With the AS Java, you can use certificate revocation lists (CRLs) to make sure that a given certificate has not been revoked by the issuing Certificate Authority (CA).
Certificate revocation checking is available for the following use cases:
- Checking user certificates: the check is integrated into the login module ClientCertLoginModule. If the user's certificate has been revoked, the user is denied access to the server.
- Checking server certificates: the check is performed by the HTTPS Connection Factory. If the target server's certificate has been revoked, the connection is not established.
To verify whether a certificate has been revoked, the AS Java uses the Certificate Revocation Check service. For each use case, the service maintains a certificate revocation profile that contains the information needed to perform the check, for example, the name of the certificate issuer (CA) and its CRL distribution point. For checking user certificates, the service uses the profile named ClientCertLoginModule, and for checking server certificates, it uses the profile named SSLClientLib.
By default, the service is called for each of these use cases; however, the corresponding profiles are deactivated. Therefore, to check for revoked certificates, you must activate the corresponding profile.
For more information about how the Certificate Revocation Check service works, see How the Certificate Revocation Check Service Works.
By default, the CRL distribution point specified in the certificate is used to locate the CRL. This location is determined by the issuing CA and is normally located at the CA's site.
The distribution point may be located behind a proxy server; therefore, make sure the AS Java can connect to it.
As an alternative, you can download the CRL from the distribution point and save it to a local file. In this case, you must make sure you keep the local file up-to-date, because a stale CRL no longer reflects certificates revoked after its last update.
You can find the Certificate Revocation Check Management in the SAP NetWeaver Administrator under SAP NetWeaver Administrator → Configuration Management → Security → Certificates and Keys.
As an alternative, you can start the Certificate Revocation Check Management application directly using the URL:
http://<host>:<port>/webdynpro/dispatcher/sap.com/tc~sec~certrevc~ui/LocalServiceApp
Under Configuration → Profiles:
In either case, the check returns an error if the certificate has been revoked.
The certificate issuers contained in the profile are displayed in the lower section of the screen.
For each certificate issuer, you can:
- Activate or deactivate the entry. If you deactivate an entry, no revocation check is performed for certificates issued by this CA.
- Enter an alternative distribution point if you want to override the distribution point contained in the certificate being checked.
The following shows an example of the Certificate Revocation Check configuration.

List of Profiles

| Active | Profile Name | Error Behavior | Issuers |
|---|---|---|---|
| Active | ClientCertLoginModule | Error | 1 |
| Inactive | SSLClientLib | Continue | 1 |

Certificate Issuers for the Selected Profile (ClientCertLoginModule)

| Active | Certificate Issuer | Alternative Distribution Point |
|---|---|---|
| Active | CN=ExampleCA, O=ExampleCompany, C=DE | file:///C:/LocalCRLs/ExampleCA.crl |
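The local-file alternative distribution point shown above only works if the copy is kept current. The following script is an added example, not SAP tooling: it validates a local CRL file (signature against the issuing CA certificate, issuer name, and nextUpdate still in the future) and refreshes it from the CA's distribution point only when the downloaded CRL passes those checks. It assumes openssl, curl and GNU date on the host; the CA and CRL it builds for the demonstration are constructed locally so it runs offline.

```shell
#!/bin/sh
# Added example: keep a local CRL copy (such as ExampleCA.crl) valid for AS Java.
set -eu

# Validate a CRL file against the CA certificate the profile names as issuer.
check_crl() {
    crl=$1; ca=$2
    openssl crl -in "$crl" -noout -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "signature check failed"; return 1; }
    issuer=$(openssl crl -in "$crl" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    [ "$issuer" = "$subject" ] || { echo "issuer mismatch: $issuer"; return 1; }
    # A CRL past nextUpdate is the stale-local-copy problem the documentation warns about.
    next=$(openssl crl -in "$crl" -noout -nextupdate | sed 's/^nextUpdate=//')
    [ "$(date -u -d "$next" +%s)" -gt "$(date -u +%s)" ] || { echo "CRL expired: $next"; return 1; }
    return 0
}

# Download from the distribution point and replace the local copy only if it is valid,
# so a failed or tampered download never overwrites a working file.
refresh_crl() {
    url=$1; dest=$2; ca=$3
    tmp=$(mktemp)
    curl -fsSL "$url" -o "$tmp" && check_crl "$tmp" "$ca" && mv "$tmp" "$dest"
}

# Constructed demo material: a throwaway CA with the issuer name from the example
# profile, and a CRL it signs, so check_crl can be exercised without network access.
make_demo_crl() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=ExampleCA/O=ExampleCompany/C=DE" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    printf '[ca]\ndefault_ca = demo\n[demo]\ndatabase = %s/index.txt\ncertificate = %s/ca.crt\n' \
        "$dir" "$dir" > "$dir/ca.cnf"
    printf 'private_key = %s/ca.key\ndefault_md = sha256\ndefault_crl_days = 7\n' "$dir" >> "$dir/ca.cnf"
    : > "$dir/index.txt"
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ExampleCA.crl" 2>/dev/null
}

DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_demo_crl "$DEMO"
check_crl "$DEMO/ExampleCA.crl" "$DEMO/ca.crt" && echo "local CRL copy is usable"
```

In production, replace the demo setup with a scheduled call such as `refresh_crl "<CA CRL URL>" /path/to/ExampleCA.crl /path/to/ca.crt` (placeholders) run more often than the CA's CRL validity period.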
Certificates used for the corresponding use case are checked when the SSL connection is established. If the certificate has been revoked by the issuing CA, an error occurs.
In addition to activating the profiles, you can configure additional settings or perform optional tasks. See the following: