Sun Java System SAML v2 Plug-in for Federation Services User's Guide

ProcedureTo Set Up for Certificate Revocation List Checking

Before You Begin

A local instance of Directory Server must be designated as the CRL repository. It can be the same directory in which the Access Manager or Federation Manager schema is stored or it can be standalone. The Java Development Kit (JDK) must be version 1.5 or higher.

Note –

If enabling this feature on an instance of Access Manager, it must be Access Manager version 7.0sp5 and above.

  1. Create one entry in Directory Server for each certificate authority.

    For example, if the certificate authority's subjectDN is CN=" Client Certification Authority",OU=" incorp. by ref. (limits lib.)", and the base DN for Directory Server is dc=sun,dc=com, create an entry with the DN cn=" Client Certification Authority",ou=people,dc=sun,dc=com.

    Note –

    If the certificate authority's subjectDN does not contain uid or cn attributes, do the following:

    1. Create a new object class.

      For example, sun-am-managed-ca-container.

    2. Populate the new object class with the following attributes:

      • objectclass

      • ou

      • authorityRevocationList

      • caCertificate

      • certificateRevocationList

      • crossCertificatePair

    3. Add the following entry (modified per your deployment) to Directory Server.

      dn: ou=1CA-AC1,dc=sun,dc=com
      objectClass: top
      objectClass: organizationalunit
      objectClass: iplanet-am-managed-ca-container
      ou: 1CA-AC1

    You will publish the appropriate CRL to the entry created in the last step.

  2. Publish the appropriate CRL to the corresponding LDAP entry.

    This part can be done automatically by Access Manager or Federation Manager or manually. If the certificate being validated has a CRL Distribution Point Extension value, the publishing of the CRL is done automatically. If the certificate being validated has an IssuingDistributionPointExtension value, the initial publishing of the CRL must be done manually but future updates are done in runtime. If the certificate being validated has neither of these values, updates must be done manually at all time. See To Manually Populate a Directory Server with a Certificate Revocation List for information on manual population.

  3. Configure the following properties in to point to the instance of Directory Server designated as the CRL repository.

    • defines the LDAP directory's host name.

    • defines the LDAP directory's port number.

    • takes a vale of TRUE or FALSE.

    • defines the DN of the user with permission to bind to the LDAP directory.

    • defines the encrypted password for the bind user. Use ampassword for the encryption. SeeChapter 2, The ampassword Command Line Tool, in Sun Java System Access Manager 7.1 Administration Reference for more information.

    • defines the base DN from where the search will begin.

    • defines the component of the root certificate's subjectDN (issuer) that will be used to retrieve the CRL from LDAP directory. The value is a single string as in cn.

      Note –

      All root certificate authorities must use the same search attribute. defines the password for the bind user. This actually need to be the encrypted password of the bind user, customer need to use ampassword to encrypt the password before putting values here.

  4. Import all the certificate authority certificates into the cacerts keystore under the java.home/jre/lib/secure directory using the keytool utility.

    Certificates must be imported as trustedcacert. More information on keytool can be found at