Using certificate revocation lists

You can configure CICS® to use certificate revocation lists (CRLs) to check the validity of client certificates being used in SSL negotiations.

To use certificate revocation lists, you must install and configure an LDAP server. Details on how to perform these tasks can be found in z/OS® V1R4.0 Security Server LDAP Server Admin and Use.
Certificate revocation lists are available from certificate authorities such as Verisign. They are kept in CRL repositories that are available on the world wide web and can be downloaded and stored in an LDAP server. To populate the LDAP server and update certificate revocation lists, use the CICS-supplied transaction CCRL. You can run the CCRL transaction from a terminal or using a START command. To include CRLs in your LDAP server, follow these steps:
  1. Configure the LDAP server to specify which certificate authorities you want to use. See Configuring an LDAP server for CRLs.
  2. Specify the name of the RACF profile that authorizes CICS to access the CRLs in the LDAP server using the CRLPROFILE system initialization parameter.
  3. Run the CCRL transaction. You can choose to run the transaction from a terminal or using a START command. See Running the CCRL transaction for details.
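The steps above describe where the CRLs live (an LDAP directory that CCRL refreshes) and that CICS consults them during the SSL handshake; they do not show what the revocation decision itself looks like. The following added example, which is not CICS code and not part of the original page, models that decision in plain Python: an in-memory stand-in for the directory that only ever replaces a list with a newer one, and a check that requires the CRL to belong to the certificate's issuer (serial numbers are unique only per CA), treats a list past its nextUpdate as a failure rather than as proof of validity, and reports certificateHold entries as revoked. All CA names, serial numbers, dates and reason codes are constructed for the example.

```python
"""Model of a CRL-based client certificate check (added illustration, not CICS code).

The CrlStore plays the part of the LDAP directory that the CCRL transaction
populates; in CICS the actual check is done by System SSL against that directory.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    NO_CRL = "no CRL for issuer"
    STALE_CRL = "CRL past nextUpdate"


@dataclass(frozen=True)
class Certificate:
    issuer: str      # distinguished name of the issuing CA
    serial: int      # serial numbers are unique only within one issuer


@dataclass
class RevocationList:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial -> CRLReason name


class CrlStore:
    """In-memory stand-in for the LDAP directory that CCRL refreshes."""

    def __init__(self):
        self._by_issuer = {}

    def load(self, crl):
        """Install a CRL. A newer thisUpdate replaces the list held for that CA;
        an older one is ignored so a stale download cannot roll the store back."""
        current = self._by_issuer.get(crl.issuer)
        if current is None or crl.this_update > current.this_update:
            self._by_issuer[crl.issuer] = crl

    def lookup(self, issuer):
        return self._by_issuer.get(issuer)


def check_against_crl(cert, crl, now):
    """Decision for one certificate against one CRL."""
    if crl is None or crl.issuer != cert.issuer:
        return Status.NO_CRL            # a CRL from another CA says nothing about this cert
    if now > crl.next_update:
        return Status.STALE_CRL         # fail closed: recent revocations may be missing
    if cert.serial in crl.revoked:
        return Status.REVOKED           # includes certificateHold (temporary revocation)
    return Status.GOOD


def check_client_certificate(cert, store, now):
    """Server side of the handshake: find the issuer's CRL in the directory, then check."""
    return check_against_crl(cert, store.lookup(cert.issuer), now)


# --- constructed sample data (not real CA names, serials or dates) ------------
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
CA = "CN=Example Client CA,O=Example Corp"

CRL_V1 = RevocationList(          # an older list that has already expired
    issuer=CA,
    this_update=NOW - timedelta(days=7),
    next_update=NOW - timedelta(days=1),
    revoked={},
)
CRL_V2 = RevocationList(          # the current list
    issuer=CA,
    this_update=NOW - timedelta(days=1),
    next_update=NOW + timedelta(days=6),
    revoked={0x1002: "keyCompromise", 0x1003: "certificateHold"},
)

GOOD_CERT = Certificate(issuer=CA, serial=0x1001)
REVOKED_CERT = Certificate(issuer=CA, serial=0x1002)
HELD_CERT = Certificate(issuer=CA, serial=0x1003)
OTHER_CA_CERT = Certificate(issuer="CN=Other CA", serial=0x1002)


def build_store():
    """Load the lists as successive CCRL refreshes would; loading v1 after v2 must not roll back."""
    store = CrlStore()
    store.load(CRL_V2)
    store.load(CRL_V1)
    return store


if __name__ == "__main__":
    store = build_store()
    for cert in (GOOD_CERT, REVOKED_CERT, HELD_CERT, OTHER_CA_CERT):
        print(hex(cert.serial), cert.issuer, "->", check_client_certificate(cert, store, NOW).value)
```

The two failure statuses are the ones worth watching operationally: NO_CRL means the directory was never populated for that CA (step 1 or the CCRL run was missed), and STALE_CRL means CCRL has not refreshed the list before its nextUpdate, which is the case for scheduling the transaction rather than running it once.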