Oracle® Traffic Director Administrator's Guide
11g Release 1 (11.1.1.7.0)

Part Number E21036-04

11.6 Managing Certificate Revocation Lists

A Certificate Revocation List (CRL) is a list that a CA publishes to inform users about certificates that the CA has decided to revoke before they expire. CRLs are updated periodically; the updated CRLs can be downloaded from the CA's website.

To ensure that Oracle Traffic Director servers do not trust server certificates that have been revoked by a CA, you should download the latest CRLs from the CAs' websites regularly and install them in your Oracle Traffic Director configurations.

You can install CRLs manually. You can also configure Oracle Traffic Director to take the downloaded CRLs from a specified directory and install them automatically at specified intervals.

This section contains the following topics:

  • Section 11.6.1, "Installing and Deleting CRLs Manually"

  • Section 11.6.2, "Installing CRLs Automatically"

11.6.1 Installing and Deleting CRLs Manually

You can install and delete CRLs manually by using either the administration console or the CLI.

Installing CRLs Manually Using the Administration Console

To install a downloaded CRL by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Configurations button that is situated at the upper left corner of the page.

    A list of the available configurations is displayed.

  3. Select the configuration in which you want to install the CRL.

  4. In the navigation pane, expand SSL, and select Certificate Authorities.

  5. Click the Install CRL button.

    The Install Certificate Revocation List dialog box is displayed.

  6. Specify the location of the downloaded CRL file, and click Install CRL.

    • A message, confirming successful installation of the CRL, is displayed in the Console Messages pane.

    • The CRL that you just installed is displayed on the Certificate Authorities page.

    • In addition, the Deployment Pending message is displayed at the top of the main pane. You can either deploy the updated configuration immediately by clicking Deploy Changes, or you can do so later after making further changes as described in Section 4.3, "Deploying a Configuration."

Installing and Deleting CRLs Manually Using the CLI

  • To install a downloaded CRL, run the install-crl command, as shown in the following example:

    tadm> install-crl --config=soa /home/admin/crls/ServerSign.crl
    OTD-70201 Command 'install-crl' ran successfully.
    
  • To view a list of the installed CRLs in a configuration, run the list-crls command, as shown in the following example:

    tadm> list-crls --config=soa --verbose --all
    crl-name        next-update
    ---------------------------
    "Class 1 Public Primary Certification Authority" "Sat Apr 15 16:59:59 PDT 2000"
    "VeriSign Class 3 Code Signing 2010 CA" "Mon Aug 29 14:00:03 PDT 2011"
    "VeriSign Class 3 Organizational CA" "Sun May 18 13:48:16 PDT 2014"
    
  • To delete a CRL, run the delete-crl command, as shown in the following example:

    tadm> delete-crl --config=config1 "VeriSign Class 3 Organizational CA"
    OTD-70201 Command 'delete-crl' ran successfully.
    

    When you delete a CRL, it is removed from the Oracle Traffic Director configuration and from the directory in which the downloaded CRL was stored.

For the updated configuration to take effect, you should deploy it to the Oracle Traffic Director instances by using the deploy-config command.

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.
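As an added illustration (not part of the Oracle documentation), the following Python script parses the output of list-crls --verbose --all in the format shown above and flags CRLs whose next-update time has already passed, which tells you which CRLs must be re-downloaded from the CA and reinstalled before revocation checks go stale. The sample output and the time-zone offset table are constructed assumptions for this example; in practice, feed the real tadm output to stale_crls.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `tadm list-crls --config=soa --verbose --all` output,
# laid out in the format the page shows (CRL names taken from the page).
SAMPLE_LIST_CRLS = '''crl-name        next-update
---------------------------
"Class 1 Public Primary Certification Authority" "Sat Apr 15 16:59:59 PDT 2000"
"VeriSign Class 3 Code Signing 2010 CA" "Mon Aug 29 14:00:03 PDT 2011"
"VeriSign Class 3 Organizational CA" "Sun May 18 13:48:16 PDT 2014"
'''

# Assumed UTC offsets (hours) for zone abbreviations tadm may print.
# Unknown abbreviations fall back to UTC, which is close enough for a
# staleness check measured in days.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "PST": -8, "PDT": -7, "EST": -5, "EDT": -4}

# A data row is two double-quoted fields: the CRL name and its next-update.
ROW_RE = re.compile(r'^"([^"]+)"\s+"([^"]+)"\s*$')


def parse_next_update(text):
    """Turn 'Sat Apr 15 16:59:59 PDT 2000' into an aware UTC datetime."""
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unexpected next-update format: " + text)
    _dow, mon, day, hms, tz, year = parts
    naive = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    offset = timezone(timedelta(hours=TZ_OFFSETS.get(tz, 0)))
    return naive.replace(tzinfo=offset).astimezone(timezone.utc)


def parse_list_crls(output):
    """Return {crl-name: next-update (UTC)} from list-crls output,
    skipping the header and separator lines."""
    crls = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            crls[m.group(1)] = parse_next_update(m.group(2))
    return crls


def stale_crls(output, now=None, grace=timedelta(0)):
    """Names of CRLs whose next-update has passed, or will pass within
    `grace`, relative to `now` (defaults to the current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return sorted(name for name, nu in parse_list_crls(output).items()
                  if nu - grace <= now)


if __name__ == "__main__":
    for name in stale_crls(SAMPLE_LIST_CRLS):
        print("stale CRL, re-download from the CA and reinstall:", name)
```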

11.6.2 Installing CRLs Automatically

You can configure Oracle Traffic Director to periodically take downloaded CRL files from a specified directory and install them automatically by using either the administration console or the CLI.

At the specified interval, Oracle Traffic Director looks for updated CRL files in the specified directory.

  • If Oracle Traffic Director detects new CRL files, it installs them in the configuration and logs a message in the server log.

  • If existing CRL files have been changed, Oracle Traffic Director installs the updated CRL files in the configuration and logs a message in the server log.

  • If Oracle Traffic Director detects that previously installed CRL files have been removed from the directory, it deletes the CRLs from the configuration and logs a message in the server log.

  • If no changes are detected in the CRL directory, Oracle Traffic Director does not perform any update.

Configuring Oracle Traffic Director to Install CRLs Automatically Using the Administration Console

To configure Oracle Traffic Director to install CRLs automatically by using the administration console, do the following:

  1. Log in to the administration console, as described in Section 2.3.2, "Accessing the Administration Console."

  2. Click the Configurations button that is situated at the upper left corner of the page.

    A list of the available configurations is displayed.

  3. Click the name of the configuration that you want to set up to install CRLs automatically.

  4. In the navigation pane, select SSL.

    The SSL Settings page is displayed.

  5. Go to the Advanced Settings section of the page.

  6. In the Update CRL Path field, enter the absolute path to the directory that contains the updated CRL files.

  7. Click New Event.

    The New CRL Update Event dialog box is displayed.

  8. Specify the interval or time of the day at which the CRLs should be updated, and then click OK.

    • A message, confirming creation of the event, is displayed in the Console Messages pane.

    • The new event is displayed in the CRL Update Events list.

      • New events are enabled by default. To change the status, select the Enable/Disable check box.

      • To delete an event, click the Delete button.

    • In addition, the Deployment Pending message is displayed at the top of the main pane. You can either deploy the updated configuration immediately by clicking Deploy Changes, or you can do so later after making further changes as described in Section 4.3, "Deploying a Configuration."

Configuring Oracle Traffic Director to Install CRLs Automatically Using the CLI

To configure Oracle Traffic Director to install CRLs automatically, do the following:

  1. Specify the directory in which the downloaded CRLs are stored, by using the set-pkcs11-prop command.

    For example, the following command specifies /home/admin/crls as the directory in which downloaded CRLs are stored.

    tadm> set-pkcs11-prop --config=soa crl-path=/home/admin/crls
    OTD-70201 Command 'set-pkcs11-prop' ran successfully.
    
  2. Schedule an event for Oracle Traffic Director to take the downloaded CRLs from the specified directory and install them automatically, by using the create-event command.

    For example, the following command specifies that the CRLs for the configuration soa should be updated every 86400 seconds (1 day).

    tadm> create-event --config=soa --command=update-crl --interval=86400
    OTD-70201 Command 'create-event' ran successfully.
    

For the updated configuration to take effect, you should deploy it to the Oracle Traffic Director instances by using the deploy-config command.

For more information about the CLI commands mentioned in this section, see the Oracle Traffic Director Command-Line Reference or run the commands with the --help option.