A local instance of Directory Server must be designated as the CRL repository. It can be the same directory in which the OpenSSO Enterprise schema is stored or it can be standalone. The Java Development Kit (JDK) must be version 1.5 or higher.
Create one entry in Directory Server for each certificate authority.
For example, if the certificate authority's subjectDN is CN="Entrust.net Client Certification Authority",OU="www.entrust.net/GCCA_CPS incorp. by ref. (limits lib.)",O=Entrust.net and the base DN for Directory Server is dc=sun,dc=com, create an entry with the DN cn="Entrust.net Client Certification Authority",ou=people,dc=sun,dc=com.
If the certificate authority's subjectDN does not contain uid or cn attributes, do the following:
Create a new object class.
For example, sun-am-managed-ca-container.
Populate the new object class with the following attributes:
objectclass
ou
authorityRevocationList
caCertificate
certificateRevocationList
crossCertificatePair
Add the following entry (modified per your deployment) to Directory Server.
dn: ou=1CA-AC1,dc=sun,dc=com
objectClass: top
objectClass: organizationalunit
objectClass: iplanet-am-managed-ca-container
ou: 1CA-AC1
You will publish the appropriate CRL to the entry created in the last step.
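As an added example (not code from the OpenSSO Enterprise documentation), the following Python derives the Directory Server entry for a certificate authority from its subjectDN as the steps above describe: it splits the RFC 2253 DN while honouring quoted values and backslash-escaped commas, builds the cn=...,ou=people,<base DN> entry DN when the subjectDN carries cn or uid, and otherwise produces the LDIF for the container entry. The container object class and the ou value are taken from the example entry above; using uid as the RDN attribute when cn is absent is an assumption.

```python
# Added example, not from the OpenSSO Enterprise documentation: derive the
# Directory Server entry for a CA's CRL from its subjectDN per the steps above.

CONTAINER_OBJECT_CLASS = "iplanet-am-managed-ca-container"  # as in the entry above

def split_dn(dn):
    """Split an RFC 2253 DN into lowercase (attribute, value) pairs, honouring
    quoted values and backslash escapes so commas inside a value do not split."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def ca_entry_dn(subject_dn, base_dn):
    """DN of the per-CA entry under ou=people, or None when the subjectDN has
    neither cn nor uid (a container entry is then needed instead). The RDN value
    is quoted as in the example DN above; falling back to uid is an assumption."""
    for want in ("cn", "uid"):
        for attr, value in split_dn(subject_dn):
            if attr == want:
                value = value.replace("\\", "\\\\").replace('"', '\\"')
                return '%s="%s",ou=people,%s' % (attr, value, base_dn)
    return None

def ca_container_ldif(ou, base_dn):
    """LDIF for the fallback container entry (mirrors the entry shown above)."""
    return "\n".join([
        "dn: ou=%s,%s" % (ou, base_dn),
        "objectClass: top",
        "objectClass: organizationalunit",
        "objectClass: %s" % CONTAINER_OBJECT_CLASS,
        "ou: %s" % ou,
    ])
```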
Publish the appropriate CRL to the corresponding LDAP entry.
This part can be done automatically by OpenSSO Enterprise or manually. If the certificate being validated has a CRL Distribution Point Extension value, the CRL is published automatically. If the certificate being validated has an Issuing Distribution Point Extension value, the initial publishing of the CRL must be done manually, but future updates are done at runtime. If the certificate being validated has neither of these values, updates must be done manually at all times. See To Manually Populate a Directory Server with a Certificate Revocation List for information on manual population.
Configure OpenSSO Enterprise in the console to point to the instance of Directory Server designated as the CRL repository.
In the OpenSSO Enterprise Console, click the Configuration tab.
Click the Servers and Sites tab.
Click the Server Name.
Click the Security tab.
Click Inheritance Settings.
Uncheck the following properties:
LDAP Search Base DN
LDAP Server Bind Password
LDAP Server Bind Username
LDAP Server Host Name
LDAP Server Port Number
Search Attributes
SSL Enabled
Click Save and then Back to Server Profile.
Click Certificate Revocation List Caching.
Configure the following attributes. See Certificate Revocation List Caching in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the properties:
LDAP Server Host Name
LDAP Server Port Number
SSL Enabled
LDAP Server Bind User Name
LDAP Server Bind Password
LDAP Search Base DN
Search Attributes
Click Save.
Restart the web container.
Import all the certificate authority certificates into the cacerts keystore under the java.home/jre/lib/secure directory using the keytool utility.
Certificates must be imported as trusted CA certificates (the keytool -trustcacerts option). More information on keytool can be found at http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html.