PKI Services maintains two databases containing information about
certificate requests and issued certificates:
- The object store, or request database, holds records
  to track active certificate requests and posting objects for certificates
  and certificate revocation lists. Object store records are not permanent.
  They are deleted when they are no longer needed:
  - CRL posting requests and certificate posting requests are removed
    when they are successfully posted to LDAP.
  - Revocation requests are deleted at the end of revocation processing.
  - When a certificate is retrieved by the requestor, the certificate
    request is deleted after the time period specified by the parameter RemovedCompletedReqs in
    the configuration file (by default one week).
  - If a certificate is not retrieved by the requestor, the certificate
    request is deleted after the time period specified by the parameter RemovedInactiveReqs in
    the configuration file (by default four weeks).
- The issued certificate list (ICL) contains a permanent
  record for each certificate that PKI Services issues.
  There is one ICL record for each issued certificate.
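The following is an added illustration, not code from PKI Services or from this documentation, of how the object-store retention rules above play out over a set of records. The record types, field names and the `sweep` function are assumptions made for the example; it also assumes that the RemovedCompletedReqs clock starts when the requestor retrieves the certificate and the RemovedInactiveReqs clock starts when the request was created, which the text does not state explicitly. ICL records are deliberately not modelled, since the text says they are permanent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple

# Hypothetical object-store record kinds (names assumed for this example).
class Kind(Enum):
    CERT_REQUEST = "cert_request"   # an active certificate request
    CERT_POST = "cert_post"         # request to post a certificate to LDAP
    CRL_POST = "crl_post"           # request to post a CRL to LDAP
    REVOCATION = "revocation"       # a revocation request being processed

@dataclass
class Record:
    rec_id: str
    kind: Kind
    created: datetime
    retrieved_at: Optional[datetime] = None  # CERT_REQUEST: when the requestor picked up the certificate
    posted_ok: bool = False                  # CERT_POST / CRL_POST: LDAP post succeeded
    processing_done: bool = False            # REVOCATION: revocation processing finished

# Defaults mirror the documented defaults: one week and four weeks.
DEFAULT_REMOVED_COMPLETED_REQS = timedelta(weeks=1)
DEFAULT_REMOVED_INACTIVE_REQS = timedelta(weeks=4)

def is_removable(rec: Record, now: datetime,
                 removed_completed_reqs: timedelta = DEFAULT_REMOVED_COMPLETED_REQS,
                 removed_inactive_reqs: timedelta = DEFAULT_REMOVED_INACTIVE_REQS) -> bool:
    """Apply the retention rules described for the object store."""
    if rec.kind in (Kind.CERT_POST, Kind.CRL_POST):
        # Posting requests go away as soon as the LDAP post succeeds.
        return rec.posted_ok
    if rec.kind is Kind.REVOCATION:
        # Revocation requests go away at the end of revocation processing.
        return rec.processing_done
    # Certificate requests: retrieved vs. not retrieved use different timers.
    if rec.retrieved_at is not None:
        return now - rec.retrieved_at >= removed_completed_reqs   # assumption: clock starts at retrieval
    return now - rec.created >= removed_inactive_reqs             # assumption: clock starts at creation

def sweep(records: List[Record], now: datetime, **timers) -> Tuple[List[str], List[str]]:
    """Return (ids deleted, ids kept) for one cleanup pass."""
    deleted = [r.rec_id for r in records if is_removable(r, now, **timers)]
    kept = [r.rec_id for r in records if not is_removable(r, now, **timers)]
    return deleted, kept

# Constructed sample records for a run on 2024-01-29.
SAMPLE_NOW = datetime(2024, 1, 29)
SAMPLE_RECORDS = [
    Record("req-retrieved", Kind.CERT_REQUEST, datetime(2024, 1, 1), retrieved_at=datetime(2024, 1, 20)),
    Record("req-young", Kind.CERT_REQUEST, datetime(2024, 1, 10)),      # 19 days old, never retrieved
    Record("req-stale", Kind.CERT_REQUEST, datetime(2023, 12, 1)),      # 59 days old, never retrieved
    Record("crl-pending", Kind.CRL_POST, datetime(2024, 1, 28), posted_ok=False),
    Record("cert-posted", Kind.CERT_POST, datetime(2024, 1, 28), posted_ok=True),
    Record("rev-done", Kind.REVOCATION, datetime(2024, 1, 27), processing_done=True),
]

if __name__ == "__main__":
    gone, stay = sweep(SAMPLE_RECORDS, SAMPLE_NOW)
    print("deleted:", gone)
    print("kept:   ", stay)
```

Running the block deletes the retrieved request (9 days past retrieval, beyond the one-week default), the 59-day-old unretrieved request, the successfully posted certificate and the finished revocation, while keeping the 19-day-old unretrieved request and the CRL whose LDAP post has not yet succeeded.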
You have two options for implementation of the object store and
ICL:
- VSAM data sets.
- DB2® tables. (This option
  was introduced in z/OS® V1R13.)
Some things you should consider when choosing which option to
use:
- VSAM is shipped with z/OS,
  but you must purchase DB2.
- VSAM supports limited query functions and does not allow users
  to create their own queries. DB2 allows
  users to create queries.
Certificate revocation lists (CRLs) created temporarily in the
object store for LDAP posting are limited in size to approximately
32KB. You can avoid this limitation by enabling support for large
CRLs, which causes CRLs to be stored in the z/OS UNIX file
system instead of the object store. For more information, see Enabling support for large CRLs.