(Optional) Query a Certificate Revocation List (CRL)

If desired, you can instruct the RSE daemon to check one or more Certificate Revocation Lists (CRLs) to add extra security to the certificate validation process.

This is done by adding CRL-related environment variables to rsed.envvars. The following sample definitions are available in rsed.envvars:
GSK_CRL_SECURITY_LEVEL
Specifies the level of security SSL applications will use when contacting LDAP servers to check CRLs for revoked certificates during certificate validation. The default is MEDIUM. Uncomment and change to enforce the usage of the specified value. The following values are valid:
  • LOW - Certificate validation will not fail if the LDAP server cannot be contacted.
  • MEDIUM - Certificate validation requires the LDAP server to be contactable, but does not require a CRL to be defined. This is the default.
  • HIGH - Certificate validation requires the LDAP server to be contactable and a CRL to be defined.
Note: This directive requires z/OS 1.9 or higher.
GSK_LDAP_SERVER
Specifies one or more blank-separated LDAP server host names. Uncomment and change to enforce the usage of the specified LDAP servers to obtain their CRLs.
The host name can be either a TCP/IP address or a URL. Each host name can contain an optional port number, separated from the host name by a colon (:).
GSK_LDAP_PORT
Specifies the LDAP server port. The default is 389. Uncomment and change to enforce the usage of the specified value.
GSK_LDAP_USER
Specifies the distinguished name to use when connecting to the LDAP server. Uncomment and change to enforce the usage of the specified value.
GSK_LDAP_PASSWORD
Specifies the password to use when connecting to the LDAP server. Uncomment and change to enforce the usage of the specified value.
Refer to the Cryptographic Services System Secure Sockets Layer Programming (SC24-5901) for more information on these and other environment variables used by z/OS System SSL.
Note: Be careful when specifying other z/OS System SSL environment variables (GSK_*) in rsed.envvars, as they might change the way RSE daemon handles SSL connections and certificate authentication.
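The following script is an added example, not IBM's code, showing how to sanity-check the CRL-related GSK_* settings in an rsed.envvars-style file before restarting the RSE daemon: it works out which GSK_CRL_SECURITY_LEVEL is actually in force (MEDIUM when the line is still commented out), warns when LOW is used, and flags a HIGH setting that has no GSK_LDAP_SERVER to obtain a CRL from, plus non-numeric port values. It assumes rsed.envvars uses "#" comment lines and NAME=VALUE assignments starting in column 1; the three fragments in the script are constructed samples, not a real configuration.

```shell
#!/bin/sh
# Added example, not IBM's code: sanity-check the CRL-related GSK_* settings
# in an rsed.envvars-style file before restarting the RSE daemon.
# Assumptions: "#" comment lines and NAME=VALUE assignments at column 1;
# the fragments below are constructed samples, not a real rsed.envvars.

# Constructed sample 1: HIGH level, two LDAP servers, one with an explicit port.
SAMPLE_OK=$(cat <<'EOF'
# hypothetical rsed.envvars fragment (constructed)
#GSK_CRL_SECURITY_LEVEL=MEDIUM
GSK_CRL_SECURITY_LEVEL=HIGH
GSK_LDAP_SERVER=ldap1.example.com:389 ldap://ldap2.example.com
#GSK_LDAP_PORT=389
GSK_LDAP_USER=cn=crlreader,o=example
EOF
)

# Constructed sample 2: everything still commented out, so the defaults apply.
SAMPLE_DEFAULT=$(cat <<'EOF'
#GSK_CRL_SECURITY_LEVEL=MEDIUM
#GSK_LDAP_SERVER=ldap.example.com
EOF
)

# Constructed sample 3: HIGH requested, but no LDAP server and a bad port.
SAMPLE_BROKEN=$(cat <<'EOF'
GSK_CRL_SECURITY_LEVEL=HIGH
GSK_LDAP_PORT=38a
EOF
)

# get_var CONTENT NAME: value of the last active (uncommented) NAME=... line;
# empty when NAME is absent or only present as a "#NAME=..." comment.
get_var() {
    printf '%s\n' "$1" | grep "^$2=" | tail -n 1 | sed "s/^$2=//"
}

# effective_crl_level CONTENT: the level in force, MEDIUM when not set.
effective_crl_level() {
    level=$(get_var "$1" GSK_CRL_SECURITY_LEVEL)
    printf '%s\n' "${level:-MEDIUM}"
}

# check_crl_config CONTENT: print findings; return 0 when the settings are
# consistent, 1 when they cannot work as written.
check_crl_config() {
    content=$1
    level=$(effective_crl_level "$content")
    servers=$(get_var "$content" GSK_LDAP_SERVER)
    port=$(get_var "$content" GSK_LDAP_PORT)
    rc=0
    case "$level" in
        LOW) echo "WARN: level LOW: validation still passes if no LDAP server can be contacted" ;;
        MEDIUM|HIGH) ;;
        *) echo "ERROR: GSK_CRL_SECURITY_LEVEL='$level' is not LOW, MEDIUM or HIGH"; rc=1 ;;
    esac
    if [ -z "$servers" ]; then
        if [ "$level" = "HIGH" ]; then
            echo "ERROR: level HIGH requires a CRL, but GSK_LDAP_SERVER is not set"
            rc=1
        else
            echo "INFO: GSK_LDAP_SERVER not set; no CRL will be queried"
        fi
    fi
    # Validate the optional :port suffix of each server entry (after any scheme).
    for s in $servers; do
        h=${s#*://}
        case "$h" in
            *:*) case "${h##*:}" in
                     ''|*[!0-9]*) echo "ERROR: bad port in GSK_LDAP_SERVER entry '$s'"; rc=1 ;;
                 esac ;;
        esac
    done
    # GSK_LDAP_PORT defaults to 389 and must be numeric when set.
    case "${port:-389}" in
        ''|*[!0-9]*) echo "ERROR: GSK_LDAP_PORT='$port' is not numeric"; rc=1 ;;
    esac
    echo "level in force: $level; servers: ${servers:-<none>}; port: ${port:-389 (default)}"
    return $rc
}

# Run the check over the three constructed samples.
for sample in "$SAMPLE_OK" "$SAMPLE_DEFAULT" "$SAMPLE_BROKEN"; do
    if check_crl_config "$sample"; then echo "-> OK"; else echo "-> NEEDS ATTENTION"; fi
    echo
done
```

To use it against a real file, replace the constructed samples with `check_crl_config "$(cat /path/to/rsed.envvars)"` (path assumed). The check only reads the file; it does not tell you whether the LDAP servers are reachable, which is exactly the condition that MEDIUM and HIGH enforce at connection time, so a clean report here still needs a live test of the RSE daemon's SSL connection afterwards.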