Access CRLs

Contents

  1. Overview
  2. With a queue manager
  3. On OS/400
  4. With WebSphere MQ Explorer
  5. With a WebSphere MQ client
  6. With the Java client and JMS

Overview

WebSphere MQ maintains a cache of CRLs that have been accessed in the preceding 12 hours.

When the queue manager or WebSphere MQ client receives a certificate, it checks the CRL to confirm that the certificate is still valid. WebSphere MQ first looks in the cache, if there is one. If the CRL is not in the cache, WebSphere MQ queries the CRL locations in the order in which they appear in the namelist of authentication information objects specified by the SSLCRLNamelist attribute, until it finds an available CRL. If the namelist is not specified, or is specified with a blank value, CRLs are not checked.

Accessing CRLs with a queue manager

You tell the queue manager how to access CRLs by supplying the queue manager with authentication information objects, each of which holds the address of an LDAP CRL server. The authentication information objects are held in a namelist, which is specified in the SSLCRLNamelist queue manager attribute.

  1. Define authentication information objects using the DEFINE AUTHINFO MQSC command, with the AUTHTYPE parameter set to CRLLDAP. On OS/400, you can also use the CRTMQMAUTI CL command.

    WebSphere MQ V5.3 supports only the value CRLLDAP for the AUTHTYPE parameter, which indicates that CRLs are accessed on LDAP servers. Each authentication information object with type CRLLDAP that you create holds the address of an LDAP server. When you have more than one authentication information object, the LDAP servers to which they point must contain identical information. This provides continuity of service if one or more LDAP servers fail.

  2. Using the DEFINE NAMELIST MQSC command, define a namelist for the names of the authentication information objects. On z/OS ensure that:

    • The NLTYPE namelist attribute is set to AUTHINFO

    • There is only one authentication information object in the namelist

  3. Using the ALTER QMGR MQSC command, supply the namelist to the queue manager. For example:
    ALTER QMGR SSLCRLNL(sslcrlnlname)
    where sslcrlnlname is the namelist of authentication information objects.

    This command sets a new queue manager attribute called SSLCRLNamelist. The default value for this attribute is blank.

On OS/400, you can specify authentication information objects, but the queue manager uses neither authentication information objects nor a namelist of authentication information objects. Only WebSphere MQ clients that use a client connection table generated by an OS/400 queue manager use the authentication information specified for that OS/400 queue manager. The SSLCRLNamelist queue manager attribute on OS/400 determines what authentication information such clients use. See Accessing CRLs on OS/400 for information about telling an OS/400 queue manager how to access CRLs.

On platforms other than z/OS, you can add up to 10 connections to alternative LDAP servers to the namelist, to ensure continuity of service if one or more LDAP servers fail. Note that the LDAP servers must contain identical information.
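The three steps above as one MQSC script, added here as an example and not taken from the original page: it defines two CRLLDAP authentication information objects for a pair of LDAP servers, places both in a namelist, and sets the queue manager's SSLCRLNL attribute. The host names, port and object names (ldap1/ldap2.example.com, CRL.LDAP1, CRL.LDAP2, SSL.CRL.NL) are assumed values; run the script with runmqsc against the queue manager.

```mqsc
* Step 1: one AUTHINFO object per LDAP server that serves the CRLs.
* CONNAME takes 'hostname(port)'. Both servers must hold identical
* CRL data, because the second is only a failover for the first.
* (ldap1/ldap2.example.com and the object names are assumed values.)
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap1.example.com(389)') +
       DESCR('Primary CRL LDAP server') REPLACE
DEFINE AUTHINFO(CRL.LDAP2) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap2.example.com(389)') +
       DESCR('Secondary CRL LDAP server') REPLACE
* If a server refuses anonymous queries, add LDAPUSER('cn=...')
* and LDAPPWD('...') to its DEFINE AUTHINFO.

* Step 2: a namelist of the AUTHINFO names, in the order the queue
* manager tries them. On z/OS add NLTYPE(AUTHINFO) and put only one
* name in the list.
DEFINE NAMELIST(SSL.CRL.NL) NAMES(CRL.LDAP1, CRL.LDAP2) +
       DESCR('CRL servers for certificate revocation checks') REPLACE

* Step 3: point the queue manager at the namelist. SSLCRLNL defaults
* to blank, and while it is blank no CRL checking is performed.
ALTER QMGR SSLCRLNL(SSL.CRL.NL)

* Verify the configuration: a blank SSLCRLNL means revocation is
* not being checked at all.
DISPLAY QMGR SSLCRLNL
DISPLAY NAMELIST(SSL.CRL.NL) NAMES
DISPLAY AUTHINFO(CRL.*) AUTHTYPE CONNAME
```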

Accessing CRLs on OS/400

Use the following procedure to set up a CRL location for a specific certificate on OS/400:

  1. Access the DCM interface, as described in Accessing the DCM.

  2. In the Manage CRL locations task category in the navigation panel, click Add CRL location. The Manage CRL Locations page displays in the task frame.

  3. In the CRL Location Name field, type a CRL location name, for example LDAP Server #1

  4. In the LDAP Server field, type the LDAP server name.

  5. In the Use SSL field, select Yes if you want to connect to the LDAP server using SSL. Otherwise, select No.

  6. In the Port Number field, type a port number for the LDAP server, for example 389.

  7. If the LDAP server does not allow anonymous users to query the directory, type a login distinguished name for the server in the login distinguished name field.

  8. Click OK. DCM informs you that it has created the CRL location.

  9. In the navigation panel, click Select a Certificate Store. The Select a Certificate Store page displays in the task frame.

  10. Select the Other System Certificate Store check box and click Continue. The Certificate Store and Password page displays.

  11. In the Certificate store path and filename field, type the IFS path and filename you set when Creating a new certificate store.

  12. Type a password in the Certificate Store Password field. Click Continue. The Current Certificate Store page displays in the task frame.

  13. In the Manage Certificates task category in the navigation panel, click Update CRL location assignment. The CRL Location Assignment page displays in the task frame.

  14. Select the radio button for the CA certificate to which you want to assign the CRL location. Click Update CRL Location Assignment. The Update CRL Location Assignment page displays in the task frame.

  15. Select the radio button for the CRL location which you want to assign to the certificate. Click Update Assignment. DCM informs you that it has updated the assignment.

Note that DCM allows you to assign a different LDAP server by Certification Authority.

Accessing CRLs using WebSphere MQ Explorer

You can use WebSphere MQ Explorer to tell a queue manager how to access CRLs.

Use the following procedure to set up an LDAP connection to a CRL:

  1. Ensure that you have started the queue manager.

  2. In WebSphere MQ Explorer, expand the Advanced folder of the queue manager.

  3. Right-click the Authentication Information folder and click New -> CRL. In the property sheet that opens:

    1. On the General page, type a name for the CRL object.

    2. Select the CRL page.

    3. Type the LDAP server name as either the network name or the IP address.

    4. If the server requires login details, provide a user ID and if necessary a password.

    5. Click OK.

  4. Right-click the Namelists folder and click New -> Namelist. In the property sheet that opens:

    1. Type a name for the namelist.

    2. Add the name of the CRL object (from step 3a) to the list.

    3. Click OK.

  5. Right-click the queue manager, select Properties, and select the SSL page:

    1. Select the Check certificates received by this queue manager against Certification Revocation Lists check box.

    2. Type the name of the namelist (from step 4a) in the CRL Namelist field.

Accessing CRLs with a WebSphere MQ client

You have three options for specifying the LDAP servers that hold CRLs for checking by a WebSphere MQ client:

  • Using a channel definition table

  • Using the SSL configuration options structure, MQSCO, on an MQCONNX call

  • Using the Active Directory (on Windows systems with Active Directory support)

For more information, refer to the WebSphere MQ Clients book, the WebSphere MQ Application Programming Reference, and the setmqcrl command in the WebSphere MQ System Administration Guide.

You can include up to 10 connections to alternative LDAP servers to ensure continuity of service if one or more LDAP servers fail. Note that the LDAP servers must contain identical information.

Accessing CRLs with the Java client and JMS

Refer to WebSphere MQ Using Java for information about working with CRLs with the Java client and JMS.
