Working with certificate revocation lists

WebSphere Partner Gateway - Express includes a Certificate Revocation List (CRL) feature. The CRL, issued by a Certificate Authority (CA), identifies community participants whose certificates have been revoked before their scheduled expiration date. Participants with revoked certificates are denied access to WebSphere Partner Gateway - Express.

Each revoked certificate is identified in a CRL by its certificate serial number. WebSphere Partner Gateway - Express's Document Manager scans the CRL every 60 seconds and refuses connections to participants if the list contains one or more of their certificates.
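As an added illustration (not IBM's code) of the check described above, the following walks a DER-encoded X.509 CRL with a minimal DER reader, collects the revoked serial numbers, and applies the Document Manager rule that a participant is refused if any of its certificate serials appears in any CRL on file. The sample CRL is constructed in the code itself, with a placeholder signature that is not verified.

```python
# Added example, not IBM's code: walk a DER-encoded X.509 CRL to pull out the
# revoked serial numbers, then apply the Document Manager rule that a
# participant is refused if any of its certificate serials appear in a CRL.
def der_read(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def crl_revoked_serials(crl_der):
    """Serials in CertificateList.tbsCertList.revokedCertificates (RFC 5280)."""
    fields = der_children(der_children(der_read(crl_der, 0)[1])[0][1])
    i = 1 if fields[0][0] == 0x02 else 0    # optional version INTEGER
    i += 3                                  # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                              # optional nextUpdate (UTCTime/GeneralizedTime)
    if i >= len(fields) or fields[i][0] != 0x30:
        return set()                        # no revokedCertificates; crlExtensions is [0] (0xA0)
    return {int.from_bytes(der_children(entry)[0][1], "big", signed=True)
            for _, entry in der_children(fields[i][1])}

def connection_allowed(participant_serials, crl_blobs):
    """Refuse the participant if any of its serials is listed in any CRL on file."""
    revoked = set().union(*(crl_revoked_serials(b) for b in crl_blobs))
    return revoked.isdisjoint(participant_serials)

# --- constructed sample CRL; the signature is a zero placeholder, not verified ---
def der(tag, content):
    n = len(content)                        # sample stays under 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + content
def der_int(n):                             # DER INTEGER with sign bit preserved
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))
def utc(s):                                 # UTCTime
    return der(0x17, s.encode())
SHA256_RSA = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")))
SAMPLE_CRL = der(0x30,
    der(0x30, der_int(1) + SHA256_RSA + der(0x30, b"") + utc("240101000000Z")
        + utc("250101000000Z")
        + der(0x30, der(0x30, der_int(0x1001) + utc("240301000000Z"))
              + der(0x30, der_int(0x80) + utc("240302000000Z"))))
    + SHA256_RSA + der(0x03, b"\x00" * 33))
```

The serial 0x80 is included deliberately: DER encodes it as the two bytes 00 80, and decoding with the sign bit honoured is what keeps such serials from being misread.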

CRLs are stored in the following location: /<shared data directory>/security/crl. WebSphere Partner Gateway - Express uses the setting bcg.http.CRLDir in the bcg.properties file to identify the location of the CRL directory.

For example, in the bcg.properties file, you would use the following setting:

bcg.http.CRLDir=/<shared data directory>/security/crl

Using the Certificate Revocation List page, you can add and delete Certificate Revocation Lists (CRLs). CRLs contain lists of keys that have been compromised and should therefore not be trusted.

Adding new CRLs

To add new CRLs, use the following procedure.

  1. Click the Security tab, then click Certificate Revocation List in the navigation bar. The Certificate Revocation List page appears.
  2. Click the Add New CRL button. The Certificate Revocation List page appears.
  3. Click the Browse button. The File Upload dialog box appears.
  4. Navigate to the location of the CRL you want to add, select the CRL, and click the Open button. The path of the CRL appears in the Certificate Revocation List page.
  5. Click the Submit button. The CRL is added to WebSphere Partner Gateway - Express and its name appears in the Certificate Revocation List page.
  6. To add more CRLs, repeat steps 2 through 5.

Deleting a CRL

If you no longer need a CRL, use the following procedure to delete it from WebSphere Partner Gateway - Express.

  1. Click the Security tab, then click Certificate Revocation List in the navigation bar. A Certificate Revocation List page appears.
  2. In the Delete column, click the Delete Certificate/Key icon for the CRL you want to delete. A confirmation dialog box appears, asking you to confirm that you want to proceed with the deletion.
  3. Click OK to delete the CRL or Cancel to retain it.

Running the bcgSetCRLDP.jacl script

CAs maintain and update the CRLs, which are typically published at a CRL distribution point. CRLs are consulted during the revocation check of a certificate to determine whether that certificate has been revoked.

The bcgSetCRLDP.jacl script enables or disables access to CRL distribution points during revocation checking. Enable the use of CRL distribution points if the certificates you have installed contain a CRL DP extension and you want those distribution points to be accessed when a certificate's revocation status is checked. If you have already downloaded all the required CRLs into the directory set in bcg.properties by the bcg.CRLDir property, you might not want to enable the use of CRL distribution points. If current CRLs are not likely to be available in the bcg.CRLDir directory, you should enable them.

CRL distribution points accessible over HTTP and LDAP are supported. You can also configure a proxy for access to the CRL distribution points.

Note 1:
For Windows installations, use wsadmin.bat instead of ./wsadmin.sh in the commands listed in this section.

Note 2:
On systems running i5/OS or OS/400, the following commands are run from a QShell environment (start it with the STRQSH command). Therefore, add the parameter -wsadmin_classpath /QIBM/ProdData/WSPGExpress60/jaclScripts/classes immediately after ./wsadmin, and remove the .sh or .bat suffix from ./wsadmin.

To enable the use of CRL distribution points, run the following command from the <server_root>/bin directory:

./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl install <nodename> <serverName> CRLDP

To disable the use of CRL distribution points, run the following command from the <server_root>/bin directory:

./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl uninstall <nodename> <serverName> CRLDP

To enable the use of CRL distribution points with a proxy, run the following command from the <server_root>/bin directory:

./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl install <nodename> <serverName> CRLDP <proxyHost> <proxyPort>

To specify that you do not want to use a proxy, run the following command from the <server_root>/bin directory:

./wsadmin.sh -f <ProductDir>/scripts/bcgSetCRLDP.jacl uninstall <nodename> <serverName> PROXY

If you use a Receiver user exit and that user exit calls the SecurityService API, the settings above also apply to the bcgreceiver server. To run the commands above for the Receiver, replace bcgdocmgr with bcgreceiver.

Copyright IBM Corp. 2003, 2005