Working with Certificate Revocation Lists and Authority Revocation Lists
During the SSL handshake, the communicating partners authenticate each other with digital certificates. Authentication can include a check that the certificate received can still be trusted. Certification Authorities (CAs) revoke certificates for various reasons, including:
- The owner has moved to a different organization
- The private key is no longer secret
CAs publish revoked personal certificates in a Certificate Revocation List (CRL). CA certificates that have been revoked are published in an Authority Revocation List (ARL).
For more information about Certification Authorities, refer to Digital certificates.
WebSphere MQ SSL support implements CRL and ARL checking using LDAP (Lightweight Directory Access Protocol) servers. This chapter tells you about:
- Setting up LDAP servers
- Accessing CRLs and ARLs
- Checking CRLs and ARLs
- Manipulating authentication information objects with PCF commands
- Keeping CRLs and ARLs up to date
- Certificate validation and trust policy design on UNIX and Windows systems
For more information about LDAP, refer to the WebSphere MQ Application Programming Guide.
The WebSphere MQ CRL and ARL support on each platform is as follows:
- On i5/OS, Windows, and UNIX systems, the CRL and ARL support complies with PKIX X.509 V2 CRL profile recommendations.
- On z/OS, System SSL supports CRLs and ARLs stored in LDAP servers by the Tivoli Public Key Infrastructure product.
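As an added example (not WebSphere MQ code), the Go program below shows what a peer's CRL and ARL check amounts to once a list has been retrieved from the LDAP server: the list is accepted only if it was signed by the CA that issued the certificate under test and its NextUpdate has not passed, and only then is the certificate's serial number looked up in it. The same function serves both cases described above, the issuing CA's CRL checked for a personal certificate and the root CA's ARL checked for the issuing CA's own certificate; the CAs, keys and lists are constructed in-process as test data, and the function names newCA, publish and isRevoked are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// newCA builds a constructed test CA (certificate and key) allowed to sign certificates and its CRL/ARL; a nil parent means self-signed.
func newCA(serial int64, cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(48 * time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)))), key
}
// publish signs the list an issuer would place in its LDAP entry: a CRL when the serials are personal certificates, an ARL when they are CA certificates.
func publish(issuer *x509.Certificate, key *ecdsa.PrivateKey, now time.Time, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}
// isRevoked trusts the list only if issuer signed it and NextUpdate has not passed, then reports whether serial is listed on it.
func isRevoked(serial *big.Int, issuer *x509.Certificate, list *x509.RevocationList, now time.Time) (revoked bool, err error) {
	if err = list.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("list not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	if now.After(list.NextUpdate) {
		return false, fmt.Errorf("list from %q expired at %s, fetch a fresh one", issuer.Subject.CommonName, list.NextUpdate.Format(time.RFC3339))
	}
	for _, r := range list.RevokedCertificates {
		revoked = revoked || r.SerialNumber.Cmp(serial) == 0
	}
	return revoked, nil
}
```

Retrieving the list from the LDAP server is outside the example; a stale or wrongly signed list is reported as an error rather than treated as "not revoked", so the caller cannot mistake a missing check for a clean one.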