Use the CCRL transaction to create and update the
certificate revocation lists (CRLs) that are stored in an LDAP server. You
only need to use CCRL if you are implementing SSL in your CICS® regions and
want each connection checked for a revoked certificate during the SSL handshake.
For more information about using certificate revocation lists, see the CICS RACF® Security Guide.
The CCRL transaction specifies the location of CRL repositories on the world wide web. CICS downloads the lists from the CRL repository at each specified URL and stores them in the LDAP server. You can specify more than one URL if you need to access multiple CRL repositories from different certificate authorities.
Before you run the CCRL transaction, you must have the following set up in CICS:
You can run the CCRL transaction from a terminal or from a START command. If you want to schedule regular updates, use the START command option.
To run the transaction from a terminal, ensure that the terminal accepts mixed case so that you can enter the URLs.
CCRL http://crl.CertificateAuthority.com/CRLList1.crl
http://crl.CertificateAuthority.com/CRLList2.crl
To run the transaction from a START command, use the following syntax: EXEC CICS START TRANSID(CCRL) FROM (admin://adminDN:adminPW url-list) LENGTH (url-list-length) [INTERVAL(hhmmss)|TIME(hhmmss)], where url-list is a space-delimited list of URLs that contain the certificate revocation lists that you want to download, url-list-length is the length of the URL list, and hhmmss is the interval or expiration time at which the CCRL transaction is scheduled to run. For example, you could specify:
EXEC CICS START TRANSID(CCRL)
FROM ('admin://cn=ldapadmin:cics31ldap
http://crl.CertificateAuthority.com/CRLList1.crl
http://crl.CertificateAuthority.com/CRLList2.crl')
LENGTH(124) INTERVAL(960000)
This would schedule the CCRL transaction to run in 96 hours. If you enter an invalid URL, you will receive an error message.
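The FROM data area, its LENGTH value and the hhmmss interval are easy to get wrong by hand, and a URL or DN containing a space silently splits into two entries because the list is space-delimited. The following Python helper is an added example, not part of the CICS documentation or product: it validates the URL list, assembles the admin://adminDN:adminPW url-list string, computes the byte length to pass in LENGTH, encodes an interval as hhmmss and renders the START command. The LDAP DN, password and CRL hosts in it are constructed sample values, and the assumption that the prefix is parsed at the first ':' after admin:// is the example's own.

```python
from urllib.parse import urlsplit


class CcrlInputError(ValueError):
    """Raised when the CCRL parameters cannot be encoded unambiguously."""


def validate_crl_url(url: str) -> str:
    """Check that a CRL URL can sit safely in the space-delimited url-list.

    Whitespace inside a URL would be read as a list separator, turning one
    entry into two bogus ones, so it is rejected; the URL must also be an
    absolute http(s) URL with a host, which is what a web CRL repository is.
    """
    if any(ch.isspace() for ch in url):
        raise CcrlInputError(f"URL must not contain whitespace: {url!r}")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise CcrlInputError(f"not an absolute http(s) URL: {url!r}")
    return url


def is_valid_crl_url(url: str) -> bool:
    """Boolean form of validate_crl_url, convenient for filtering lists."""
    try:
        validate_crl_url(url)
    except CcrlInputError:
        return False
    return True


def build_from_data(admin_dn: str, admin_pw: str, urls: list[str]) -> str:
    """Build the FROM data area: 'admin://adminDN:adminPW url1 url2 ...'."""
    if not urls:
        raise CcrlInputError("at least one CRL URL is required")
    # Assumption (not stated by the documentation): the prefix is split at the
    # first ':' after 'admin://', so a ':' or whitespace in the DN, or
    # whitespace in the password, would corrupt the parse.
    if ":" in admin_dn or any(ch.isspace() for ch in admin_dn):
        raise CcrlInputError("admin DN must not contain ':' or whitespace")
    if any(ch.isspace() for ch in admin_pw):
        raise CcrlInputError("admin password must not contain whitespace")
    url_list = " ".join(validate_crl_url(u) for u in urls)
    return f"admin://{admin_dn}:{admin_pw} {url_list}"


def from_length(from_data: str) -> int:
    """LENGTH is the byte length of the data area (one byte per character).

    Non-ASCII characters are rejected rather than guessed at, because the
    byte count on the host would then depend on the code page.
    """
    return len(from_data.encode("ascii"))


def hhmmss(hours: int, minutes: int = 0, seconds: int = 0) -> str:
    """Encode an INTERVAL or TIME value as hhmmss; hh may exceed 24 for INTERVAL."""
    if not (0 <= hours <= 99 and 0 <= minutes < 60 and 0 <= seconds < 60):
        raise CcrlInputError("hhmmss value out of range")
    return f"{hours:02d}{minutes:02d}{seconds:02d}"


def render_start(from_data: str, interval: str) -> str:
    """Render the EXEC CICS START command as it would appear in a program."""
    if "'" in from_data:
        raise CcrlInputError("FROM data must not contain a single quote")
    return (
        "EXEC CICS START TRANSID(CCRL)\n"
        f"     FROM('{from_data}')\n"
        f"     LENGTH({from_length(from_data)}) INTERVAL({interval})"
    )


if __name__ == "__main__":
    # Constructed sample values: not real LDAP credentials or CRL hosts.
    data = build_from_data(
        "cn=ldapadmin", "secret",
        ["http://crl.example.com/ca1.crl", "http://crl.example.com/ca2.crl"],
    )
    print(render_start(data, hhmmss(96)))
```

The admin password travels in the START data area in clear, so a program generating this command should read it from a protected source at run time rather than embedding it in a source file.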