Using certificate revocation lists (CRLs)

You can configure CICS® to use certificate revocation lists (CRLs) to check whether the client certificates presented during SSL negotiations have been revoked by the certificate authority that issued them.

Before you begin

To use certificate revocation lists, you must install and configure an LDAP server. Details on how to perform these tasks can be found in z/OS® Security Server LDAP Server Admin and Use. You also need to authorize CICS to access the LDAP server, as described in Configuring LDAP for CICS use.

About this task

A certificate revocation list is a list, signed by a certificate authority, of the certificates that the authority has revoked before their expiry date; a client certificate that is otherwise valid is rejected if its serial number appears on the list of its issuer. Certificate authorities publish their CRLs in repositories that are available on the World Wide Web, from which the lists can be downloaded and stored in an LDAP server. To populate the LDAP server and update the certificate revocation lists that it holds, use the CICS-supplied transaction CCRL. Because each CRL carries a next-update time after which it is no longer current, run CCRL regularly so that the stored lists stay up to date: a stale list does not include certificates revoked since it was issued.
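The following Python example is added here to show what a CRL check amounts to; it is not CICS code, does not use LDAP or CCRL, and the CA, the two client certificates and the CRL are all constructed in memory with the cryptography package. The check verifies that the CRL was signed by the CA that issued the client certificate, that the CRL is still current, and only then looks up the certificate's serial number. It refuses rather than "passes" a certificate when the list cannot be trusted, which is the failure mode an operator most wants to avoid.

```python
"""Illustration of the check a CRL enables: is this client certificate on the
CA's signed revocation list, and is that list itself trustworthy and current?
Added example using the Python 'cryptography' package; it is not CICS code and
does not talk to LDAP. The CA, client certificates and CRL are all constructed
in memory here."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed "current time" so the example is deterministic (constructed, naive UTC).
NOW = datetime.datetime(2024, 1, 1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue_cert(cn, serial, ca_name, ca_key, now):
    """Issue a one-year client certificate for CN=cn signed by the CA (constructed)."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(_name(cn))
            .issuer_name(ca_name)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))


def _build_crl(ca_name, ca_key, revoked_serials, now, valid_days=7):
    """Build the CA's CRL: a signed list of revoked serials with a nextUpdate."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_name)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=valid_days)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(now)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(private_key=ca_key, algorithm=hashes.SHA256())


def _next_update(crl):
    """nextUpdate as a naive UTC datetime, across cryptography versions."""
    aware = getattr(crl, "next_update_utc", None)   # cryptography >= 42
    return aware.replace(tzinfo=None) if aware is not None else crl.next_update


def crl_is_fresh(crl, now):
    """False once 'now' is past nextUpdate (or if the CRL carries none)."""
    nu = _next_update(crl)
    return nu is not None and now <= nu


def check_revocation(crl, ca_cert, cert, now):
    """Return True if 'cert' is revoked according to the CA's CRL.

    Raises ValueError when the CRL cannot be relied on: wrong issuer,
    bad signature, or stale. Silently treating those cases as
    "not revoked" would let a revoked certificate through.
    """
    if crl.issuer != ca_cert.subject or cert.issuer != ca_cert.subject:
        raise ValueError("CRL and certificate must come from the same CA")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify with the CA key")
    if not crl_is_fresh(crl, now):
        raise ValueError("CRL is past its nextUpdate; refresh it first")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def build_demo(now=NOW):
    """Constructed scenario: one CA, two client certs, one of them revoked."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = _name("Example CA")
    ca_cert = (x509.CertificateBuilder()
               .subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(1)
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None),
                              critical=True)
               .sign(ca_key, hashes.SHA256()))
    good = _issue_cert("client-good", 1001, ca_name, ca_key, now)
    bad = _issue_cert("client-lost-laptop", 1002, ca_name, ca_key, now)
    crl = _build_crl(ca_name, ca_key, [bad.serial_number], now)
    return {"ca_cert": ca_cert, "crl": crl, "good": good, "revoked": bad,
            "now": now, "later": now + datetime.timedelta(days=30)}


if __name__ == "__main__":
    d = build_demo()
    for label in ("good", "revoked"):
        revoked = check_revocation(d["crl"], d["ca_cert"], d[label], d["now"])
        print(label, "->", "REVOKED" if revoked else "ok")
    print("CRL still fresh 30 days on?", crl_is_fresh(d["crl"], d["later"]))
```

The staleness test is the part operators most often skip: the example's CRL is good for seven days, so an evaluation 30 days later is refused until a fresh list is loaded, which is exactly why CCRL has to be run on a schedule rather than once.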