<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Validation" />
<meta name="abstract" content="Digital Certificate Manager (DCM) provides tasks that allow you to validate a certificate or to validate an application to verify various properties that they each must have." />
<meta name="description" content="Digital Certificate Manager (DCM) provides tasks that allow you to validate a certificate or to validate an application to verify various properties that they each must have." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahu4abunderstanddc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahuvalidatecertsapps.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="validation_concept" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Validation</title>
</head>
<body id="validation_concept"><a name="validation_concept"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Validation</h1>
<div><p>Digital Certificate Manager (DCM) provides tasks that allow you to validate a certificate or to validate an application to verify various properties that they each must have.</p>
<div class="section"><h4 class="sectiontitle">Certificate validation</h4><p>When you validate a certificate,
|
||
|
Digital Certificate Manager (DCM) verifies a number of items pertaining to
|
||
|
the certificate to ensure the authenticity and validity of the certificate.
|
||
|
Validating a certificate ensures that applications that use the certificate
|
||
|
for secure communications or for signing objects are unlikely to encounter
|
||
|
problems when using the certificate.</p>
|
||
|
<p>As part of the validation process,
|
||
|
DCM checks that the selected certificate is not expired. DCM also checks that
|
||
|
the certificate is not listed in a Certificate Revocation List (CRL) as revoked,
|
||
|
if a CRL location exists for the CA that issued the certificate.</p>
|
||
|
<p><img src="./delta.gif" alt="Start of change" />If
|
||
|
you configure Lightweight Directory Access Protocol (LDAP) mapping to use
|
||
|
a CRL, DCM checks the CRL when validating the certificate to make sure the
|
||
|
certificate is not listed in the CRL. However, for the validation process
|
||
|
to accurately check the CRL, the directory server (LDAP server) configured
|
||
|
for LDAP mapping must contain the appropriate CRL. Otherwise, the certificate
|
||
|
will not validate correctly. You must provide a binding DN and password to
|
||
|
avoid having a certificate validate with a revoked status. Also, if you do
|
||
|
not specify a DN and password when you configure LDAP mapping you will be
|
||
|
binding anonymously to the LDAP server. An anonymous bind to an LDAP server
|
||
|
does not provide the level of authority needed to access "critical” attributes,
|
||
|
and the CRL is a “critical” attribute. In such a case, DCM may validate a
|
||
|
certificate with a revoked status because DCM is unable to obtain the correct
|
||
|
status from the CRL. If you want to access the LDAP server anonymously, you
|
||
|
need to use the Directory Server Web Administration Tool and select the "Manage
|
||
|
schema" task to change the security class (also referred to as "access class")
|
||
|
of the <span class="uicontrol">certificateRevocationList</span> and <span class="uicontrol">authorityRevocationList</span> attributes
|
||
|
from "critical" to "normal".<img src="./deltaend.gif" alt="End of change" /></p>
|
||
|
<p> DCM also checks that the CA certificate
|
||
|
for the issuing CA is in the current certificate store and that the CA certificate
|
||
|
is marked as trusted. If the certificate has a private key (for example, server
|
||
|
and client or object signing certificates), then DCM also validates the public-private
|
||
|
key pair to ensure that the public-private key pair match. In other words,
|
||
|
DCM encrypts data with the public key and then ensures that the data can be
|
||
|
decrypted with the private key. </p>
|
||
|
</div>
|
||
|
<div class="section"><h4 class="sectiontitle">Application validation</h4><p>When you validate an application,
|
||
|
Digital Certificate Manager (DCM) verifies that there is a certificate assignment
|
||
|
for the application and ensures that the assigned certificate is valid. Additionally,
|
||
|
DCM ensures that if the application is configured to use a Certificate Authority
|
||
|
(CA) trust list, that the trust list contains at least one CA certificate.
|
||
|
DCM then verifies that the CA certificates in the application CA trust list
|
||
|
are valid. Also, if the application definition specifies that Certificate
|
||
|
Revocation List (CRL) processing occur and there is a defined CRL location
|
||
|
for the CA, DCM checks the CRL as part of the validation process. </p>
|
||
|
<p>Validating
|
||
|
an application can help alert you to potential problems that an application
|
||
|
might have when it is performing a function that requires certificates. Such
|
||
|
problems might prevent an application either from participating successfully
|
||
|
in a Secure Sockets Layer (SSL) session or from signing objects successfully.
|
||
|
</p>
|
||
|
</div>
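<p>The checks listed under Certificate validation and Application validation above, written out as a runnable example. This is an added illustration and is not code from this page or from DCM: it uses only the Go standard library (Go 1.19 or later, for <code>x509.ParseRevocationList</code>), and the type and function names <code>Application</code>, <code>ValidateCertificate</code>, <code>ValidateApplication</code> and <code>BuildTestPKI</code>, the field names, the sample CA and certificate subjects, and the generated fixture PKI are all hypothetical. The certificate store is modelled as an <code>x509.CertPool</code> that holds only the CA certificates marked trusted, and a <code>nil</code> CRL stands for "no CRL location exists for the issuing CA". Two points go beyond the text: the key-pair check compares the public key derived from the private key with the certificate's public key, which gives the same answer as the encrypt-then-decrypt round trip the text describes; and a CRL whose signature does not verify against the issuing CA is treated as a validation failure rather than as "no CRL", the safer reading of the warning above that a CRL DCM cannot read correctly may let a revoked certificate validate.</p>

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Application is a hypothetical model of a DCM application definition (not DCM's own data format).
type Application struct {
	Name                 string
	Assigned             *x509.Certificate   // nil: no certificate assignment
	AssignedKey          *rsa.PrivateKey     // held for server, client and object signing certificates
	UseTrustList, UseCRL bool                // configured to use a CA trust list / to do CRL processing
	CATrustList          []*x509.Certificate // the application's CA trust list
}

// ValidateCertificate runs the per-certificate checks: validity period; a chain to a CA that is in
// the store and marked trusted (store holds only such CAs); CRL status when a CRL location exists
// for the issuer (crl == nil otherwise); and, if the private key is held, that it matches the public key.
func ValidateCertificate(cert *x509.Certificate, key *rsa.PrivateKey, store *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("%q is outside its validity period", cert.Subject.CommonName)
	}
	chains, err := cert.Verify(x509.VerifyOptions{Roots: store, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("issuing CA not in store or not trusted: %w", err)
	}
	if crl != nil {
		issuer := chains[0][0] // a root certificate is its own issuer
		if len(chains[0]) > 1 {
			issuer = chains[0][1]
		}
		if err := crl.CheckSignatureFrom(issuer); err != nil { // a CRL the issuer did not sign proves nothing
			return fmt.Errorf("CRL not signed by the issuing CA: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("%q is listed as revoked", cert.Subject.CommonName)
			}
		}
	}
	if key != nil && !key.PublicKey.Equal(cert.PublicKey) { // key-pair check by direct public key comparison
		return fmt.Errorf("%q: public-private key pair does not match", cert.Subject.CommonName)
	}
	return nil
}

// ValidateApplication runs the application-level checks: a certificate is assigned and valid; a CA
// trust list, if used, holds at least one CA certificate and each one is valid; CRL only if requested.
func ValidateApplication(app Application, store *x509.CertPool, crl *x509.RevocationList, now time.Time) error {
	if app.Assigned == nil {
		return fmt.Errorf("%q has no certificate assignment", app.Name)
	}
	if !app.UseCRL { // the application definition does not ask for CRL processing
		crl = nil
	}
	if err := ValidateCertificate(app.Assigned, app.AssignedKey, store, crl, now); err != nil {
		return fmt.Errorf("%q: assigned certificate: %w", app.Name, err)
	}
	if app.UseTrustList && len(app.CATrustList) == 0 {
		return fmt.Errorf("%q: CA trust list is empty", app.Name)
	}
	for _, ca := range app.CATrustList {
		if err := ValidateCertificate(ca, nil, store, crl, now); err != nil {
			return fmt.Errorf("%q: trust list CA: %w", app.Name, err)
		}
	}
	return nil
}

// BuildTestPKI constructs the in-memory sample CA, leaf certificate and CRL used by the example;
// revokeLeaf lists the leaf on the CRL. Fixture only: creation errors are ignored, the templates are fixed.
func BuildTestPKI(now time.Time, revokeLeaf bool) (*x509.Certificate, *x509.Certificate, *rsa.PrivateKey, *x509.RevocationList) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Sample Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "app.sample.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageKeyEncipherment}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(24 * time.Hour)}
	if revokeLeaf {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	crl, _ := x509.ParseRevocationList(crlDER)
	return ca, leaf, leafKey, crl
}
```

<p>Each function returns an error naming the first check that failed. The order differs slightly from the text in one place: the chain check runs before the CRL check because the CRL signature is verified against the issuing CA that the chain check finds. To use it, build the store with <code>x509.NewCertPool()</code> and <code>AddCert</code> for each CA certificate marked trusted, then call <code>ValidateApplication</code> with <code>UseCRL</code> set to whether the application definition asks for CRL processing; <code>BuildTestPKI</code> exists only so the example runs offline against a freshly generated CA, leaf certificate and CRL.</p>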
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahu4abunderstanddc.htm" title="View this information to better understand what digital certificates are and how they work. Learn about the different types of certificates and how you can use them as part of your security policy.">DCM concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahurzahuvalidatecertsapps.htm" title="You can use Digital Certificate Manager (DCM) to validate individual certificates or the applications that use them. The list of things that DCM checks differs slightly depending on whether you are validating a certificate or an application.">Validate certificates and applications</a></div>
</div>
</div>
</body>
</html>