Certificate revocation list configuration settings

Specify the certificate revocation lists (CRLs) that the application server consults when it checks the validity of a certificate. The application server checks the configured CRLs to determine whether a client certificate is still acceptable. A certificate that appears in a CRL might not be expired, but it is no longer trusted by the certificate authority (CA) that issued it. The CA might add the certificate to the CRL if it believes that the client certificate has been compromised.
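The paragraph above states the checks in prose; the following added example (not code from the WebSphere documentation or from the product) carries them out with the Python `cryptography` library. It builds a test CA, two client certificates and three CRLs in memory, then classifies each certificate the way a CRL-aware validator must: the CRL has to be signed by the issuing CA (a matching issuer name alone is not enough), a CRL past its nextUpdate is stale and must not be read as "not revoked", and an unexpired certificate can still be listed. All names, keys and dates are constructed for the example.

```python
"""Added example (not from the WebSphere documentation): build a CA, two client
certificates and a CRL in memory with the `cryptography` library, then apply the
checks a CRL-aware validator performs before it trusts a client certificate.
All names, keys and dates below are constructed for the example."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc
NOW = datetime.datetime(2024, 1, 1, tzinfo=UTC)   # fixed "current time" for the example
DAY = datetime.timedelta(days=1)


def _utc(dt):
    """Normalise naive (older cryptography) and aware datetimes to aware UTC."""
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def _make_ca(cn):
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 3650 * DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def _issue_client(ca_key, ca_cert, cn):
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - DAY).not_valid_after(NOW + 365 * DAY)
            .sign(ca_key, hashes.SHA256()))


def _build_crl_pem(ca_key, ca_cert, revoked_serials, last_update, next_update):
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(last_update).next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(last_update)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def check_certificate(cert, crl_pem, ca_cert, now=NOW):
    """Classify a client certificate against a CRL: 'valid', 'revoked', 'expired',
    or a reason the CRL itself must not be relied on."""
    crl = x509.load_pem_x509_crl(crl_pem)
    # 1. The CRL must be issued by the certificate's CA and carry a valid signature
    #    from that CA; a matching issuer name alone proves nothing.
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted-crl"
    # 2. A CRL past its nextUpdate is stale: fail the check instead of reading it as "not revoked".
    next_update = getattr(crl, "next_update_utc", None) or crl.next_update
    if next_update is not None and _utc(next_update) < now:
        return "stale-crl"
    # 3. Revocation is independent of expiry: an unexpired certificate can still be listed.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return "valid" if now <= _utc(not_after) else "expired"


def demo():
    """Run the four cases a validator must distinguish; returns a dict of outcomes."""
    ca_key, ca_cert = _make_ca("Example Test CA")
    alice = _issue_client(ca_key, ca_cert, "alice")
    bob = _issue_client(ca_key, ca_cert, "bob")
    fresh = _build_crl_pem(ca_key, ca_cert, [bob.serial_number], NOW - DAY, NOW + 7 * DAY)
    stale = _build_crl_pem(ca_key, ca_cert, [bob.serial_number], NOW - 30 * DAY, NOW - DAY)
    # A CRL signed by a different key under the same CA name: the signature check must reject it.
    rogue_key, rogue_ca = _make_ca("Example Test CA")
    forged = _build_crl_pem(rogue_key, rogue_ca, [alice.serial_number], NOW - DAY, NOW + 7 * DAY)
    return {
        "unlisted": check_certificate(alice, fresh, ca_cert),
        "listed": check_certificate(bob, fresh, ca_cert),
        "stale_crl": check_certificate(alice, stale, ca_cert),
        "forged_crl": check_certificate(alice, forged, ca_cert),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>10}: {outcome}")
```

The order of the checks is the point: the serial-number lookup is meaningful only after the CRL has been tied to the issuing CA by signature and shown to be current. A validator that skips either step will accept a forged or stale list and report a revoked certificate as trusted.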

To view the administrative console panel for the collection certificate store on the cell level:

  1. Click Security > security runtime > Additional properties > Collection certificate store.

  2. Click the name of a configured collection certificate store or create a new collection certificate store first.

  3. Click Additional properties > Certificate revocation lists > New to specify the path to a new list, or click the name of a certificate revocation list to modify its path.

To view the administrative console panel for the collection certificate store on the server level:

  1. Click Servers > Server Types > WebSphere application servers > server > Security > security runtime.

     Mixed-version environment: In a mixed node cell with a server using WebSphere Application Server version 6.1 or earlier, click Web services: Default bindings for Web Services Security.

  2. Under Additional properties, click Collection certificate store.

  3. Click the name of a configured collection certificate store or create a new collection certificate store first.

  4. Click Additional properties > Certificate revocation lists > New to specify the path to a new list, or click the name of a certificate revocation list to modify its path.

To view this administrative console page for the collection certificate store on the application level:

  1. Click...

      Applications > Application Types > WebSphere enterprise applications > application_name > Modules > Manage modules > URI_name

  2. Under Web Services Security Properties, we can access collection certificate stores for the following bindings:

    • For the Request generator, click Web services: Client security bindings. Under Request generator (sender) binding, click Edit custom > Collection certificate store.

    • For the Request consumer, click Web services: Server security bindings. Under Request consumer (receiver) binding, click Edit custom > Collection certificate store.

    • For the Response generator, click Web services: Server security bindings. Under Response generator (sender) binding, click Edit custom > Collection certificate store.

    • For the Response consumer, click Web services: Client security bindings. Under Response consumer (receiver) binding, click Edit custom > Collection certificate store.

  3. Click the name of a configured collection certificate store or create a new collection certificate store first.

  4. Under Additional properties, click Certificate revocation lists > New to specify the path to a new list or click the name of a certificate revocation list to modify its path.


Certificate revocation list path

Specifies a fully qualified path to the location where we can find the list of certificates that are not valid.

For portability reasons, IBM recommends using application server variables to specify a relative path to the certificate revocation list. This recommendation is especially important when we are working in a WAS ND environment. For example, we might use the USER_INSTALL_ROOT variable to define a path such as $USER_INSTALL_ROOT/mycertstore/mycrl where mycertstore represents the name of our certificate store and mycrl represents the certificate revocation list. For a list of the supported variables, click Environment > WebSphere variables in the administrative console.

The following related topics cover configuring CRLs and collection certificate stores:

  • Configure the collection certificate store for the generator binding on the application level
  • Certificate revocation list collection
  • Collection certificate store collection
  • Collection certificate store configuration settings