Accessing CRLs and ARLs with a queue manager

Note that in this section, information about Certificate Revocation Lists (CRLs) also applies to Authority Revocation Lists (ARLs).

You tell the queue manager how to access CRLs by supplying the queue manager with authentication information objects, each of which holds the address of an LDAP CRL server. The authentication information objects are held in a namelist, which is specified in the SSLCRLNamelist queue manager attribute.

In the following example, MQSC is used to specify the parameters:

  1. Define authentication information objects using the DEFINE AUTHINFO MQSC command, with the AUTHTYPE parameter set to CRLLDAP. On i5/OS, you can also use the CRTMQMAUTI CL command.

    WebSphere MQ supports only the value CRLLDAP for the AUTHTYPE parameter, which indicates that CRLs are accessed on LDAP servers. Each authentication information object with type CRLLDAP that you create holds the address of an LDAP server. When you have more than one authentication information object, the LDAP servers to which they point must contain identical information. This provides continuity of service if one or more LDAP servers fail.

    Additionally, on z/OS only, all LDAP servers must be accessed using the same user ID and password. The user ID and password used are those specified in the first AUTHINFO object in the namelist.

  2. Using the DEFINE NAMELIST MQSC command, define a namelist for the names of your authentication information objects. On z/OS, ensure that the NLTYPE namelist attribute is set to AUTHINFO.
  3. Using the ALTER QMGR MQSC command, supply the namelist to the queue manager. For example:
    ALTER QMGR SSLCRLNL(sslcrlnlname)
    where sslcrlnlname is your namelist of authentication information objects.

    This command sets a queue manager attribute called SSLCRLNamelist. The queue manager's initial value for this attribute is blank.
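    The three steps above as one complete MQSC script, added here as an illustration and not taken from the original page; the object names, host names, LDAP credentials and the use of two replica servers are assumptions.

```mqsc
* Step 1: one AUTHINFO object per LDAP CRL server. All servers named in the
* namelist must hold identical CRL data; up to 10 may be listed.
* Host names, distinguished names and passwords are assumed values.
DEFINE AUTHINFO(CRL.LDAP1) +
       AUTHTYPE(CRLLDAP) +
       CONNAME('ldap1.example.com(389)') +
       LDAPUSER('cn=mqreader,o=example') +
       LDAPPWD('changeme') +
       DESCR('Primary CRL server') +
       REPLACE

DEFINE AUTHINFO(CRL.LDAP2) +
       AUTHTYPE(CRLLDAP) +
       CONNAME('ldap2.example.com(389)') +
       LDAPUSER('cn=mqreader,o=example') +
       LDAPPWD('changeme') +
       DESCR('Replica CRL server, same content as CRL.LDAP1') +
       REPLACE

* Step 2: a namelist holding the AUTHINFO object names.
* On z/OS only, add NLTYPE(AUTHINFO) to this command.
DEFINE NAMELIST(SSL.CRL.NL) +
       NAMES(CRL.LDAP1,CRL.LDAP2) +
       DESCR('CRL servers for this queue manager') +
       REPLACE

* Step 3: point the queue manager at the namelist (sets SSLCRLNamelist,
* which is blank by default).
ALTER QMGR SSLCRLNL(SSL.CRL.NL)

* Checks: confirm the attribute is set and that every name in the
* namelist resolves to a CRLLDAP object with the expected server address.
DISPLAY QMGR SSLCRLNL
DISPLAY NAMELIST(SSL.CRL.NL) NAMES
DISPLAY AUTHINFO(CRL.LDAP*) AUTHTYPE CONNAME LDAPUSER

* Channels cache their SSL settings, so refresh them to pick up the new
* CRL servers.
REFRESH SECURITY TYPE(SSL)
```

    Feed the script to runmqsc for the queue manager in question; a DISPLAY AUTHINFO entry whose CONNAME differs from the others is a sign that the replica servers are not configured identically.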

On i5/OS, you can specify authentication information objects, but the queue manager uses neither authentication information objects nor a namelist of authentication information objects. Only WebSphere MQ clients that use a client connection table generated by an i5/OS queue manager use the authentication information specified for that i5/OS queue manager. The SSLCRLNamelist queue manager attribute on i5/OS determines what authentication information such clients use. See Accessing CRLs and ARLs on i5/OS for information about telling an i5/OS queue manager how to access CRLs.

You can add up to 10 connections to alternative LDAP servers to the namelist, to ensure continuity of service if one or more LDAP servers fail. Note that the LDAP servers must contain identical information.

Accessing CRLs and ARLs on i5/OS

Note that in this section, information about Certificate Revocation Lists (CRLs) also applies to Authority Revocation Lists (ARLs).

Use the following procedure to set up a CRL location for a specific certificate on i5/OS:

  1. Access the DCM interface, as described in Accessing DCM.
  2. In the Manage CRL locations task category in the navigation panel, click Add CRL location. The Manage CRL Locations page displays in the task frame.
  3. In the CRL Location Name field, type a CRL location name, for example LDAP Server #1.
  4. In the LDAP Server field, type the LDAP server name.
  5. In the Use Secure Sockets Layer (SSL) field, select Yes if you want to connect to the LDAP server using SSL. Otherwise, select No.
  6. In the Port Number field, type a port number for the LDAP server, for example 389.
  7. If your LDAP server does not allow anonymous users to query the directory, type a login distinguished name for the server in the Login Distinguished Name field.
  8. Click OK. DCM informs you that it has created the CRL location.
  9. In the navigation panel, click Select a Certificate Store. The Select a Certificate Store page displays in the task frame.
  10. Select the Other System Certificate Store check box and click Continue. The Certificate Store and Password page displays.
  11. In the Certificate store path and filename field, type the IFS path and filename you set when Creating a new certificate store.
  12. Type a password in the Certificate Store Password field. Click Continue. The Current Certificate Store page displays in the task frame.
  13. In the Manage Certificates task category in the navigation panel, click Update CRL location assignment. The CRL Location Assignment page displays in the task frame.
  14. Select the radio button for the CA certificate to which you want to assign the CRL location. Click Update CRL Location Assignment. The Update CRL Location Assignment page displays in the task frame.
  15. Select the radio button for the CRL location which you want to assign to the certificate. Click Update Assignment. DCM informs you that it has updated the assignment.

Note that DCM allows you to assign a different LDAP server by Certification Authority.

Accessing CRLs and ARLs using WebSphere MQ Explorer

Note that in this section, information about Certificate Revocation Lists (CRLs) also applies to Authority Revocation Lists (ARLs).

You can use WebSphere MQ Explorer to tell a queue manager how to access CRLs.

Use the following procedure to set up an LDAP connection to a CRL:

  1. Ensure that you have started your queue manager.
  2. In WebSphere MQ Explorer, expand the Advanced folder of your queue manager.
  3. Right-click the Authentication Information folder and click New -> CRL(LDAP). In the property sheet that opens:
    a. On the General page, type a name for the CRL(LDAP) object.
    b. Select the CRL(LDAP) page.
    c. Type the LDAP server name as either the network name or the IP address.
    d. If the server requires login details, provide a user ID and if necessary a password.
    e. Click OK.
  4. Right-click the Namelists folder and click New -> Namelist. In the property sheet that opens:
    a. Type a name for the namelist.
    b. Add the name of the CRL(LDAP) object (from step 3a) to the list.
    c. Click OK.
  5. Right-click the queue manager, select Properties, and select the SSL page:
    a. Select the Check certificates received by this queue manager against Certification Revocation Lists check box.
    b. Type the name of the namelist (from step 4a) in the CRL Namelist field.