
Enabling Certificate Revocation

Use

With the AS Java, you can use certificate revocation lists (CRLs) to make sure that a given certificate has not been revoked by the issuing Certificate Authority (CA).

Certificate revocation is available for the following use cases:

  • User authentication using the Secure Sockets Layer (SSL) protocol and X.509 client certificates.

    In this case, the check is integrated into the login module ClientCertLoginModule. If the user's certificate has been revoked, the user is denied access to the server.

  • Outgoing connections to other servers that use HTTPS, if the HTTPS Connection Factory is used to establish the connection, for example, connections that use the Destination service.

    In this case, the check is performed by the HTTPS Connection Factory. If the target server's certificate has been revoked, the connection is not established.

To verify whether a certificate has been revoked, the AS Java uses the Certificate Revocation Check service. For each use case, the service maintains a certificate revocation profile that contains the information needed to perform the check, for example, the name of the certificate issuer (CA) and its CRL distribution point. For checking user certificates, the service uses the profile named ClientCertLoginModule, and for checking server certificates, it uses the profile named SSLClientLib.

By default, the service is called for each of these use cases, but both profiles are deactivated, so no revocation check takes place. To check for revoked certificates, you must activate the corresponding profile.

Note

For more information about how the Certificate Revocation Check service works, see How the Certificate Revocation Check Service Works.

Prerequisites
  • Each CRL is digitally signed by its CA. Therefore, to verify the digital signature provided with the CRL, the corresponding CA root certificate needs to be imported into a keystore view on the AS Java. The default view to use is the TrustedCAs view.
  • The AS Java can connect to each CRL distribution point used.
    Note

    By default, the CRL distribution point specified in the certificate is used to locate the CRL. This location is determined by the issuing CA and is normally located at the CA's site.

    The distribution point may be located behind a proxy server, so make sure the AS Java can connect to it.

    As an alternative, you can download the CRL from the distribution point and save it to a local file. In this case, you must make sure you keep the local file up-to-date: a stale copy does not contain revocations the CA published after you downloaded it.

Procedure
  1. Start the Certificate Revocation Check Management application.
    Note

    You can find the Certificate Revocation Check Management in the SAP NetWeaver Administrator under SAP NetWeaver Administrator → Configuration Management → Security → Certificates and Keys.

    As an alternative, you can start the Certificate Revocation Check Management application directly using the URL:

http://<host>:<port>/webdynpro/dispatcher/sap.com/tc~sec~certrevc~ui/LocalServiceApp

  2. Configure the Certificate Revocation Check service.

    Under Configuration → Profiles:

    1. Select Edit to change to edit mode.
    2. Activate the profile for the use case where you want to check for certificate revocation.
    3. Select the error behavior:
      • Continue means that processing continues if an error other than a revoked certificate occurs, for example, a network error when attempting to connect to the CA's distribution point. This keeps operations running when the problem is unrelated to the revocation check itself, but it fails open: while the CRL cannot be retrieved, a certificate that the CA has already revoked is still accepted.
      • Error means that processing stops if such an error occurs. This fails closed: while the CRL cannot be retrieved, no certificate from that issuer is accepted.

    In either case, the check returns an error if the certificate has been revoked.

  3. To edit attributes for individual certificate issuers that are contained in the profile, select the profile.

    The certificate issuers contained in the profile are displayed in the lower section of the screen.

    For each certificate issuer, you can:

    • Activate or deactivate the certificate issuer.

      If you deactivate an entry, no revocation check is performed for certificates issued by this CA.

    • Specify an alternative distribution point.

      Enter an alternative distribution point if you want to override the distribution point contained in the certificate being checked.

  4. Save the data.
Example

The following shows an example of the Certificate Revocation Check configuration.

List of Profiles

  Active     Profile Name             Error Behavior   Issuers
  Active     ClientCertLoginModule    Error            1
  Inactive   SSLClientLib             Continue         1

Certificate Issuers for the Selected Profile (ClientCertLoginModule)

  Active     Certificate Issuer                      Alternative Distribution Point
  Active     CN=ExampleCA, O=ExampleCompany, C=DE    file:///C:/LocalCRLs/ExampleCA.crl

Result

Certificates used for the corresponding use case are checked when the SSL connection is established. If the certificate has been revoked by the issuing CA, an error occurs.
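The following script is an added illustration, not part of the SAP documentation and not the AS Java code. It reproduces with the openssl command line what the prerequisites and the profile settings above amount to: it builds a throwaway CA named ExampleCA (constructed to match the example issuer), issues two client certificates, revokes one, publishes a CRL, and then runs the check that one issuer entry of a profile performs: fetch the CRL from the distribution point (the one embedded in the certificate, or an alternative file:// location as in the example configuration), verify the CRL signature against the CA root that would sit in the TrustedCAs view, and look the certificate up in it. The return codes (0 accepted, 1 revoked, 2 check failed), the certificate names alice and bob, the distribution point http://crl.example.test/ExampleCA.crl, and the use of curl for http(s) fetches are all assumptions of this example. It shows the Continue/Error setting as fail open versus fail closed, and it treats a CRL whose signature does not verify as a hard failure whatever the error behavior; whether the AS Java does the same is not stated on this page.

```shell
#!/bin/sh
# Added example, not SAP code: what one revocation profile entry does, done with openssl.
# Everything is constructed: a throwaway CA "ExampleCA", client certs alice (revoked)
# and bob (valid), their CRL, and hypothetical codes 0 = accepted, 1 = revoked, 2 = check failed.
# make_demo_pki DIR: CA root, leaf certs carrying a CRL distribution point, and a CRL.
make_demo_pki() {
    dir="$1"; mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/ExampleCA.crl
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
x509_extensions = v3_leaf
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    : > "$dir/index.txt"; echo 1000 > "$dir/serial"
    {
        # CA root certificate: the one that belongs in the TrustedCAs keystore view.
        openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 60 \
            -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj "/CN=ExampleCA/O=ExampleCompany/C=DE"
        for user in alice bob; do
            openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes \
                -keyout "$dir/$user.key" -out "$dir/$user.csr" -subj "/CN=$user"
            openssl ca -config "$dir/ca.cnf" -batch -notext -in "$dir/$user.csr" -out "$dir/$user.pem"
        done
        openssl ca -config "$dir/ca.cnf" -revoke "$dir/alice.pem"
        openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ExampleCA.crl"
    } >/dev/null 2>&1
}

# cert_distribution_point CERT: the CRL distribution point URI embedded in the certificate.
cert_distribution_point() {
    openssl x509 -in "$1" -noout -text | grep -o 'URI:[^[:space:]]*' | head -n 1 | cut -c 5-
}

# fetch_crl DP OUT: file:// is a locally kept copy (the page's alternative form); http(s):// is fetched.
fetch_crl() {
    case "$1" in
        file://*)           cp "${1#file://}" "$2" 2>/dev/null ;;
        http://*|https://*) curl -sSf --max-time 10 -o "$2" "$1" 2>/dev/null ;;
        *)                  return 1 ;;
    esac
}

# check_revocation CERT CA_CERT Continue|Error [ALT_DP]: one issuer entry of a profile;
# ALT_DP, if given, overrides the distribution point carried in the certificate.
check_revocation() {
    cert="$1"; ca="$2"; behavior="$3"; dp="${4:-$(cert_distribution_point "$1")}"
    crl=$(mktemp); rc=0
    if ! fetch_crl "$dp" "$crl"; then
        # Transport error, not a revocation: Continue fails open, Error fails closed.
        [ "$behavior" = "Continue" ] || rc=2
    elif ! openssl crl -in "$crl" -CAfile "$ca" -noout 2>&1 | grep -q '^verify OK'; then
        # CRL not signed by this CA: never fail open, a swapped CRL is how revocations get hidden.
        rc=2
    else
        out=$(openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" 2>&1) || {
            case "$out" in
                *"certificate revoked"*) rc=1 ;;
                *) [ "$behavior" = "Continue" ] || rc=2 ;;
            esac
        }
    fi
    rm -f "$crl"; return "$rc"
}

# Constructed walk-through; a second CA's CRL stands in for a tampered one.
demo() {
    d=$(mktemp -d); make_demo_pki "$d/good"; make_demo_pki "$d/other"
    for args in "alice Error file://$d/good/ExampleCA.crl" "bob Error file://$d/good/ExampleCA.crl" \
                "bob Continue" "bob Error" "bob Continue file://$d/other/ExampleCA.crl"; do
        set -- $args; code=0
        check_revocation "$d/good/$1.pem" "$d/good/ca.pem" "$2" "$3" || code=$?
        echo "$args -> rc=$code"
    done
    rm -rf "$d"
}
demo
```

Running the script prints one line per check. The two calls without an alternative distribution point use the unreachable URI embedded in the certificate, which is the situation the Error behavior rejects and the Continue behavior waves through; the last call shows that a CRL from the wrong CA is rejected even under Continue.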

Optional Tasks

In addition to activating the profiles, you can configure additional settings or perform optional tasks. See the following: