Setting up authorization to create and access CRLs and certificates

z/OS Cryptographic Services PKI Services Guide and Reference, SA23-2286-00
Certificate revocation lists (CRLs) in an LDAP directory have an attribute of critical, which allows only the LDAP administrator to read them. If you are configuring PKI Services for the first time, the LDAP programmer needs to set up an LDAP access control list (ACL) to allow users other than the LDAP administrator to read CRLs. If the ACL is not set up, only the LDAP administrator can retrieve CRLs from LDAP. Other users might get access violation messages if they attempt to retrieve a CRL from LDAP, and LDAP does not return the CRL.

In addition, if the distinguished name to be used for LDAP binding is not the LDAP administrator, the LDAP programmer needs to set up another LDAP ACL to allow that distinguished name to create CRLs and certificates. You define the distinguished name to be used for LDAP binding in the AuthName1 line of the pkiserv.conf file. For more information about the AuthName1 line, see Tailoring the PKI Services configuration file for LDAP. For information about setting up LDAP ACLs, see the discussion of access control in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

Tips: When setting up an LDAP ACL for PKI Services, consider these facts:
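The following LDIF fragment is an added illustration of the two ACL grants described above; it is not taken from the IBM documentation or from PKI Services itself. It assumes the IBM Tivoli Directory Server aclEntry syntax (access-id or group, followed by attribute classes and permission letters), an LDAP suffix of o=Example under which PKI Services publishes CRLs and certificates, and cn=pkibind,o=Example as the bind DN configured on the AuthName1 line. Both DNs are placeholders to be replaced with the values used at your site.

```ldif
# Added example, not IBM's own configuration. Placeholders:
#   o=Example              - assumed suffix that holds CRLs and certificates
#   cn=pkibind,o=Example   - assumed AuthName1 bind DN from pkiserv.conf
dn: o=Example
changetype: modify
add: aclEntry
# Grant 1: CRLs live in the "critical" attribute class, which only the
# LDAP administrator can read by default. Give authenticated users
# read/search/compare (rsc) on the normal and critical classes so they can
# retrieve a CRL instead of getting an access violation.
aclEntry: group:cn=Authenticated:normal:rsc:critical:rsc
# Grant 2: the non-administrator bind DN must be able to add subordinate
# entries (object:ad) and write all attribute classes, so that PKI Services
# can publish CRLs and certificates when it binds as that DN.
aclEntry: access-id:cn=pkibind,o=Example:object:ad:normal:rwsc:sensitive:rwsc:critical:rwsc
-
replace: aclPropagate
aclPropagate: TRUE
-
```

The first entry uses the cn=Authenticated pseudo-DN so that CRL retrieval requires a bound user; if relying parties fetch CRLs anonymously, cn=Anybody is the pseudo-DN to grant instead, and it is worth keeping that grant limited to rsc so anonymous clients cannot modify the entries. Setting aclPropagate to TRUE makes the ACL apply to the subtree where the CRL and certificate entries are created, rather than only to the suffix entry itself.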
Copyright IBM Corporation 1990, 2014