You can configure CICS® to use certificate revocation lists (CRLs) to check
the validity of client certificates presented during SSL handshakes. A client
certificate that its issuing certificate authority has revoked is then rejected
even though its signature and validity dates are otherwise acceptable.
To use certificate revocation lists, you must install and configure
an LDAP server. Details on how to perform these tasks can be found in z/OS® V1R4.0
Security Server LDAP Server Admin and Use.
Certificate revocation lists are published by certificate authorities
such as Verisign. They are kept in CRL repositories that are available on
the world wide web and can be downloaded and stored in an LDAP server, where
CICS reads them. To populate the LDAP server with CRLs, and to refresh them
afterwards (certificate authorities reissue their CRLs regularly, so the stored
copies go stale), use the CICS-supplied transaction CCRL. You can run the CCRL
transaction from a terminal or using a START command. To include CRLs in your
LDAP server, follow these steps:
- Configure the LDAP server to specify which certificate authorities
you want to use. See Configuring an LDAP server for CRLs.
- Specify the name of the RACF profile that authorizes CICS
to access the CRLs in the LDAP server using the CRLPROFILE system initialization
parameter.
- Run the CCRL transaction. You can
choose to run the transaction from a terminal or using a START command. See Running the CCRL transaction for details.
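The following job shows how the pieces of this procedure fit together. It is an added example, not part of the CICS documentation. It defines the RACF profile that CRLPROFILE names (the profile is in the LDAPBIND class and carries a PROXY segment that holds the LDAP URL and the bind credentials CICS uses), grants the CICS region user ID the READ access it needs, and records the matching SIT override and the terminal command that starts the first CCRL run. The profile name CICS.CRL.LDAP, the region user ID CICSRGN, the LDAP host, the bind DN and password, and the CRL URL are all assumptions; check the exact CCRL command syntax against Running the CCRL transaction before use.

```jcl
//CRLSETUP JOB (ACCT),'CRL SETUP',CLASS=A,MSGCLASS=X
//* Added example, not from the CICS documentation.
//* Assumed names: profile CICS.CRL.LDAP, region user ID CICSRGN,
//* LDAP server ldap.example.com, bind DN cn=cicscrl,o=Example.
//*
//* Step 1: define the LDAPBIND profile that CRLPROFILE will name.
//* The PROXY segment tells CICS where the LDAP server is and how to bind.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(LDAPBIND)
  RDEFINE LDAPBIND CICS.CRL.LDAP UACC(NONE) -
     PROXY(LDAPHOST(ldap://ldap.example.com:389) -
           BINDDN('cn=cicscrl,o=Example') -
           BINDPW(changeit))
  /* Only the CICS region user ID may use these bind credentials. */
  PERMIT CICS.CRL.LDAP CLASS(LDAPBIND) ID(CICSRGN) ACCESS(READ)
/*
//*
//* Step 2: point CICS at the profile. Add this line to the SIT
//* overrides in the SYSIN of the CICS region job (shown here as a
//* comment; it is not executed by this job):
//*
//*   CRLPROFILE=CICS.CRL.LDAP,
//*
//* Step 3: after the region is up, load the CRLs into LDAP from a
//* terminal, giving CCRL the URL of each CA's published CRL
//* (assumed URL), and rerun it on the schedule the CA reissues its CRL:
//*
//*   CCRL http://crl.example.com/ExampleCA.crl
//*
```

Keep UACC(NONE) on the LDAPBIND profile: the PROXY segment contains the LDAP bind password, and anyone with READ access to the profile can bind to the LDAP server with those credentials.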