Use SSLCRC to control which certificate revocation status values CLI accepts when establishing a TLS connection.
Value | Description |
---|---|
allow | Establish the session if the certificate chain status is GOOD or UNKNOWN. Client products will not establish a session when the certificate is definitively REVOKED. This is the default value for CLI. |
require | Client products will establish a session when the certificate chain status is definitively GOOD, and return an error for any other status. |
Certificate revocation status is only checked if sslmode=verify-full. For any other values of sslmode, certificate status is not checked.
The parameter can be set in the following locations:
clispb.dat (For more information, see System Parameter Block (SPB) Processing.)
Add the following line to clispb.dat:
sslcrc={allow | require}
Environment variable
Set the following environment variable prior to running the client application:
Non-Windows:
$ export SSLCRC={allow | require}
Windows:
C:\> set SSLCRC={allow | require}
DBCAREA Connection string
The connect_ptr parameter in the DBCAREA structure can be set to a string containing the sslcrc attribute:
dbcarea.connect_ptr = "sslcrc={allow | require}"
The order of precedence for these methods is as follows:
- clispb.dat
- Environment variable
- dbcarea.connect_ptr
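A pre-deployment check for the settings above, as an added example that is not part of the product or its documentation: it fails unless sslmode is verify-full and every location that sets sslcrc sets it to require, so the result does not depend on which location takes precedence. The function names are hypothetical, and the sslmode value, the clispb.dat path and the connect string are assumed to be supplied by the caller.

```shell
#!/bin/sh
# Added example: audit SSLCRC across the three locations described above.
# Assumptions: sslmode is supplied by the caller; function names are hypothetical.

# Print the value from text containing "sslcrc=<value>"; prints nothing if unset.
get_sslcrc() {
    printf '%s\n' "$1" | sed -n 's/.*sslcrc=\([A-Za-z]*\).*/\1/p' | tail -n 1
}

# audit_sslcrc SSLMODE SPB_FILE CONNECT_STRING
# Returns 0 only when revocation is checked and every configured source is fail-closed.
audit_sslcrc() {
    sslmode=$1; spb=$2; conn=$3; rc=0; seen=0
    if [ "$sslmode" != "verify-full" ]; then
        echo "FAIL sslmode=$sslmode: certificate status is not checked"
        rc=1
    fi
    spb_val=""
    if [ -r "$spb" ]; then spb_val=$(get_sslcrc "$(cat "$spb")"); fi
    env_val=${SSLCRC:-}
    conn_val=$(get_sslcrc "$conn")
    for pair in "clispb.dat:$spb_val" "environment:$env_val" "connect_ptr:$conn_val"; do
        src=${pair%%:*}; val=${pair#*:}
        case $val in
            "")      continue ;;
            require) echo "OK   $src: sslcrc=require" ;;
            allow)   echo "FAIL $src: sslcrc=allow accepts UNKNOWN status"; rc=1 ;;
            *)       echo "FAIL $src: unrecognised sslcrc=$val"; rc=1 ;;
        esac
        seen=1
    done
    if [ "$seen" -eq 0 ]; then
        echo "FAIL sslcrc is not set in any location: the default is allow"
        rc=1
    fi
    return "$rc"
}

# Constructed sample run; the file path and connect string are placeholders.
audit_sslcrc verify-full ./clispb.dat "sslcrc=require" || true
```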