Work with Certificate Revocation Lists and Authority Revocation Lists
IBM MQ support for CRLs and ARLs varies by platform.
CRL and ARL support on each platform is as follows:
- On z/OS, System SSL supports CRLs and ARLs stored in LDAP servers by the Tivoli Public Key Infrastructure product.
- On other platforms, the CRL and ARL support complies with PKIX X.509 V2 CRL profile recommendations.
IBM MQ maintains a cache of CRLs and ARLs that have been accessed in the preceding 12 hours.
When a queue manager or IBM MQ MQI client receives a certificate, it checks the CRL to confirm that the certificate is still valid. IBM MQ looks in its CRL cache first. If the CRL is not in the cache, IBM MQ interrogates the LDAP CRL servers in the order in which they occur in the namelist of authentication information objects specified by the SSLCRLNamelist attribute, until it finds an available CRL. If the namelist is not specified, or is specified with a blank value, CRLs are not checked at all: a certificate that its CA has revoked is still accepted, so the namelist must be set on every queue manager and client that is expected to enforce revocation.
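The following MQSC script is an added example, not taken from the original page, of how a queue manager is given the namelist described above: one authentication information object per LDAP CRL server, a namelist that fixes the order in which the servers are tried, and the queue manager attribute that points at it (in MQSC the attribute is SSLCRLNL; SSLCRLNamelist is the name used by IBM MQ Explorer and PCF for the same attribute). The queue manager name QM1, the host names, port, bind DN and password are assumptions; replace them with your own values.

```mqsc
* Assumed values: queue manager QM1, LDAP servers ldap1/ldap2.example.com on port 389,
* bind DN cn=mqreader,dc=example,dc=com. Omit LDAPUSER/LDAPPWD for an anonymous bind.
* Run with:  runmqsc QM1 < crl.mqsc
DEFINE AUTHINFO(CRL.LDAP1) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap1.example.com(389)') +
       LDAPUSER('cn=mqreader,dc=example,dc=com') LDAPPWD('replace-me') +
       DESCR('Primary CRL server') REPLACE
DEFINE AUTHINFO(CRL.LDAP2) AUTHTYPE(CRLLDAP) +
       CONNAME('ldap2.example.com(389)') +
       LDAPUSER('cn=mqreader,dc=example,dc=com') LDAPPWD('replace-me') +
       DESCR('Secondary CRL server') REPLACE
* The servers are interrogated in the order they appear in NAMES.
DEFINE NAMELIST(CRL.NL) NAMES(CRL.LDAP1,CRL.LDAP2) +
       DESCR('LDAP CRL servers, tried in order') REPLACE
* Attach the namelist to the queue manager (MQSC name of the SSLCRLNamelist attribute).
ALTER QMGR SSLCRLNL(CRL.NL)
* Make running channels pick up the changed TLS settings.
REFRESH SECURITY TYPE(SSL)
* Verify: a blank SSLCRLNL means revocation is not being checked.
DISPLAY QMGR SSLCRLNL
DISPLAY NAMELIST(CRL.NL) NAMES
DISPLAY AUTHINFO(CRL.*) AUTHTYPE CONNAME
```

The three DISPLAY commands at the end are the check to keep in a hardening runbook: SSLCRLNL must name an existing namelist, and every object in that namelist must be an AUTHINFO of type CRLLDAP with a reachable CONNAME, otherwise the queue manager accepts revoked certificates exactly as if no namelist had been set.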
- Set up LDAP servers
  Configure the LDAP Directory Information Tree structure to reflect the hierarchy of Distinguished Names of CAs. Do this using LDAP Data Interchange Format files.
- Accessing CRLs and ARLs with a queue manager
  A queue manager is associated with one or more authentication information objects, which hold the address of an LDAP CRL server. IBM MQ on IBM i behaves differently from other platforms.
- Accessing CRLs and ARLs with an IBM MQ MQI client
  There are three options for specifying the LDAP servers that hold CRLs for checking by an IBM MQ MQI client.
- Accessing CRLs and ARLs with IBM MQ classes for Java and IBM MQ classes for JMS
  IBM MQ classes for Java and IBM MQ classes for JMS access CRLs in a different way from the queue manager and the MQI client.
Parent topic: Work with revoked certificates