V9.6.0.1: Configuring DWA to support PKI certificate revocation lists
In version 9.6.0.1 and later, you can configure IBM® Engineering Requirements Management DOORS® - Web Access (DWA) to use public key infrastructure (PKI) certificate revocation lists (CRLs) for managing user access.
Before you begin
- Enable PKI support for smart card authentication for DOORS and DWA. For details, see Configuring smart cards and certificates for DOORS and Configuring DWA to use smart cards.
- Enable the Java Secure Socket Extension (JSSE) provider. For details, see Configuring compliance for FIPS 140-2 in DWA.
- In the Apache Tomcat server.xml file, edit the HTTPS connector to enable client authentication by setting clientAuth="true". For details, see Configuring DWA to use SSL or TLS.
About this task
A CRL is a signed data structure that contains a time-stamped list that identifies revoked certificates. Revoked certificates are no longer trusted for authentication. Typically, CRLs block access when a user's employment status or assignment changes, or when a user's certificate or the corresponding private key is compromised.
Client certificates and CRLs must meet these conditions:
- A Certificate Authority (CA) must sign the client certificate request and embed extended information, such as the URL to the CRL file. If the client certificate does not contain valid CRL extension details, the certificate is rejected.
- If the CRL has expired (its nextUpdate time has passed), Apache Tomcat refuses connections to the service.
- If an older CRL file that has not yet expired is already loaded, a newer CRL that lists additional revoked certificates is not loaded.
- If a revoked certificate is listed only in a new CRL file that has not yet been loaded, users on that revocation list can still access the application.
Note: DWA supports both DER (binary) and PEM (base-64) formats for CRLs. DOORS only supports the DER format.
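The loading rules and the two CRL encodings above, as an added Python example that is not part of the IBM documentation or of DWA: a minimal DER walker reads thisUpdate, nextUpdate and the revoked serial numbers from a DER or PEM CRL, and `check_crl` then applies the expiry, stale-file and revocation checks to a client certificate serial. The CRL it parses is constructed inline with a dummy signature, nextUpdate is assumed to be present, and the CRL signature is not verified.

```python
import base64, re
from datetime import datetime, timezone

def _tlv(buf, pos=0):  # read one DER tag-length-value at pos -> (tag, value, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value):  # yield the (tag, value) children of a constructed DER value
    pos = 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        yield tag, val
def _time(tag, val):  # 0x17 = UTCTime (YYMMDD...), 0x18 = GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl(raw):
    """Return (thisUpdate, nextUpdate, set of revoked serials) from a DER or PEM CRL."""
    if raw.lstrip().startswith(b"-----BEGIN"):  # PEM: strip armour lines, base64-decode
        raw = base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", raw))
    fields = list(_children(next(_children(_tlv(raw)[1]))[1]))  # CertificateList -> TBSCertList
    fields = fields[3 if fields[0][0] == 0x02 else 2:]  # drop optional version, sig alg, issuer
    this_update, next_update = _time(*fields[0]), _time(*fields[1])  # nextUpdate assumed present
    revoked = {int.from_bytes(next(_children(entry))[1], "big")  # first child of an entry = serial
               for tag, val in fields[2:] if tag == 0x30 for _, entry in _children(val)}
    return this_update, next_update, revoked

def check_crl(crl, loaded_this_update, serial, now):  # expired -> refuse; older -> ignored; listed -> revoked
    this_update, next_update, revoked = parse_crl(crl)
    if now >= next_update:
        return "expired"  # Tomcat refuses connections to the service
    if loaded_this_update is not None and this_update <= loaded_this_update:
        return "stale"  # the file is not loaded, so its new revocations never take effect
    return "revoked" if serial in revoked else "ok"
# Constructed sample CRL (issuer "Test CA", dummy signature) so the block runs offline.
_der = lambda tag, body: bytes([tag, len(body)] if len(body) < 0x80 else [tag, 0x81, len(body)]) + body
_utc = lambda s: _der(0x17, s.encode())
_alg = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))  # sha256WithRSA
_issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Test CA"))))
_revoked = _der(0x30, _der(0x30, _der(0x02, b"\x10\x01") + _utc("240115000000Z"))  # serial 0x1001
                + _der(0x30, _der(0x02, b"\x2A") + _utc("240115000000Z")))  # serial 42
_tbs = _der(0x30, _der(0x02, b"\x01") + _alg + _issuer + _utc("240101000000Z") + _utc("240201000000Z") + _revoked)
SAMPLE_CRL = _der(0x30, _tbs + _alg + _der(0x03, b"\x00\xFF"))
SAMPLE_CRL_PEM = b"-----BEGIN X509 CRL-----\n" + base64.b64encode(SAMPLE_CRL) + b"\n-----END X509 CRL-----\n"

def demo(now=datetime(2024, 1, 20, tzinfo=timezone.utc), later=datetime(2024, 2, 9, tzinfo=timezone.utc)):
    return (check_crl(SAMPLE_CRL, None, 0x1001, now), check_crl(SAMPLE_CRL_PEM, None, 7, now),  # revoked, ok
            check_crl(SAMPLE_CRL, None, 42, later), check_crl(SAMPLE_CRL, now, 42, now))  # expired, stale
```

Run `check_crl` against the CRL file you are about to load, with the thisUpdate of the file Tomcat currently holds, before restarting the server; a "stale" or "expired" verdict reproduces the two failure modes listed above.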
Procedure
To configure DWA to support CRLs, modify the script that is used to start the Apache Tomcat server.