Set up LDAP servers
Configure the LDAP Directory Information Tree structure to reflect the hierarchy of Distinguished Names of CAs. Do this using LDAP Data Interchange Format files.
Configure the LDAP Directory Information Tree (DIT) structure to use the hierarchy corresponding to the Distinguished Names of the CAs that issue the certificates and CRLs. You can set up the DIT structure with a file that uses the LDAP Data Interchange Format (LDIF). You can also use LDIF files to update a directory.
LDIF files are ASCII text files that contain the information required to define objects within an LDAP directory. LDIF files contain one or more entries, each of which comprises a Distinguished Name, at least one object class definition and, optionally, multiple attribute definitions.
The certificateRevocationList;binary attribute contains a list, in binary form, of revoked user certificates. The authorityRevocationList;binary attribute contains a binary list of CA certificates that have been revoked. For use with IBM MQ TLS, the binary data for these attributes must conform to DER (Distinguished Encoding Rules) format. For more information about LDIF files, refer to the documentation provided with your LDAP server.
Figure 1 shows a sample LDIF file that you might create as input to your LDAP server to load the CRLs and ARLs issued by CA1, which is an imaginary Certificate Authority with the Distinguished Name CN=CA1, OU=Test, O=IBM, C=GB, set up by the Test organization within IBM.
Figure 2 shows the DIT structure that your LDAP server creates when you load the sample LDIF file shown in Figure 1 together with a similar file for CA2, an imaginary Certificate Authority set up by the PKI organization, also within IBM.
WebSphere MQ checks both CRLs and ARLs.
Note: Ensure that the access control list for the LDAP server allows authorized users to read, search, and compare the entries that hold the CRLs and ARLs. WebSphere MQ accesses the LDAP server using the LDAPUSER and LDAPPWD properties of the AUTHINFO object.
- Configuring and updating LDAP servers
Use this procedure to configure or update your LDAP server.
Parent topic: Work with Certificate Revocation Lists and Authority Revocation Lists