Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Set Up for Certificate Revocation List Checking

Before You Begin

A local instance of Directory Server must be designated as the CRL repository. It can be the same directory in which the OpenSSO Enterprise schema is stored or it can be standalone. The Java Development Kit (JDK) must be version 1.5 or higher.

  1. Create one entry in Directory Server for each certificate authority.

    For example, if the certificate authority's subjectDN is CN="Entrust.net Client Certification Authority",OU="www.entrust.net/GCCA_CPS incorp. by ref. (limits lib.)",O=Entrust.net and the base DN for Directory Server is dc=sun,dc=com, create an entry with the DN cn="Entrust.net Client Certification Authority",ou=people,dc=sun,dc=com.


    Note –

    If the certificate authority's subjectDN does not contain uid or cn attributes, do the following:

    1. Create a new object class.

      For example, sun-am-managed-ca-container.

    2. Populate the new object class with the following attributes:

      • objectclass

      • ou

      • authorityRevocationList

      • caCertificate

      • certificateRevocationList

      • crossCertificatePair

    3. Add the following entry (modified per your deployment) to Directory Server.

      dn: ou=1CA-AC1,dc=sun,dc=com
      objectClass: top
      objectClass: organizationalunit
      objectClass: iplanet-am-managed-ca-container
      ou: 1CA-AC1

    You will publish the appropriate CRL to the entry created in the last step.


  2. Publish the appropriate CRL to the corresponding LDAP entry.

    This part can be done automatically by OpenSSO Enterprise or manually. If the certificate being validated has a CRL Distribution Point Extension value, the publishing of the CRL is done automatically. If the certificate being validated has an IssuingDistributionPointExtension value, the initial publishing of the CRL must be done manually, but future updates are done at runtime. If the certificate being validated has neither of these values, updates must be done manually at all times. See To Manually Populate a Directory Server with a Certificate Revocation List for information on manual population.

  3. Configure OpenSSO Enterprise in the console to point to the instance of Directory Server designated as the CRL repository.

    1. In the OpenSSO Enterprise Console, click the Configuration tab.

    2. Click the Servers and Sites tab.

    3. Click the Server Name.

    4. Click the Security tab.

    5. Click Inheritance Settings.

    6. Uncheck the following properties:

      • LDAP Search Base DN

      • LDAP Server Bind Password

      • LDAP Server Bind Username

      • LDAP Server Host Name

      • LDAP server port number

      • Search Attributes

      • SSL Enabled

    7. Click Save and then Back to Server Profile.

    8. Click Certificate Revocation List Caching.

    9. Configure the following attributes. See Certificate Revocation List Caching in Sun OpenSSO Enterprise 8.0 Administration Reference for definitions of the properties:

      • LDAP Server Host Name

      • LDAP Server Port Number

      • SSL Enabled

      • LDAP Server Bind User Name

      • LDAP Server Bind Password

      • LDAP Search Base DN

      • Search Attributes

    10. Click Save.

    11. Restart the web container.

  4. Import all the certificate authority certificates into the cacerts keystore under the java.home/jre/lib/security directory using the keytool utility.

    Certificates must be imported as trusted certificate entries (keytool entry type trustedCertEntry). More information on keytool can be found at http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html.
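As an added example that is not part of this guide or of OpenSSO itself, the following Python builds the LDIF that publishes a CA's CRL to the entry named in step 1, or to the ou container from the Note when the CA subjectDN carries neither cn nor uid. The object classes used for the cn form (organizationalRole plus pkiCA) and the placeholder DER bytes in the usage are assumptions; a real CRL would be read from its DER file.

```python
# Added example (not OpenSSO code); the cn-form object classes are an assumption.
import base64

def parse_rdns(dn):
    """Split a DN into (attr, value) pairs; quoted values may contain commas."""
    parts, buf, quoted = [], "", False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append(buf)
            buf = ""
            continue
        buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().strip('"')))
    return rdns

def crl_entry(subject_dn, base_dn="dc=sun,dc=com", container_ou=None):
    """Return (dn, rdn_attr, rdn_value) for the entry that will hold this CA's CRL."""
    attrs = dict(parse_rdns(subject_dn))
    for name in ("cn", "uid"):          # step 1: cn/uid present -> entry under ou=people
        if name in attrs:
            return f'cn="{attrs[name]}",ou=people,{base_dn}', "cn", attrs[name]
    ou = container_ou or attrs.get("o", "ca")  # Note: container name is deployment-specific
    return f"ou={ou},{base_dn}", "ou", ou

def fold(line, width=76):
    """LDIF line folding (RFC 2849): continuation lines begin with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out

def crl_ldif(subject_dn, crl_der, base_dn="dc=sun,dc=com", container_ou=None):
    """LDIF for the CA entry with its DER CRL as a base64 ('::') attribute value."""
    dn, attr, value = crl_entry(subject_dn, base_dn, container_ou)
    lines = [f"dn: {dn}", "objectClass: top"]
    if attr == "ou":   # container form from the Note
        lines += ["objectClass: organizationalunit", "objectClass: iplanet-am-managed-ca-container"]
    else:              # assumed classes: organizationalRole (structural) + pkiCA (RFC 4523)
        lines += ["objectClass: organizationalRole", "objectClass: pkiCA"]
    lines.append(f"{attr}: {value}")
    lines += fold("certificateRevocationList;binary:: " + base64.b64encode(crl_der).decode())
    return "\n".join(lines) + "\n"
```

The output can be loaded with ldapmodify -a; after loading, the entry should be readable with the Search Attributes configured in step 3 so that OpenSSO can locate the CRL by the issuer's cn or ou.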