If desired, you can instruct the RSE daemon to check one or more Certificate
Revocation Lists (CRLs) to add an extra check to the certificate validation process.
This is done by adding the CRL-related environment variables to
rsed.envvars.
The following sample definitions are available in
rsed.envvars:
- GSK_CRL_SECURITY_LEVEL
  Specifies the level of security SSL applications use when contacting
  LDAP servers to check CRLs for revoked certificates during certificate validation.
  The default is MEDIUM. Uncomment and change it to enforce the
  specified value. The following values are valid:
  - LOW: certificate validation does not fail if the LDAP
    server cannot be contacted.
  - MEDIUM: certificate validation requires the LDAP server
    to be contactable, but does not require a CRL to be defined. This is the default.
  - HIGH: certificate validation requires the
    LDAP server to be contactable and a CRL to be defined.
  LOW is a fail-open setting: anyone who can keep the daemon from reaching the
  LDAP server also keeps it from learning that a certificate was revoked.
  Note: This directive requires z/OS 1.9 or higher.
- GSK_LDAP_SERVER
  Specifies one or more blank-separated LDAP server host names. Uncomment
  and change it to enforce the use of the specified LDAP servers to obtain their
  CRL.
  Each host name can be either a TCP/IP address or a URL, and can carry
  an optional port number separated from the host name by a
  colon (:).
- GSK_LDAP_PORT
  Specifies the LDAP server port. The default is 389.
  Uncomment and change it to enforce the specified value.
- GSK_LDAP_USER
  Specifies the distinguished name to use when connecting to the LDAP server.
  Uncomment and change it to enforce the specified value.
- GSK_LDAP_PASSWORD
  Specifies the password to use when connecting to the LDAP server. Uncomment
  and change it to enforce the specified value. The password is stored in
  clear text in rsed.envvars, so restrict read access to that file.
Refer to the
Cryptographic Services System Secure Sockets Layer Programming (SC24-5901)
for more information on these and other environment variables used by z/OS
System SSL.
Note: Be careful when specifying other z/OS System SSL environment
variables (GSK_*) in rsed.envvars, as they might change
the way the RSE daemon handles SSL connections and certificate authentication.
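The following shell script is an added example, not part of the product documentation or the RSE daemon: it audits the CRL-related GSK_* definitions in an rsed.envvars file before the daemon is restarted, flagging the fail-open LOW level, a missing GSK_LDAP_SERVER (nothing to fetch a CRL from), and a clear-text GSK_LDAP_PASSWORD in a file readable by group or others. The sample rsed.envvars excerpt it creates is constructed; the host name and distinguished name in it are placeholders, and real files will differ.

```shell
#!/bin/sh
# Added example, not part of the product documentation: audit the CRL-related
# GSK_* definitions in an rsed.envvars file before restarting the RSE daemon.
# The sample file below is constructed; host names and paths are placeholders.

# envvar_value FILE NAME
# Prints the value of the last uncommented NAME=value line in FILE (empty if none).
# Commented-out definitions (#NAME=...) are deliberately ignored, because that
# is how the shipped rsed.envvars leaves a variable at its default.
envvar_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# audit_rsed_envvars FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_rsed_envvars() {
    file="$1"
    findings=0

    level=$(envvar_value "$file" GSK_CRL_SECURITY_LEVEL)
    servers=$(envvar_value "$file" GSK_LDAP_SERVER)
    password=$(envvar_value "$file" GSK_LDAP_PASSWORD)

    # A commented-out or absent GSK_CRL_SECURITY_LEVEL means the default, MEDIUM.
    case "${level:-MEDIUM}" in
        LOW)
            echo "WARN: GSK_CRL_SECURITY_LEVEL=LOW is fail-open: validation still succeeds when the LDAP server cannot be reached"
            findings=$((findings + 1)) ;;
        MEDIUM|HIGH) ;;
        *)
            echo "ERROR: GSK_CRL_SECURITY_LEVEL=$level is not one of LOW, MEDIUM, HIGH"
            findings=$((findings + 1)) ;;
    esac

    # Without an LDAP server there is nowhere to obtain a CRL from.
    if [ -z "$servers" ]; then
        echo "WARN: GSK_LDAP_SERVER is not set, so no CRL will be consulted"
        findings=$((findings + 1))
    fi

    # GSK_LDAP_PASSWORD is clear text: the group/other permission bits
    # (columns 5-10 of ls -l) must not grant read access.
    if [ -n "$password" ]; then
        others=$(ls -ld "$file" | cut -c5-10)
        case "$others" in
            *r*)
                echo "WARN: GSK_LDAP_PASSWORD is set but $file is readable by group or others ($others)"
                findings=$((findings + 1)) ;;
        esac
    fi

    return "$findings"
}

# Constructed sample: a weak CRL section as it might appear in rsed.envvars.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# rsed.envvars (constructed excerpt)
GSK_CRL_SECURITY_LEVEL=LOW
#GSK_LDAP_SERVER=ldap.example.com:389
GSK_LDAP_USER=cn=crlreader,o=example
GSK_LDAP_PASSWORD=secret
EOF
chmod 644 "$sample"

n=0
audit_rsed_envvars "$sample" || n=$?
echo "findings: $n"
rm -f "$sample"
```

Run it against the real file with `audit_rsed_envvars /path/to/rsed.envvars`; a non-zero return is the number of findings, so it can gate a restart in a job or script. The checks only cover what the documentation above states; they do not contact the LDAP server, so a reachable server and a defined CRL still have to be verified separately.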