WebSphere Partner Gateway - Express includes a Certificate Revocation List (CRL) feature. The CRL, issued by a Certificate Authority (CA), identifies community participants whose certificates have been revoked prior to their scheduled expiration date. Participants with revoked certificates will be denied access to WebSphere Partner Gateway - Express.
Each revoked certificate is identified in a CRL by its certificate serial number. WebSphere Partner Gateway - Express's Document Manager scans the CRL every 60 seconds and refuses connections to participants if the list contains one or more of their certificates.
CRLs are stored in the following location: /<shared data directory>/security/crl. WebSphere Partner Gateway - Express uses the setting bcg.http.CRLDir in the bcg.properties file to identify the location of the CRL directory.
For example, in the bcg.properties file, you would use the following setting:
bcg.http.CRLDir=/<shared data directory>/security/crl
Using the Certificate Revocation List page, you can add and delete Certificate Revocation Lists (CRLs). CRLs contain lists of keys that have been compromised and should therefore not be trusted.
To add new CRLs, use the following procedure.
If you no longer need a CRL, use the following procedure to delete it from WebSphere Partner Gateway - Express.
CAs maintain and update the CRLs. These CRLs are typically stored in a CRL distribution point. During the revocation check of a certificate, the CRLs are consulted to determine whether that certificate has been revoked.
The bcgSetCRLDP.jacl script can be used to enable or disable CRL distribution point checking when the revocation check is performed. If you need the CRL distribution points to be accessed when revocation checking of a certificate is performed, enable the use of CRL distribution points. If the certificates you have installed contain a CRL DP extension, you can enable the use of CRL distribution points so that the distribution points are accessed when the revocation check is performed. If you have downloaded all the required CRLs into the directory set in bcg.properties for the property bcg.CRLDir, you might not want to enable the use of CRL distribution points. If the current CRLs are not likely to be available in the bcg.CRLDir directory, you should enable the use of CRL distribution points.
The CRL distribution points accessible via HTTP and LDAP are supported. You can also configure proxies to access the CRL distribution points.
To enable the use of CRL distribution points, run the following command from the <server_root>/bin directory:
./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl install <nodename> <serverName> CRLDP
To disable the use of CRL distribution points, run the following command from the <server_root>/bin directory:
./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl uninstall <nodename> <serverName> CRLDP
To enable the use of CRL distribution points with a proxy, run the following command from the <server_root>/bin directory:
./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl install <nodename> <serverName> CRLDP <proxyHost> <proxyPort>
To specify that you do not want to use a proxy, run the following command from the <server_root>/bin directory:
./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl uninstall <nodename> <serverName> PROXY
If you are using a Receiver user exit and the user exit uses the SecurityService API, the above settings also apply to the bcgreceiver server. To run the above commands for the Receiver, replace bcgdocmgr with bcgreceiver.
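The following script is an added example and is not part of the product or its documentation. It builds a throw-away test CA, a revoked and a valid participant certificate, and a CRL in a local crl directory, then checks a participant certificate the way the text describes (by serial number against every CRL in the directory, and with a full chain and CRL check) and tests whether a certificate carries the CRL DP extension that would justify enabling CRL distribution point checking. All names, files and keys are constructed; the only tool assumed is the openssl command-line utility.

```shell
# Added example, not IBM's code: a local CA, a CRL directory, and the
# per-participant checks described in the text. Everything is constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"; mkdir crl
# Constructed test CA (throw-away key, not a real community CA)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=TestCA \
  -keyout ca.key -out ca.pem >/dev/null 2>&1
# Minimal 'openssl ca' configuration, needed only for -revoke and -gencrl
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = crl_ca
[ crl_ca ]
database = index.txt
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
touch index.txt; echo 01 > crlnumber
# issue_cert <name>: one participant certificate signed by the test CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 30 -out "$1.pem" >/dev/null 2>&1
}
issue_cert revoked_partner
issue_cert good_partner
# Revoke one participant and publish the CRL into the CRL directory
openssl ca -config ca.cnf -revoke revoked_partner.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl/testca.crl.pem >/dev/null 2>&1

# cert_serial <cert>: hexadecimal serial number, as it appears in a CRL
cert_serial() { openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'; }
# in_crl_dir <cert>: 0 if any CRL in crl/ lists this certificate's serial
in_crl_dir() {
  for f in crl/*.pem; do
    openssl crl -in "$f" -noout -text | grep -q "Serial Number: $(cert_serial "$1")" && return 0
  done
  return 1
}
# allowed <cert>: 0 if the cert chains to the CA and passes the CRL check
allowed() {
  cat ca.pem crl/*.pem > bundle.pem
  openssl verify -crl_check -CAfile bundle.pem "$1" >/dev/null 2>&1
}
# has_crldp <cert>: 0 if the cert carries a CRL Distribution Points extension
has_crldp() { openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; }
```

Run the same functions against a real participant certificate and the contents of your bcg.http.CRLDir directory to confirm that a revoked participant is denied before relying on the 60-second scan; if has_crldp fails for your installed certificates, enabling CRL distribution points adds nothing.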