V9.6.0.1: Configuring Rational DOORS Web Access to support PKI certificate revocation lists
In version 9.6.0.1 and later, you can configure IBM® Rational® DOORS® Web Access to use public key infrastructure (PKI) certificate revocation lists (CRLs) for managing user access.
Before you begin
- Enable PKI support for smart card authentication for Rational DOORS and Rational DOORS Web Access. For details, see Configuring smart cards and certificates for Rational DOORS and Configuring Rational DOORS Web Access to use smart cards.
- Enable the Java Secure Socket Extension (JSSE) provider. For details, see Configuring compliance for FIPS 140-2 in Rational DOORS Web Access.
- In the Apache Tomcat server.xml file, edit the HTTPS connector to enable client authentication by setting clientAuth="true". For details, see Configuring Rational DOORS Web Access to use SSL or TLS.
About this task
A CRL is a signed data structure that contains a time-stamped list that identifies revoked certificates. Revoked certificates are no longer trusted for authentication. Typically, CRLs block access when a user's employment status or assignment changes, or when a user's certificate or the corresponding private key is compromised.
Client certificates and CRLs must meet these conditions:
- A Certificate Authority (CA) must issue the client certificate and embed extension information in it, such as the CRL distribution point (the URL of the CRL file). If the client certificate does not contain valid CRL extension details, the certificate is rejected.
- If the loaded CRL is expired (its next-update time has passed), Apache Tomcat refuses connections to the service until a current CRL is loaded.
- Apache Tomcat does not replace a loaded CRL automatically: if an older CRL file that has not yet expired is loaded, a newer CRL that lists additional revoked certificates is not loaded in its place.
- Until that new CRL is loaded, users whose certificates it lists as revoked can still access the application.
Note: Rational DOORS Web Access supports both DER (binary) and PEM (base-64) formats for CRLs. Rational DOORS only supports the DER format.
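The four conditions above, and the DER/PEM distinction, can be reproduced on a workstation with OpenSSL before touching the Tomcat startup script. The following script is an added example and is not IBM's code or part of the product: it builds a throwaway CA, issues a client certificate that carries a CRL distribution point, and then checks that certificate against a fresh CRL, an expired CRL, a CRL that lists it as revoked, and the stale CRL that predates the revocation. The CA name ("Demo CA"), the user name ("alice"), the CRL URL and all file names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not IBM's code): throwaway CA plus "openssl verify -crl_check"
# to show how a CRL-checking validator treats a client certificate.
# Assumed names: Demo CA, alice, http://pki.example.test/ca.crl, files in $WORK.
set -e

WORK=$(mktemp -d)
CRL_URL="http://pki.example.test/ca.crl"   # hypothetical distribution point

# Minimal openssl config: a CA database for "openssl ca", plus extension
# sections for the CA certificate and for client certificates.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = any_policy
[ any_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:$CRL_URL
EOF

cd "$WORK"
touch index.txt; echo 1000 > serial; echo 1000 > crlnumber

# CA certificate, then a client certificate carrying the CRL distribution point.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo CA" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
  -subj "/CN=alice" -keyout alice.key -out alice.csr 2>/dev/null
openssl ca -batch -notext -config ca.cnf -extensions client_ext \
  -in alice.csr -out alice.crt 2>/dev/null

# CRL distribution point embedded by the CA (the extension that must be present).
crl_dp() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(.*\)$/\1/p'; }

# Prints pem | der | unknown. Rational DOORS itself accepts only DER, so this
# is the check to run on a CRL file before deploying it.
crl_format() {
  if openssl crl -inform PEM -in "$1" -noout 2>/dev/null; then echo pem
  elif openssl crl -inform DER -in "$1" -noout 2>/dev/null; then echo der
  else echo unknown; fi
}

# Prints ok | revoked | expired | failed: the decision a CRL-checking
# validator reaches for certificate $1 when CRL $2 is the one loaded.
crl_status() {
  out=$(openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$2" "$1" 2>&1) \
    && { echo ok; return 0; }
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *"CRL has expired"*)     echo expired ;;
    *)                       echo failed ;;
  esac
}

gencrl() { openssl ca -batch -config ca.cnf -gencrl "$@" 2>/dev/null; }

gencrl -out crl1.pem                                  # fresh 30-day CRL, nothing revoked
openssl crl -in crl1.pem -outform DER -out crl1.der   # DER copy, the format Rational DOORS needs
gencrl -crlsec 1 -out crl_short.pem                   # CRL that expires one second after issue
sleep 2
openssl ca -batch -config ca.cnf -revoke alice.crt 2>/dev/null
gencrl -out crl2.pem                                  # new CRL that lists alice as revoked

STATUS_FRESH=$(crl_status "$WORK/alice.crt" "$WORK/crl1.pem")        # ok
STATUS_EXPIRED=$(crl_status "$WORK/alice.crt" "$WORK/crl_short.pem") # expired: connection refused
STATUS_REVOKED=$(crl_status "$WORK/alice.crt" "$WORK/crl2.pem")      # revoked
STATUS_STALE=$(crl_status "$WORK/alice.crt" "$WORK/crl1.pem")        # ok: stale CRL still lets alice in
echo "dp=$(crl_dp alice.crt) fmt=$(crl_format crl1.der) fresh=$STATUS_FRESH" \
     "expired=$STATUS_EXPIRED revoked=$STATUS_REVOKED stale=$STATUS_STALE"
```

The last result is the one to keep in mind operationally: after alice's certificate is revoked, checking against the older, still valid crl1.pem reports ok, which is exactly the window described above in which a revoked user retains access until the new CRL is actually loaded.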
Procedure
To configure Rational DOORS Web Access to support CRLs, modify the script that is used to start the Apache Tomcat server.