z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

IKYP030I
CRL APPROACHING MAXIMUM SIZE

Explanation

PKI Services is creating CRLs as part of CRL processing and has encountered at least one CRL that is approaching the maximum size for CRL posting objects in the object store. This can occur when large CRL posting has not been configured.

System action

PKI Services CRL processing continues. If the CRLs are all less than the record size limit of approximately 32K bytes, CRL processing within PKI Services functions normally. However, CRL processing outside of PKI Services might be adversely affected due to the size of the CRL. If any CRL exceeds the record size limit, PKI Services CRL processing will be unsuccessful, and the large CRLs will not be published to the LDAP directory. When this happens you will also receive message IKYC010I with the error code description Record too long.

System programmer response

It is imperative that you correct the situation immediately. You can take either of these approaches:
  • If you want to continue to use VSAM records or DB2® tables for LDAP posting, and if you are not yet using distribution point CRLs, start using them now. Edit the PKI Services configuration file and add the CRLDistSize directive to the CertPolicy section. If you are already using distribution point CRLs, decrease the value specified for the CRLDistSize directive. Make the appropriate changes and save the configuration file.
    Note: These changes will not result in an immediate reduction in the size of the CRL. You will continue to see this message until the revoked certificates on the CRL expire and are removed from the CRL.
  • Alternatively, you can enable large CRL posting. If you do this, PKI Services stores CRLs in a z/OS® UNIX file system instead of in a VSAM data set or DB2 table, and the record size limit of approximately 32K bytes does not apply. Edit the PKI Services configuration file and add the EnableLargeCRLPosting and LargeCRLPath directives to the CertPolicy section. In addition, you need to configure a z/OS UNIX file system to hold CRLs. For more information, see Enabling support for large CRLs.

Guideline: Enable large CRL posting.

Once the configuration file has been saved, stop and restart PKI Services. For more information, see (Optional) Steps for updating the configuration file.
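
As an added example (not IBM's code), the following Python sketch audits the text of a PKI Services configuration file for the two remedies described above. It assumes the file uses [Section] headers, Key=Value lines and # comments, that a positive CRLDistSize turns on distribution point CRLs, and that T or Y marks EnableLargeCRLPosting as enabled; the sample contents, the path and the function names are constructed for illustration.

```python
import re

# Assumption: spellings that mark a flag directive as enabled.
TRUE_VALUES = {"t", "true", "y", "yes", "1"}

def cert_policy(conf_text):
    """Return the directives of the [CertPolicy] section, keys lower-cased."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "certpolicy" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip().lower()] = value.strip()
    return found

def crl_size_mitigation(conf_text):
    """Classify which remedy for IKYP030I, if any, the configuration applies."""
    policy = cert_policy(conf_text)
    large = policy.get("enablelargecrlposting", "").lower() in TRUE_VALUES
    if large and policy.get("largecrlpath"):
        return "large-crl-posting"
    if large:
        # Both directives are needed; the flag alone names no file system path.
        return "large-crl-posting-missing-path"
    dist = policy.get("crldistsize", "")
    if dist.isdigit() and int(dist) > 0:
        return "distribution-point-crls"
    return "none"

# Constructed samples, not taken from a real system.
SAMPLE_NONE = "[OtherSection]\nCRLDistSize=500\n\n[CertPolicy]\n# no CRL size directives\n"
SAMPLE_DIST = "[CertPolicy]\nCRLDistSize=500\n"
SAMPLE_LARGE = "[CertPolicy]\nEnableLargeCRLPosting=T\nLargeCRLPath=/example/pkiserv/crls\n"
SAMPLE_NO_PATH = "[CertPolicy]\nEnableLargeCRLPosting=T\n"

if __name__ == "__main__":
    for name in ("SAMPLE_NONE", "SAMPLE_DIST", "SAMPLE_LARGE", "SAMPLE_NO_PATH"):
        print(name, "->", crl_size_mitigation(globals()[name]))
```

A result of "none" or "large-crl-posting-missing-path" means neither remedy is fully configured; a directive placed outside the CertPolicy section, as in SAMPLE_NONE, is not counted.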

Copyright IBM Corporation 1990, 2014