
When implementing AT-TLS, how can I check for certificate revocation?

Question & Answer


Question

When implementing AT-TLS, how can I check for certificate revocation?

Answer

Starting with z/OS V2R2 Communications Server, applications that require validation of the partner's certificate can optionally also check whether that certificate has been revoked.

Certificate revocation checking can be done using any of these three methods:

  • using a certificate revocation list (CRL) obtained from an LDAP server

  • using a certificate revocation list (CRL) obtained from an HTTP server

  • using the certificate revocation status obtained from an OCSP (Online Certificate Status Protocol) responder

Connections that System SSL itself opens to contact the CRL service should not fall under an enabled AT-TLS policy, because System SSL can make these connections before the AT-TLS policy is installed.

You can configure any combination of these certificate revocation checking methods by using the following AT-TLS policy statements:

  • TTLSGskHttpCdpParms

  • TTLSGskLdapParms

  • TTLSGskOcspParms

Use the TTLSGskHttpCdpParms statement to define a set of HTTP parameters that are used for Certificate Revocation List (CRL) checking for an AT-TLS environment action.

Use the TTLSGskLdapParms statement to define a set of LDAP parameters to be used for Certificate Revocation List (CRL) checking for an AT-TLS environment action.

Use the TTLSGskOcspParms statement to define a set of OCSP parameters to use for Certificate Revocation List (CRL) checking for an AT-TLS environment action.
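The fragment below is an added example, not policy from this IBM page or from the z/OS product documentation. It shows how the three statements named above can be wired into an AT-TLS environment action for a server that authenticates its clients, and how the outbound connections that System SSL makes to the revocation servers can be kept out of any enabled AT-TLS policy, as the note above requires. Only the statement names TTLSGskHttpCdpParms, TTLSGskLdapParms and TTLSGskOcspParms come from the page; the TTLSGskAdvancedParms statement, every parameter name and value inside the revocation statements, and all addresses, ports, key ring and rule names are assumptions that must be checked against the z/OS Communications Server IP Configuration Reference for your release.

```text
# Added example (not from the IBM page). Statement names TTLSGskHttpCdpParms,
# TTLSGskLdapParms and TTLSGskOcspParms are from the page; every parameter
# name inside them, the TTLSGskAdvancedParms statement, and all addresses,
# ports, names and priorities are assumptions to verify for your release.

# Rule with the highest priority: outbound connections to the host that
# serves the CRL and OCSP responses are matched first and mapped to a group
# action with AT-TLS disabled, so System SSL's own revocation lookups never
# run under an enabled policy (they may happen before the policy is installed).
# Assumed: a higher Priority value is evaluated first.
TTLSRule                    NoTLSForRevocationLookups
{
  RemoteAddr                10.0.0.50
  Direction                 Outbound
  Priority                  255
  TTLSGroupActionRef        grpRevocationOff
}

TTLSGroupAction             grpRevocationOff
{
  TTLSEnabled               Off
}

# The application traffic that is actually protected by AT-TLS.
# Constructed: an inbound server listening on port 8443.
TTLSRule                    AppServerWithClientAuth
{
  LocalPortRange            8443
  Direction                 Inbound
  Priority                  100
  TTLSGroupActionRef        grpOn
  TTLSEnvironmentActionRef  envServerRevCheck
}

TTLSGroupAction             grpOn
{
  TTLSEnabled               On
}

# The server requests and validates a client certificate, so revocation
# checking applies to the certificate the client presents.
TTLSEnvironmentAction       envServerRevCheck
{
  HandshakeRole             ServerWithClientAuth
  TTLSKeyringParms
  {
    # Constructed key ring name.
    Keyring                 APPSERV.KEYRING
  }
  # Assumed: reference to the advanced System SSL parameters below.
  TTLSGskAdvancedParmsRef   gskRevocation
}

# Assumed: TTLSGskAdvancedParms ties the three revocation statements together
# and sets how strictly an unreachable responder is treated.
TTLSGskAdvancedParms        gskRevocation
{
  # Assumed parameter and value.
  RevocationSecurityLevel   Medium
  TTLSGskOcspParmsRef       ocspPrimary
  TTLSGskHttpCdpParmsRef    httpCdpDefault
  TTLSGskLdapParmsRef       ldapCrl
}

# OCSP responder: assumed parameter names, constructed URL. The nonce
# settings ask the responder to bind its reply to this request so that a
# replayed "good" response is not accepted.
TTLSGskOcspParms            ocspPrimary
{
  OcspUrl                   http://10.0.0.50/ocsp
  OcspNonceGenerationEnable On
  OcspNonceCheckEnable      On
}

# CRL via HTTP: assumed parameter name. Enables following the HTTP CRL
# distribution point (CDP) carried in the certificate.
TTLSGskHttpCdpParms         httpCdpDefault
{
  HttpCdpEnable             On
}

# CRL via LDAP: assumed parameter names, constructed address and port.
TTLSGskLdapParms            ldapCrl
{
  LdapServer                10.0.0.50
  LdapServerPort            389
}
```

The ordering matters more than the individual values: if the rule that disables AT-TLS for the revocation lookups were given a lower priority than a broad outbound rule, System SSL's CRL or OCSP fetch could itself be wrapped in TLS by the policy it is helping to enforce. When checking a deployment, confirm that a policy trace of an outbound connection to the responder address shows it mapped to the group action with TTLSEnabled Off, and that a client presenting a revoked test certificate is rejected at the handshake rather than accepted because the responder could not be reached.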


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
05 October 2015

UID

dwa1231282