Use certificate revocation lists in IBM MQ classes for Java
Specify the certificate revocation lists to use through the java.security.cert.CertStore class. IBM MQ classes for Java then checks certificates against the specified CRL.
A certificate revocation list (CRL) is a set of certificates that have been revoked, either by the issuing certificate authority or by the local organization. CRLs are typically hosted on LDAP servers. With Java 2 v1.4, a CRL server can be specified at connect-time and the certificate presented by the queue manager is checked against the CRL before the connection is allowed. For more information about certificate revocation lists and IBM MQ, see Work with Certificate Revocation Lists and Authority Revocation Lists and Accessing CRLs and ARLs with IBM MQ classes for Java and IBM MQ classes for JMS.
Note: To use a CertStore successfully with a CRL hosted on an LDAP server, make sure that your Java Software Development Kit (SDK) is compatible with the CRL. Some SDKs require that the CRL conforms to RFC 2587, which defines a schema for LDAP v2. Most LDAP v3 servers use RFC 2256 instead. The CRLs to use are specified through the java.security.cert.CertStore class. Refer to documentation on this class for full details of how to obtain instances of CertStore. To create a CertStore based on an LDAP server, first create an LDAPCertStoreParameters instance, initialized with the server and port settings to use. For example:import java.security.cert.*; CertStoreParameters csp = new LDAPCertStoreParameters("crl_server", 389);Having created a CertStoreParameters instance, use the static constructor on CertStore to create a CertStore of type LDAP:
CertStore cs = CertStore.getInstance("LDAP", csp);Other CertStore types (for example, Collection) are also supported. Commonly there are several CRL servers set up with identical CRL information to give redundancy. When you have a CertStore object for each of these CRL servers, place them all in a suitable Collection. The following example shows the CertStore objects placed in an ArrayList:
import java.util.ArrayList; Collection crls = new ArrayList(); crls.add(cs);This Collection can be set into the MQEnvironment static variable, sslCertStores, before connecting to enable CRL checking:
MQEnvironment.sslCertStores = crls;The certificate presented by the queue manager when a connection is being set up is validated as follows:
- The first CertStore object in the Collection identified by sslCertStores is used to identify a CRL server.
- An attempt is made to contact the CRL server.
- If the attempt is successful, the server is searched for a match for the certificate.
- If the certificate is found to be revoked, the search process is over and the connection request fails with reason code MQRC_SSL_CERTIFICATE_REVOKED.
- If the certificate is not found, the search process is over and the connection is allowed to proceed.
- If the attempt to contact the server is unsuccessful, the next CertStore object is used to identify a CRL server and the process repeats from step 2.
If this was the last CertStore in the Collection, or if the Collection contains no CertStore objects, the search process failed, and the connection request fails with reason code MQRC_SSL_CERT_STORE_ERROR.
The Collection object determines the order in which CertStores are used.
The Collection of CertStores can also be set using the CMQC.SSL_CERT_STORE_PROPERTY. As a convenience, this property also allows a single CertStore to be specified without being a member of a Collection.
If sslCertStores is set to null, no CRL checking is performed. This property is ignored if sslCipherSuite is not set.
Parent topic: Transport Layer Security (TLS) support in IBM MQ classes for Java