Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Procedure: To Set Up for Certificate Revocation List Checking

Before You Begin

A local instance of Directory Server must be designated as the CRL repository. It can be the same directory in which the Access Manager or Federation Manager schema is stored or it can be standalone. The Java Development Kit (JDK) must be version 1.5 or higher.


Note –

If enabling this feature on an instance of Access Manager, the instance must be Access Manager version 7.0sp5 or later.


  1. Create one entry in Directory Server for each certificate authority.

    For example, if the certificate authority's subjectDN is CN="Entrust.net Client Certification Authority",OU="www.entrust.net/GCCA_CPS incorp. by ref. (limits lib.)",O=Entrust.net and the base DN for Directory Server is dc=sun,dc=com, create an entry with the DN cn="Entrust.net Client Certification Authority",ou=people,dc=sun,dc=com. The attribute used in the entry's RDN (here cn) must be the one named by com.sun.identity.saml2.crl.cache.directory.searchattr in step 3, and its value must match that component of the certificate authority's subjectDN exactly, because the CRL is retrieved by searching on it.


    Note –

    If the certificate authority's subjectDN does not contain uid or cn attributes, do the following:

    1. Create a new object class.

      For example, iplanet-am-managed-ca-container, the object class used in the entry below.

    2. Allow the following attributes in the new object class:

      • objectclass

      • ou

      • authorityRevocationList

      • caCertificate

      • certificateRevocationList

      • crossCertificatePair

    3. Add the following entry (modified per your deployment) to Directory Server.

      dn: ou=1CA-AC1,dc=sun,dc=com
      objectClass: top
      objectClass: organizationalunit
      objectClass: iplanet-am-managed-ca-container
      ou: 1CA-AC1

    You will publish the appropriate CRL to the entry created in the last step.


  2. Publish the appropriate CRL to the corresponding LDAP entry.

    The CRL can be published automatically by Access Manager or Federation Manager, or manually. Which applies depends on the certificate being validated. If it carries a CRL Distribution Point extension, the CRL is fetched and published automatically. If it carries an Issuing Distribution Point extension, the CRL must be published manually the first time, after which updates are fetched at runtime. If it carries neither extension, every update must be published manually. See To Manually Populate a Directory Server with a Certificate Revocation List for the manual procedure.

  3. Configure the following properties in AMConfig.properties to point to the instance of Directory Server designated as the CRL repository.

    • com.sun.identity.saml2.crl.cache.directory.host defines the LDAP directory's host name.

    • com.sun.identity.saml2.crl.cache.directory.port defines the LDAP directory's port number.

    • com.sun.identity.saml2.crl.cache.directory.ssl takes a value of TRUE or FALSE, indicating whether the connection to the LDAP directory uses SSL.

    • com.sun.identity.saml2.crl.cache.directory.user defines the DN of the user with permission to bind to the LDAP directory. This user must be able to read the CRL entries and, for automatic publishing, to write to them.

    • com.sun.identity.saml2.crl.cache.directory.password defines the password for the bind user. The value must be the encrypted form of the password: encrypt it with ampassword before entering it here. See Chapter 2, The ampassword Command Line Tool, in Sun Java System Access Manager 7.1 Administration Reference for more information.

    • com.sun.identity.saml2.crl.cache.directory.searchloc defines the base DN from where the search will begin.

    • com.sun.identity.saml2.crl.cache.directory.searchattr defines the component of the root certificate's subjectDN (issuer) that will be used to retrieve the CRL from the LDAP directory. The value is a single attribute name, for example cn, and it must be the attribute used in the RDN of the entries created in step 1.


      Note –

      All root certificate authorities must use the same search attribute.



  4. Import all the certificate authority certificates into the cacerts keystore under the java.home/jre/lib/security directory using the keytool utility.

    Certificates must be imported as trusted CA certificates (keytool -import -trustcacerts). More information on keytool can be found at http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html.
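The following script is an added example that ties steps 1 through 3 together; it is not part of this guide or of the SAML v2 Plug-in. Given a certificate authority's subjectDN, the chosen searchattr and the searchloc base DN, it derives the entry DN the CRL must be published under, the LDAP search filter a lookup keyed on that attribute needs (with the special characters in the guide's Entrust OU value escaped), and the LDIF that publishes the CRL. It assumes the repository lookup is a search for (searchattr=<component of the issuer DN>) under searchloc, that the CRL is stored in the certificateRevocationList attribute with the ;binary transfer option, and that a cn-keyed entry uses the standard cRLDistributionPoint object class from RFC 4523, which the guide does not name. The CRL bytes and the second CA's DN are constructed placeholders.

```python
"""Added example, not code from this guide or the SAML v2 Plug-in.

Derives, from a CA's subjectDN, the Directory Server entry DN, the search filter
and the LDIF needed to publish that CA's CRL. Assumptions: lookup filter is
(searchattr=<issuer component>) under searchloc; the CRL is stored in
certificateRevocationList;binary; cn entries use cRLDistributionPoint (RFC 4523).
"""
import base64

# Constructed inputs: the Entrust DN from the guide and a CA whose subjectDN has no cn/uid.
ENTRUST_DN = ('CN="Entrust.net Client Certification Authority",'
              'OU="www.entrust.net/GCCA_CPS incorp. by ref. (limits lib.)",O=Entrust.net')
NO_CN_DN = 'OU=1CA-AC1,O=Example Corp'   # constructed; reuses the guide's ou container name
BASE_DN = 'dc=sun,dc=com'


def parse_dn(dn):
    """Split a DN written in the guide's style (double-quoted values allowed) into
    [(attr, value), ...]. Attribute types are lower-cased and quotes removed.
    Backslash escapes inside quotes are not handled; the guide's examples use none."""
    rdns = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.index('=', i)
        attr = dn[i:eq].strip().lower()
        i = eq + 1
        if i < n and dn[i] == '"':
            close = dn.index('"', i + 1)
            value = dn[i + 1:close]
            i = close + 1
        else:
            comma = dn.find(',', i)
            value = dn[i:].strip() if comma < 0 else dn[i:comma].strip()
            i = n if comma < 0 else comma
        rdns.append((attr, value))
        i = dn.find(',', i)            # step past the separator, or finish
        i = n if i < 0 else i + 1
    return rdns


_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return ''.join(_FILTER_ESCAPES.get(c, c) for c in value)


def ldap_dn_escape(value):
    """RFC 4514 escaping for an RDN value used without surrounding quotes."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c == '\x00':
            out.append(r'\00')
        elif c in ',+"\\<>;' or (i == 0 and c in '# ') or (i == last and c == ' '):
            out.append('\\' + c)
        else:
            out.append(c)
    return ''.join(out)


def issuer_component(issuer_dn, search_attr):
    """Value of searchattr in the issuer DN, or None when the DN has no such component
    (the case in which the guide's note says to use a named ou container)."""
    for attr, value in parse_dn(issuer_dn):
        if attr == search_attr.lower():
            return value
    return None


def crl_search_filter(issuer_dn, search_attr):
    value = issuer_component(issuer_dn, search_attr)
    if value is None:
        raise ValueError(f'issuer DN has no {search_attr} component')
    return f'({search_attr}={ldap_filter_escape(value)})'


def crl_entry_dn(issuer_dn, search_attr, base_dn):
    value = issuer_component(issuer_dn, search_attr)
    return None if value is None else f'{search_attr}={ldap_dn_escape(value)},{base_dn}'


def ldif_attr(name, value):
    """One LDIF attribute line; base64 (::) for bytes or values LDIF cannot carry literally."""
    if isinstance(value, bytes):
        return f'{name}:: {base64.b64encode(value).decode("ascii")}'
    literal_ok = (value.isascii() and value.isprintable()
                  and value[:1] not in (' ', ':', '<') and not value.endswith(' '))
    if literal_ok:
        return f'{name}: {value}'
    return f'{name}:: {base64.b64encode(value.encode("utf-8")).decode("ascii")}'


def crl_ldif(search_attr, rdn_value, base_dn, crl_der):
    """LDIF that creates the holder entry and publishes one CRL into it.
    searchattr cn -> cRLDistributionPoint entry (RFC 4523, an assumption here);
    anything else -> the iplanet-am-managed-ca-container entry shown in the guide."""
    if search_attr.lower() == 'cn':
        classes = ['top', 'cRLDistributionPoint']
    else:
        classes = ['top', 'organizationalunit', 'iplanet-am-managed-ca-container']
    lines = [f'dn: {search_attr}={ldap_dn_escape(rdn_value)},{base_dn}']
    lines += [f'objectClass: {c}' for c in classes]
    lines.append(ldif_attr(search_attr, rdn_value))
    lines.append(ldif_attr('certificateRevocationList;binary', crl_der))
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    fake_crl = b'\x30\x03\x02\x01\x01'   # constructed placeholder bytes, not a real CRL
    # CA with a cn: searchattr=cn, entry under ou=people as in step 1 of the guide.
    print(crl_search_filter(ENTRUST_DN, 'cn'))
    print(crl_ldif('cn', issuer_component(ENTRUST_DN, 'cn'), 'ou=people,' + BASE_DN, fake_crl))
    # CA without cn/uid: searchattr must then be ou for every CA (see the note in step 3).
    print(crl_entry_dn(NO_CN_DN, 'cn'))   # None: fall back to the ou container
    print(crl_ldif('ou', issuer_component(NO_CN_DN, 'ou'), BASE_DN, fake_crl))
```

Feed the LDIF to ldapmodify against the directory named by the crl.cache.directory.* properties using the bind DN from com.sun.identity.saml2.crl.cache.directory.user. Note that the same searchattr applies to every CA, so a single CA whose subjectDN lacks the attribute forces the ou container layout for all of them.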