V9.6.0.1: Configuring Rational DOORS Web Access to support PKI certificate revocation lists

In version 9.6.0.1 and later, you can configure IBM® Rational® DOORS® Web Access to use public key infrastructure (PKI) certificate revocation lists (CRLs) for managing user access.

Before you begin

To use CRLs, administrators must configure IBM Rational DOORS and Rational DOORS Web Access to enable PKI support and encryption compliance.

About this task

A CRL is a signed data structure that contains a time-stamped list that identifies revoked certificates. Revoked certificates are no longer trusted for authentication. Typically, CRLs block access when a user's employment status or assignment changes, or when a user's certificate or the corresponding private key is compromised.

Client certificates and CRLs must meet these conditions:

  • A Certificate Authority (CA) must sign the client certificate request and embed extended information, such as the URL to the CRL file. If the client certificate does not contain valid CRL extension details, the certificate is rejected.
  • If the CRL is expired, Apache Tomcat refuses connections to the service.
  • If an older CRL file that has not yet expired is already loaded, a newer CRL that lists additional revoked certificates is not loaded.
  • If a revoked certificate is listed in a new CRL file that has not yet been loaded, users on the revocation list can still access the application.
Note: Rational DOORS Web Access supports both DER (binary) and PEM (base-64) formats for CRLs. Rational DOORS only supports the DER format.

Procedure

To configure Rational DOORS Web Access to support CRLs, modify the script that is used to start the Apache Tomcat server.

  1. Open the startup script for the Apache Tomcat server in an editor.
    • On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example, C:\Program Files\IBM\Rational\DOORS Web Access\9.version.
    • On Linux systems, the server.start.sh script file is in the Rational DOORS Web Access installation directory.
  2. Set the system properties to enable CRL support.
    • On Windows systems, add this code near the end of the file, before the cd %CATALINA_HOME%\bin entry:
      set JAVA_OPTS=%JAVA_OPTS% -Dcom.ibm.jsse2.checkRevocation=true -Dcom.ibm.security.enableCRLDP=true
    • On Linux systems, add this code before the export JAVA_OPTS entry:
      JAVA_OPTS="$JAVA_OPTS -Dcom.ibm.jsse2.checkRevocation=true -Dcom.ibm.security.enableCRLDP=true"
    Note: SSL debugging can be enabled by adding this system property:
    -Djavax.net.debug=ssl
    or
    -Djavax.net.debug=ssl,handshake
  3. Save and close the startup script file.
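
The Linux edit in step 2, as an added example that is not part of the IBM documentation: a POSIX shell script that inserts the quoted JAVA_OPTS assignment before the export JAVA_OPTS line only once, then checks that the exported value actually carries both properties. The script path is supplied by the caller and the function names are assumed, not taken from the product.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: applies step 2 of the
# procedure to a Linux server.start.sh only once, then confirms that the
# exported JAVA_OPTS really carries both CRL properties.
CRL_OPTS='-Dcom.ibm.jsse2.checkRevocation=true -Dcom.ibm.security.enableCRLDP=true'

# enable_crl_opts SCRIPT
# Inserts the JAVA_OPTS assignment before the first 'export JAVA_OPTS' line.
# Returns 0 when the options are present afterwards, 1 if the anchor is missing.
enable_crl_opts() {
  script=$1
  # Already configured: do not add a second copy.
  grep -q 'com.ibm.jsse2.checkRevocation=true' "$script" && return 0
  grep -q '^export JAVA_OPTS' "$script" || return 1
  tmp="$script.tmp.$$"
  # The assignment is double-quoted: an unquoted 'JAVA_OPTS=$JAVA_OPTS -D...'
  # would run '-Dcom...' as a command instead of extending the variable.
  awk -v opts="$CRL_OPTS" '
    !inserted && /^export JAVA_OPTS/ {
      print "JAVA_OPTS=\"$JAVA_OPTS " opts "\""
      inserted = 1
    }
    { print }
  ' "$script" > "$tmp" || { rm -f "$tmp"; return 1; }
  cat "$tmp" > "$script"   # cat instead of mv keeps the script's file mode
  rm -f "$tmp"
}

# crl_opts_effective SCRIPT
# Evaluates the lines up to and including 'export JAVA_OPTS' in a throwaway
# shell and prints the resulting JAVA_OPTS. Safe only when those lines just
# set variables; inspect a real start script before relying on this.
# Returns 0 when both CRL properties are in the value, 1 otherwise.
crl_opts_effective() {
  script=$1
  grep -q '^export JAVA_OPTS' "$script" || return 1
  value=$( { sed '/^export JAVA_OPTS/q' "$script"
             printf '%s\n' 'printf "%s" "$JAVA_OPTS"'; } | sh )
  printf '%s\n' "$value"
  case $value in
    *checkRevocation=true*enableCRLDP=true*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: sh this_script.sh /path/to/DOORS-Web-Access/server.start.sh
if [ -n "${1:-}" ]; then
  enable_crl_opts "$1" && crl_opts_effective "$1"
fi
```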

Example

For examples of how to make other edits in the startup script, see Configuring compliance for FIPS 140-2 in Rational DOORS Web Access.
