Enabling certificate validation and certificate revocation list support in native interceptors

You must modify the keystore configuration file so that Advanced Message Security can download CRLs from the Lightweight Directory Access Protocol (LDAP) server.

About this task

IBM i: Enabling certificate validation and certificate revocation list support in native interceptors is not supported for Advanced Message Security on IBM® i.

Procedure

Add the following options to the keystore configuration file:
Note: All the CRL options are optional and can be specified independently.

Option                               Description
crl.ldap.host=host_name              LDAP server host name.
crl.ldap.port=port_number            LDAP server port number.

You can specify up to 11 servers. Multiple LDAP hosts are used to ensure transparent failover in case of LDAP connection failure. It is expected that all LDAP servers are replicas and contain the same data. When the AMS interceptor successfully connects to an LDAP server, it does not attempt to download CRLs from the remaining servers provided.

crl.cdp=off                          Whether the CRLDistributionPoints extension in certificates is used to locate CRLs. With off, the extension is ignored.
crl.ldap.version=3                   LDAP protocol version number. Possible values: 2 or 3.
crl.ldap.user=cn=username            User name used to bind to the LDAP server. If this value is not specified, the CRL attributes in LDAP must be world-readable.
crl.ldap.pass=password               Password for the LDAP server. It is stored in clear text in the configuration file, so restrict the file's permissions.
crl.ldap.cache_lifetime=0            LDAP cache lifetime in seconds. Possible values: 0-86400.
crl.ldap.cache_size=50               LDAP cache size. This option can be specified only if the crl.ldap.cache_lifetime value is larger than 0.
crl.http.proxy.host=some.host.com    HTTP proxy server host name for CDP CRL retrieval.
crl.http.proxy.port=8080             HTTP proxy server port number.
crl.http.max_response_size=204800    The maximum size of CRL, in bytes, that can be retrieved from an HTTP server and accepted by IBM Global Security Kit (GSKit).
crl.http.timeout=30                  Waiting time for a server response, in seconds, after which AMS times out.
crl.http.cache_size=0                HTTP cache size, in bytes.
crl.unknown=ACCEPT                   Defines the behavior when a CRL server cannot be reached within the timeout period. Possible values:
  • ACCEPT Allows the certificate (fail-open: while the CRL server is unreachable, revoked certificates are not rejected)
  • WARN Allows the certificate and logs a warning
  • REJECT Prevents the certificate from being used and logs an error (fail-closed)
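The constraints in the table above (cache_size only with a positive cache_lifetime, proxy host and port as a pair, version 2 or 3, the fail-open default of crl.unknown) are easy to get wrong by hand. The following checker is an added example and is not IBM code: it parses the crl.* lines of a keystore.conf, applies those constraints, and flags settings that weaken revocation checking. The two embedded configurations are constructed samples with hypothetical host names and paths; the example assumes that crl.cdp accepts the value on, and, because the page does not give the syntax for listing several LDAP servers, it uses a single crl.ldap.host.

```python
"""Lint the CRL options of an IBM MQ AMS keystore.conf.

Added example, not IBM's code. Only the crl.* options described on the
page are examined; other keys (cms.*, jks.*) are ignored.
"""
from __future__ import annotations

VALID_UNKNOWN = ("ACCEPT", "WARN", "REJECT")

# Constructed sample: revocation is configured but several settings are weak.
# crl.unknown is absent, so the documented default ACCEPT (fail-open) applies.
WEAK_CONF = """\
cms.keystore=/home/alice/keys/alice
cms.certificate=alice_cert
crl.ldap.host=ldap.example.com
crl.ldap.port=389
crl.ldap.version=2
crl.ldap.user=cn=amsreader
crl.ldap.pass=secret
crl.ldap.cache_size=50
crl.http.proxy.port=8080
"""

# Constructed sample: the same stanza corrected. crl.cdp=on is an assumed value.
HARDENED_CONF = """\
cms.keystore=/home/alice/keys/alice
cms.certificate=alice_cert
crl.ldap.host=ldap.example.com
crl.ldap.port=389
crl.ldap.version=3
crl.ldap.cache_lifetime=3600
crl.ldap.cache_size=50
crl.cdp=on
crl.http.proxy.host=proxy.example.com
crl.http.proxy.port=8080
crl.http.max_response_size=204800
crl.http.timeout=30
crl.unknown=REJECT
"""


def parse_conf(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    opts: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            opts[key.strip()] = value.strip()
    return opts


def _int_or_none(value: str | None) -> int | None:
    try:
        return int(value) if value is not None else None
    except ValueError:
        return None


def lint_crl(opts: dict[str, str]) -> list[str]:
    """Return findings for the crl.* stanza; an empty list means it looks sound."""
    findings: list[str] = []
    crl = {k: v for k, v in opts.items() if k.startswith("crl.")}
    if not crl:
        return ["no crl.* options: revocation is never checked"]

    # Fail-open versus fail-closed: ACCEPT is the documented default.
    unknown = crl.get("crl.unknown", "ACCEPT").upper()
    if unknown not in VALID_UNKNOWN:
        findings.append(f"crl.unknown={unknown!r} is not one of {VALID_UNKNOWN}")
    elif unknown != "REJECT":
        findings.append(f"crl.unknown={unknown}: an unreachable CRL server lets "
                        "the certificate through (fail-open)")

    # There must be some CRL source: an LDAP host, or the CDP extension (on assumed).
    if "crl.ldap.host" not in crl and crl.get("crl.cdp", "off").lower() != "on":
        findings.append("no CRL source: neither crl.ldap.host nor crl.cdp=on is set")

    version = crl.get("crl.ldap.version")
    if version is not None and version not in ("2", "3"):
        findings.append(f"crl.ldap.version={version!r}: possible values are 2 or 3")
    elif version == "2":
        findings.append("crl.ldap.version=2: LDAPv2 is obsolete (RFC 3494); use 3")

    # cache_lifetime is 0-86400 seconds; cache_size requires a positive lifetime.
    lifetime = _int_or_none(crl.get("crl.ldap.cache_lifetime"))
    if "crl.ldap.cache_lifetime" in crl and (lifetime is None or not 0 <= lifetime <= 86400):
        findings.append("crl.ldap.cache_lifetime must be an integer in 0-86400")
    if "crl.ldap.cache_size" in crl and not (lifetime and lifetime > 0):
        findings.append("crl.ldap.cache_size is only valid when crl.ldap.cache_lifetime > 0")

    # An HTTP proxy needs both host and port.
    if ("crl.http.proxy.host" in crl) != ("crl.http.proxy.port" in crl):
        findings.append("crl.http.proxy.host and crl.http.proxy.port must be set together")

    if "crl.ldap.pass" in crl:
        findings.append("crl.ldap.pass stores the LDAP bind password in clear text; "
                        "restrict the file's permissions")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{name}]")
        for finding in lint_crl(parse_conf(conf)) or ["OK"]:
            print("  -", finding)
```

Run against a real keystore.conf by replacing the embedded strings with the file's contents; the checker reads only the crl.* keys and never contacts LDAP, so it is safe to run anywhere the file is readable.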