CCRL - certificate revocation lists transaction

Use the CCRL transaction to create and update the certificate revocation lists (CRLs) that are stored in an LDAP server. Use CCRL if you are implementing SSL in your CICS® regions and want each connection checked for a revoked certificate during the SSL handshake.

The CCRL transaction specifies the location of CRL repositories on the World Wide Web. CICS downloads the lists from the CRL repository at each specified URL and stores them in the LDAP server. You can specify more than one URL if you need to access multiple CRL repositories from different certificate authorities.

You can run the CCRL transaction from a terminal or from a START command. If you want to schedule regular updates, use the START command.

Prerequisites

Before you run the CCRL transaction, you must have the following set up in CICS:
  • An LDAP server that is set up and configured to store the certificate revocation lists. See Configuring an LDAP server for CRLs for more information.
  • The CRLPROFILE system initialization parameter defined with the profile that authorizes CICS to access the LDAP server that stores the certificate revocation lists.

Running CCRL from a terminal

To run the transaction from a terminal, ensure that the terminal accepts mixed case so that you can enter the URLs.

  1. Enter the following command: CCRL url-list where url-list is a space-delimited list of URLs that contain the certificate revocation lists that you want to download.
    Example:
    CCRL http://crl.CertificateAuthority.com/CRLList1.crl
         http://crl.CertificateAuthority.com/CRLList2.crl
  2. Enter the administrator distinguished name and password for the LDAP server. This allows CICS to update the LDAP server with the CRLs that it downloads. The name and password are set in the file slapd.conf in the LDAP server.

Running CCRL from a START command

To run the transaction from a START command, use the following syntax:

EXEC CICS START TRANSID(CCRL) FROM (admin://adminDN:adminPW url-list) LENGTH (url-list-length) [INTERVAL(hhmmss)|TIME(hhmmss)]

where
  • url-list is a space-delimited list of URLs that contain the certificate revocation lists that you want to download.
  • url-list-length is the length of the URL list.
  • hhmmss is the interval or expiration time at which the CCRL transaction is scheduled to run.

If you enter an invalid URL, you receive an error message.

Example:

This example schedules the CCRL transaction to run in 96 hours.

EXEC CICS START TRANSID(CCRL)
     FROM('admin://cn=ldapadmin:cics31ldap
           http://crl.CertificateAuthority.com/CRLList1.crl
           http://crl.CertificateAuthority.com/CRLList2.crl')
     LENGTH(124) INTERVAL(960000)
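As an added example (not IBM's code), the following Python helper assembles the FROM data in the admin://adminDN:adminPW url-list format described above, rejects tokens the space-delimited area cannot carry, and derives the LENGTH and hhmmss INTERVAL values so they match the data actually passed; the DN, password and URLs in the test are constructed, and the assumption that CICS splits the area on blanks follows from the page's "space-delimited" wording.

```python
"""Build an EXEC CICS START for the CCRL transaction (added example).

FROM data layout, as documented for CCRL:
    admin://adminDN:adminPW url-list
LENGTH must equal the byte length of that data area, or CICS sees a
truncated (or over-long) list.  All sample values are constructed.
"""
from urllib.parse import urlparse


def build_from_data(admin_dn: str, admin_pw: str, urls) -> str:
    """Assemble the FROM data and reject input CCRL could not parse."""
    if not urls:
        raise ValueError("at least one CRL URL is required")
    # Assumption: the area is split on blanks, so an embedded space in the
    # DN or password would be read as the start of the URL list.
    for token in (admin_dn, admin_pw):
        if not token or " " in token:
            raise ValueError(f"DN/password must be non-empty, no spaces: {token!r}")
    for url in urls:
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc or " " in url:
            raise ValueError(f"invalid CRL URL: {url!r}")
    return f"admin://{admin_dn}:{admin_pw} " + " ".join(urls)


def interval_hhmmss(hours: int, minutes: int = 0, seconds: int = 0) -> str:
    """Format INTERVAL/TIME as hhmmss; hh may exceed 24 (96 hours -> 960000)."""
    if not (0 <= hours <= 99 and 0 <= minutes < 60 and 0 <= seconds < 60):
        raise ValueError("hours 0-99, minutes and seconds 0-59")
    return f"{hours:02d}{minutes:02d}{seconds:02d}"


def start_command(admin_dn: str, admin_pw: str, urls, interval: str) -> str:
    """Return the START command text with LENGTH computed from the data."""
    data = build_from_data(admin_dn, admin_pw, urls)
    # ASCII-only data has the same byte length in EBCDIC, so len() is safe.
    length = len(data.encode("ascii"))
    return (f"EXEC CICS START TRANSID(CCRL) FROM('{data}') "
            f"LENGTH({length}) INTERVAL({interval})")


if __name__ == "__main__":
    urls = ["http://crl.example.com/a.crl", "http://crl.example.com/b.crl"]
    print(start_command("cn=ldapadmin", "pw", urls, interval_hhmmss(96)))
```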