Use the CCRL transaction to create and update the certificate revocation lists (CRLs) that are stored in an LDAP server. You only need to use CCRL if you are implementing SSL in your CICS® regions and want each connection checked for a revoked certificate during the SSL handshake.
The CCRL transaction specifies the location of CRL repositories on the World Wide Web. CICS downloads the lists from the CRL repository at the specified URL and stores them in the LDAP server. You can specify more than one URL if you need to access multiple CRL repositories.
You can run the CCRL transaction from a terminal or from a START command. If you want to schedule regular updates, use the START command option.
To run the transaction from a terminal, ensure that your terminal accepts mixed case characters. Enter the following command:
CCRL url-list
where url-list is a space-delimited list of URLs that contain the certificate revocation lists that you want to download. You are then prompted to provide the administrator distinguished name and password for the LDAP server. This allows CICS to update the LDAP server with the downloaded CRLs.
To run the transaction from a START command, use the following syntax:
EXEC CICS START TRANSID(CCRL)
FROM('admin://adminDN:adminPW url-list')
LENGTH(url-list-length)
[INTERVAL(hhmmss)|TIME(hhmmss)]
where adminDN:adminPW is the administrator distinguished name and password for the LDAP server, url-list is a space-delimited list of URLs that contain the certificate revocation lists that you want to download, url-list-length is the length of the URL list including the LDAP admin distinguished name and password, and hhmmss is the interval or expiration time at which the CCRL transaction is scheduled to run.
For example:
EXEC CICS START TRANSID(CCRL)
FROM('admin://cn=ldapadmin:cics31ldap http://crl.CertificateAuthority.com/CRLList1.crl
http://crl.CertificateAuthority.com/CRLList2.crl')
LENGTH(132) INTERVAL(960000)
This example schedules the CCRL transaction to run in 96 hours and download certificate revocation lists from the two specified URLs.
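The following COBOL program is an added example, not code from the original page or from IBM. It builds the FROM data in the format described above, derives LENGTH from the bytes actually written instead of hard-coding it, and checks the response from the START command. The program name CRLSCHED, the WS- data names, the abend codes CRL1 and CRL2, and the password value are hypothetical, and the example assumes that the distinguished name and password contain no embedded spaces.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. CRLSCHED.
      * Added example: schedules CCRL through EXEC CICS START.
      * All data names and values are illustrative assumptions.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-ADMIN-DN    PIC X(64)  VALUE 'cn=ldapadmin'.
      * Placeholder only; supply the real password at run time.
       01  WS-ADMIN-PW    PIC X(32)  VALUE 'PLACEHOLDER-PW'.
       01  WS-URL-1       PIC X(128) VALUE
           'http://crl.CertificateAuthority.com/CRLList1.crl'.
       01  WS-URL-2       PIC X(128) VALUE
           'http://crl.CertificateAuthority.com/CRLList2.crl'.
       01  WS-FROM-DATA   PIC X(512) VALUE SPACES.
       01  WS-PTR         PIC S9(4) COMP VALUE 1.
       01  WS-FROM-LEN    PIC S9(4) COMP VALUE 0.
       01  WS-RESP        PIC S9(8) COMP VALUE 0.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Build 'admin://adminDN:adminPW url-list'. WS-PTR ends one
      * past the last byte written, so the length is WS-PTR - 1.
           STRING 'admin://'   DELIMITED BY SIZE
                  WS-ADMIN-DN  DELIMITED BY SPACE
                  ':'          DELIMITED BY SIZE
                  WS-ADMIN-PW  DELIMITED BY SPACE
                  ' '          DELIMITED BY SIZE
                  WS-URL-1     DELIMITED BY SPACE
                  ' '          DELIMITED BY SIZE
                  WS-URL-2     DELIMITED BY SPACE
               INTO WS-FROM-DATA
               WITH POINTER WS-PTR
               ON OVERFLOW
      * Data did not fit: do not schedule a truncated URL list.
                   EXEC CICS ABEND ABCODE('CRL1') END-EXEC
           END-STRING
           COMPUTE WS-FROM-LEN = WS-PTR - 1
           EXEC CICS START TRANSID('CCRL')
                FROM(WS-FROM-DATA)
                LENGTH(WS-FROM-LEN)
                INTERVAL(960000)
                RESP(WS-RESP)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
      * The START was rejected, so no CRL refresh is scheduled.
               EXEC CICS ABEND ABCODE('CRL2') END-EXEC
           END-IF
           EXEC CICS RETURN END-EXEC.
```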