System administrators can create and update a CRL profile by using REST Administration APIs.
Only one CRL can exist inside a CRL profile. Before you can use a CRL profile, you must set
the UseClientCertificate property to true in the
security profile that you want to associate with this CRLProfile. When you set
UseClientCertificate to true, you must also
ensure that at least one trusted certificate is associated with the security profile. For
more information about configuring a security profile, see Configuring security profiles. For
more information about configuring trusted certificates, see Configuring trusted certificates.
To create a CRL profile, use the Eclipse Amlen REST API POST method with the following Eclipse Amlen configuration URI:
http://<admin-endpoint-IP:Port>/ima/v1/configuration/
Provide object configuration data in the payload of the POST method by using the following schema. Content-type is set to application/json. Ensure that capitalization and double quotation marks are used as shown.
{
    "CRLProfile": {
        "<CRLProfName>": {
            "CRLSource": "String",
            "UpdateInterval": integer,
            "RevalidateConnection": true|false,
            "Overwrite": true|false
        }
    }
}
Where:
- CRLProfName
- Required.
- Specifies the name of the CRL profile.
- Before you can use a CRL profile, you must set
UseClientCertificate to true in the
security profile that you want to associate with the CRL profile. When you set
UseClientCertificate to true, ensure
that at least one trusted certificate is associated with the security profile.
- The name can be a maximum of 256 alphanumeric characters.
- The name must not have leading or trailing spaces and cannot contain control
characters, commas, double quotation marks, backslashes, or equal signs.
- CRLSource
- Required.
- Specifies the source of the CRL file.
- The source can be a file that has been uploaded to the server, or a URL string.
- If the source is a URL, the format of the URL must be http://<IPaddress>/<path to CRLfilename>. Only HTTP is supported.
- Only one CRL file can exist inside a CRL profile.
- The maximum length is 2048.
- Note: If the file that contains the CRLs is larger than 4 MB and is not available as a remote URL, you can copy the file to /var/lib/amlen-server/userfiles on Eclipse Amlen before you upload the file to the server. If the server is running in a container, use the docker cp command to copy the file to Eclipse Amlen, where <container> is the name of the server container:
  docker cp /tmp/psk.csv <container>:/var/lib/amlen-server/userfiles
  You can then import the .psk file to the server by using the following command:
  curl -X POST http://localhost:9089/ima/v1/configuration -d '{"PreSharedKey":"psk.csv"}'
  Do not provide a full path to the .psk file in the payload. All file paths specified in the payload are relative to /var/lib/amlen-server/userfiles. Verify that the pre-shared key file is uploaded by using the following command:
  curl -X GET http://localhost:9089/ima/v1/configuration/PreSharedKey
  The response is:
  {"Version":"v1", "PreSharedKey":"psk.csv"}
- UpdateInterval
- Specifies the interval in minutes at which a new copy of the CRL is downloaded if CRLSource is a URL.
- The default value is 60 minutes.
- RevalidateConnection: true|false
- Specifies whether all connections that are authorized by using the security profile are re-validated when a new CRL file is uploaded or downloaded from the specified URL.
- The default value is false.
- Overwrite: true|false
- Specifies whether an existing certificate is overwritten.
- If you want to use a different source file or URL path, you must set this property
to true.
The following example shows a POST method to create a CRL profile by using cURL:
curl -X POST \
  -H 'Content-Type: application/json' \
  -d '{
    "CRLProfile": {
      "MyCRLProfile": {
        "CRLSource": "file_crl.pem",
        "UpdateInterval": 5,
        "RevalidateConnection": false,
        "Overwrite": false
      }
    }
  }' \
  http://127.0.0.1:9089/ima/v1/configuration/
The following example shows the response to the POST method:
{
    "Version": "v1",
    "Code": "CWLNA6011",
    "Message": "The requested configuration change has completed successfully."
}
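As an added example (not part of the Eclipse Amlen documentation or code base), the following script builds the CRLProfile payload described above, checks the name, source and interval constraints listed for the schema before anything is sent, and POSTs it to the configuration URI; the admin endpoint address and the file name are assumed values taken from the cURL example above.

```python
"""Validate and POST an Eclipse Amlen CRLProfile (added example, not project code)."""
import json
import re
import urllib.request

# Assumed admin endpoint, matching the cURL example on this page.
ADMIN_ENDPOINT = "http://127.0.0.1:9089"

# Characters the profile name must not contain: commas, double quotation marks,
# backslashes, equal signs and control characters.
_FORBIDDEN_NAME_CHARS = re.compile(r'[,"\\=\x00-\x1f\x7f]')


def validate_crl_profile(name, crl_source, update_interval=60,
                         revalidate_connection=False, overwrite=False):
    """Check the documented constraints and return the payload dict for the POST."""
    if not name or len(name) > 256:
        raise ValueError("CRLProfName must be 1-256 characters")
    if name != name.strip():
        raise ValueError("CRLProfName must not have leading or trailing spaces")
    if _FORBIDDEN_NAME_CHARS.search(name):
        raise ValueError("CRLProfName contains a forbidden character")
    if not crl_source or len(crl_source) > 2048:
        raise ValueError("CRLSource must be 1-2048 characters")
    is_url = "://" in crl_source
    # Only HTTP URLs are supported as a remote source.
    if is_url and not crl_source.startswith("http://"):
        raise ValueError("CRLSource URL must use http://")
    # Uploaded files are resolved relative to /var/lib/amlen-server/userfiles,
    # so an absolute path in the payload is a mistake.
    if not is_url and crl_source.startswith("/"):
        raise ValueError("CRLSource file must not be a full path")
    if isinstance(update_interval, bool) or not isinstance(update_interval, int):
        raise ValueError("UpdateInterval must be an integer number of minutes")
    return {"CRLProfile": {name: {
        "CRLSource": crl_source,
        "UpdateInterval": update_interval,
        "RevalidateConnection": bool(revalidate_connection),
        "Overwrite": bool(overwrite),
    }}}


def post_crl_profile(payload, admin_endpoint=ADMIN_ENDPOINT):
    """POST the payload to /ima/v1/configuration/ and return the parsed JSON reply."""
    req = urllib.request.Request(
        admin_endpoint + "/ima/v1/configuration/",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = validate_crl_profile("MyCRLProfile", "file_crl.pem", update_interval=5)
    print(json.dumps(post_crl_profile(body), indent=2))
```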