You can use LDAP for storing CRLs (certificate revocation
lists) or Basic Authentication credentials. When certificate revocation
lists or credentials are stored in the LDAP server, you must authorize
CICS to access them.
About this task
Certificate revocation lists and passwords are stored in
the LDAP server with an access class of critical and can only
be accessed by a user who has provided authentication credentials
at LDAP bind time. These credentials are a user's distinguished name
and an associated password. You can save these details in a specialized
profile in the LDAPBIND RACF class. To set up the profile, follow
these steps:
Procedure
- The password that is used in the profile must be encrypted
before it is stored in the RACF database. To encrypt the password,
you must store a password encryption key in the KEYSMSTR RACF class
by issuing one of the following RACF commands:
- Create the profile using the following RACF command:
RDEFINE LDAPBIND profile-name
PROXY(LDAPHOST(ldap-url)
BINDDN('ldap-distinguished-name')
BINDPW(password))
UACC(NONE)
where:
- profile-name is the name of the RACF profile whose PROXY segment contains the following LDAP bind parameters.
- ldap-url is the fully qualified URL of the LDAP server to be accessed; for example, LDAP://EXAMPLE.COM:3389.
- ldap-distinguished-name is the distinguished name of an LDAP user authorized to inquire on certificate revocation list attributes from the server; for example, CN=LDAPADMIN.
- password is the password that authenticates the LDAP user. The password is case-sensitive.
- Authorize each CICS region user ID to access appropriate
bind credentials in the LDAPBIND class by issuing one or more commands
of the following form:
PERMIT profile-name CLASS(LDAPBIND)
ACCESS(READ)
ID(region-userid)
- Specify the profile name in the system initialization parameter CRLPROFILE for
each applicable CICS region.
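The whole procedure above, as one added example that is not from the IBM page: a batch TSO job (IKJEFT01) that stores the password encryption key, defines the LDAPBIND profile with its PROXY segment, grants one CICS region user ID READ access, and lists the profile to confirm it. Everything not shown on the page is an assumption: the job card, the profile name CICSCRL (the value to put in CRLPROFILE), the region user ID CICSREG1, the bind password Secr3tPw, the 16-hex-digit key value (a constructed placeholder), the KEYSMSTR profile name LDAP.BINDPW.KEY with its SSIGNON segment (taken from RACF documentation, since the page refers to that command without showing it), and the closing RLIST verification step.

```jcl
//LDAPBIND JOB (ACCT),'CICS LDAPBIND SETUP',CLASS=A,MSGCLASS=X
//*
//* Added example, not IBM's code: batch TSO job that authorizes a CICS
//* region to read LDAP bind credentials for CRL lookups.
//*
//* Assumed values (replace with site values):
//*   CICSCRL                 LDAPBIND profile name; set CRLPROFILE=CICSCRL
//*   LDAP://EXAMPLE.COM:3389 LDAP server URL (example value from the page)
//*   CN=LDAPADMIN            bind DN (example value from the page)
//*   Secr3tPw                bind password (case-sensitive, constructed)
//*   CICSREG1                CICS region user ID
//*   0123456789ABCDEF        constructed placeholder for the masked key
//*
//* Commands in SYSTSIN, in order:
//*  1. KEYSMSTR profile LDAP.BINDPW.KEY (name assumed from RACF
//*     documentation) so that BINDPW can be encrypted before it is
//*     stored in the RACF database.
//*  2. RDEFINE the LDAPBIND profile with its PROXY segment; UACC(NONE)
//*     so nothing but the explicit PERMIT grants access.
//*  3. PERMIT READ to the CICS region user ID only.
//*  4. RLIST the PROXY segment (assumed syntax) to confirm LDAPHOST and
//*     BINDDN were stored as intended.
//*
//TSOBATCH EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE KEYSMSTR LDAP.BINDPW.KEY +
   SSIGNON(KEYMASKED(0123456789ABCDEF))
 RDEFINE LDAPBIND CICSCRL +
   PROXY(LDAPHOST(LDAP://EXAMPLE.COM:3389) +
   BINDDN('CN=LDAPADMIN') +
   BINDPW(Secr3tPw)) +
   UACC(NONE)
 PERMIT CICSCRL CLASS(LDAPBIND) ACCESS(READ) ID(CICSREG1)
 RLIST LDAPBIND CICSCRL PROXY NORACF
/*
```

After the job completes, set CRLPROFILE=CICSCRL in the system initialization table of each CICS region that uses CICSREG1 and start (or restart) the region. Two points a practitioner should check: the bind password appears in clear text in SYSTSIN and therefore in the job's JES input, so keep the job in a protected data set and purge the output once the profile exists; and grant READ on the LDAPBIND profile only to region user IDs, keeping UACC(NONE) so the bind DN and password are not readable by other users. Whether your installation also needs the LDAPBIND class activated or RACLISTed is a site setting that this page does not cover.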
Results
When you start a CICS region with the profile name
specified in the CRLPROFILE system initialization
parameter, the bind information for the LDAP server is cached in the
SSL environment for the CICS® region,
which is managed by z/OS® System
SSL. When you issue the PERFORM SSL REBUILD command for the CICS region,
the bind information for the LDAP server is refreshed from the external
security manager.
What to do next
If the CRLPROFILE parameter
is specified for a CICS region but is invalid, or if the specified
profile contains invalid data, or if the LDAP server identified by
the profile is unavailable when the CICS region starts, the CICS region
disables its own access to the LDAP server. Messages DFHSO0128 and
DFHSO0129 report this problem.
To restore access, you must fix
the error and restart the CICS region. The PERFORM SSL REBUILD command
cannot restore access to the LDAP server if the CICS region has disabled
it. The refresh only takes place for an LDAP server that was available
to the CICS region at the time when the command was issued.