Authorizing CICS to access CRLs

When the certificate revocation lists are stored in the LDAP server, you need to authorize CICS to access them through System SSL.

The certificate revocation lists are stored in the LDAP server with an access class of critical, so they can be read only by a user who supplies authentication credentials at LDAP bind time. These credentials are a user's distinguished name and an associated password, and they can be saved in a specialized profile in the LDAPBIND RACF class. To set up the profile, follow these steps:
  1. The password used in the profile must be encrypted before it is stored in the RACF database. To enable this, store a password encryption key in the KEYSMSTR RACF class by issuing one of the following RACF commands:
    • RDEFINE KEYSMSTR LDAP.BINDPW.KEY OWNER(userid) 
              SSIGNON(KEYENCRYPTED(keyvalue))
      Use this command when the password encryption key is stored by the Integrated Cryptographic Service Facility (ICSF).
    • RDEFINE KEYSMSTR LDAP.BINDPW.KEY OWNER(userid) 
              SSIGNON(KEYMASKED(keymask))
      Use this command when ICSF is not active.
  2. Create the profile using the following RACF command:
    RDEFINE LDAPBIND profile-name
                     PROXY(LDAPHOST(ldap-url)
                           BINDDN('ldap-distinguished-name')
                           BINDPW(password))
                     UACC(NONE)
    where:
    profile-name
    is the name of the RACF profile whose PROXY segment contains the following LDAP bind parameters.
    ldap-url
    is the fully qualified URL of the LDAP server to be accessed. For example, LDAP://WINMVS28.HURSLEY.IBM.COM:3389.
    ldap-distinguished-name
    is the distinguished name of an LDAP user authorized to inquire on certificate revocation list attributes from the server. For example, CN=LDAPADMIN.
    password
    is the password that authenticates the LDAP user. The password is case-sensitive.
  3. Authorize each CICS region user ID to access the appropriate bind credentials in the LDAPBIND class by issuing one or more commands of the following form:
    PERMIT profile-name CLASS(LDAPBIND)
                        ACCESS(READ)
                        ID(region-userid)
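The three steps above, worked through as a single REXX exec that issues the RACF commands from TSO. This is an added example and is not taken from the CICS documentation: the profile name CICSCRL, the key mask, the LDAP host, the bind distinguished name, the password and the region user IDs are constructed placeholders, and the final SETROPTS refresh assumes that the LDAPBIND class is RACLISTed on your system.

```rexx
/* REXX - added example, not part of the CICS documentation.           */
/* Runs under TSO with RACF SPECIAL authority. Every value below is a  */
/* constructed placeholder; replace it with your own before running.  */

/* Step 1: store the key that encrypts the LDAP bind password.        */
/* KEYMASKED form (ICSF not active); the key mask is a constructed    */
/* 16-hex-digit placeholder.                                           */
"RDEFINE KEYSMSTR LDAP.BINDPW.KEY OWNER(RACFADM)",
   "SSIGNON(KEYMASKED(0123456789ABCDEF))"

/* Step 2: the bind credentials in a PROXY segment. UACC(NONE) means  */
/* only the user IDs PERMITted below can use this profile.            */
"RDEFINE LDAPBIND CICSCRL",
   "PROXY(LDAPHOST(LDAP://ldap.example.com:389)",
   "BINDDN('CN=CRLREADER,O=EXAMPLE') BINDPW(Secr3t!pw))",
   "UACC(NONE)"

/* Step 3: one PERMIT per CICS region user ID, READ access only, so   */
/* each region gets exactly the credentials it needs and no more.     */
regions = "CICSRG1 CICSRG2"
do i = 1 to words(regions)
   "PERMIT CICSCRL CLASS(LDAPBIND) ACCESS(READ) ID("word(regions, i)")"
end

/* Refresh the in-storage profiles (assumes LDAPBIND is RACLISTed).   */
"SETROPTS RACLIST(LDAPBIND) REFRESH"

/* Verify: show the PROXY segment and the access list of the profile. */
"RLIST LDAPBIND CICSCRL PROXY AUTHUSER"
exit rc
```

The RLIST at the end is the check worth keeping: its AUTHUSER output should list only the region user IDs with READ and the profile should show UACC(NONE), otherwise the bind password is exposed to every RACF user. Because the exec holds the bind password in clear text, keep it in a data set that only the RACF administrator can read, or delete it once the profile exists; after step 2 the password lives only in the RACF database, encrypted under the KEYSMSTR key.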