Certificate Revocation List (CRL) Processing Service

The Certificate Revocation List Processing service confirms that your business processes correctly authenticate your trading partners. This service confirms that other Sterling B2B Integrator services that request digital certificates are only given valid certificates. This service also notifies you when an attempt is made to check in a revoked certificate.

The following table provides an overview of the CRL Processing service:

System name: CRLProcessingService
Graphical Process Modeler (GPM) category: All Services
Description: This service processes a version 2 digital Certificate Revocation List (CRL). Specifically, this service:
  • Marks those certificates in the Sterling B2B Integrator database which appear on the list as revoked or held
  • Checks the cache and notifies you that a specific certificate is revoked when an attempt is made to check in that system or trusted certificate.
  Note: The notification only occurs if you enable CRL caching in Sterling B2B Integrator.
Business usage: Use this service to confirm that your business processes correctly authenticate your trading partners. This service confirms that other Sterling B2B Integrator services that request digital certificates are only given valid certificates. Valid certificates are those that have not been revoked or held. Also use this service if you want to be notified when an attempt is made to check in a revoked certificate.
Usage example: The CRL Processing service should be placed in a scheduled business process that downloads CRLs at the required interval. (The required interval varies by authority and trading community.)
  Note: The CRL does not contain certificates; it lists those certificates that should be revoked.
  For more information, see How the CRL Processing Service Works.
Preconfigured? No
Requires third party files? No
Platform availability: All supported Sterling B2B Integrator platforms
Related services: The HTTP Client adapter and the LDAP adapter are often used in conjunction with this service because these adapters can be used to download the CRL. This service confirms that other services which request the use of digital certificates are given them only if the certificate has neither been revoked nor held.
Application requirements: The list passed to this service must be formatted according to the CRL version 2 specification published by the Internet Engineering Task Force (IETF) in document http://www.ietf.org/rfc/rfc3280.txt.
Initiates business processes? No
Invocation: This service must be preceded by a service or adapter that can collect the CRL and hand it off to this one. In addition, the entire chain of authorization for the CRL must be in the Sterling B2B Integrator CA certificate store before this service can run.
Business process context considerations: This service processes the CRL; it does not download the CRL. Before processing the CRL, this service attempts to verify the signature on the CRL. This service can verify the CRL only if the following certificates are in the Sterling B2B Integrator certificate store:
  • The certificate used to sign the CRL
  • Any intermediate certificates between that certificate and the CA root certificate
  • The CA root issuing certificate
Returned status values:
  • Success – The CRL processed correctly.
  • Error – The CRL did not process correctly.
  For a complete description of the errors, see the log file.
Restrictions: This service only processes the following CRL critical extensions:
  • crlNumber
  • baseCRLNumber
  • IssuingDistributionPoints
Persistence level: None
Testing considerations: Enable the ShowTranscripts parameter in the CRL Processing service configuration. When enabled, operations on each certificate in the list are recorded.

How the CRL Processing Service Works

The Certificate Revocation List is periodically issued by the certificate authority to identify those certificates that should be revoked.

The Certificate Revocation List Processing service takes a CRL as input and does the following:
  1. It verifies the CRL using a certificate in the CA certificate store in the Sterling B2B Integrator database.
  2. Once verified, it checks the CRL expiration date. If the CRL is expired, the default behavior is for the service to fail. You can allow the service to continue by changing the FailOnExpiredCRL parameter to false.
  3. The service then begins to process the CRL. If the CRL has a critical extension that the application does not understand, the default behavior for this service is to fail. You can allow the service to continue by changing the FailOnUnsupportedCRLCritExtns parameter to false.
  4. For each entry in the CRL, the service looks in the trusted certificate and system certificate tables for a corresponding certificate entry.
    Note: You can turn off processing of the system certificates by adding the parameter RevokePrivateKeys to the BPML and setting it to false.

    For each record in the system certificate or trusted certificate table which corresponds to an entry in the CRL, the service does the following:

    • If the status of the entry is OK and the CRL indicates the certificate is revoked, the service sets the status in the table to revoked.
    • If the status of the entry is OK and the CRL indicates the certificate is held, the service sets the status in the table to held.

      When the status is set to revoked or held, the API calls which attempt to load the certificate or key from the database will fail at runtime.

    • If the status of the entry is held and the CRL indicates the certificate should be removed from the CRL, the service sets the status in the table to OK. This allows the API calls which attempt to load the certificate or key from the database to succeed at runtime.
  5. The service then determines if it is a base CRL or a delta CRL and adds it to the Sterling B2B Integrator database according to the following rules:
    • If there is no corresponding CRL of that type and issuer, the service simply adds the CRL to the database.
    • If there is an existing CRL, the service uses the CRL number to add the most recent CRL to the database.

      - If the CRL numbers are identical, the service uses the thisUpdate date in the CRLs to determine which is the most recent.

      - If there are no CRL numbers, the thisUpdate date is used.

  6. The service updates the CRL cache.

    The CRL cache is a standard cache that maintains CRL information in memory and is checked by Sterling B2B Integrator when you try to upload a certificate and by the certificate loading APIs. The cache consists of information from one base CRL and possibly one delta CRL for each issuer.

    Note: CRLs are verified when they are loaded into the cache. By default, CRLs that are expired or that have unsupported critical extensions do not update the CRL cache. However, you can change the default by setting the LoadExpiredCRLs and LoadUnsuppCritExtnCRLs parameters to true in the security.properties file.
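The status transitions of step 4 and the base/delta selection rule of step 5, modelled in plain Python as an added example (this is not Sterling B2B Integrator code). CRL, apply_crl and newest_crl are hypothetical names; the CRL is assumed to be already parsed and its signature already verified as in step 1, and the keyword arguments mirror FailOnExpiredCRL, FailOnUnsupportedCRLCritExtns and RevokePrivateKeys.

```python
from dataclasses import dataclass, field
from datetime import datetime

# RFC 3280 reason codes that the service maps to "held" and back to "OK".
HOLD, UNHOLD = "certificateHold", "removeFromCRL"
# The only critical extensions the service understands (see Restrictions above).
SUPPORTED_CRIT_EXTNS = {"crlNumber", "baseCRLNumber", "IssuingDistributionPoints"}

@dataclass
class CRL:                                   # hypothetical, already-parsed CRL
    this_update: datetime
    next_update: datetime
    entries: dict                            # serial -> reason code ("" = plain revocation)
    crl_number: "int | None" = None
    critical_extensions: set = field(default_factory=set)

def apply_crl(crl, cert_table, now, fail_on_expired=True,
              fail_on_unsupported=True, revoke_private_keys=True):
    """Steps 2-4. cert_table maps serial -> {"status": "OK"|"revoked"|"held", "system": bool}.
    Signature verification (step 1) is assumed to have been done by the caller."""
    if now > crl.next_update and fail_on_expired:
        raise ValueError("CRL expired")                   # FailOnExpiredCRL=true
    unsupported = crl.critical_extensions - SUPPORTED_CRIT_EXTNS
    if unsupported and fail_on_unsupported:               # FailOnUnsupportedCRLCritExtns=true
        raise ValueError(f"unsupported critical extensions: {sorted(unsupported)}")
    changed = {}
    for serial, reason in crl.entries.items():
        rec = cert_table.get(serial)
        if rec is None or (rec["system"] and not revoke_private_keys):
            continue                         # unknown cert, or system certs skipped
        if reason == UNHOLD:                 # only a held entry can be released
            if rec["status"] != "held":
                continue
            rec["status"] = "OK"
        elif rec["status"] == "OK":          # revoked/held entries are left untouched
            rec["status"] = "held" if reason == HOLD else "revoked"
        else:
            continue
        changed[serial] = rec["status"]
    return changed

def newest_crl(existing, incoming):
    """Step 5: higher crlNumber wins; equal or missing numbers fall back to thisUpdate."""
    if existing is None:
        return incoming
    a, b = existing.crl_number, incoming.crl_number
    if a is not None and b is not None and a != b:
        return incoming if b > a else existing
    return incoming if incoming.this_update > existing.this_update else existing
```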

Implementing the CRL Processing Service

To implement the CRL Processing service, complete the following tasks:
  1. Activate your license for the CRL Processing service. See Installing Sterling B2B Integrator.
  2. Create a CRL Processing service configuration. See Managing Services and Adapters.
  3. Configure the CRL Processing service.
  4. Use the CRL Processing service in a business process.

Configuring the CRL Processing Service

To configure the CRL Processing service, you must specify settings for the following fields in the GPM.

Note: You must use the Advanced button in the GPM Service Editor to set the values for the fields listed in the following table. These fields do not automatically appear in the Service Editor. The default values are used if these fields are not defined in the GPM.
Field: Description
Config: Name of the service configuration. Required.
ShowTranscripts: Tells the service whether to put log information into the WFC advanced status. For debug information, debug logging must be enabled in the security log. Optional. Valid values are true and false (default is false).
FailOnExpiredCRL: Tells the service whether to fail if the CRL is expired. The only reason not to fail in this situation is for testing. Optional. Valid values are true and false (default is true).
FailOnUnsupportedCRLCritExtns: Tells the service whether to fail if it encounters a critical extension it does not understand when processing a CRL. In most cases, Sterling B2B Integrator should not process CRLs with unsupported critical extensions. There may be extraordinary or testing situations where you want to turn this off. Optional. Valid values are true and false (default is true).

Output from Business Process to Service

The preceding table describes the information that is passed from the business process to the CRL Processing service.

Business Process Example

The following example illustrates how to pass values to the service for the parameters in the previous table:

<process name="1CRL">
  <sequence name="optional">
    <operation name="One">
      <participant name="1CRL"/>
      <output message="noopout">
        <assign to="." from="*"></assign>
        <assign to="ShowTranscripts">true</assign>
        <assign to="FailOnExpiredCRL">false</assign>
        <assign to="FailOnUnsupportedCRLCritExtns">false</assign>
      </output>
      <input message="noopin">
        <assign to="." from="*"></assign>
      </input>
    </operation>
  </sequence>
</process>