Setting up authorization to create and access CRLs and certificates

Certificate revocation lists (CRLs) in an LDAP directory are stored in an attribute whose access class is critical, which by default allows only the LDAP administrator to read them. If you are configuring PKI Services for the first time, the LDAP programmer needs to set up an LDAP access control list (ACL) to allow users other than the LDAP administrator to read CRLs. If the ACL is not set up, only the LDAP administrator can retrieve CRLs from LDAP. Other users might get access violation messages if they attempt to retrieve a CRL from LDAP, and LDAP does not return the CRL.

In addition, if the distinguished name to be used for LDAP binding is not the LDAP administrator, the LDAP programmer needs to set up another LDAP ACL to allow that distinguished name to create CRLs and certificates. You define the distinguished name to be used for LDAP binding in the AuthName1 line of the pkiserv.conf file. For more information about the AuthName1 line, see Tailoring the PKI Services configuration file for LDAP.

For information about setting up LDAP ACLs, see the information about access control in z/OS IBM Tivoli Directory Server Administration and Use for z/OS.

Tips: When setting up an LDAP ACL for PKI Services, consider these facts:
  • You can use the entryOwner attribute to allow an application to read and write LDAP entries without having to use the LDAP administrator bind credentials.
  • You can use a propagating ACL (the aclPropagate attribute is set to TRUE) to allow the defined ACL to cover new CRLs created by PKI Services.
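The following LDIF is an added example, not part of the PKI Services or IBM Tivoli Directory Server documentation. It combines both tips above on one container entry: a propagating ACL that lets any bound user read the critical attribute class (where the CRL lives), and a propagating entryOwner for the AuthName1 bind DN so PKI Services can create and update CRL and certificate entries without the LDAP administrator credentials. The suffix o=PKIExample, the container ou=CRLs, and the bind DN cn=PKIServ,o=PKIExample are assumed placeholders; substitute the values from your own directory and pkiserv.conf.

```ldif
# Constructed example: apply to the entry under which PKI Services writes CRLs.
# Replace o=PKIExample, ou=CRLs and cn=PKIServ,o=PKIExample with your values.
dn: ou=CRLs,o=PKIExample
changetype: modify
replace: aclEntry
# Anyone (bound or anonymous) may read, search and compare the normal and
# critical attribute classes; no write rights are granted here.
aclEntry: group:cn=Anybody:normal:rsc:critical:rsc
-
replace: aclPropagate
# TRUE: entries that PKI Services creates below this container inherit the ACL,
# so newly generated CRLs are readable without further ACL changes.
aclPropagate: TRUE
-
replace: entryOwner
# The AuthName1 bind DN owns the entry and therefore has full read/write access
# to it; no separate aclEntry granting write rights to this DN is needed.
entryOwner: access-id:cn=PKIServ,o=PKIExample
-
replace: ownerPropagate
# TRUE: child entries created later are also owned by the bind DN.
ownerPropagate: TRUE
-
```

Apply the file with ldapmodify while bound as the LDAP administrator, then verify by retrieving a CRL with a non-administrator bind (or anonymously) and by confirming that the AuthName1 DN, but no other non-administrator DN, can add an entry under the container.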