
Installing Certificate Revocation Lists

Use

Certificate Revocation List files (CRLs) are provided by a CA, and identify credentials that can no longer be trusted. CRLs prevent you from applying a digital signature that is no longer valid, and let you know when digital signatures on incoming documents are invalid. CRLs should be updated on a regular basis (for example, daily or weekly).

CRLs are identified by the CRL distribution point (CRLdp), which is specified as a URL in the certificate itself.

The following values must be specified when you install the CRL:

CRL Values

Value       Description
URL         Must match the URL found in the CRLdp field of the certificate.
Filename    The file name of the CRL.

Caution

If you do not specify a URL/file name combination, the server has no access to the CRLs, and signatures chaining off that Trusted Anchor are considered invalid. However, if the certificate does not contain a CRLdp field identifying a URL for its CRLs, revocation checking cannot be performed and the server always considers the signatures valid.

For releases lower than SAP NetWeaver 7.31 SP7, ADS does not support a base64-encoded format. The CRL file must be in binary format.
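A pre-upload check for the binary-format requirement above, as an added example that is not part of the SAP documentation: it converts a base64 (PEM) CRL to binary DER and reads the CRL's thisUpdate time so that an outdated file is noticed before it is installed. The function names and the sample bytes are assumptions made for this example; the parser reads only the RFC 5280 fields needed here and does not verify the CRL signature.

```python
import base64
import re
from datetime import datetime, timezone

PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----(.+?)-----END X509 CRL-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    hdr, length = 2, first
    if first >= 0x80:  # long-form length: low 7 bits give the octet count
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[pos + hdr:end], end

def crl_to_der(data):
    """Return (der, source_format); base64 (PEM) input is decoded to binary."""
    m = PEM_CRL.search(data)
    der, fmt = (base64.b64decode(m.group(1)), "pem") if m else (data, "der")
    tag, _, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER-encoded CertificateList")
    return der, fmt

def crl_this_update(der):
    """Read thisUpdate from TBSCertList, following RFC 5280 field order."""
    _, cert_list, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert_list, 0)
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0x02:                     # optional version INTEGER came first
        _, _, pos = read_tlv(tbs, pos)  # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)      # issuer Name
    tag, val, _ = read_tlv(tbs, pos)    # thisUpdate (UTCTime or GeneralizedTime)
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def is_stale(der, max_age_seconds, now):
    """True if thisUpdate is more than max_age_seconds before now."""
    return (now - crl_this_update(der)).total_seconds() > max_age_seconds

# Constructed sample, not a real CRL: skeleton with empty issuer/signature
# and thisUpdate = 2024-01-01 00:00:00 UTC, in DER and in base64 (PEM) form.
SAMPLE_DER = bytes.fromhex("301a3013300030001 70d".replace(" ", "")) + b"240101000000Z" + bytes.fromhex("3000030100")
SAMPLE_PEM = b"-----BEGIN X509 CRL-----\n" + base64.b64encode(SAMPLE_DER) + b"\n-----END X509 CRL-----\n"
```

Write the bytes returned by `crl_to_der` to the file that is uploaded in the procedure below.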

Procedure

To install a CRL file:

       1.      Navigate to http://<server>:<port>/nwa to start the SAP NetWeaver Administrator.

               <server> is the AS Java where the Adobe document services are installed and <port> is the HTTP port of the AS Java.

       2.      Choose Configuration Management → Infrastructure → Adobe Document Services.

       3.      Select Certificate Revocation Lists from the Show dropdown list and choose Manage CRL Files.

       4.      Choose Add New File.

       5.      Browse to the CRL file and choose Upload.

       6.      Select Certificate Revocation Lists from the Show dropdown list and choose Add New Object.

       7.      Specify the URL of the CRL you installed.

       8.      In the CRL File field, choose the name of the CRL file, and save.

       9.      Restart the Document Services Trust Manager and PDF Manipulation Module service for the changes to take effect. (See How to Restart a Service.)

 

 

Force Option to update CRL

To force the CRL update, set the parameter CRLInvalidationPeriod in Document Service Trust Manager. The default value of this parameter is -1, which means that the CRL update is not forced. The value is specified in seconds. After the parameter is set, ADS retrieves the CRL information if the CRL is older than the time specified in this parameter. This is independent of the CRL attribute Next Update.

Procedure


       1.      Start the Configtool where the ADS is installed.

       2.      Select the node server → cluster data → template → instance → services → com.adobe~TrustManagerService.

       3.      Set the value for CRLInvalidationPeriod.

       4.      Save the value.

       5.      Restart the AS Java server for the changes to take effect.

 

 

Setting up HTTP Proxy on AS Java (Optional)

The CRL file is updated automatically from the CRL distribution point. If an HTTP proxy is required to access the file, you must maintain the Java parameters for the HTTP proxy. For information about adding Java Virtual Machine (JVM) system parameters, see Configuring JVM Parameters.

Procedure

Define the JVM System Parameters:

http.proxyHost=<proxy host name>

http.proxyPort=<proxy port number>

http.nonProxyHosts=<rule to bypass proxy server>
