Set up LDAP servers

 

Configure the LDAP Directory Information Tree (DIT) structure to use the hierarchy corresponding to the Distinguished Names of the CAs that issue the certificates and CRLs. We can set up the DIT structure with a file that uses the LDAP Data Interchange Format (LDIF). We can also use LDIF files to update a directory.

LDIF files are ASCII text files that contain the information required to define objects within an LDAP directory. LDIF files contain one or more entries, each of which comprises a Distinguished Name, at least one object class definition and, optionally, multiple attribute definitions.

The certificateRevocationList;binary attribute contains a list, in binary form, of revoked user certificates. The authorityRevocationList;binary attribute contains a binary list of CA certificates that have been revoked. For use with WebSphere MQ SSL, the binary data for these attributes must conform to DER (Definite Encoding Rules) format. For more information about LDIF files, refer to the documentation provided with your LDAP server.

Figure 1 shows a sample LDIF file that you might create as input to your LDAP server to load the CRLs and ARLs issued by CA1, which is an imaginary Certification Authority with the Distinguished Name "CN=CA1, OU=Test, O=IBM, C=GB", set up by the Test organization within IBM.

Figure 1. Sample LDIF for a Certification Authority. This might vary from implementation to implementation.

dn: o=IBM, c=GB
o: IBM
objectclass: top
objectclass: organization

dn: ou=Test, o=IBM, c=GB
ou: Test
objectclass: organizationalUnit

dn: cn=CA1, ou=Test, o=IBM, c=GB
cn: CA1
objectclass: cRLDistributionPoint
objectclass: certificationAuthority
authorityRevocationList;binary:: (DER format data)
certificateRevocationList;binary:: (DER format data)
caCertificate;binary:: (DER format data)

Figure 2 shows the DIT structure that your LDAP server creates when you load the sample LDIF file shown in Figure 1 together with a similar file for CA2, an imaginary Certification Authority set up by the PKI organization, also within IBM.

Figure 2. Example of an LDAP Directory Information Tree structure

Note that both CRLs and ARLs are checked by WebSphere MQ.

Ensure that the access control list for your LDAP server allows authorized users to read, search, and compare the entries that hold the CRLs and ARLs. WebSphere MQ accesses the LDAP server using the LDAPUSER and LDAPPWD properties of the AUTHINFO object.

• Configuring and updating LDAP servers
  

 

Parent topic:

Working with Certificate Revocation Lists and Authority Revocation Lists

sy12680_