Accessing CRLs and ARLs with a queue manager
Note that in this section, information about Certificate Revocation
Lists (CRLs) also applies to Authority Revocation Lists (ARLs).
You tell the queue manager how to access CRLs by supplying it with
authentication information objects, each of which holds the address of
an LDAP CRL server. The names of the authentication information objects are
collected in a namelist, and that namelist is named in the SSLCRLNamelist
queue manager attribute.
In the following example, MQSC is used to specify the parameters:
- Define authentication information objects using the DEFINE AUTHINFO MQSC
command, with the AUTHTYPE parameter set to CRLLDAP. On i5/OS(TM), you can
also use the CRTMQMAUTI CL command.
WebSphere MQ supports only
the value CRLLDAP for the AUTHTYPE parameter, which indicates that CRLs are
accessed on LDAP servers. Each authentication information object with type
CRLLDAP that you create holds the address of an LDAP server. When you have
more than one authentication information object, the LDAP servers to which
they point must contain identical information. This
provides continuity of service if one or more LDAP servers fail.
Additionally, on z/OS(R) only, all LDAP servers must be accessed using the
same user ID and password. The user ID and password used are those specified
in the first AUTHINFO object in the namelist.
- Using the DEFINE NAMELIST MQSC command, define a namelist for
the names of your authentication information objects. On z/OS, ensure that
the NLTYPE namelist attribute is set to AUTHINFO.
- Using the ALTER QMGR MQSC command, supply the namelist to the queue manager.
For example:
ALTER QMGR SSLCRLNL(sslcrlnlname)
where sslcrlnlname is your namelist of authentication information objects.
This command sets a queue manager attribute called SSLCRLNamelist. The queue manager's initial value for this attribute is blank.
On i5/OS, you can specify authentication information objects, but the
queue manager uses neither authentication information objects nor a namelist
of authentication information objects. Only WebSphere MQ clients that use a client connection
table generated by an i5/OS queue manager use the authentication information
specified for that i5/OS queue manager. The SSLCRLNamelist queue manager attribute on i5/OS determines what authentication information
such clients use. See Accessing CRLs and ARLs on i5/OS for information about
telling an i5/OS queue manager how to access CRLs.
You can add up to 10 connections to alternative LDAP servers
to the namelist, to ensure continuity of service if one or more LDAP servers
fail. Because the queue manager treats these servers as interchangeable,
they must contain identical information; otherwise the outcome of a revocation
check depends on which server happens to answer.
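The three MQSC steps above, as an added worked example for a queue manager on a distributed platform (this script is not part of the WebSphere MQ documentation). It generates the DEFINE AUTHINFO, DEFINE NAMELIST and ALTER QMGR commands for a set of replicated LDAP servers, enforces the limit of 10 servers, and reads the resulting attributes back with DISPLAY so you can confirm what the queue manager holds. The queue manager name QM1, the object names CRL.LDAP.n and SSL.CRL.NL, the host names ldap1.example.com and ldap2.example.com, and the CRL_LDAP_USER and CRL_LDAP_PWD environment variables are assumptions chosen for the illustration. On z/OS you would additionally need NLTYPE(AUTHINFO) on the namelist, and only the user ID and password from the first AUTHINFO object would be used.

```shell
#!/bin/sh
# Added example, not from the WebSphere MQ documentation. Builds the MQSC that
# points a distributed queue manager at one or more replicated LDAP CRL servers.
# Names, hosts and the CRL_LDAP_USER / CRL_LDAP_PWD variables are assumptions.

# Emit the MQSC.  $1 = namelist name, remaining args = LDAP servers as host:port.
# A bind DN and password are taken from CRL_LDAP_USER / CRL_LDAP_PWD only when
# set; leave them unset if the directory allows anonymous queries.
crl_mqsc() {
    nl=$1; shift
    # The namelist may reference at most 10 LDAP servers.
    if [ "$#" -gt 10 ]; then
        echo "crl_mqsc: at most 10 LDAP servers are allowed, got $#" >&2
        return 1
    fi
    if [ "$#" -lt 1 ]; then
        echo "crl_mqsc: at least one LDAP server is required" >&2
        return 1
    fi
    names=''
    i=0
    for server in "$@"; do
        i=$((i + 1))
        host=${server%%:*}
        port=${server##*:}
        # Every object is AUTHTYPE(CRLLDAP); CONNAME takes the form host(port).
        printf "DEFINE AUTHINFO(CRL.LDAP.%s) AUTHTYPE(CRLLDAP) CONNAME('%s(%s)')" \
            "$i" "$host" "$port"
        if [ -n "${CRL_LDAP_USER:-}" ]; then
            printf " LDAPUSER('%s') LDAPPWD('%s')" "$CRL_LDAP_USER" "${CRL_LDAP_PWD:-}"
        fi
        printf " REPLACE\n"
        names="${names:+$names,}CRL.LDAP.$i"
    done
    # One namelist lists every AUTHINFO object; ALTER QMGR activates it.
    printf "DEFINE NAMELIST(%s) NAMES(%s) REPLACE\n" "$nl" "$names"
    printf "ALTER QMGR SSLCRLNL(%s)\n" "$nl"
    # Read back what the queue manager now holds so the change can be verified.
    printf "DISPLAY QMGR SSLCRLNL\n"
    printf "DISPLAY NAMELIST(%s) NAMES\n" "$nl"
    printf "DISPLAY AUTHINFO(CRL.LDAP.*) AUTHTYPE CONNAME\n"
}

# Apply the MQSC to queue manager $1 with runmqsc when it is installed;
# otherwise print the commands so they can be reviewed first.
apply_crl_mqsc() {
    qm=$1; shift
    if command -v runmqsc >/dev/null 2>&1; then
        crl_mqsc "$@" | runmqsc "$qm"
    else
        crl_mqsc "$@"
    fi
}

# Two replicated CRL servers, both on the standard LDAP port 389.
apply_crl_mqsc QM1 SSL.CRL.NL ldap1.example.com:389 ldap2.example.com:389
```

The bind password is taken from the environment rather than written into the script so that the MQSC text you keep under version control never contains it; if the directory permits anonymous queries, leave both variables unset and no LDAPUSER or LDAPPWD is emitted. Run the generated DISPLAY commands again after any LDAP server change: the queue manager only consults the servers named in the namelist that SSLCRLNL currently points to.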
Accessing CRLs and ARLs on i5/OS
Note that in this section, information about Certificate Revocation
Lists (CRLs) also applies to Authority Revocation Lists (ARLs).
Use the following procedure to set up a CRL location for a specific certificate
on i5/OS:
- Access the DCM interface, as described in Accessing DCM.
- In the Manage CRL locations task category in the
navigation panel, click Add CRL location. The Manage
CRL Locations page displays in the task frame.
- In the CRL Location Name field, type a CRL location
name, for example LDAP Server #1.
- In the LDAP Server field, type the LDAP server name.
- In the Use Secure Sockets Layer (SSL) field, select Yes if you want to connect to the LDAP server using SSL.
Otherwise, select No.
- In the Port Number field, type a port number for
the LDAP server, for example 389.
- If your LDAP server does not allow anonymous users to query the directory,
type a login distinguished name for the server in the login
distinguished name field.
- Click OK. DCM informs you that it has created the
CRL location.
- In the navigation panel, click Select a Certificate Store. The Select a Certificate Store page displays in the task frame.
- Select the Other System Certificate Store check
box and click Continue. The Certificate Store and Password
page displays.
- In the Certificate store path and filename field,
type the IFS path and filename you set when Creating a new certificate store.
- Type a password in the Certificate Store Password field.
Click Continue. The Current Certificate
Store page displays in the task frame.
- In the Manage Certificates task category in the
navigation panel, click Update CRL location assignment.
The CRL Location Assignment page displays in the task frame.
- Select the radio button for the CA certificate to which you want to assign
the CRL location. Click Update CRL Location Assignment.
The Update CRL Location Assignment page displays in the task frame.
- Select the radio button for the CRL location which you want to assign
to the certificate. Click Update Assignment. DCM informs
you that it has updated the assignment.
Note that DCM allows you to assign a different LDAP server by Certification
Authority.
Accessing CRLs and ARLs using WebSphere MQ Explorer
Note that in this section, information about Certificate Revocation
Lists (CRLs) also applies to Authority Revocation Lists (ARLs).
You can use WebSphere MQ Explorer to tell a queue manager how to access CRLs.
Use the following procedure to set up an LDAP connection to a CRL:
- Ensure that you have started your queue manager.
- In WebSphere MQ Explorer, expand the Advanced folder of your queue
manager.
- Right-click the Authentication Information folder
and click New -> CRL(LDAP). In the property sheet that
opens:
- On the General page, type a name for the CRL(LDAP) object.
- Select the CRL(LDAP) page.
- Type the LDAP server name as either the network name or the IP address.
- If the server requires login details, provide a user ID and if necessary
a password.
- Click OK.
- Right-click the Namelists folder and click New -> Namelist. In the property sheet that opens:
- Type a name for the namelist.
- Add the name of the CRL(LDAP) object (from step 3a)
to the list.
- Click OK.
- Right-click the queue manager, select Properties,
and select the SSL page:
- Select the Check certificates received by this queue
manager against Certification Revocation Lists check box.
- Type the name of the namelist (from step 4a) in the CRL Namelist field.