IKYP030I   CRL APPROACHING MAXIMUM SIZE

Explanation

PKI Services is creating CRLs as part of CRL processing and has encountered at least one CRL that is approaching the maximum size for CRL posting objects in the object store. This can occur when large CRL posting has not been configured.

System action

PKI Services CRL processing continues. If the CRLs are all less than the record size limit of approximately 32 K bytes, CRL processing within PKI Services functions normally. However, CRL processing outside of PKI Services might be adversely affected due to the size of the CRL. If any CRL exceeds the record size limit, PKI Services CRL processing is unsuccessful, and the large CRLs are not published to the LDAP directory. When this happens, you also receive message IKYC010I with the error code description "Record too long".

System programmer response

It is imperative that you correct the situation immediately. You can take either of these approaches:
  • If you want to continue to use VSAM records or DB2® tables for LDAP posting, and if you are not yet using distribution point CRLs, start using them now. Edit the PKI Services configuration file and add the CRLDistSize directive to the CertPolicy section. If you are already using distribution point CRLs, decrease the value specified for the CRLDistSize directive. Make the appropriate changes and save the configuration file.
    Note: These changes do not result in an immediate reduction in the size of the CRL. You continue to see this message until the revoked certificates on the CRL expire and are removed from the CRL.
  • Alternatively, you can enable large CRL posting. If you do this, PKI Services stores CRLs in a z/OS® UNIX file system instead of in a VSAM data set or DB2 table, and the record size limit of approximately 32 K bytes does not apply. Edit the PKI Services configuration file and add the EnableLargeCRLPosting and LargeCRLPath directives to the CertPolicy section. In addition, you need to configure a z/OS UNIX file system to hold CRLs. For more information, see Enabling support for large CRLs.

Guideline: Enable large CRL posting.

When the configuration file is saved, stop and restart PKI Services. For more information, see (Optional) Steps for updating the configuration file.
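
Because a reduced CRLDistSize does not shrink existing CRLs right away, it helps to track how close each published CRL is to the limit. The following Python sketch is an added example, not part of PKI Services or the original documentation: it walks a DER-encoded CRL, counts its revoked entries, and compares its size with the approximately 32 K byte record limit described above. The 80% warning threshold, the function names, and the sample CRL are assumptions made for illustration, and the DER size only approximates the size of the posting object in the object store.

```python
RECORD_LIMIT = 32 * 1024  # "approximately 32 K bytes", from the message text
WARN_RATIO = 0.8          # assumption: the page gives no "approaching" threshold

def tlv(tag, content):
    """DER-encode one element (builds the constructed sample only)."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    size = first & 0x7F if first & 0x80 else 0   # long form: count of length octets
    length = int.from_bytes(buf[pos + 2:pos + 2 + size], "big") if size else first
    end = pos + 2 + size + length
    if first == 0x80 or end > len(buf):
        raise ValueError("indefinite or truncated DER element")
    return tag, pos + 2 + size, end

def children(buf, start, end):
    while start < end:
        tag, cs, ce = read_tlv(buf, start)
        yield tag, cs, ce
        start = ce

def crl_report(der):
    """Size a DER CRL against RECORD_LIMIT and count its revoked entries."""
    _, cs, size = read_tlv(der, 0)               # CertificateList
    _, ts, te = next(children(der, cs, size))    # TBSCertList
    entries, revoked_bytes, seen_time = 0, 0, False
    for tag, s, e in children(der, ts, te):
        if tag in (0x17, 0x18):                  # thisUpdate / nextUpdate
            seen_time = True
        elif tag == 0x30 and seen_time:          # revokedCertificates
            entries, revoked_bytes = sum(1 for _ in children(der, s, e)), e - s
            break
    status = ("exceeds" if size > RECORD_LIMIT else
              "approaching" if size >= WARN_RATIO * RECORD_LIMIT else "ok")
    room = max(0, RECORD_LIMIT - size) * entries // revoked_bytes if entries else None
    return {"size": size, "entries": entries, "status": status, "room": room}

def sample_crl(n):
    """Constructed input: CRL skeleton with n revoked entries, zeroed signature."""
    when = tlv(0x17, b"250101000000Z")
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"Constructed CA"))))
    revoked = b"".join(tlv(0x30, tlv(0x02, (2**60 + i).to_bytes(8, "big")) + when) for i in range(n))
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + when + when + tlv(0x30, revoked))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(257)))
```

In the returned dictionary, `room` estimates how many more revoked entries of the current average size fit before the CRL crosses the limit.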