Accessing CRLs and ARLs with a queue manager


Note that in this section, information about Certificate Revocation Lists (CRLs) also applies to Authority Revocation Lists (ARLs).

You tell the queue manager how to access CRLs by supplying the queue manager with authentication information objects, each of which holds the address of an LDAP CRL server. The authentication information objects are held in a namelist, which is specified in the SSLCRLNamelist queue manager attribute.

In the following example, MQSC is used to specify the parameters:

  1. Define authentication information objects using the DEFINE AUTHINFO MQSC command, with the AUTHTYPE parameter set to CRLLDAP. On i5/OS, you can also use the CRTMQMAUTI CL command.

    WebSphere MQ supports only the value CRLLDAP for the AUTHTYPE parameter, which indicates that CRLs are accessed on LDAP servers. Each authentication information object with type CRLLDAP that you create holds the address of an LDAP server. When you have more than one authentication information object, the LDAP servers to which they point must contain identical information. This provides continuity of service if one or more LDAP servers fail.

    Additionally, on z/OS only, all LDAP servers must be accessed using the same user ID and password. The user ID and password used are those specified in the first AUTHINFO object in the namelist.

  2. Using the DEFINE NAMELIST MQSC command, define a namelist for the names of your authentication information objects. On z/OS, ensure that the NLTYPE namelist attribute is set to AUTHINFO.

  3. Using the ALTER QMGR MQSC command, supply the namelist to the queue manager. For example:
    ALTER QMGR SSLCRLNL(sslcrlnlname)
    where sslcrlnlname is your namelist of authentication information objects.

    This command sets a queue manager attribute called SSLCRLNamelist. The queue manager's initial value for this attribute is blank.

On i5/OS, you can specify authentication information objects, but the queue manager uses neither authentication information objects nor a namelist of authentication information objects. Only WebSphere MQ clients that use a client connection table generated by an i5/OS queue manager use the authentication information specified for that i5/OS queue manager. The SSLCRLNamelist queue manager attribute on i5/OS determines what authentication information such clients use. See Accessing CRLs and ARLs on i5/OS for information about telling an i5/OS queue manager how to access CRLs.

You can add up to 10 connections to alternative LDAP servers to the namelist, to ensure continuity of service if one or more LDAP servers fail. Note that the LDAP servers must contain identical information.
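The three steps above, together with the multiple-server namelist just described, carried out as one MQSC script. This is an added example and not from the original page: the object names, host names, ports and LDAP credentials are invented, and the closing REFRESH SECURITY TYPE(SSL) is assumed to be what running channels need in order to pick up the new namelist.

```mqsc
* Added example (not from the original page). Invented names and hosts.
* Type these commands into runmqsc, for example: runmqsc QM1

* Step 1: one AUTHINFO object per LDAP CRL server. Both servers must hold
* identical CRL data; the second exists only for continuity of service.
* LDAPPWD is a placeholder. On z/OS only the credentials of the first
* object in the namelist are used for every server, so keep them the same.
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap1.example.com(389)') +
       LDAPUSER('cn=crlreader,o=example') LDAPPWD('placeholder') +
       DESCR('Primary CRL LDAP server') REPLACE

DEFINE AUTHINFO(CRL.LDAP2) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap2.example.com(389)') +
       LDAPUSER('cn=crlreader,o=example') LDAPPWD('placeholder') +
       DESCR('Replica CRL LDAP server, identical content') REPLACE

* Step 2: namelist of the AUTHINFO objects (at most 10 entries).
* NLTYPE(AUTHINFO) is the z/OS requirement from step 2.
DEFINE NAMELIST(CRL.NL) NAMES(CRL.LDAP1, CRL.LDAP2) +
       NLTYPE(AUTHINFO) REPLACE

* Step 3: hand the namelist to the queue manager (SSLCRLNamelist attribute).
ALTER QMGR SSLCRLNL(CRL.NL)

* Check: the attribute is no longer blank and every name resolves to a
* CRLLDAP object with the expected server address.
DISPLAY QMGR SSLCRLNL
DISPLAY NAMELIST(CRL.NL) NAMES NLTYPE
DISPLAY AUTHINFO(CRL.*) AUTHTYPE CONNAME LDAPUSER

* Assumed: make running channels re-read the CRL configuration.
REFRESH SECURITY TYPE(SSL)
```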
