5.3.1 Downloading CRL
Access the LDAP server and download the certificate revocation list (CRL) from the specified attribute. Confirm the entry, the attribute and the CRL format with the LDAP administrator in advance.
The crldownload command that downloads the CRL is described below.
The crldownload command cannot be used in the HP-UX (IPF) version of the product.
- Organization of this subsection
- (1) Format
- (2) Option
- (3) How to use
- (4) Usage example
(1) Format
crldownload -b search-base-DN -L LDAP-library-name -o file-name [-a attribute] [-D bind-DN] [-h host-name] [-H] [-p port-number] [-w password]
(2) Option
- -b search-base-DN
Specify DN of the stored entry of the CRL.
- -L LDAP-library-name
Specify the LDAP library file name to be used.
- -o file-name
Specify the file name that contains the CRL output.
- -a attribute ~<<certificateRevocationList;binary>>
Specify the attribute that stores the CRL.
- -D bind-DN
Specify the DN to bind. If you omit this option, an anonymous bind is executed.
- -h host-name ~<<localhost>>
Specify the host name or the IP address of the LDAP server to be accessed.
- -H
Specify this option to display the help. It cannot be combined with any other option.
- -p port-number ~((1-65535))<<389>>
Specify the port number of the LDAP server to be accessed.
- -w password ~<<NULL>>
Specify the password used when binding as the bind DN. When you omit this option, no password is used.
(3) How to use
The following figure shows how to use the crldownload command.
Figure 5-3 How to use the crldownload command
![[Figure]](figure/zu030400.gif)
- Use the crldownload command to access the entry storing the CRL.
- Acquire the CRL from the entry attribute. When the stored CRL is in DER format, download it to the directory specified in the SSLCRLDERPath directive; when it is in PEM format, download it to the directory specified in the SSLCRLPEMPath directive.
- Restart the Web server.
- The client sends its certificate when accessing over SSL.
- The acquired CRL is applied when the client certificate is authenticated.
- If authentication succeeds, the client can access the contents.
# If there are files of an inappropriate format in the directories specified in the SSLCRLPEMPath and SSLCRLDERPath directives, the Web server does not start. Therefore, when you use the crldownload tool, make sure that the CRL is in the correct format before you store it in these directories.
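The note above describes a startup failure caused by a wrongly formatted file in the CRL directories. As an added example (not part of the manual or the product), the following Python check classifies a downloaded file as DER or PEM by parsing the outer CertificateList structure of RFC 5280, so that a download script moves the file into the SSLCRLDERPath or SSLCRLPEMPath directory only when it matches; it does not verify the issuer signature, and the sample CRL bytes are constructed.

```python
# Added example: check the structure of a downloaded CRL before moving it.
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----\s*(.*?)\s*-----END X509 CRL-----", re.S)

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                     # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def is_der_crl(buf):
    """True if buf is exactly one RFC 5280 CertificateList: SEQUENCE { SEQUENCE
    tbsCertList, SEQUENCE signatureAlgorithm, BIT STRING signatureValue }."""
    try:
        tag, body, end = _read_tlv(buf, 0)
        if tag != 0x30 or end != len(buf):   # not a SEQUENCE, or trailing bytes
            return False
        tags, pos = [], 0
        while pos < len(body):
            t, _, pos = _read_tlv(body, pos)
            tags.append(t)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False

def crl_format(data):
    """Return 'DER', 'PEM' or None; None means keep the file out of both directories."""
    if is_der_crl(data):
        return "DER"
    m = PEM_RE.search(data)
    try:
        return "PEM" if m and is_der_crl(base64.b64decode(m.group(1))) else None
    except ValueError:                    # binascii.Error is a ValueError subclass
        return None

# Constructed sample: a minimal unsigned CertificateList skeleton, not a real CRL.
SAMPLE_DER_CRL = b"\x30\x0b\x30\x03\x02\x01\x01\x30\x00\x03\x02\x00\xff"
SAMPLE_PEM_CRL = (b"-----BEGIN X509 CRL-----\n" + base64.encodebytes(SAMPLE_DER_CRL)
                  + b"-----END X509 CRL-----\n")
```

Call crl_format on the bytes of the temporary file written by crldownload and move the file into the DER or PEM directory only when the result matches the directory.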
(4) Usage example
(a) Downloading CRL in the DER format
Execute the following script to download the CRL. The script file name is /opt/hitachi/httpsd/sbin/hws_getCRL.sh in the UNIX version and <Cosminexus-installation-directory>\httpsd\sbin\hws_getCRL.bat in the Windows version.
- Executable script contents
Download the CRL stored in DER format on the LDAP server and restart the Web server. Messages output during this process are stored in a log file.
- CRL storage destination file name
- UNIX Version
- /opt/hitachi/httpsd/conf/ssl/crl/DER/rootCA.crl
- Windows Version
- <Cosminexus-installation-directory>\httpsd\conf\ssl\crl\DER\rootCA.crl
- Log file name
- UNIX Version
- /opt/hitachi/httpsd/conf/ssl/crl/crl.log
- Windows Version
- <Cosminexus-installation-directory>\httpsd\conf\ssl\crl\crl.log
- Script contents (for UNIX Version)
```sh
#!/bin/sh
# parameters
LIB="<LDAP-library-name>"            # placeholder: LDAP library file name passed with -L
HOST="ldap.server.hitachi.co.jp"
PORT="389"
BASE="cn=Company root CA, o=Hitachi, c=JP"
ATTR="certificateRevocationList;binary"
FILE="/opt/hitachi/httpsd/conf/ssl/crl/DER/rootCA.crl"
LOG="/opt/hitachi/httpsd/conf/ssl/crl/crl.log"
TMP="/opt/hitachi/httpsd/conf/ssl/crl/tmp-rootCA.crl"
# download
TOOL="/opt/hitachi/httpsd/sbin/crldownload"
HTTPSD="/opt/hitachi/httpsd/sbin/httpsdctl graceful"
LOGTIME=""
LANG=C
export LANG
# Download into a temporary file first so that a failed download never
# leaves a partial file in the SSLCRLDERPath directory.
if $TOOL -L "$LIB" -h "$HOST" -p "$PORT" -b "$BASE" -a "$ATTR" -o "$TMP" >> "$LOG" 2>&1
then
    if mv -f "$TMP" "$FILE" >> "$LOG" 2>&1
    then
        # CRL replaced; restart the Web server gracefully
        $HTTPSD >> "$LOG" 2>&1
        exit 0
    else
        LOGTIME=`date`
        echo "[$LOGTIME] Moving $TMP to $FILE failed" >> "$LOG"
        rm -f "$TMP" > /dev/null 2>&1
    fi
else
    LOGTIME=`date`
fi
echo "[$LOGTIME] Stop restarting Cosminexus HTTP Server." >> "$LOG"
exit 1
```
- Script contents (for Windows Version)
```bat
@echo off
REM
REM #parameters
SETLOCAL
SET LIB="<Cosminexus-installation-directory>\httpsd\libldap\nsldap32v50.dll"
SET HOST="ldap.server.hitachi.co.jp"
SET PORT="389"
SET BASE="cn=Company root CA, o=Hitachi, c=JP"
SET ATTR="certificateRevocationList;binary"
SET FILE="<Cosminexus-installation-directory>\httpsd\conf\ssl\crl\DER\rootCA.crl"
SET FORM="DER"
SET LOG="<Cosminexus-installation-directory>\httpsd\conf\ssl\crl\crl.log"
SET TMPCRL="<Cosminexus-installation-directory>\httpsd\conf\ssl\crl\tmp-rootCA.crl"
REM #download
SET TOOL="<Cosminexus-installation-directory>\httpsd\sbin\crldownload.exe"
SET HTTPSD="<Cosminexus-installation-directory>\httpsd\httpsd.exe"
REM Download into a temporary file; on failure skip the restart
%TOOL% -L %LIB% -h %HOST% -p %PORT% -b %BASE% -a %ATTR% -o %TMPCRL% >> %LOG% 2>&1 || GOTO ERR
COPY %TMPCRL% %FILE% >> %LOG% 2>&1 || GOTO CPERR
DEL %TMPCRL% >> %LOG% 2>&1
%HTTPSD% -n "Cosminexus HTTP Server" -k restart >> %LOG% 2>&1
GOTO TOOLEND
:CPERR
ECHO Moving %TMPCRL% to %FILE% failed >> %LOG%
DEL %TMPCRL% >> %LOG% 2>&1
GOTO ERR
:ERR
ECHO Stop restarting Cosminexus HTTP Server. >> %LOG%
:TOOLEND
endlocal
echo on
```
- How to execute the script (for UNIX Version)
/opt/hitachi/httpsd/sbin/hws_getCRL.sh
- How to execute the script (for Windows Version)
C:\> "<Cosminexus-installation-directory>\httpsd\sbin\hws_getCRL.bat"
(b) Downloading CRL and restarting the Web server at regular intervals
- UNIX Version
A superuser, or a user authorized by the superuser, can periodically download the CRL and restart the Web server using the crontab command#.
In the crontab command, specify the time at which to execute the script containing the crldownload command (or the crldownload command itself), so that the CRL is downloaded and the Web server restarted periodically.
# This command is an OS command. Use it to register jobs with cron and to control them. For details on how to specify the command, see the OS manual.
- How to specify the crontab command
# crontab -
minute hour date month day command
- Each crontab file entry is a line consisting of six fields. The fields are delimited by spaces or tabs, and each line holds the following values:
- Minute: Minute of command execution (from 0 to 59).
- Hour: Hour of command execution (from 0 to 23).
- Date: Day of the month of command execution (from 1 to 31).
- Month: Month of command execution (from 1 to 12).
- Day: Day of the week of command execution (from 0 to 6, where 0 denotes Sunday and 6 Saturday).
- Command: Shell command to execute.
- * (asterisk) denotes all valid values.
- An example of the crontab command
- Specify the following to download the CRL every day at 8 a.m. and restart the Web server (by executing the script described in (a)):
# crontab -
0 8 * * * /opt/hitachi/httpsd/sbin/hws_getCRL.sh
(end the entry with the <Ctrl>+<d> key)
#
- Windows Version
You can use the at command# to periodically download the CRL and restart the Web server.
In the at command, specify the time at which to execute the script containing the crldownload command (or the crldownload command itself), so that the CRL is downloaded and the Web server restarted periodically.
# This command is an OS command. For details on how to specify the command, see the OS manual.
- How to specify the at command
C:\>at [\\Computer-name] Time [/every:Date[,...] | /next:Date[,...]] "Command"
- An Example of the at command
- Specify the following to download the CRL every day at 8 a.m. and restart the Web server (by executing the script described in (a)):
C:\>at 8:00 /every:M,T,W,Th,F,S,Su "<Cosminexus-installation-directory>\httpsd\sbin\hws_getCRL.bat"