The CICS-supplied transaction CCRL allows you to download
and store certificate revocation lists (CRLs) that can be used in
the SSL handshake to determine if client certificates are valid.
You need to configure an LDAP server to specify which certificate
authorities you want to use and to create an administrator ID and
password. See
Configuring an LDAP server for CRLs for
detailed instructions.

Certificate revocation lists are available from certificate
authorities such as Verisign. They are kept in CRL repositories that
are available on the World Wide Web and can be downloaded and stored
in an LDAP server. To populate the LDAP server and update certificate
revocation lists, use the CICS-supplied transaction CCRL. You can
run the CCRL transaction from a terminal or using a START command.
Use the START command to schedule regular updates.

- Specify the name of the profile that authorizes CICS to
use the LDAP server in the CRLPROFILE system
initialization parameter.
- Run the CCRL transaction using one of the following methods: