V9.6.0.1: Configuring Rational DOORS Web Access to support PKI certificate revocation lists

In version 9.6.0.1 and later, you can configure IBM® Rational® DOORS® Web Access to use public key infrastructure (PKI) certificate revocation lists (CRLs) for managing user access.

Before you begin

To use CRLs, administrators must configure IBM Rational DOORS and Rational DOORS Web Access to enable PKI support and encryption compliance.

About this task

A CRL is a signed data structure that contains a time-stamped list that identifies revoked certificates. Revoked certificates are no longer trusted for authentication. Typically, CRLs block access when a user's employment status or assignment changes, or when a user's certificate or the corresponding private key is compromised.

Client certificates and CRLs must meet these conditions:

Note: Rational DOORS Web Access supports both DER (binary) and PEM (base-64) formats for CRLs. Rational DOORS only supports the DER format.

Procedure

To configure Rational DOORS Web Access to support CRLs, modify the script that is used to start the Apache Tomcat server.

  1. Open the startup script for the Apache Tomcat server in an editor.
    • On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example, C:\Program Files (x86)\IBM\Rational\DOORS Web Access\9.version.
    • On UNIX systems, the server.start.sh script file is in the Rational DOORS Web Access installation directory.
  2. Set the system properties to enable CRL support.
    • On Windows systems, add this code near the end of the file, before the cd %CATALINA_HOME%\bin entry:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.checkRevocation=true -Dcom.ibm.security.enableCRLDP=true
    • On UNIX systems, add this code before the export JAVA_OPTS entry:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.checkRevocation=true -Dcom.ibm.security.enableCRLDP=true"
      (The value must be quoted: in a POSIX shell an unquoted assignment that contains spaces would run -Dcom.ibm.jsse2.checkRevocation=true as a command instead of appending it to JAVA_OPTS.)
    Note: SSL debugging can be enabled by adding one of these system properties:
    -Djavax.net.debug=ssl
    or
    -Djavax.net.debug=ssl,handshake
  3. Save and close the startup script file.
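The following is an added example, not part of the IBM documentation: a small POSIX shell check that confirms a startup script such as server.start.sh really carries both CRL properties from step 2 set to true, and flags a -Djavax.net.debug setting left behind after troubleshooting. The sample scripts it inspects are constructed inline; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): verify that a Tomcat startup script enables
# CRL checking for the IBM JSSE2 provider as described in step 2.

# Return 0 when both CRL properties are present and set to true,
# 1 when either is missing or not "true", 2 when the file is unreadable.
check_crl_options() {
    script="$1"
    [ -r "$script" ] || return 2
    grep -Eq -- '-Dcom\.ibm\.jsse2\.checkRevocation=true([[:space:]"]|$)' "$script" || return 1
    grep -Eq -- '-Dcom\.ibm\.security\.enableCRLDP=true([[:space:]"]|$)' "$script" || return 1
    return 0
}

# Return 0 when SSL debug logging is still switched on in the script.
# Handshake tracing is useful while diagnosing CRL problems but is very
# verbose and should not stay enabled on a production server.
ssl_debug_enabled() {
    grep -Eq -- '-Djavax\.net\.debug=' "$1"
}

# --- constructed sample startup scripts (not real DOORS files) ---
tmpdir=$(mktemp -d)
good_script="$tmpdir/server.start.sh"
bad_script="$tmpdir/server.start.broken.sh"

cat > "$good_script" <<'EOF'
#!/bin/sh
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.checkRevocation=true -Dcom.ibm.security.enableCRLDP=true"
export JAVA_OPTS
EOF

# Second property missing and SSL debugging left on.
cat > "$bad_script" <<'EOF'
#!/bin/sh
JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.checkRevocation=true -Djavax.net.debug=ssl,handshake"
export JAVA_OPTS
EOF

if check_crl_options "$good_script"; then echo "ok: CRL checking enabled in $good_script"; fi
if ! check_crl_options "$bad_script"; then echo "warn: CRL checking incomplete in $bad_script"; fi
if ssl_debug_enabled "$bad_script"; then echo "warn: SSL debug logging enabled in $bad_script"; fi
```

Point check_crl_options at the real server.start.sh after step 3 to confirm the edit took effect before restarting Tomcat.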

Example

For examples of how to make other edits in the startup script, see Configuring compliance for FIPS 140-2 in Rational DOORS Web Access.
