Running the CCRL transaction

The CICS-supplied transaction CCRL allows you to download and store certificate revocation lists (CRLs) that can be used in the SSL handshake to determine if client certificates are valid.

Before you begin

You need to configure an LDAP server to specify which certificate authorities you want to use, and to create an administrator ID and password. See Configuring an LDAP server for CRLs for detailed instructions.

About this task

Certificate revocation lists are available from certificate authorities such as Verisign. They are kept in CRL repositories that are available on the World Wide Web and can be downloaded and stored in an LDAP server. To populate the LDAP server and update certificate revocation lists, use the CICS-supplied transaction CCRL. You can run the CCRL transaction from a terminal or using a START command. Use the START command to schedule regular updates.

Procedure

  1. Specify the name of the LDAP server in the system initialization parameter CRLPROFILE.
  2. Run the CCRL transaction.
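
The scheduled update described above, as an added example that is not taken from the CICS documentation: a small COBOL program that re-queues itself every 24 hours and starts CCRL each time it runs. Assumptions: the program name CRLSCHED, the abend codes and the example.com URLs are hypothetical placeholders, and passing the CRL URLs to CCRL as a space-separated list in the FROM data is an assumed input format that this page does not show.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. CRLSCHED.
      * Added example (hypothetical program): queue the next daily
      * run, then start CCRL with a list of CRL URLs.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01  WS-URL-LIST         PIC X(200) VALUE SPACES.
       01  WS-URL-PTR          PIC S9(4) COMP VALUE 1.
       01  WS-URL-LEN          PIC S9(4) COMP.
       01  WS-RESP             PIC S9(8) COMP.
       PROCEDURE DIVISION.
       MAIN-PARA.
      * Constructed placeholder URLs, separated by one space
      * (assumed input format for CCRL).
           STRING 'http://crl.example.com/ca1.crl' DELIMITED BY SIZE
                  ' '                              DELIMITED BY SIZE
                  'http://crl.example.com/ca2.crl' DELIMITED BY SIZE
               INTO WS-URL-LIST WITH POINTER WS-URL-PTR
           END-STRING
      * Pass only the bytes written, not the trailing blanks.
           COMPUTE WS-URL-LEN = WS-URL-PTR - 1
      * Re-queue this transaction 24 hours from now (INTERVAL is
      * hhmmss) before anything else, so a failure below does not
      * end the schedule.
           EXEC CICS START TRANSID(EIBTRNID)
                INTERVAL(240000)
                RESP(WS-RESP)
           END-EXEC
           IF WS-RESP NOT = DFHRESP(NORMAL)
               EXEC CICS ABEND ABCODE('CRL1') END-EXEC
           END-IF
      * Start CCRL now, unattached to a terminal.
           EXEC CICS START TRANSID('CCRL')
                FROM(WS-URL-LIST)
                LENGTH(WS-URL-LEN)
                RESP(WS-RESP)
           END-EXEC
      * TRANSIDERR (CCRL not installed) or NOTAUTH (user not
      * permitted) means CCRL was not scheduled; abend so the
      * failure is visible instead of leaving stale CRLs unnoticed.
           IF WS-RESP NOT = DFHRESP(NORMAL)
               EXEC CICS ABEND ABCODE('CRL2') END-EXEC
           END-IF
           EXEC CICS RETURN END-EXEC.
```

A NORMAL response from START confirms only that CCRL was scheduled, so the LDAP server should still be checked to confirm that the CRLs were actually updated. The first run of the wrapper transaction has to be started once by hand or at region startup.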