Question & Answer
Question
When implementing AT-TLS, how can I check for certificate revocation?
Answer
Starting with z/OS V2R2 Communications Server, applications requiring validation of the partner's certificate can optionally check to see if the certificate has been revoked.
Certificate revocation checking can be done using any of these three methods:
using a certificate revocation list (CRL) obtained from an LDAP server
using a certificate revocation list (CRL) obtained from an HTTP server
using the certificate revocation status obtained from an OCSP (Online Certificate Status Protocol) responder
Connections that are used by System SSL to contact the CRL service should not fall under an enabled AT-TLS policy because these connections can be made before the AT-TLS policy is installed.
You can configure any combination of these certificate revocation checking methods by using the following AT-TLS policy statements:
TTLSGskHttpCdpParms
TTLSGskLdapParms
TTLSGskOcspParms
Use the TTLSGskHttpCdpParms statement to define a set of HTTP parameters that are used for Certificate Revocation List (CRL) checking for an AT-TLS environment action.
Use the TTLSGskLdapParms statement to define a set of LDAP parameters to be used for Certificate Revocation List (CRL) checking for an AT-TLS environment action.
Use the TTLSGskOcspParms statement to define a set of OCSP parameters to use for Certificate Revocation List (CRL) checking for an AT-TLS environment action.
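The following AT-TLS policy fragment is an added illustration, not taken from the IBM page or from a shipped sample: it wires OCSP checking (with an HTTP-fetched CRL as a second source) into a server environment action and keeps System SSL's own lookups to the revocation service out of any enabled policy, as the caveat above requires. Only the three statement names come from the page; the job name, ports, keyring, URL, the `...Ref` parameter forms and the parameter names inside the two Gsk statements are assumptions to verify against the z/OS Communications Server IP Configuration Reference for your release.

```text
# Added illustration; job name, ports, keyring, URL and the parameter
# names inside the Gsk statements are ASSUMED, not taken from the page.

# Protected inbound listener (assumed job MYSRV on port 4443).
TTLSRule                          MYSRV_Inbound
{
  LocalPortRange                  4443
  Jobname                         MYSRV
  Direction                       Inbound
  Priority                        200
  TTLSGroupActionRef              grpTlsOn
  TTLSEnvironmentActionRef        envSrvRevCheck
}

# Higher-priority rule: the outbound HTTP connections System SSL opens to
# the OCSP responder / CRL distribution point (assumed port 80) must not
# fall under an enabled policy, so they map to a group with TTLS off.
TTLSRule                          RevLookup_NoTLS
{
  RemotePortRange                 80
  Direction                       Outbound
  Priority                        255
  TTLSGroupActionRef              grpTlsOff
}

TTLSGroupAction                   grpTlsOn
{
  TTLSEnabled                     On
}
TTLSGroupAction                   grpTlsOff
{
  TTLSEnabled                     Off
}

# Server requires and validates the client certificate; revocation status
# comes from OCSP first, then from a CRL fetched over HTTP.
TTLSEnvironmentAction             envSrvRevCheck
{
  HandshakeRole                   Server
  TTLSKeyringParmsRef             keyMySrv
  TTLSEnvironmentAdvancedParmsRef advClientAuth
  TTLSGskOcspParmsRef             ocspPrimary
  TTLSGskHttpCdpParmsRef          cdpFallback
}
TTLSKeyringParms                  keyMySrv
{
  Keyring                         MYSRV/SRVRING
}
TTLSEnvironmentAdvancedParms      advClientAuth
{
  ClientAuthType                  Required
}
# Parameter names in the next two statements are assumptions.
TTLSGskOcspParms                  ocspPrimary
{
  OcspUrl                         http://ocsp.example.com/
}
TTLSGskHttpCdpParms               cdpFallback
{
  HttpCdpEnable                   On
}
```

Because System SSL performs the revocation lookups from inside the application's own address space, a job-name filter alone would not exclude them; the exclusion rule therefore matches on direction and remote port.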
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
05 October 2015
UID
dwa1231282