The object store and ICL
PKI Services maintains two databases containing information about
certificate requests and issued certificates:
- The object store, or request database, holds records that track active certificate requests, plus posting objects for certificates and certificate revocation lists (CRLs). Object store records are not permanent. They are deleted when they are no longer needed:
  - CRL posting requests and certificate posting requests are removed when they are successfully posted to LDAP.
  - Revocation requests are deleted at the end of revocation processing.
  - When a certificate is retrieved by the requestor, the certificate request is deleted after the time period specified by the RemoveCompletedReqs parameter in the configuration file (by default one week).
  - If a certificate is not retrieved by the requestor, the certificate request is deleted after the time period specified by the RemoveInactiveReqs parameter in the configuration file (by default four weeks).
- The issued certificate list (ICL) contains one permanent record for each certificate that PKI Services issues.
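The two retention parameters above are set in the PKI Services configuration file (pkiserv.conf). The stanza below is an added illustration, not text from the product documentation or the shipped sample file; the [ObjectStore] section name and the "w" (weeks) time-unit syntax are assumptions from general familiarity with the sample configuration and should be checked against the configuration reference for your z/OS release.

```ini
; Added example, not from the original page. Assumes the [ObjectStore]
; section of pkiserv.conf and the <n>w time-value syntax.
[ObjectStore]
; Requests whose certificate was retrieved by the requestor:
; purged from the object store after one week (the documented default).
RemoveCompletedReqs=1w
; Requests whose certificate was never retrieved:
; purged after four weeks (the documented default).
RemoveInactiveReqs=4w
```

Shortening either value reduces how long a pending or abandoned request (and the identity data it carries) remains in the object store; lengthening RemoveCompletedReqs gives requestors more time to come back for a certificate before the request record is gone.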
You have two options for implementing the object store and ICL:
- VSAM data sets.
- DB2® tables. (This option was introduced in z/OS® V1R13.)
Consider the following differences when choosing between them:
- VSAM is shipped with z/OS, but you must purchase DB2.
- VSAM supports only a limited set of predefined query functions and does not allow users to create their own queries. DB2 allows users to write their own queries against the tables.
Certificate revocation lists (CRLs) created temporarily in the object store for LDAP posting are limited in size to approximately 32 KB. You can avoid this limitation by enabling support for large CRLs, which causes CRLs to be stored in the z/OS UNIX file system instead of the object store. For more information, see Enabling support for large CRLs.