TTLSGskLdapParms statement

Use the TTLSGskLdapParms statement to define a set of LDAP parameters to be used for Certificate Revocation List (CRL) checking for an AT-TLS environment action. A TTLSGskLdapParms statement can be specified inline in a TTLSEnvironmentAction statement or referenced by a TTLSEnvironmentAction statement.

Syntax

>>-TTLSGskLdapParms--+------+--| Put Braces and Parameters on Separate Lines |-><
                     '-name-'                                                    

Put Braces and Parameters on Separate Lines

|--+-{-------------------------------+--------------------------|
   +-| TTLSGskLdapParms Parameters |-+   
   '-}-------------------------------'   

TTLSGskLdapParms Parameters

   .---------------------------.   
   V                           |   
|------GSK_LDAP_SERVER value---+-------------------------------->

>--+--------------------------------------------+--------------->
   '-GSK_LDAP_USER value-GSK_LDAP_USER_PW value-'   

>--+----------------------------+------------------------------->
   '-GSK_LDAP_SERVER_PORT value-'   

>--+-----------------------------+------------------------------>
   '-GSK_CRL_CACHE_TIMEOUT value-'   

>--+------------------------------------+-----------------------|
   '-GSK_CRL_SECURITY_LEVEL--+-Low----+-'   
                             +-Medium-+     
                             '-High---'     

Parameters

name
A string 1 - 32 characters in length specifying the name of this TTLSGskLdapParms statement.

Rule: If this TTLSGskLdapParms statement is not specified inline within another statement, a name value must be provided. If a name is not specified for an inline TTLSGskLdapParms statement, a nonpersistent system name is created.

GSK_LDAP_SERVER
Specifies an LDAP server host name. The name can contain an optional port number separated from the name by a colon. The name can be a DNS resource name, a dotted-decimal IPv4 address or a colon-separated IPv6 address enclosed in square brackets (for example, [1080::8:800:200C:417A]). The maximum length of the host name is 255 characters. Valid values for the port number, if specified, are 1 - 65 535. Up to five GSK_LDAP_SERVER statements can be defined.
GSK_LDAP_USER
Specifies the distinguished name to use when connecting to the LDAP server. The maximum length of the name is 512 characters.
Rule: Comment indicators and embedded blanks are treated as part of the value for this attribute. For example:
GSK_LDAP_USER  cn=cert #label
value used:   cn=cert #label 

Restriction: When the value contains embedded blanks, you must specify the entire value within the first 1 536 characters of the configuration file line.

GSK_LDAP_USER_PW
Specifies the password to use when connecting to the LDAP server. The maximum length of the password is 512 characters.
GSK_LDAP_SERVER_PORT
Specifies the LDAP server port. This port is used if a port is not specified on the LDAP server host name. Valid values are in the range 1 - 65 535.
GSK_CRL_CACHE_TIMEOUT
Sets the CRL cache timeout in hours. Valid values are in the range 0 - 720.
GSK_CRL_SECURITY_LEVEL
Specifies the level of security to use when contacting an LDAP server. Valid values are:
Low
Specifies that certificate validation does not fail if the LDAP server cannot be contacted.
Medium
Specifies that certificate validation requires that the LDAP server can be contacted, but it does not require a CRL to be defined.
High
Specifies that certificate validation requires the LDAP server to be contactable, and a CRL must be defined.

Tip: The located CRLs are cached according to the GSK_CRL_CACHE_TIMEOUT parameter setting of the SSL environment.
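The following is an added example of two named TTLSGskLdapParms statements; it is not part of the original page, and the host names, IPv6 address, distinguished name and password are constructed values. The first statement uses GSK_CRL_SECURITY_LEVEL Low, so certificate validation still succeeds when no LDAP server can be contacted (fail-open); the second requires a contactable server and a defined CRL (fail-closed).

```text
# Constructed example: fail-open CRL checking.
# Validation does not fail if ldap1.example.com cannot be reached.
TTLSGskLdapParms  CrlLdapLax
{
  GSK_LDAP_SERVER         ldap1.example.com:389
  GSK_CRL_CACHE_TIMEOUT   24
  GSK_CRL_SECURITY_LEVEL  Low
}

# Constructed example: fail-closed CRL checking.
# Two servers (up to five are allowed); the IPv6 address is enclosed in
# square brackets. Neither host name carries a port, so GSK_LDAP_SERVER_PORT
# applies to both. The bind DN contains no blanks or comment indicators,
# so it is read exactly as written.
TTLSGskLdapParms  CrlLdapStrict
{
  GSK_LDAP_SERVER         ldap1.example.com
  GSK_LDAP_SERVER         [2001:db8::10]
  GSK_LDAP_SERVER_PORT    389
  GSK_LDAP_USER           cn=crlreader,ou=svc,o=example
  GSK_LDAP_USER_PW        <placeholder-password>
  GSK_CRL_CACHE_TIMEOUT   24
  GSK_CRL_SECURITY_LEVEL  High
}
```

GSK_LDAP_USER_PW is stored in clear text in the policy configuration file, so read access to that file should be restricted in the same way as access to the key ring.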