[z/OS]

Enabling certificate revocation lists (CRLs) on z/OS

Advanced Message Security supports Certificate Revocation List (CRL) checking of the digital certificates used to protect data messages.

About this task

When enabled, Advanced Message Security will validate recipient certificates when messages are put to a privacy protected queue, and validate sender certificates when messages are retrieved from a protected queue (integrity or privacy). Validation in this case includes verification that relevant certificates are not registered in a relevant CRL.

Advanced Message Security uses IBM® System SSL services to validate sender and recipient certificates. You can find detailed documentation regarding System SSL certificate validation in the z/OS® Cryptographic Services System Secure Sockets Layer Programming manual.

To enable CRL checking, you specify the location of a CRL configuration file via the CRLFILE DD in the started task JCL for the AMS address space. A sample CRL configuration file that can be customized is provided in thlqual.SCSQPROC(CSQ40CRL). The settings permitted in this file are as follows:
Table 1. Advanced Message Security CRL configuration variables

crl.ldap.host.N
    Valid values: hostname -or- hostname:port
    Description: The IP address or host name of the LDAP server that hosts the CRLs for your issuer certificates. If you do not specify a port number for the LDAP server, the port number specified by crl.ldap.port is used. You can specify up to 10 CRL LDAP server host names, as described below.

crl.ldap.port
    Valid values: port
    Description: The TCP/IP port number of your LDAP server.

crl.ldap.user
    Valid values: ldap_user
    Description: The LDAP user name to use when connecting to the LDAP server.

crl.ldap.pass
    Valid values: ldap_password
    Description: The LDAP password associated with crl.ldap.user.

You can specify multiple LDAP server host names and ports as follows:

    crl.ldap.host.1 = hostname -or- hostname:port
    crl.ldap.host.2 = hostname -or- hostname:port
    crl.ldap.host.3 = hostname -or- hostname:port

You can specify up to 10 host names. If you do not specify a port number for your LDAP servers, the port number specified by crl.ldap.port is used. Every LDAP server must accept the same crl.ldap.user/crl.ldap.pass combination, because a single set of credentials is used for all of them.

When the CRLFILE DD is specified, the configuration is loaded during initialization of the Advanced Message Security address space and CRL checking is enabled. If the CRLFILE DD is not specified, or the CRL configuration file is unavailable or invalid, CRL checking is disabled.
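Because an unavailable or invalid CRL configuration file silently disables CRL checking rather than failing the address space, it is worth validating the member before it is deployed. The following script is an added example, not IBM's code: it parses the key = value format described above, resolves each crl.ldap.host.N entry to a (host, port) pair using the crl.ldap.port default, and reports anything the loader would not accept (an N outside 1..10, a non-numeric port, a host with no port and no default, or an undocumented key). The exact parsing rules of the AMS loader, the use of # for comments, and the requirement that crl.ldap.user and crl.ldap.pass appear together are assumptions of this example; the sample configuration texts are constructed and the password is a placeholder.

```python
"""Pre-deployment validator for an AMS CRL configuration file (crl.ldap.* settings).

Added example, not IBM's code. It mirrors only the settings documented for the
CRL configuration file; how the AMS loader itself parses the member is assumed.
"""
import re

MAX_HOSTS = 10                       # documented limit: up to 10 crl.ldap.host.N entries
SCALAR_KEYS = {"crl.ldap.port", "crl.ldap.user", "crl.ldap.pass"}
HOST_KEY = re.compile(r"^crl\.ldap\.host\.(\d+)$")


def parse_crl_config(text):
    """Parse 'key = value' lines into a dict; return (settings, problems)."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # '#' comment lines are an assumption
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: expected 'key = value'")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            problems.append(f"line {lineno}: duplicate setting {key}")
        settings[key] = value
    return settings, problems


def resolve_hosts(settings):
    """Turn crl.ldap.host.N entries into [(host, port)], applying the crl.ldap.port default."""
    problems = []
    default_port = settings.get("crl.ldap.port")
    if default_port is not None:
        if default_port.isdigit():
            default_port = int(default_port)
        else:
            problems.append(f"crl.ldap.port is not numeric: {default_port!r}")
            default_port = None
    indexed = []
    for key, value in settings.items():
        m = HOST_KEY.match(key)
        if m is None:
            if key not in SCALAR_KEYS:
                problems.append(f"unknown setting {key}")
            continue
        n = int(m.group(1))
        if not 1 <= n <= MAX_HOSTS:
            problems.append(f"{key}: N must be between 1 and {MAX_HOSTS}")
            continue
        host, _, port = value.partition(":")     # value is hostname or hostname:port
        if not host:
            problems.append(f"{key}: empty hostname")
            continue
        if port:
            if not port.isdigit():
                problems.append(f"{key}: port is not numeric: {port!r}")
                continue
            port = int(port)
        elif default_port is not None:
            port = default_port
        else:
            problems.append(f"{key}: no port given and crl.ldap.port is not set")
            continue
        indexed.append((n, host, port))
    hosts = [(host, port) for _, host, port in sorted(indexed)]   # ordered by N
    return hosts, problems


def validate_crl_config(text):
    """Return (hosts, problems); an empty problems list means every documented
    setting resolved and there is at least one LDAP server to query for CRLs."""
    settings, problems = parse_crl_config(text)
    hosts, more = resolve_hosts(settings)
    problems += more
    if not hosts:
        problems.append("no crl.ldap.host.N entries: nothing to query for CRLs")
    # This example's own consistency check: credentials are set together or not at all.
    if ("crl.ldap.user" in settings) != ("crl.ldap.pass" in settings):
        problems.append("crl.ldap.user and crl.ldap.pass must be set together")
    return hosts, problems


# Constructed sample (not from the page); the password value is a placeholder.
SAMPLE_OK = """\
crl.ldap.port = 389
crl.ldap.host.1 = ldap1.example.com
crl.ldap.host.2 = ldap2.example.com:636
crl.ldap.user = cn=amsreader,o=example
crl.ldap.pass = REPLACE_ME
"""

# Constructed sample containing the kinds of mistakes that make the file invalid.
SAMPLE_BAD = """\
crl.ldap.host.11 = too-many.example.com
crl.ldap.host.1 = ldap1.example.com
crl.ldap.usr = cn=amsreader,o=example
"""

if __name__ == "__main__":
    for name, cfg in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        hosts, problems = validate_crl_config(cfg)
        print(name, hosts, problems)
```

Run it against the member you intend to reference from the CRLFILE DD; a non-empty problem list is the signal to fix the file before starting the address space, since a rejected file leaves messages flowing with no revocation check at all.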

AMS performs a CRL check using IBM System SSL certificate validation services as follows:

Table 2. Advanced Message Security CRL checks

    Operation   Quality of protection   Certificate(s) checked
    PUT         Privacy                 Recipient(s)
    GET         Integrity/Privacy       Sender
If a message operation fails a CRL check, Advanced Message Security performs the following actions:

Table 3. Advanced Message Security CRL check failure behavior

PUT
    The message is not put to the target queue. A completion code of MQCC_FAILED and a reason code of MQRC_SECURITY_ERROR are returned to the application.

GET
    The message is removed from the target queue and moved to the system protection error queue. A completion code of MQCC_FAILED and a reason code of MQRC_SECURITY_ERROR are returned to the application.
AMS for z/OS uses IBM System SSL services to validate certificates, which includes CRL and trust checking.
IBM MQ uses a security setting where certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined.
Note: It is the responsibility of administrators to ensure relevant LDAP services are available and to maintain CRL entries for relevant Certificate Authorities.