<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Manage CRL locations" />
<meta name="abstract" content="Digital Certificate Manager (DCM) allows you to define and manage Certificate Revocation List (CRL) location information for a specific Certificate Authority (CA) to use as part of the certificate validation process." />
<meta name="description" content="Digital Certificate Manager (DCM) allows you to define and manage Certificate Revocation List (CRL) location information for a specific Certificate Authority (CA) to use as part of the certificate validation process." />
<meta name="DC.Relation" scheme="URI" content="rzahurzahumanagedcm.htm" />
<meta name="DC.Relation" scheme="URI" content="rzahurzahucertrevlist.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahy/rzahyrzahywelpo.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahy/rzahyess-pi.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzahucrl2_manage_crls" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Manage CRL locations</title>
</head>
<body id="rzahucrl2_manage_crls"><a name="rzahucrl2_manage_crls"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Manage CRL locations</h1>
<div><p>Digital Certificate Manager (DCM) allows you to define and manage
Certificate Revocation List (CRL) location information for a specific Certificate
Authority (CA) to use as part of the certificate validation process.</p>
<div class="section"> <p> DCM, or an application that requires CRL processing, can use
the CRL to determine that the CA that issued a specific certificate has not
revoked the certificate. When you define a CRL location for a specific CA,
applications that support the use of certificates for client authentication
can access the CRL. </p>
<p>Applications that support the use of certificates
for client authentication can perform CRL processing to ensure more stringent
authentication for certificates that they accept as valid proof of identity.
Before an application can use a defined CRL as part of the certificate validation
process, the DCM application definition must require that the application
perform CRL processing. </p>
<p><span class="uicontrol">How CRL processing works</span></p>
<p>When
you use DCM to validate a certificate or application, DCM performs CRL processing
by default as part of the validation process. If there is no CRL location
defined for the CA that issued the certificate that you are validating, DCM
cannot perform CRL checking. However, DCM can attempt to validate other important
information about the certificate, such as that the CA signature on the specific
certificate is valid and that the CA that issued it is trusted. </p>
<p><span class="uicontrol">Define
a CRL location</span></p>
<p>To define a CRL location for a specific CA,
follow these steps: </p>
</div>
<ol><li class="stepexpand"><span><a href="rzahurzahu66adcmstart.htm#rzahu66a-dcm_start">Start
DCM</a>. </span></li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage CRL Locations</span> to
display a list of tasks.</span> <div class="note"><span class="notetitle">Note:</span> If you have questions about how
to complete a specific form in this guided task, select the question mark
(<span class="uicontrol">?</span>) at the top of the page to access the online help. </div>
</li>
<li class="stepexpand"><span>Select <span class="uicontrol">Add CRL location</span> from the task list
to display a form that you can use to describe the CRL location and how DCM
or the application will access the location.</span></li>
<li class="stepexpand"><span>Complete the form and click <span class="uicontrol">OK</span>. You must
give the CRL location a unique name, identify the LDAP server that hosts the
CRL, and provide connection information that describes how to access the LDAP
server. Next, associate the CRL location definition with a specific
CA.</span></li>
<li class="stepexpand"><span>In the navigation frame, select <span class="uicontrol">Manage Certificates</span> to
display a list of tasks.</span></li>
<li class="stepexpand"><span>Select <span class="uicontrol">Update CRL location assignment</span> from
the task list to display a list of CA certificates.</span></li>
<li class="stepexpand"><span>Select the CA certificate from the list to which you want to assign
the CRL location definition that you created and click <span class="uicontrol">Update CRL
Location Assignment</span>. A list of CRL locations displays.</span></li>
<li class="stepexpand"><span>Select the CRL location from the list that you want to associate
with the CA and click <span class="uicontrol">Update Assignment</span>. A message
displays at the top of the page to indicate that the CRL location has been
assigned to the Certificate Authority (CA) certificate.</span></li>
</ol>
<div class="section"> <div class="note"><span class="notetitle">Note:</span> <img src="./delta.gif" alt="Start of change" />To anonymously bind to an LDAP server
for CRL processing, you must use the Directory Server Web Administration Tool
and select the "Manage schema" task to change the security class (also referred
to as "access class") of the certificateRevocationList and authorityRevocationList
attributes from "critical" to "normal", and leave both the <span class="uicontrol">Login
distinguished name</span> field and the <span class="uicontrol">Password</span> field
blank. <img src="./deltaend.gif" alt="End of change" /></div>
<p>Once you have defined a CRL location for a specific CA, DCM
or other applications can use it when performing CRL processing. However,
before CRL processing can work, the Directory Services server must contain
the appropriate CRL. Also, you must configure both the Directory Server (LDAP)
and client applications to use SSL, and <a href="rzahumngsyscertapp.htm#mng_sys_cert_app">assign
a certificate to the applications in DCM</a>. </p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzahurzahumanagedcm.htm" title="Use this information to learn how to use DCM to manage your certificates and the applications that use them. Also, you can learn about how to digitally sign objects and how to create and operate your own Certificate Authority.">Manage DCM</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzahurzahucertrevlist.htm" title="A Certificate Revocation List (CRL) is a file that lists all invalid and revoked certificates for a specific Certificate Authority (CA).">Certificate Revocation List (CRL) Locations</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahy/rzahyrzahywelpo.htm">IBM Directory Server for iSeries (LDAP)</a></div>
<div><a href="../rzahy/rzahyess-pi.htm">Enable SSL on the Directory Server</a></div>
</div>
</div>
</body>
</html>