CRLPROFILE

The CRLPROFILE parameter specifies the name of the profile that is used to authorize CICS® to access the certificate revocation lists (CRLs) that are stored in an LDAP server.

CRLPROFILE=PROFILENAME
The profile name is specified in the external security manager's LDAPBIND general resource class that contains bind information for an LDAP server. The profile name must be uppercase and can be up to 246 characters in length.

The profile must contain the name of the LDAP server and the distinguished name and password of a user who is authorized to extract certificate revocation lists from it. For more information about setting up the profile, see Configuring LDAP for CICS use.

Specifying this parameter means that CICS checks each client certificate during the SSL negotiation for a revoked status using the certificate revocation lists in the LDAP server. If the certificate is revoked, CICS closes the connection immediately. If the CRLPROFILE parameter is omitted, CICS does not check the revoked status of certificates during SSL handshakes.

If the CRLPROFILE parameter is specified but is invalid, or if the specified profile contains invalid data, or if the LDAP server identified by the profile is unavailable when the CICS region starts, the CICS region disables its own access to the LDAP server and does not check the revoked status of certificates during SSL handshakes. Messages DFHSO0128 and DFHSO0129 report this problem. To restore access, you must fix the error and restart the CICS region.

The bind information for the LDAP server is cached in the SSL environment for the CICS region, which is managed by z/OS® System SSL. When you issue the PERFORM SSL REBUILD command, the bind information for the LDAP server is refreshed from the external security manager. The PERFORM SSL REBUILD command cannot restore access to the LDAP server if the CICS region has disabled it. The refresh only takes place for an LDAP server that was available to the CICS region at the time when the command was issued.
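The following Python model, added here as an illustration and not IBM's code, walks through the behaviour this page describes: the profile-name rules, the start-up decision that either enables CRL checking or disables LDAP access for the life of the region, the per-handshake accept or close decision, the fact that PERFORM SSL REBUILD cannot re-enable access once it is disabled, and a log check for the DFHSO0128 and DFHSO0129 messages that signal the region is running without revocation checking. The LDAP server is stood in for by a dictionary of revoked serial numbers, and the profile names, issuer names, serial numbers and message texts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_PROFILE_LEN = 246          # limit stated for the CRLPROFILE value

@dataclass
class LdapServer:
    """Stand-in for the LDAP server holding the CRLs (constructed)."""
    available: bool
    revoked: Dict[str, Set[str]]            # issuer -> revoked serial numbers

@dataclass
class CicsSslEnv:
    """Per-region SSL environment: is LDAP access enabled, and what was cached."""
    crlprofile: Optional[str]
    ldap_access: bool = False
    messages: List[str] = field(default_factory=list)
    cached_bind: Optional[dict] = None      # stands in for bind info cached by System SSL

def validate_profile_name(name: str) -> bool:
    """CRLPROFILE value must be uppercase and at most 246 characters."""
    return 0 < len(name) <= MAX_PROFILE_LEN and name == name.upper()

def region_start(crlprofile: Optional[str], profiles: dict, ldap: LdapServer) -> CicsSslEnv:
    """Start-up decision: checking is enabled only if profile and LDAP are both good."""
    env = CicsSslEnv(crlprofile)
    if crlprofile is None:
        return env                          # parameter omitted: no checking, no messages
    profile = profiles.get(crlprofile) if validate_profile_name(crlprofile) else None
    if profile is None or not {"host", "binddn", "bindpw"} <= set(profile):
        # constructed message text; only the message identifier comes from the page
        env.messages.append("DFHSO0128 CRLPROFILE invalid or profile data invalid")
        return env
    if not ldap.available:
        env.messages.append("DFHSO0129 LDAP server unavailable, access disabled")
        return env
    env.ldap_access = True
    env.cached_bind = dict(profile)
    return env

def ssl_handshake(env: CicsSslEnv, ldap: LdapServer, issuer: str, serial: str) -> str:
    """Return 'close' for a revoked client certificate, otherwise 'accept'."""
    if not env.ldap_access:
        return "accept"                     # revocation status is simply not checked
    if serial in ldap.revoked.get(issuer, set()):
        return "close"                      # CICS closes the connection immediately
    return "accept"

def perform_ssl_rebuild(env: CicsSslEnv, profiles: dict) -> bool:
    """PERFORM SSL REBUILD refreshes cached bind info but cannot restore disabled access."""
    if env.ldap_access:
        env.cached_bind = dict(profiles[env.crlprofile])
    return env.ldap_access

CRL_DISABLED_MSGS = ("DFHSO0128", "DFHSO0129")

def find_crl_disabled(log_lines: List[str]) -> List[str]:
    """Detection: job-log lines showing the region runs without CRL checking."""
    return [line for line in log_lines if any(m in line for m in CRL_DISABLED_MSGS)]

if __name__ == "__main__":
    # constructed sample data
    profiles = {"CICSCRL": {"host": "ldap://ldap.example.test:389",
                            "binddn": "cn=crlreader,o=example", "bindpw": "x"}}
    ldap = LdapServer(available=True, revoked={"CN=Example CA": {"1A2B"}})
    env = region_start("CICSCRL", profiles, ldap)
    print(env.ldap_access, ssl_handshake(env, ldap, "CN=Example CA", "1A2B"))
    log = ["DFHSO0129 CICSA LDAP server unavailable, access disabled", "DFHSI1517 Control is being given to CICS."]
    print(find_crl_disabled(log))
```

The point for a defender is the second start-up path: when the LDAP server is down at start-up, every later handshake is accepted without a revocation check until the region is restarted, so the two message identifiers deserve an alert rather than a note in the job log.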