In version 9.6.0.1 and later, you can configure IBM® Rational® DOORS® Web Access to use public key infrastructure (PKI) certificate revocation lists (CRLs) for managing user access.
Before you begin
To use CRLs, administrators must configure IBM Rational DOORS and Rational DOORS Web Access to enable PKI support and encryption compliance.
About this task
A CRL is a signed data structure that contains a time-stamped list that identifies
revoked certificates. Revoked certificates are no longer trusted for authentication.
Typically, CRLs block access when a user's employment status or assignment changes,
or when a user's certificate or the corresponding private key is compromised.
Client certificates and CRLs must meet these conditions:
- A Certificate Authority (CA) must sign the client certificate request and embed
extended information, such as the URL to the CRL file. If the client certificate
does not contain valid CRL extension details, the certificate is rejected.
- If the CRL is expired, Apache Tomcat refuses connections to the service.
- If an older CRL file that has not expired is loaded, the new CRL with revoked
certificates is not loaded.
- If a revoked certificate is listed in a new CRL file that has not yet been
loaded, users on the revocation list can still access the application.
Note: Rational DOORS Web Access supports both DER (binary) and PEM (base-64) formats for
CRLs. Rational DOORS only supports the DER format.
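The conditions above can be checked before a CRL file is handed to Tomcat. The following is an added example, not part of this IBM documentation or of the product: a stand-alone Python script with a minimal DER decoder that reads a CRL in DER or PEM form, extracts thisUpdate, nextUpdate and the revoked serial numbers, and reports whether the CRL is expired, not newer than the CRL already loaded, or lists a given serial. The `sample_crl` builder, the `Test CA` issuer and the serial numbers are constructed test values; the CRL signature is not verified, and ordering CRLs by their thisUpdate field is an assumption of the example.

```python
import base64, re
from datetime import datetime, timezone

def der(tag, body):                       # minimal DER encoder (short and long-form lengths)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")) + body

def _tlv(d, p=0):                         # decode one TLV at offset p -> (tag, value, next offset)
    tag, n, p = d[p], d[p + 1], p + 2
    if n & 0x80:                          # long-form length: low 7 bits give the number of length bytes
        n, p = int.from_bytes(d[p:p + (n & 0x7F)], "big"), p + (n & 0x7F)
    return tag, d[p:p + n], p + n

def _seq(body):                           # every (tag, value) inside a constructed body
    out, p = [], 0
    while p < len(body):
        tag, val, p = _tlv(body, p)
        out.append((tag, val))
    return out

def _time(tag, val):                      # UTCTime (0x17) or GeneralizedTime (0x18) -> aware UTC datetime
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(blob):                      # DER or PEM CRL -> thisUpdate, nextUpdate, revoked serial numbers
    if b"-----BEGIN" in blob:             # PEM: strip the armour and base64-decode to DER
        blob = base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", blob))
    f = _seq(_tlv(_tlv(blob)[1])[1])      # fields of TBSCertList, the first element of CertificateList
    if f[0][0] == 0x02:                   # optional version INTEGER
        f = f[1:]
    this_upd, nxt, i = _time(*f[2]), None, 3   # f[0]=signature, f[1]=issuer, f[2]=thisUpdate
    if i < len(f) and f[i][0] in (0x17, 0x18):
        nxt, i = _time(*f[i]), i + 1
    entries = _seq(f[i][1]) if i < len(f) and f[i][0] == 0x30 else []   # optional revokedCertificates
    revoked = [int.from_bytes(_seq(e)[0][1], "big") for _, e in entries]  # first field of each entry: serial
    return {"this_update": this_upd, "next_update": nxt, "revoked": revoked}

def crl_status(crl, serial, now, loaded=None):   # expired CRL, CRL not newer than the loaded one, revoked serial
    if crl["next_update"] and crl["next_update"] <= now:
        return "expired"                  # Tomcat refuses connections with an expired CRL
    if loaded and crl["this_update"] <= loaded["this_update"]:
        return "stale"                    # assumption: ordered by thisUpdate; an older file will not replace the loaded CRL
    return "revoked" if serial in crl["revoked"] else "valid"

def sample_crl(this, nxt, serials):       # constructed, unsigned test CRL with a dummy signature (serials < 0x8000)
    utc = lambda s: der(0x17, s.encode())
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSAEncryption
    issuer = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"Test CA"))))  # CN=Test CA (constructed)
    revoked = der(0x30, b"".join(der(0x30, der(0x02, s.to_bytes(2, "big")) + utc(this)) for s in serials)) if serials else b""
    tbs = der(0x30, der(0x02, b"\x01") + alg + issuer + utc(this) + utc(nxt) + revoked)
    return der(0x30, tbs + alg + der(0x03, b"\x00\x00"))
```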
Procedure
To configure Rational DOORS Web Access to support CRLs, modify the script that
is used to start the Apache Tomcat server.
- Open the startup script for the Apache Tomcat server in an editor.
  - On Windows systems, the server.start.bat script file is in the Rational DOORS Web Access installation directory; for example, C:\Program Files\IBM\Rational\DOORS Web Access\9.version.
  - On Linux systems, the server.start.sh script file is in the Rational DOORS Web Access installation directory.
- Set the system properties to enable CRL support.
Note: To enable SSL debugging, add one of these system properties:
-Djavax.net.debug=ssl
or
-Djavax.net.debug=ssl,handshake
- Save and close the startup script file.