To use certificate revocation lists (CRLs), you must have
an LDAP server running. You will also need to perform some configuration
steps before you download the CRLs.
Procedure
- Ensure that the LDAP server is running. The default started
task name is LDAPSRV.
- In the etc/ldap directory of the file system, edit the configuration file slapd.conf as follows:
  - Create an administrator distinguished name and password by providing values for adminDN and adminPW. The CICS-supplied CCRL transaction requires this information to update the LDAP server with the certificate revocation lists.
  - Create a suffix entry for every certificate authority from which you want to download CRLs by using CCRL. For each suffix, use the syntax "O=certificate authority". The suffix consists of the part of the certificate authority's distinguished name that begins at the organization ("O=") keyword, together with any other keywords to the right of it. If the suffix contains any of the special characters <,+;>\" you must escape each of them by preceding it with two backslash characters. If you are using the z/OS LDAP server and the suffix contains any characters that are not in the required 1047 code page, escape those characters by encoding each one as the 3-digit octal number of its Unicode representation, preceded by an ampersand.
Example
For example, you could specify the following suffixes in the file slapd.conf:
    suffix "O=CompanyName"
    suffix "O=CompanyName plc"
    suffix "O=CompanyName,L=CompanyLocation,ST=CompanyArea,C=CompanyCountry"
    suffix "O=CompanyName\\, Inc."
    suffix "O=CompanyName\\, Inc.,C=CompanyCountry"
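As an added worked example (not part of the CICS documentation), the following Python builds the adminDN, adminPW and suffix lines for slapd.conf from certificate authority distinguished names, applying the suffix selection and escaping rules described in the procedure. The DN values are constructed, and treating every character outside printable ASCII as absent from code page 1047 is a simplifying assumption.

```python
# Added example: generate slapd.conf entries for CCRL from CA distinguished names.
# The CA names below are constructed for illustration.

SPECIAL = set('<,+;>\\"')  # characters the procedure says must be escaped


def escape_value(value: str) -> str:
    """Escape one RDN attribute value for use inside a slapd.conf suffix."""
    out = []
    for ch in value:
        if ch in SPECIAL:
            out.append("\\\\" + ch)  # two backslash characters before the char
        elif not (0x20 <= ord(ch) <= 0x7E):
            # Assumption: anything outside printable ASCII is treated as not
            # representable in code page 1047 and written as &ooo (3-digit octal).
            cp = ord(ch)
            if cp > 0o777:
                raise ValueError(f"U+{cp:04X} does not fit a 3-digit octal escape")
            out.append(f"&{cp:03o}")
        else:
            out.append(ch)
    return "".join(out)


def ca_suffix(dn):
    """Return the suffix for a CA DN given as (attribute, value) pairs in the
    order written left to right: keep the O= component and everything right of it."""
    for i, (attr, _) in enumerate(dn):
        if attr.upper() == "O":
            return ",".join(f"{a}={escape_value(v)}" for a, v in dn[i:])
    raise ValueError("CA distinguished name has no O= component")


def slapd_conf_fragment(admin_dn: str, admin_pw: str, ca_dns) -> str:
    """Build the adminDN, adminPW and suffix lines (quoting style is an assumption)."""
    lines = [f'adminDN "{admin_dn}"', f"adminPW {admin_pw}"]
    lines += [f'suffix "{ca_suffix(dn)}"' for dn in ca_dns]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cas = [
        [("CN", "Example Root CA"), ("O", "CompanyName")],
        [("O", "CompanyName, Inc."), ("C", "CompanyCountry")],
    ]
    print(slapd_conf_fragment("cn=LDAP Admin", "changeit", cas), end="")
```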
What to do next
When you have configured the LDAP server to include all of
your certificate authorities, run the CCRL transaction. For details,
see Running the CCRL transaction.