Specifying the location of LDAP servers that hold certificate revocation lists (CRLs)

On a WebSphere MQ client system, you can specify the location of LDAP servers that hold certificate revocation lists (CRLs) in the following ways. They are listed in order of decreasing precedence.

  1. When a WebSphere MQ client application issues an MQCONNX call

  2. Using a client channel definition table

  3. Using Active Directory on Windows

See the relevant sections for more information about each of these ways.

The intention is that each LDAP server holds the same CRLs. The reason for configuring more than one LDAP server with CRLs is to provide higher availability. If one LDAP server is not available when it is required, a WebSphere MQ client can attempt to access another.

When a WebSphere MQ client application issues an MQCONNX call

On an MQCONNX call, the connect options structure, MQCNO, can reference an SSL configuration options structure, MQSCO. In turn, the MQSCO structure can reference one or more authentication information record structures, MQAIR. Each MQAIR structure contains all the information a WebSphere MQ client needs to access an LDAP server that holds CRLs. For example, one of the fields in an MQAIR structure is the host address or IP address of a system on which an LDAP server runs. This address can be followed by an optional port number enclosed in parentheses. The default port number is 389.

For more information about the MQAIR structure, see the WebSphere MQ Application Programming Reference.

Using a client channel definition table

On a server queue manager, you can create one or more authentication information objects. The attributes of an authentication information object contain all the information that is needed to access an LDAP server that holds CRLs. One of the attributes specifies the host address or IP address of a system on which an LDAP server runs. This address can be followed by an optional port number enclosed in parentheses. The default port number is 389.
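The following Python is an added illustration, not code from the WebSphere MQ product or from this page. It parses connection names in the host(port) form that both the MQAIR structure and the authentication information object use, applies the documented default port of 389, chooses the highest-precedence source of CRL information (MQCONNX, then client channel definition table, then Active Directory), and tries the resulting servers in order so that an unavailable LDAP server is skipped. The function names and the sample host names are assumptions.

```python
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Default LDAP port when no "(port)" suffix is given, as the page states.
DEFAULT_LDAP_PORT = 389

# Sources of CRL information in decreasing order of precedence (from the page).
PRECEDENCE = ("mqconnx", "ccdt", "active_directory")

# "host" or "host(port)"; whitespace around the parts is tolerated.
_CONN_NAME_RE = re.compile(r"^\s*([^()\s]+)\s*(?:\(\s*(\d{1,5})\s*\))?\s*$")


def parse_conn_name(conn_name: str) -> Tuple[str, int]:
    """Split a CRL LDAP connection name into (host, port), defaulting the port to 389."""
    m = _CONN_NAME_RE.match(conn_name)
    if not m:
        raise ValueError(f"malformed connection name: {conn_name!r}")
    host, port_text = m.group(1), m.group(2)
    port = int(port_text) if port_text else DEFAULT_LDAP_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {conn_name!r}: {port}")
    return host, port


def select_crl_servers(sources: Dict[str, Sequence[str]]) -> List[Tuple[str, int]]:
    """Return the parsed server list from the highest-precedence source that is non-empty."""
    for name in PRECEDENCE:
        entries = sources.get(name) or []
        if entries:
            return [parse_conn_name(e) for e in entries]
    return []


def first_available(servers: Sequence[Tuple[str, int]],
                    probe: Callable[[str, int], bool]) -> Optional[Tuple[str, int]]:
    """Try each LDAP server in order and return the first one the probe reports reachable."""
    for host, port in servers:
        if probe(host, port):
            return (host, port)
    return None


if __name__ == "__main__":
    # Constructed sample data (hypothetical host names, not from the page).
    sources = {
        "mqconnx": [],                                   # application supplied nothing
        "ccdt": ["ldap1.example.com(636)", "ldap2.example.com"],
        "active_directory": ["ldap-ad.example.com(3268)"],  # lowest precedence, ignored here
    }
    servers = select_crl_servers(sources)
    down = {("ldap1.example.com", 636)}                  # simulate an outage of the first server
    print(first_available(servers, lambda h, p: (h, p) not in down))
```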

To enable a WebSphere MQ client to access LDAP servers that hold CRLs, the attributes of one or more authentication information objects can be included in a client channel definition table. This is done in the following ways:

On the server platforms AIX, HP-UX, Linux, OS/400, Solaris, and Windows
You can create a namelist that contains the names of one or more authentication information objects. You can then set the queue manager attribute, SSLCRLNameList, to the name of this namelist. By doing this, you enable the WebSphere MQ SSL support for the queue manager to access the LDAP servers that hold CRLs.

The attributes of the authentication information objects identified by the namelist are referred to collectively here as the CRL information. When you set the queue manager attribute, SSLCRLNameList, to the name of the namelist, the CRL information is copied into the client channel definition table associated with the queue manager. If the client channel definition table can be accessed from a client system as a shared file, or if the client channel definition table is then copied to a client system, the WebSphere MQ client on that system can use the CRL information in the client channel definition table to access LDAP servers that hold CRLs.

If the CRL information of the queue manager is changed subsequently, the change is reflected in the client channel definition table associated with the queue manager. If the queue manager attribute, SSLCRLNameList, is set to blank, all the CRL information is removed from the client channel definition table. These changes are not reflected in any copy of the table on a client system.

If you require the CRL information at the client and server ends of an MQI channel to be different, and the server queue manager is the one that is used to create the CRL information, you can do the following:

  1. On the server queue manager, create the CRL information for use on the client system.

  2. Copy the client channel definition table containing the CRL information to the client system.

  3. On the server queue manager, change the CRL information to what is required at the server end of the MQI channel.

On the server platform z/OS
On z/OS, a client channel definition table is generated by the MAKECLNT parameter of the COMMAND function of the WebSphere MQ utility program, CSQUTIL. The DISPLAY CHANNEL commands in the input data set determine which client-connection channel definitions are included in the table. Likewise, the DISPLAY AUTHINFO commands in the input data set determine which authentication information objects are used to form the CRL information in the table.

The contents of a client channel definition table generated on z/OS do not depend on the value of any queue manager attributes, such as SSLCRLNameList, and cannot be updated dynamically. The only way you can change the CRL information in a client channel definition table is to generate a new table by running CSQUTIL again.

Using Active Directory on Windows

On Windows systems with Active Directory, you can use the setmqcrl control command to publish the current CRL information in Active Directory. For information about this command and its syntax, see the WebSphere MQ System Administration Guide.
