SSL/TLS and Secure Shell connections can be configured to authenticate hosts using digital certificates. To ensure that certificates have not been revoked, you can configure InfoConnect to check for certificate revocation using CRLs or using an OCSP responder.
When CRL checking is enabled, InfoConnect always checks for CRLs in any location specified in the CRL Distribution Point (CDP) field of the certificate. InfoConnect can also be configured to check for CRLs located in an LDAP directory, or to check revocation using an OCSP responder.
InfoConnect's default value for certificate revocation checking is based on your current system setting. If your system is configured to do CRL checking, InfoConnect sessions will check for certificate revocation using CRLs by default.
NOTE: When InfoConnect is running in DOD PKI mode, certificate revocation is always enabled and cannot be disabled.
To enable CRL checking by default for all SSH sessions
In Internet Explorer, choose Tools > Internet Options > Advanced.
Under Security, select Check for server certificate revocation.
You can enable certificate revocation checking using either a CRL or an OCSP responder.
To enable certificate revocation checking for VT Secure Shell sessions
Open the Reflection Secure Shell Settings dialog box.
Click the PKI tab.
Select either Use OCSP or Use CRL.
To enable certificate revocation checking for 3270, 5250 and VT SSL/TLS sessions
Open the Security Properties dialog box.
On the SSL/TLS tab, click Configure PKI. (Use SSL/TLS security must be selected.)
Select either Use OCSP or Use CRL.
To enable certificate revocation checking for ALC, UTS, and T27 sessions
Open the TCP/UDP Path Options dialog box.
Set Security type to the level of encryption you require and click PKI Settings.
Select either Use OCSP or Use CRL.
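The following PowerShell audit is an added example, not InfoConnect code. It reports the system revocation setting that the default is based on, then lists the CDP and OCSP locations each certificate advertises, flagging certificates with neither. Assumptions: the Internet Explorer checkbox is stored in the per-user `CertificateRevocation` registry value, the extension text is in the Windows `Format()` layout, and `Get-RevocationSource` and the file path in the last comment are hypothetical names.

```powershell
# Added example (not InfoConnect code). Run in Windows PowerShell.
# Assumption: the Internet Explorer checkbox is stored per user as the
# CertificateRevocation DWORD below (1 = enabled).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$setting = Get-ItemProperty -Path $key -Name CertificateRevocation -ErrorAction SilentlyContinue
$enabled = ($null -ne $setting) -and ($setting.CertificateRevocation -eq 1)
Write-Output "System revocation checking enabled: $enabled"

function Get-RevocationSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # 2.5.29.31 = CRL Distribution Points; 1.3.6.1.5.5.7.1.1 = Authority Information Access
        $cdp = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }

        $crl = @()
        if ($cdp) {
            # Format($true) returns multi-line text; each location appears as "URL=<value>"
            $crl = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        $ocsp = @()
        if ($aia) {
            # Keep only entries whose access method is OCSP (1.3.6.1.5.5.7.48.1),
            # skipping CA Issuers entries, which also carry a URL
            $pattern = '1\.3\.6\.1\.5\.5\.7\.48\.1\)[\s\S]*?URL=(\S+)'
            $ocsp = @([regex]::Matches($aia.Format($true), $pattern) |
                ForEach-Object { $_.Groups[1].Value })
        }
        [pscustomobject]@{
            Subject  = $Certificate.Subject
            CrlUrls  = $crl
            OcspUrls = $ocsp
            NoSource = ($crl.Count -eq 0 -and $ocsp.Count -eq 0)
        }
    }
}

# Intermediate CA certificates in the machine store: revocation can only be
# checked for a certificate that names a CRL or OCSP location.
Get-ChildItem Cert:\LocalMachine\CA | Get-RevocationSource |
    Format-Table Subject, NoSource, CrlUrls, OcspUrls -AutoSize

# For an exported host certificate (placeholder path):
# [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\path\to\host.cer') | Get-RevocationSource
```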