Certificate Revocation Lists

During the SSL handshake, the communicating partners authenticate each other with digital certificates. Authentication can include a check that the certificate received can still be trusted. Certification Authorities (CAs) revoke certificates for various reasons, including:

  • The owner has moved to a different organization
  • The private key is no longer secret

CAs publish revoked personal certificates in a Certificate Revocation List (CRL). CA certificates that have been revoked are published in an Authority Revocation List (ARL).
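What a CRL check amounts to once the CRL has been fetched (from an LDAP server, in WebSphere MQ's case), as an added example written against Go's standard library and not WebSphere MQ's own code: the CRL is used only if it carries the signature of the peer certificate's issuer and is not past its nextUpdate, and only then is the peer's serial number looked up in its revokedCertificates entries. The "Demo CA", its CRL and the revoked serial 11 are a constructed fixture, and one Ed25519 key stands in for the CA's key.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// crlStatus reports whether peerSerial is revoked; a stale or unverifiable CRL is an error, not a pass.
func crlStatus(peerSerial *big.Int, issuer *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, errors.New("CRL is not signed by the certificate's issuer")
	}
	if now.After(crl.NextUpdate) {
		return false, errors.New("CRL is past nextUpdate: revocation status unknown")
	}
	for _, e := range crl.RevokedCertificates { // revokedCertificates entries of the X.509 v2 CRL
		if e.SerialNumber.Cmp(peerSerial) == 0 {
			return true, nil
		}
	}
	return false, nil
}
func must[T any](v T, err error) T { // fixture helper: abort on setup failure
	if err != nil {
		panic(err)
	}
	return v
}
// demoPKI is a constructed fixture: a fresh Ed25519 CA and a CA-signed CRL that revokes serial 11.
func demoPKI() (ca *x509.Certificate, crlDER []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // error ignored: rand.Reader does not fail
	t := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: t, NotAfter: t.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	// Parsing the DER back fills SubjectKeyId, which CreateRevocationList requires of the issuer.
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key))))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: t, NextUpdate: t.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(11), RevocationTime: t}},
	}, ca, key))
	return ca, crlDER
}
```

A CRL issued by a different CA, a CRL past its nextUpdate, or an undecodable CRL all come back as errors rather than as "not revoked".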

For more information about Certification Authorities, refer to Digital certificates.

WebSphere MQ SSL support implements CRL checking using LDAP (Lightweight Directory Access Protocol) servers. This chapter tells you about:

For more information about LDAP, refer to the WebSphere MQ Application Programming Guide.

The WebSphere MQ CRL support on each platform is as follows:

  • On OS/400, the CRL support complies with PKIX X.509 V2 CRL profile recommendations.

  • On UNIX systems, the CRL support complies with PKIX X.509 V2 CRL profile recommendations.

  • On Windows 2000, the CRL support corresponds to that provided by the operating system.

  • On Windows NT, the CRL support corresponds to that provided by Microsoft Internet Explorer.

  • On z/OS, System SSL supports CRLs stored in LDAP servers by the Tivoli Public Key Infrastructure product.

WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.

IBM is a trademark of the IBM Corporation in the United States, other countries, or both.