The IbmPKIX trust manager is enabled in the WebSphere® Application Server by default. The IbmPKIX trust manager allows certificate revocation checking to occur. You enable certificate revocation checking by using the administrative console or by manually updating the ssl.client.props file.
<trustManagers xmi:id="TrustManager_managementNode_2" name="IbmPKIX" provider="IBMJSSE2" algorithm="IbmPKIX" trustManagerClass="" managementScope="ManagementScope_managementNode_1">
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_1" name="com.ibm.security.enableCRLDP" value="false" type="boolean" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_2" name="com.ibm.jsse2.checkRevocation" value="false" type="boolean" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_3" name="ocsp.enable" value="false" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_4" name="ocsp.responderURL" value="http://ocsp.example.net:80" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_5" name="ocsp.responderCertSubjectName" value="" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_6" name="ocsp.responderCertIssuerName" value="" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_7" name="ocsp.responderCertSerialNumber" value="" type="String" displayNameKey="" nlsRangeKey="" hoverHelpKey="" range="" inclusive="false" firstClass="false"/>
</trustManagers>
You can view and change IbmPKIX Trust Manager Custom Properties using the administrative console.
For certificates that do not carry a CRL distribution point extension, trust manager custom properties can be set so that revocation status is checked against a remote LDAP server that holds the CRL instead.
Both the OCSP properties and the CRL properties affect certificate revocation checking, but neither does anything unless com.ibm.jsse2.checkRevocation is set to true; setting ocsp.enable or com.ibm.security.enableCRLDP on its own leaves revocation checking off. When revocation checking is on, OCSP is consulted first. If the OCSP check fails with an error, validation falls back to the certificate's CRL distribution point.
When you select a trust manager, its associated CRL properties (com.ibm.jsse2.checkRevocation and com.ibm.security.enableCRLDP) are automatically set as Java system properties, so that the IBMCertPath and IBMJSSE2 providers know whether CRL checking is enabled. The OCSP properties (ocsp.*) are handled the same way, except that they are java.security.Security properties rather than system properties.
The revocation section of ssl.client.props, with the shipped defaults (revocation checking off, OCSP lines commented out), looks like this:

#-------------------------------------------------------------------------
# Default Revocation Checking Properties
# These properties are used for certificate revocation checking with the IBM
# PKIX TrustManager.
#
# To enable CRL Distribution Points extension checking, use the system property
# com.ibm.security.enableCRLDP.
#
# OCSP checking is not enabled by default. It is enabled by setting the
# ocsp.enable property to "true". Use of the other ocsp properties is optional.
#
# Note: Both OCSP and CRLDP checking are only effective if revocation checking
# has also been enabled by setting com.ibm.jsse2.checkRevocation to "true".
#
#-------------------------------------------------------------------------
com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false
#ocsp.enable=true
#ocsp.responderURL=http://ocsp.example.net
#ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp
#ocsp.responderCertIssuerName=CN=Enterprise CA, O=XYZ Corp
#ocsp.responderCertSerialNumber=2A:FF:00
In addition, for revocation checking to be processed successfully on the client, you must turn off the signer exchange prompt by setting com.ibm.ssl.enableSignerExchangePrompt to false in the ssl.client.props file. With the prompt off, a signer certificate that is not already in the client truststore is rejected rather than offered for import, so add the required signers to the client truststore beforehand.
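The gating rules above (checkRevocation as the master switch, OCSP before CRLDP, signer prompt off on the client) are easy to get wrong when the settings are spread over the trust manager XML and ssl.client.props. The following script is an added example, not IBM or WebSphere code: it reads either source, derives which revocation mechanisms would actually be consulted, and reports misconfigurations. The sample inputs are constructed for the demo (the XML sample adds an xmlns:xmi declaration so it parses on its own, and deliberately turns on ocsp.enable without checkRevocation to show that trap); the "gui" prompt value in the weak sample is an assumption, since the page only says to set the prompt to false.

```python
"""Audit IbmPKIX revocation settings from the trustManagers XML fragment or
from ssl.client.props.  Added example, not IBM/WebSphere code.  It encodes
only the rules stated on the page: com.ibm.jsse2.checkRevocation gates
everything, OCSP is consulted before the CRL distribution point, and on the
client the signer exchange prompt must be off."""
import xml.etree.ElementTree as ET
from typing import Dict, List

CHECK_REVOCATION = "com.ibm.jsse2.checkRevocation"
ENABLE_CRLDP = "com.ibm.security.enableCRLDP"
OCSP_ENABLE = "ocsp.enable"
SIGNER_PROMPT = "com.ibm.ssl.enableSignerExchangePrompt"


def parse_props(text: str) -> Dict[str, str]:
    """java.util.Properties subset: '#'/'!' comment lines, the first '=', ':'
    or whitespace ends the key, last assignment wins.  Backslash escapes and
    line continuations are not handled (none appear in ssl.client.props)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        cut = [i for i in (line.find(c) for c in "=: \t") if i >= 0]
        if not cut:
            props[line] = ""
            continue
        idx = min(cut)
        key, value = line[:idx].strip(), line[idx + 1:].strip()
        if value[:1] in ("=", ":"):  # tolerate "key = value"
            value = value[1:].strip()
        props[key] = value
    return props


def parse_trust_manager_xml(text: str) -> Dict[str, str]:
    """Collect name/value pairs from <additionalTrustManagerAttrs> elements."""
    root = ET.fromstring(text)
    return {e.get("name", ""): e.get("value", "")
            for e in root.iter("additionalTrustManagerAttrs")}


def truthy(value: str) -> bool:
    return value.strip().lower() == "true"


def effective_order(props: Dict[str, str]) -> List[str]:
    """Mechanisms actually consulted, in the order the page describes:
    nothing unless checkRevocation is true; then OCSP first, CRLDP fallback."""
    if not truthy(props.get(CHECK_REVOCATION, "")):
        return []
    order: List[str] = []
    if truthy(props.get(OCSP_ENABLE, "")):
        order.append("OCSP")
    if truthy(props.get(ENABLE_CRLDP, "")):
        order.append("CRLDP")
    return order


def audit(props: Dict[str, str], client: bool = False) -> List[str]:
    """Return findings; an empty list means revocation checking is effectively
    on (and, for a client file, the signer exchange prompt is off)."""
    findings: List[str] = []
    if not truthy(props.get(CHECK_REVOCATION, "")):
        findings.append(f"{CHECK_REVOCATION} is not true: OCSP/CRLDP settings are ignored")
    elif not effective_order(props):
        findings.append(f"{CHECK_REVOCATION} is true but neither {OCSP_ENABLE} "
                        f"nor {ENABLE_CRLDP} is: nothing is consulted")
    if client and props.get(SIGNER_PROMPT, "").strip().lower() != "false":
        findings.append(f"{SIGNER_PROMPT} must be false for client-side revocation checking")
    return findings


# Constructed sample: shipped defaults in ssl.client.props ("gui" prompt value assumed).
WEAK_PROPS = """\
com.ibm.ssl.enableSignerExchangePrompt=gui
com.ibm.jsse2.checkRevocation=false
com.ibm.security.enableCRLDP=false
#ocsp.enable=true
#ocsp.responderURL=http://ocsp.example.net
"""

# Constructed sample: the same file with revocation checking switched on.
HARDENED_PROPS = """\
com.ibm.ssl.enableSignerExchangePrompt=false
com.ibm.jsse2.checkRevocation=true
com.ibm.security.enableCRLDP=true
ocsp.enable=true
ocsp.responderURL=http://ocsp.example.net
ocsp.responderCertSubjectName=CN=OCSP Responder, O=XYZ Corp
"""

# Constructed trustManagers fragment (xmlns:xmi added so it parses stand-alone):
# ocsp.enable is true but checkRevocation is not, so OCSP is never consulted.
WEAK_XML = """\
<trustManagers xmlns:xmi="http://www.omg.org/XMI" xmi:id="TrustManager_managementNode_2"
    name="IbmPKIX" provider="IBMJSSE2" algorithm="IbmPKIX">
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_1" name="com.ibm.security.enableCRLDP" value="false" type="boolean"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_2" name="com.ibm.jsse2.checkRevocation" value="false" type="boolean"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_3" name="ocsp.enable" value="true" type="String"/>
  <additionalTrustManagerAttrs xmi:id="DescriptiveProperty_4" name="ocsp.responderURL" value="http://ocsp.example.net:80" type="String"/>
</trustManagers>
"""

if __name__ == "__main__":
    for label, props, client in (("weak props", parse_props(WEAK_PROPS), True),
                                 ("hardened props", parse_props(HARDENED_PROPS), True),
                                 ("weak xml", parse_trust_manager_xml(WEAK_XML), False)):
        print(label, "->", effective_order(props) or "no revocation checking", audit(props, client))
```

Run it against a real ssl.client.props by reading the file into parse_props; the XML parser expects a fragment rooted at a single trustManagers element with the xmi namespace declared, as exported security.xml files already do at the document root.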
For more information on these properties, see Java(TM) Certification Path API Programmer's Guide - SDK 6.0.