Use this page to specify the certificate revocation lists that are used to check the validity of a certificate. The application server checks the certificate revocation lists (CRL) to determine the validity of the client certificate. A certificate that is found in a certificate revocation list might not be expired, but it is no longer trusted by the certificate authority (CA) that issued it. The CA might add the certificate to the certificate revocation list if it believes that the client authority is compromised.
To view the administrative console panel for the collection certificate store on the cell level, complete the following steps:
- Click .
- Under Additional properties, click Collection certificate store.
- Click the name of a configured collection certificate store, or create a new collection certificate store first.
- Under Additional properties, click to specify the path to a new list, or click the name of a certificate revocation list to modify its path.
To view the administrative console panel for the collection certificate store on the server level, complete the following steps:
- Click .
- Under Security, click JAX-WS and JAX-RPC security runtime. Mixed-version environment: In a mixed node cell with a server using WebSphere® Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.
- Under Additional properties, click Collection certificate store.
- Click the name of a configured collection certificate store, or create a new collection certificate store first.
- Under Additional properties, click to specify the path to a new list, or click the name of a certificate revocation list to modify its path.
To view this administrative console page for the collection certificate store on the application level, complete the following steps:
- Click .
- Under Modules, click .
- Under Web Services Security Properties, you can access collection certificate stores for the following bindings:
  - For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click .
  - For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click .
  - For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click .
  - For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click .
- Click the name of a configured collection certificate store, or create a new collection certificate store first.
- Under Additional properties, click to specify the path to a new list, or click the name of a certificate revocation list to modify its path.
Specifies a fully qualified path to the location where you can find the list of certificates that are not valid.
For portability reasons, it is recommended that you use application server variables to specify a relative path to the certificate revocation list. This recommendation is especially important when you are working in a WebSphere Application Server, Network Deployment environment. For example, you might use the USER_INSTALL_ROOT variable to define a path such as $USER_INSTALL_ROOT/mycertstore/mycrl, where mycertstore represents the name of your certificate store and mycrl represents the certificate revocation list. For a list of the supported variables, click in the administrative console.
The following list provides recommendations for using CRLs:
- If CRLs are added to the collection certificate store, add the CRLs for the root certificate authority and for each intermediate certificate authority, if applicable. When the CRLs are in the collection certificate store, the revocation status of every certificate in the chain is checked against the CRL of its issuer.
- When the CRL file is updated, the new CRL does not take effect until you restart the web service application.
- Before a CRL expires, you must load a new CRL into the collection certificate store to replace the old CRL. An expired CRL in the collection certificate store results in a certificate path (CertPath) build failure.
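The following Java program is an added example, not product code: it performs the same kind of PKIX certificate path build with CRL checking that the server performs against a collection certificate store, so you can see how a missing, expired or matching CRL for any issuer in the chain turns into a CertPath build failure. The certificate and CRL file paths are assumptions; one CRL is supplied per issuer, as the recommendations above require.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
/** Added example, not product code: a PKIX CertPath build with CRL checking, the same
 *  validation the server performs against a collection certificate store. Paths are assumed. */
public class CrlPathCheck {
    static final String ROOT_CA = "certs/root-ca.cer";      // trust anchor
    static final String CLIENT = "certs/client.cer";        // certificate being validated
    // One CRL per issuer in the chain: the root CA's and the intermediate CA's.
    static final String[] CRLS = { "certs/root-ca.crl", "certs/intermediate-ca.crl" };
    static X509Certificate loadCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
    static X509CRL loadCrl(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509CRL) cf.generateCRL(in);
        }
    }
    /** Returns the validated path; throws CertPathBuilderException when the client
     *  certificate is revoked or when an issuer's CRL is missing or has expired. */
    static CertPath buildPath() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate root = loadCert(cf, ROOT_CA);
        X509Certificate client = loadCert(cf, CLIENT);
        // The collection store: target certificate, intermediate CA certificate, and the CRLs.
        List<Object> collection = new ArrayList<>();
        collection.add(client);
        collection.add(loadCert(cf, "certs/intermediate-ca.cer")); // intermediate CA (assumed path)
        for (String p : CRLS) collection.add(loadCrl(cf, p));
        CertStore store = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(collection));
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(client);
        PKIXBuilderParameters params = new PKIXBuilderParameters(
                Collections.singleton(new TrustAnchor(root, null)), target);
        params.addCertStore(store);
        params.setRevocationEnabled(true); // every certificate in the chain is checked against its issuer's CRL
        return CertPathBuilder.getInstance("PKIX").build(params).getCertPath();
    }

    public static void main(String[] args) throws Exception {
        try { System.out.println("accepted, chain length " + buildPath().getCertificates().size()); }
        catch (CertPathBuilderException e) { System.out.println("CertPath build failed: " + e.getMessage()); }
    }
}
```

Replacing one of the CRL files with a copy whose nextUpdate has passed reproduces the expired-CRL failure described in the last recommendation: the builder cannot determine revocation status for that issuer's certificate and the build fails rather than accepting the client certificate.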