Configuring an LDAP server for CRLs

To use certificate revocation lists (CRLs) with CICS, you must have an LDAP server running, and you must configure it for each certificate authority (CA) before you download the CRLs with the CICS-supplied CCRL transaction.

Before you begin

If you need to install and configure an LDAP server, read the z/OS Security Server LDAP Server Admin and Use manual.

Procedure

  1. Ensure that the LDAP server is running. The default started task name is LDAPSRV.
  2. In the z/OS UNIX file system, edit the LDAP server configuration file /etc/ldap/slapd.conf as follows:
    1. Create an administrator distinguished name and password by providing values for adminDN and adminPW.
      The CICS-supplied CCRL transaction uses this identity to update the LDAP server with the certificate revocation lists. Because slapd.conf then holds the administrator password, restrict read access to the file to the LDAP server and its administrators.
    2. Create a suffix entry for every certificate authority from which you want CCRL to download CRLs. For each suffix, use the syntax "O=certificate authority".
      The suffix consists of the part of the certificate authority's distinguished name that starts at the organization ("O=") attribute, together with any other attributes to the right of it. If the suffix contains any of the special characters < , + ; > \ " you must escape each one by preceding it with two backslash characters. If you are using the z/OS LDAP server and the suffix contains any characters that are not in the IBM-1047 code page, encode each such character as the 3-digit octal number of its Unicode code point, preceded by an ampersand.

Example

For example, you could specify the following suffixes in the file slapd.conf:
suffix "O=CompanyName"
suffix "O=CompanyName plc"
suffix "O=CompanyName,L=CompanyLocation,ST=CompanyArea,C=CompanyCountry"
suffix "O=CompanyName\\, Inc."
suffix "O=CompanyName\\, Inc.,C=CompanyCountry"
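
Building these suffix lines by hand from a CA's issuer DN is error-prone, because the comma that separates attributes and the comma inside a value such as "CompanyName, Inc." must be treated differently. The following Python script is an added example, not part of the CICS documentation or the z/OS LDAP server: it takes a CA distinguished name in RFC 4514 string form (the form in which a comma inside a value is written as \,), keeps the O= attribute and everything to its right, and applies the escaping rules given in step 2. It assumes single-valued RDNs with no hexadecimal escapes, and it assumes that the IBM-1047 repertoire is that of Latin-1, so that only code points above U+00FF need the ampersand-octal encoding; the function and variable names are the example's own.

```python
"""Generate slapd.conf suffix lines for CICS CCRL from CA issuer DNs.

Added example; not code from the CICS documentation. Implements the escaping
rules described in the procedure: special characters get two backslashes,
characters outside IBM-1047 become '&' plus a 3-digit octal Unicode value.
"""

# Characters that must be escaped in a slapd.conf suffix (from the procedure).
SPECIAL_CHARS = set('<,+;>\\"')

# Assumption: IBM-1047 covers the Latin-1 repertoire, i.e. code points <= U+00FF.
LAST_IBM1047_CODEPOINT = 0xFF


def split_rdns(dn):
    """Split an RFC 4514 DN string into a list of (attribute, value) pairs.

    A backslash escapes the following character, so "\\," inside a value is a
    literal comma rather than an attribute separator. Multi-valued RDNs (joined
    with '+') and hex escapes are not handled (assumption of this example).
    """
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i + 1])          # keep the escaped character literally
            i += 2
            continue
        if ch == '=' and attr is None:
            attr = ''.join(buf).strip()    # attribute type ends at the first '='
            buf = []
        elif ch == ',':
            rdns.append((attr, ''.join(buf)))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if attr is not None:
        rdns.append((attr, ''.join(buf)))
    return rdns


def escape_suffix_value(value):
    """Apply the slapd.conf suffix escaping rules to one attribute value."""
    out = []
    for ch in value:
        code = ord(ch)
        if ch in SPECIAL_CHARS:
            out.append('\\\\' + ch)        # two backslashes before the character
        elif code > LAST_IBM1047_CODEPOINT:
            if code > 0o777:
                # The 3-digit octal rule in the text cannot represent this code point.
                raise ValueError('code point U+%04X does not fit in 3 octal digits' % code)
            out.append('&%03o' % code)     # e.g. U+0142 -> "&502"
        else:
            out.append(ch)
    return ''.join(out)


def crl_suffix(issuer_dn):
    """Return the slapd.conf suffix line for a CA with the given issuer DN."""
    rdns = split_rdns(issuer_dn)
    for idx, (attr, _) in enumerate(rdns):
        if attr is not None and attr.upper() == 'O':
            kept = rdns[idx:]              # "O=" and everything to its right
            break
    else:
        raise ValueError('issuer DN has no O= attribute: %r' % issuer_dn)
    body = ','.join('%s=%s' % (attr, escape_suffix_value(val)) for attr, val in kept)
    return 'suffix "%s"' % body


def slapd_suffix_block(issuer_dns):
    """Return the suffix lines for several CAs, one per line."""
    return '\n'.join(crl_suffix(dn) for dn in issuer_dns)


if __name__ == '__main__':
    # Constructed sample issuer DNs (not real CAs).
    sample_cas = [
        'CN=Company Root CA,O=CompanyName,C=CompanyCountry',
        'CN=Company Issuing CA,O=CompanyName\\, Inc.,C=CompanyCountry',
        'O=CompanyName plc',
    ]
    print(slapd_suffix_block(sample_cas))
```

Paste the printed lines into slapd.conf, one suffix directive per CA, and compare the result with the issuer DN shown by your certificate tooling: the CN= attribute to the left of O= is intentionally dropped, while the escaped comma inside "CompanyName, Inc." survives as \\, exactly as in the example above.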

What to do next

When you have configured the LDAP server to include all of your certificate authorities, run the CCRL transaction. For details, see Running the CCRL transaction.