time, in seconds, to wait for a response from the LDAP server can be overridden by specifying GSK_LDAP_RESPONSE_TIMEOUT. The default is 15 seconds.

LDAP CRL caching
CRLs retrieved from LDAP can be cached in the application's address space to avoid the processing time of contacting the LDAP server on every check. When LDAP CRL support is enabled, LDAP basic CRL caching is automatically enabled. LDAP basic CRL caching has the following characteristics:
  • All valid retrieved CRLs are placed into the cache.
  • An unlimited number of CRLs can reside in the cache. GSK_CRL_CACHE_SIZE can be specified to limit the number of entries allowed in the cache.
  • CRLs stay in the cache for a maximum of 24 hours. Every 24 hours after the first CRL is added to the cache, the entire cache is emptied. Because this flush is purely time-based, a CRL whose nextUpdate time has already passed can remain in the cache until the next flush. GSK_CRL_CACHE_TIMEOUT can be specified to change the number of hours that CRLs remain in the cache.
  • Temporary CRLs are placed into the cache when the LDAP server does not contain the CRL, so the LDAP server is not contacted again for that CRL until the cache is emptied; a CRL published to the LDAP server in the meantime is not seen until then. GSK_CRL_CACHE_TEMP_CRL can be specified to disable temporary CRL caching.
LDAP extended CRL cache support enhances the CRL caching capabilities. To enable LDAP extended CRL caching support, GSK_CRL_CACHE_EXTENDED must be set to ON. LDAP extended caching support has the following characteristics:
  • Valid retrieved CRLs are eligible to be cached only when their nextUpdate (expiration) time is later than the current time.
  • CRLs expire from the cache at different times, because each CRL's nextUpdate (expiration) time controls its own expiration. When the cache is updated with a new CRL, any expired CRLs are removed.
  • The default for GSK_CRL_CACHE_SIZE is 32 CRLs in the cache at one time. If adding a CRL would exceed this size, the cached CRL whose expiration time is closest is removed from the cache first.
  • By default, temporary CRLs are not added to the cache when the LDAP server does not contain the CRL. GSK_CRL_CACHE_TEMP_CRL can be specified to enable temporary CRL caching. If enabled, the lifetime of these temporary CRL entries is controlled by the GSK_CRL_CACHE_TEMP_CRL_TIMEOUT setting, which defaults to 24 hours.

For both basic and extended LDAP CRL cache support, GSK_CRL_CACHE_ENTRY_MAXSIZE specifies the maximum size, in bytes, of a CRL that is allowed to be stored in the cache; larger CRLs are not cached. The default is 0, which means that the CRL size is unlimited.

If LDAP basic CRL cache support is in effect, LDAP CRL caching can be disabled by setting GSK_CRL_CACHE_SIZE to 0 or GSK_CRL_CACHE_TIMEOUT to 0. If LDAP extended CRL cache support is enabled, LDAP CRL caching can be disabled by setting GSK_CRL_CACHE_SIZE to 0.
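The difference between the two cache policies is easiest to see by running them side by side. The following Python model is an added illustration and is not System SSL code: it implements the basic policy (timer-based flush of the whole cache, unlimited size by default, temporary CRLs cached by default) and the extended policy (per-CRL expiry on nextUpdate, 32 entries by default with eviction of the entry closest to expiring, temporary CRLs cached only when enabled), with GSK_CRL_CACHE_ENTRY_MAXSIZE honoured by both. The class and function names, the CRL record, the sample timeline, the behaviour of a size-limited basic cache that is full (it simply stops caching), and the lookup behaviour of an already expired extended entry are assumptions of this model, not documented behaviour.

```python
from dataclasses import dataclass
from typing import Dict, Optional

HOUR = 3600.0  # all times are seconds since epoch

@dataclass
class CRL:
    name: str                # lookup key: X.500 name from the CDP extension, or the issuer name
    next_update: float       # the CRL's nextUpdate time
    size: int = 1024         # encoded size in bytes, checked against GSK_CRL_CACHE_ENTRY_MAXSIZE
    temporary: bool = False  # placeholder recorded when the LDAP server did not have the CRL

class BasicCache:
    """GSK_CRL_CACHE_EXTENDED=OFF: a single timer empties the whole cache."""
    def __init__(self, size: Optional[int] = None, timeout_hours: int = 24,
                 temp_crl: bool = True, entry_maxsize: int = 0):
        # size=None models the default (unlimited); size=0 or timeout_hours=0 disables caching
        self.enabled = size != 0 and timeout_hours != 0
        self.size, self.timeout, self.temp_crl, self.maxsize = size, timeout_hours * HOUR, temp_crl, entry_maxsize
        self.entries: Dict[str, CRL] = {}
        self.first_added: Optional[float] = None
    def _flush_if_due(self, now: float) -> None:
        # GSK_CRL_CACHE_TIMEOUT hours after the first CRL went in, everything is dropped
        # (simplification: the timer restarts with the next CRL added)
        if self.first_added is not None and now - self.first_added >= self.timeout:
            self.entries.clear()
    def put(self, crl: CRL, now: float) -> bool:
        if (not self.enabled or (crl.temporary and not self.temp_crl)
                or (self.maxsize and crl.size > self.maxsize)):
            return False
        self._flush_if_due(now)
        if self.size is not None and len(self.entries) >= self.size and crl.name not in self.entries:
            return False  # assumption: basic mode simply stops caching at the limit
        if not self.entries:
            self.first_added = now
        self.entries[crl.name] = crl
        return True
    def get(self, name: str, now: float) -> Optional[CRL]:
        self._flush_if_due(now)
        return self.entries.get(name)  # nextUpdate is not consulted: a stale CRL is served until the flush

class ExtendedCache:
    """GSK_CRL_CACHE_EXTENDED=ON: every entry expires on its own nextUpdate."""
    def __init__(self, size: int = 32, temp_crl: bool = False,
                 temp_crl_timeout_hours: int = 24, entry_maxsize: int = 0):
        self.enabled = size != 0  # GSK_CRL_CACHE_SIZE=0 disables caching
        self.size, self.temp_crl, self.maxsize = size, temp_crl, entry_maxsize
        self.temp_timeout = temp_crl_timeout_hours * HOUR  # GSK_CRL_CACHE_TEMP_CRL_TIMEOUT
        self.entries: Dict[str, CRL] = {}
        self.expiry: Dict[str, float] = {}
    def _purge(self, now: float) -> None:
        for name in [n for n, t in self.expiry.items() if t <= now]:
            del self.entries[name], self.expiry[name]
    def put(self, crl: CRL, now: float) -> bool:
        if not self.enabled or (self.maxsize and crl.size > self.maxsize):
            return False
        if crl.temporary:
            if not self.temp_crl:
                return False
            expires = now + self.temp_timeout
        elif crl.next_update > now:
            expires = crl.next_update
        else:
            return False  # already past nextUpdate: not eligible for the cache
        self._purge(now)  # updating the cache removes expired entries
        if crl.name not in self.entries and len(self.entries) >= self.size:
            victim = min(self.expiry, key=self.expiry.get)  # the entry closest to expiring goes first
            del self.entries[victim], self.expiry[victim]
        self.entries[crl.name], self.expiry[crl.name] = crl, expires
        return True
    def get(self, name: str, now: float) -> Optional[CRL]:
        self._purge(now)  # assumption: a lookup also drops entries whose expiry has passed
        return self.entries.get(name)

def compare_policies():
    """Constructed timeline: CA A's CRL is good for 6 hours, CA B's for 72, both fetched at t=0."""
    a, b = CRL("CN=CA A", next_update=6 * HOUR), CRL("CN=CA B", next_update=72 * HOUR)
    basic, ext = BasicCache(), ExtendedCache()
    for crl in (a, b):
        basic.put(crl, 0.0)
        ext.put(crl, 0.0)
    return (basic.get(a.name, 12 * HOUR) is not None,  # True: stale A is still served from the basic cache
            basic.get(b.name, 25 * HOUR) is not None,  # False: the 24-hour flush took B with it
            ext.get(a.name, 12 * HOUR) is not None,    # False: A expired at its own nextUpdate
            ext.get(b.name, 25 * HOUR) is not None)    # True: B is good until hour 72

def eviction_order():
    """With GSK_CRL_CACHE_SIZE=2, a third CRL evicts the cached one nearest to expiry."""
    ext = ExtendedCache(size=2)
    for name, hours in (("CN=Long", 100), ("CN=Short", 1), ("CN=New", 50)):
        ext.put(CRL(name, next_update=hours * HOUR), 0.0)
    return sorted(ext.entries)  # ['CN=Long', 'CN=New']

def temporary_crl_defaults():
    """LDAP miss: basic caches a placeholder by default, extended only with GSK_CRL_CACHE_TEMP_CRL=ON."""
    miss = CRL("CN=Unpublished", next_update=0.0, temporary=True)
    return (BasicCache().put(miss, 0.0), ExtendedCache().put(miss, 0.0),
            ExtendedCache(temp_crl=True).put(miss, 0.0))  # (True, False, True)
```

The first function is the one worth running before choosing a setting: with the basic policy, CA A's CRL is still returned at hour 12 even though its nextUpdate passed at hour 6, and CA B's perfectly valid CRL is discarded at hour 24 together with everything else; with the extended policy each CRL lives exactly as long as its issuer said it should. The other two functions show the eviction order when GSK_CRL_CACHE_SIZE is reached and the opposite defaults the two policies have for temporary CRL entries.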