gsk_get_directory_crls()
z/OS Cryptographic Services System SSL Programming SC14-7495-00
Gets the certificate revocation lists stored in the LDAP
directory for the issuer.
Format
Parameters
Results
The function return value will be 0 if no error is detected. Otherwise, it will be one of the return codes listed in the gskcms.h include file. These are some possible errors:
Usage
The gsk_get_directory_crls() routine retrieves the certificate revocation lists (CRLs) stored in the LDAP directory for the specified issuer name. When matching UTF-8 encoded attribute values (gsk_string_utf8) in the issuer name, System SSL uses a case sensitive (exact match) comparison.

The directory schema is defined by RFC 2587: PKIX LDAP Version 2 Schema. The revocation lists are stored as attributes of the issuer directory entry. Each CRL is encoded as defined by RFC 5280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. The certificateRevocationList attribute is used to retrieve revocation lists for end-entity certificates while the authorityRevocationList attribute is used to retrieve revocation lists for certification authority certificates.

The dist_point_name parameter specifies the CRL distribution point name. This name is used as the distinguished name for the LDAP directory entry. The issuer_name parameter specifies the CRL issuer name. This name must match the issuer name stored in the CRL.

Retrieved certificate revocation lists are cached so that it is not necessary to contact the LDAP server for subsequent requests for the same issuer. The cached revocation lists will be released when the gsk_close_directory() routine is called to close the directory handle. The cached entries will also be discarded at the end of the cache timeout specified by the GSK_CRL_CACHE_TIMEOUT environment variable (the default timeout is 24 hours).
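The following C model is an added illustration, not IBM code and not a call into System SSL. It works through the rules described under Usage (attribute selection, exact-match UTF-8 issuer comparison, cache timeout and release) to show how long a newly published CRL can stay unseen behind a cached copy. Every identifier in it is hypothetical, the issuer name is a constructed sample, and it assumes the cache is consulted before LDAP and that timeout is the only expiry rule.

```c
/* Added model of the lookup and caching rules described under Usage.
 * It does not call System SSL; every identifier here is hypothetical. */
#include <stdio.h>
#include <string.h>

#define CACHE_TIMEOUT_SECS (24L * 60 * 60) /* default timeout stated on the page */

struct crl_cache { char issuer[128]; long fetched_at; int valid; };

/* Attribute read from the issuer entry: CA certificates use
 * authorityRevocationList, end-entity certificates certificateRevocationList. */
const char *crl_attribute(int for_ca_certs) {
    return for_ca_certs ? "authorityRevocationList" : "certificateRevocationList";
}

/* UTF-8 encoded issuer values: case-sensitive exact match. */
int issuer_matches(const char *requested, const char *stored) {
    return strcmp(requested, stored) == 0;
}

/* 1 = served from the cache (no LDAP contact), 0 = LDAP must be queried. */
int served_from_cache(const struct crl_cache *c, const char *issuer, long now) {
    return c->valid && issuer_matches(issuer, c->issuer) &&
           now - c->fetched_at < CACHE_TIMEOUT_SECS;
}

void cache_store(struct crl_cache *c, const char *issuer, long now) {
    snprintf(c->issuer, sizeof c->issuer, "%s", issuer);
    c->fetched_at = now;
    c->valid = 1;
}

/* Models gsk_close_directory(): the cached lists are released. */
void cache_release(struct crl_cache *c) { c->valid = 0; }

/* 1 if a CRL published at published_at is seen by a check made at time now.
 * A cached copy fetched earlier hides it until the entry is discarded. */
int revocation_visible(const struct crl_cache *c, const char *issuer,
                       long published_at, long now) {
    if (served_from_cache(c, issuer, now))
        return c->fetched_at >= published_at;
    return now >= published_at; /* a fresh fetch returns the current list */
}

int main(void) {
    const char *ca = "CN=Example CA,O=Example"; /* constructed sample name */
    struct crl_cache c = {0};
    cache_store(&c, ca, 0);
    printf("hour 5: %d, hour 25: %d\n", revocation_visible(&c, ca, 3600, 5 * 3600L),
           revocation_visible(&c, ca, 3600, 25 * 3600L));
    return 0;
}
```

In this model a revocation published one hour after the first lookup stays invisible until the entry times out or the directory handle is closed, which is the exposure window to weigh when choosing a GSK_CRL_CACHE_TIMEOUT value.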
Copyright IBM Corporation 1990, 2014