SSLCERTSTORES object property
Use SSLCERTSTORES to specify a list of LDAP servers to use for certificate revocation list (CRL) checking.
ALTER CF(my.cf) SSLCRL(ldap://crl1.ibm.com)
ALTER CF(my.cf) SSLCRL(ldap://crl1.ibm.com ldap://crl2.ibm.com)
When multiple LDAP servers are specified, JMS tries each one in turn until it finds a server with which it can successfully verify the queue manager's certificate. Each server must contain identical information.
A string in this format can be supplied by an application on the MQConnectionFactory.setSSLCertStores() method. Alternatively, the application can create one or more java.security.cert.CertStore objects, place these in a suitable Collection object, and supply this Collection object to the setSSLCertStores() method. In this way, the application can customize CRL checking. See your JSSE documentation for details on constructing and using CertStore objects.
1. The first CertStore object in the Collection identified by sslCertStores is used to identify a CRL server.
2. An attempt is made to contact the CRL server.
3. If the attempt is successful, the server is searched for a match for the certificate.
4. If the certificate is found to be revoked, the search process is over and the connection request fails with reason code MQRC_SSL_CERTIFICATE_REVOKED.
5. If the certificate is not found, the search process is over and the connection is allowed to proceed.
6. If the attempt to contact the server is unsuccessful, the next CertStore object is used to identify a CRL server and the process repeats from step 2.
   If this was the last CertStore in the Collection, or if the Collection contains no CertStore objects, the search process has failed and the connection request fails with reason code MQRC_SSL_CERT_STORE_ERROR.
If your application uses setSSLCertStores() to set a Collection of CertStore objects, the MQConnectionFactory can no longer be bound into a JNDI namespace. Attempting to do so causes an exception. If the sslCertStores property is not set, no revocation checking is performed on the certificate provided by the queue manager. This property is ignored if no CipherSuite is set.
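The following Java example is added here to illustrate both ways of supplying the property described above and the documented search order; it is not IBM MQ's own code. It assumes an MQ classes for JMS client on the classpath (com.ibm.mq.jms.MQConnectionFactory), the standard JSSE "LDAP" CertStore type, and a placeholder CipherSuite name; the ldap:// URLs are the ones shown on this page, and the helper names (ldapStores, checkRevocation, Outcome) are the example's own.

```java
import com.ibm.mq.jms.MQConnectionFactory;
import java.net.URI;
import java.security.cert.CRL;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.LDAPCertStoreParameters;
import java.security.cert.X509CRLSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

public class CrlStoreExample {

    /**
     * Build one JSSE "LDAP" CertStore per URL in an SSLCRL-style string
     * ("ldap://host[:port] ldap://host[:port] ..."); port defaults to 389.
     * Order is preserved because the search below tries stores in turn.
     */
    public static List<CertStore> ldapStores(String urls) throws Exception {
        List<CertStore> stores = new ArrayList<>();
        for (String u : urls.trim().split("\\s+")) {
            URI uri = new URI(u);
            int port = uri.getPort() == -1 ? 389 : uri.getPort();
            stores.add(CertStore.getInstance("LDAP",
                    new LDAPCertStoreParameters(uri.getHost(), port)));
        }
        return stores;
    }

    /** Outcomes corresponding to the three end states of the documented search. */
    public enum Outcome { ALLOWED, REVOKED, STORE_ERROR }

    /**
     * Illustrative re-implementation of the search order described on this page
     * (assumption: it models, not reproduces, the JMS client's internal logic).
     * The first CRL server that can be contacted decides; an unreachable server
     * is skipped; if none can be contacted the result is STORE_ERROR, which the
     * client reports as MQRC_SSL_CERT_STORE_ERROR.
     */
    public static Outcome checkRevocation(X509Certificate cert,
                                          Collection<CertStore> stores) {
        X509CRLSelector sel = new X509CRLSelector();
        sel.setCertificateChecking(cert);        // only CRLs from the cert's issuer
        for (CertStore cs : stores) {            // step 1: next CertStore in the Collection
            Collection<? extends CRL> crls;
            try {
                crls = cs.getCRLs(sel);          // step 2: contact the CRL server
            } catch (CertStoreException e) {
                continue;                        // step 6: unreachable, try the next store
            }
            for (CRL crl : crls) {               // step 3: search for a match
                if (crl.isRevoked(cert)) {
                    return Outcome.REVOKED;      // step 4: MQRC_SSL_CERTIFICATE_REVOKED
                }
            }
            return Outcome.ALLOWED;              // step 5: contacted, not listed as revoked
        }
        return Outcome.STORE_ERROR;              // no store reachable, or Collection empty
    }

    public static void main(String[] args) throws Exception {
        MQConnectionFactory cf = new MQConnectionFactory();
        // The property is ignored unless a CipherSuite is set (name is a placeholder).
        cf.setSSLCipherSuite("TLS_CIPHERSUITE_PLACEHOLDER");

        // Option 1: the string form, identical to the SSLCRL value used with ALTER CF.
        cf.setSSLCertStores("ldap://crl1.ibm.com ldap://crl2.ibm.com");

        // Option 2: an explicit Collection of CertStore objects for customized checking.
        // Note: after this call the factory can no longer be bound into JNDI.
        Collection<CertStore> stores =
                ldapStores("ldap://crl1.ibm.com ldap://crl2.ibm.com");
        cf.setSSLCertStores(stores);
    }
}
```

Because the client stops at the first server it can reach, the CRL servers really must hold identical data: a stale or partial mirror reached first would silently produce a different answer from a current one listed later.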