The object store and ICL

PKI Services maintains two databases containing information about certificate requests and issued certificates:
  • The object store, or request database, holds records that track active certificate requests, along with posting objects for certificates and certificate revocation lists (CRLs). Object store records are not permanent; they are deleted when they are no longer needed:
    • CRL posting requests and certificate posting requests are removed when they are successfully posted to LDAP.
    • Revocation requests are deleted at the end of revocation processing.
    • When the requestor retrieves a certificate, the certificate request is deleted after the time period specified by the RemovedCompletedReqs parameter in the configuration file (by default, one week).
    • If the requestor does not retrieve a certificate, the certificate request is deleted after the time period specified by the RemovedInactiveReqs parameter in the configuration file (by default, four weeks).
  • The issued certificate list (ICL) contains a permanent record for each certificate that PKI Services issues. There is one ICL record for each issued certificate.
You have two options for implementing the object store and ICL:
  • VSAM data sets.
  • DB2® tables (this option was introduced in z/OS® V1R13).
Consider the following when choosing which option to use:
  • VSAM is shipped with z/OS, but you must purchase DB2.
  • VSAM supports only limited query functions and does not allow users to create their own queries; DB2 allows users to create their own queries.

Certificate revocation lists (CRLs) that are created temporarily in the object store for LDAP posting are limited in size to approximately 32 KB. You can avoid this limitation by enabling support for large CRLs, which causes CRLs to be stored in the z/OS UNIX file system instead of the object store. For more information, see Enabling support for large CRLs.