To use certificate revocation lists (CRLs), you must have an LDAP
server running. You will also need to perform some configuration steps before
you download the CRLs.
If you need to install and configure an LDAP server, read the z/OS
V1R4 Security Server LDAP Server Admin and Use manual.
- Ensure that the LDAP server is running. The default started task name is LDAPSRV.
- In the hierarchical file system (HFS), in etc/ldap, edit the configuration file slapd.conf as follows:
  - Create an administrator distinguished name and password by providing values for adminDN and adminPW. The CICS-supplied CCRL transaction requires this information to update the LDAP server with the certificate revocation lists.
  - Create a suffix entry for every certificate authority that you want to download CRLs from using CCRL. For each suffix, use the syntax "O=certificate authority". The suffix consists of the part of the certificate authority's distinguished name that begins at the organization ("O=") keyword, together with any other keywords to the right of it. If the suffix contains any of the special characters < , + ; > \ " (less than, comma, plus, semicolon, greater than, backslash, double quote), you must escape each of them with two backslash characters. If you are using the z/OS LDAP server and the suffix contains any characters that are not in code page 1047, escape those characters by encoding them as the 3-digit octal number of their Unicode representation, preceded by an ampersand.
    For example, you could specify the following suffixes in the file slapd.conf:
      suffix "O=CompanyName"
      suffix "O=CompanyName plc"
      suffix "O=CompanyName,L=CompanyLocation,ST=CompanyArea,C=CompanyCountry"
      suffix "O=CompanyName\\, Inc."
      suffix "O=CompanyName\\, Inc.,C=CompanyCountry"
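The following Python script is an added example, not part of the CICS documentation or the CCRL transaction itself. It derives a slapd.conf suffix entry from a certificate authority's distinguished name using the rules above: take the "O=" component and everything to its right, escape the special characters < , + ; > \ " with two backslashes, and (for the z/OS LDAP server) write any character outside code page 1047 as an ampersand followed by its 3-digit octal Unicode value. The assumption that code page 1047 has the same character repertoire as ISO-8859-1, and so "encodable as latin-1" can stand in for "in code page 1047", is mine; the DN is supplied as an ordered list of (attribute, value) pairs rather than parsed from a string, which keeps commas inside values unambiguous.

```python
"""Build slapd.conf suffix entries for CCRL from a CA distinguished name.

Added example, not from the CICS documentation.  Assumption: the repertoire
of code page 1047 equals that of ISO-8859-1 (latin-1), so latin-1
encodability is used as the "in code page 1047" test.
"""

# Characters the documentation says must be escaped with two backslashes.
SPECIAL = set('<,+;>\\"')


def escape_value(value: str) -> str:
    """Escape one attribute value for use inside a quoted suffix entry."""
    out = []
    for ch in value:
        try:
            ch.encode("latin-1")  # stand-in for "is in code page 1047"
        except UnicodeEncodeError:
            cp = ord(ch)
            # The documented form is a 3-digit octal number; anything above
            # octal 777 (U+01FF) cannot be written that way, so refuse it
            # rather than emit a value the server would read differently.
            if cp > 0o777:
                raise ValueError(
                    f"U+{cp:04X} cannot be written as a 3-digit octal number")
            out.append("&" + format(cp, "03o"))
            continue
        if ch in SPECIAL:
            out.append("\\\\" + ch)  # two backslashes, then the character
        else:
            out.append(ch)
    return "".join(out)


def ca_suffix(dn_components) -> str:
    """Return the suffix text for a CA DN.

    dn_components is an ordered list of (attribute, value) pairs, most
    specific first, e.g. [("CN", "Example CA"), ("O", "CompanyName"),
    ("C", "CompanyCountry")].  The suffix is the O= component plus every
    component to its right.
    """
    for i, (attr, _) in enumerate(dn_components):
        if attr.upper() == "O":
            tail = dn_components[i:]
            break
    else:
        raise ValueError("CA distinguished name has no O= component")
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in tail)


def suffix_line(dn_components) -> str:
    """Return the complete slapd.conf line for one certificate authority."""
    return f'suffix "{ca_suffix(dn_components)}"'


if __name__ == "__main__":
    # Constructed sample DNs; the CN/OU parts are dropped by ca_suffix.
    samples = [
        [("CN", "Example CA"), ("O", "CompanyName")],
        [("CN", "Example CA"), ("OU", "PKI"), ("O", "CompanyName, Inc."),
         ("C", "CompanyCountry")],
        [("O", "CompanyName\u0101"), ("C", "CompanyCountry")],
    ]
    for dn in samples:
        print(suffix_line(dn))
```

Running the script prints lines in the same form as the examples above; the second sample reproduces `suffix "O=CompanyName\\, Inc.,C=CompanyCountry"` exactly, and the third shows the ampersand-octal form for a character outside code page 1047.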
When you have configured the LDAP server to include all of your certificate
authorities, run the CCRL transaction. For details, see
Running the CCRL transaction.