z/OS Cryptographic Services PKI Services Guide and Reference


The pkiserv.conf configuration file

SA23-2286-00

This topic includes a code sample of the pkiserv.conf configuration file.

The pkiserv.conf file is the configuration file for the PKI Services daemon. By default, you can find this file in the /usr/lpp/pkiserv/samples/ directory. For more information about the sections of the pkiserv.conf configuration file and the parameters, see (Optional) Steps for updating the configuration file and Table 1.

The following listing might not be identical to the code sample shipped with the product. For the most current sample, see the pkiserv.conf file in the source directory /usr/lpp/pkiserv/samples/.

# Licensed Materials - Property of IBM
# 5650-ZOS
# Copyright IBM Corp. 2001, 2013
# Status = HKY7790

[OIDs]
#
# Supported Distinguished Name OIDs
#
C=2.5.4.6
O=2.5.4.10
OU=2.5.4.11
CN=2.5.4.3
L=2.5.4.7
ST=2.5.4.8
TITLE=2.5.4.12
POSTALCODE=2.5.4.17
STREET=2.5.4.9
MAIL=0.9.2342.19200300.100.1.3
EMAIL=1.2.840.113549.1.9.1
SERIALNUMBER=2.5.4.5
UNSTRUCTUREDNAME=1.2.840.113549.1.9.2
UNSTRUCTUREDADDRESS=1.2.840.113549.1.9.8
DNQUALIFIER=2.5.4.46
DC=0.9.2342.19200300.100.1.25
UID=0.9.2342.19200300.100.1.1
BUSINESSCATEGORY=2.5.4.15
JURISDICTIONCOUNTRY=1.3.6.1.4.1.311.60.2.1.3
JURISDICTIONSTATEPROV=1.3.6.1.4.1.311.60.2.1.2
JURISDICTIONLOCALITY=1.3.6.1.4.1.311.60.2.1.1
#
# Signature Algorithm OIDs
#
sha-1WithRSAEncryption=1.2.840.113549.1.1.5
sha-256WithRSAEncryption=1.2.840.113549.1.1.11
sha-384WithRSAEncryption=1.2.840.113549.1.1.12
sha-512WithRSAEncryption=1.2.840.113549.1.1.13
sha-224WithRSAEncryption=1.2.840.113549.1.1.14
md-5WithRSAEncryption=1.2.840.113549.1.1.4
md-2WithRSAEncryption=1.2.840.113549.1.1.2
id-dsa-with-sha1=1.2.840.10040.4.3
ecdsa-with-sha1=1.2.840.10045.4.1
ecdsa-with-sha224=1.2.840.10045.4.3.1
ecdsa-with-sha256=1.2.840.10045.4.3.2
ecdsa-with-sha384=1.2.840.10045.4.3.3
ecdsa-with-sha512=1.2.840.10045.4.3.4

# If your organization will be using CertificatePolicies extensions
# on certificates that are created by this CA, the following
# entry assigns a symbolic name to a registered OID that identifies
# your organization's certificate usage policy.  This symbolic name
# is used later in the [CertPolicy] section of this configuration
# file to specify the certificate policy information.
#
MyPolicy=1.2.3.4

[ObjectStore]
# Database implementation, either VSAM or DB2. Default is VSAM.
# Specify
# DBType=VSAM
# or
# DBType=DB2

# If DBType is DB2, configure the following additional keywords:
#     DBPackage                 DBSubsystem
# These keywords will be ignored if DBType is set to VSAM.
#
# If DBType is VSAM, configure the following additional keywords:
#     ObjectDSN                 ObjectTidDSN      ObjectStatusDSN
#     ObjectRequestorDSN        ICLDSN            ICLStatusDSN
#     ICLRequestorDSN
# These keywords will be ignored if DBType is set to DB2.
#
# Regardless of the setting for DBType, verify the setting of
# the following keywords in this ObjectStore section:
#     SharedPLEX                RemoveCompletedReqs
#     RemoveInactiveReqs        RemoveExpiredCerts
#     RemoveExpiredCertsAndKeys

# Is the database implementation, whether it be VSAM datasets
# or DB2, shared in a sysplex with other instances of PKI
# Services?  True (T) or False (F).
# Note: The SharedPLEX keyword below replaces the SharedVSAM
#       keyword in PKI Services V1R13.  This keyword has the
#       same meaning as the SharedVSAM keyword has in prior
#       versions of PKI Services.
#
SharedPLEX=F

# Name of the DB2 Package this instance of PKI will be using in
# the DB2 sub system specified by the DBSubsystem keyword. If
# DBSubsystem is missing or not specified, this keyword will be
# ignored.
#
# DBPackage=MasterCA

# Name of the DB2 Sub system. If DBPackage is missing or not
# specified, this keyword will be ignored.
#
# DBSubsystem=DSN9

# Data set name of the VSAM request (object store) base CLUSTER
#
ObjectDSN='pkisrvd.vsam.ost'

# Data set name of the VSAM object store PATH for the transaction ID
# (TID) alternate index.
#
ObjectTidDSN='pkisrvd.vsam.ost.path'

# Data set name of the VSAM object store PATH for the status alternate
# index
#
ObjectStatusDSN='pkisrvd.vsam.ost.status'

# Data set name of the VSAM object store PATH for the requestor
# alternate index
#
ObjectRequestorDSN='pkisrvd.vsam.ost.requestr'

# Data set name of the VSAM issued certificate list (ICL) base CLUSTER
#
ICLDSN='pkisrvd.vsam.icl'

# Data set name of the VSAM ICL PATH for the status alternate index
#
ICLStatusDSN='pkisrvd.vsam.icl.status'

# Data set name of the VSAM ICL PATH for the requestor alternate index
#
ICLRequestorDSN='pkisrvd.vsam.icl.requestr'

# How many days (d) or weeks (w) should completed requests remain in
# the object store before being removed?
# Specify 0d to indicate completed requests should not be removed
#
RemoveCompletedReqs=1w

# How many days (d) or weeks (w) should inactive requests remain in the
# object store before being removed?
# Specify 0d to indicate inactive requests should not be removed
#
RemoveInactiveReqs=4w

# How many days (d) or weeks (w) should expired certificates remain in
# the ICL before being removed?
# Specify 0d to indicate expired certificates should not be removed
#
#RemoveExpiredCerts=26w

# How many days (d) or weeks (w) should expired certificates and Keys
# remain in the ICL and TKDS? Specify 0d to indicate expired
# certificates and keys should not be removed
#
#RemoveExpiredCertsAndKeys=520w

[CertPolicy]
# What signature algorithm should be used to sign certificates that are
# created?  The name of the signature algorithm must match one of the
# Signature Algorithm OIDs listed in the [OIDs] section of this
# configuration file.
#
SigAlg1=sha-256WithRSAEncryption

# How often should the certificate creation thread scan the database
# for approved certificate requests?
#
CreateInterval=3m

# How many days or weeks prior to the expiration of a certificate should
# the expiration warning be sent? If not specified, the expiration
# warning will not be sent.
#
ExpireWarningTime=4w

# How often should certificate revocation lists (CRL) be created?
#
TimeBetweenCRLs=1d

# How long is a certificate revocation list (CRL) valid?
#
CRLDuration=2d

# Specify the number of certificates that each CRL distribution point
# will represent. The default is 0 which indicates distribution point
# CRLs should not be created.
#
CRLDistSize=500

# Specify the constant portion of the CRL distribution point relative
# distinguished name. The distribution point number is appended to this
# value to form the common name. The default value is "CRL".
#
CRLDistName=CRL

# Should an Authority Revocation List (ARL) Distribution Point be
# created? 'F' (default) indicates an ARL DP will not be created.
# 'T' indicates an ARL DP will be created if the CRLDistSize is
# greater than zero.
#
ARLDist=F

# Full path of the directory where CRL distribution point files are to
# be stored for http protocol URI CRL distribution points.
# Defaults to "/var/pkiserv/"
# Ignored if no http protocol CRLDistURIn are defined
#
CRLDistDirPath=/var/pkiserv/

# Values for the CRL distribution point extension URI fields for the
# protocols (ldap, http) you choose. This is repeatable. The first one
# always starts with CRLDistURI1,  followed by CRLDistURI2, 3, ...n,
# if necessary.  Uncomment and update the desired directive to enable
# URI CRL distribution point that you need. If more than one URI field
# is needed, remember to increase the field number sequentially by the
# order of one, e.g. CRLDistURI2, CRLDistURI3...

# For ldap protocol, you may specify the LDAP server indicated in the LDAP
# section below, e.g.,
#
#CRLDistURI1=LdapServer1

# or specify a skeleton URL which contains the protocol type, the domain
# name and the port, if needed, e.g.,
#
#CRLDistURI1=ldap://myotherldapserver.mycompany.com:389/

# For http protocol, specify the complete URL minus the file name of the
# distribution point CRL file, e.g.,
#
#CRLDistURI1=http://www.mycompany.com/PKIServ/cacerts/

# Enable large (>32KB) CRL posting support, which will store CRLs in
# a local directory prior to their being posted to LDAP.
# T - True, CRLs are stored in a local file system directory before
#           being posted to LDAP
# F - False, CRLs are stored in Object Store posting object record(s)
#            before being posted to LDAP. Warning, a CRL (distribution
#            point or master) larger than 32KB will fail to be created
#            and not be posted to LDAP. (This is the Default)
#
#EnableLargeCRLPosting=F

# Full path of the local directory where CRLs are saved prior to
# posting to LDAP.
# Defaults to /var/pkiserv/.
# This keyword is ignored if large CRL posting is not enabled.
#
#LargeCRLPostPath=/var/pkiserv/

# Should this CA create CRLs that contain a critical Issuing
# Distribution Point extension?
# T = True, CRLs will be created with a critical Issuing Distribution
#           Point extension. (This is the default value if not
#           specified.)
# F = False, CRLs will be created with no Issuing Distribution Point
#            extension.
#
#CRLIDPExt=T

# What type of OCSP request is desired?
#  'none'  - No OCSP responder support (This is the default)
#  or
#  'basic' - The OCSP responder is enabled, but will not verify the
#            optional request signature.
#
OCSPType=none

# Enable the Simple Certificate Enrollment Protocol (SCEP)
# T = True, SCEP is enabled
# F = False, SCEP is disabled (default if not specified)
#
EnableSCEP=F

# Enable the Certificate Management Protocol (CMP)
# T = True, CMP is enabled
# F = False, CMP is disabled (default if not specified)
#
EnableCMP=F

# Should the CA restrict certificate requests to a validity period
# that does not exceed the CA certificate life time?
# T = True, requests with a validity period that exceeds the CA's
#           will fail.
# F = False, requests are not constrained to the CA's validity
#            period (this is the default value if not specified)
#
#CertValidityConstraint=F

#
# Should certificate path length constraints be enabled/enforced
# by this CA?
# T = True, The CA certificate will be examined at initialization
#           to verify it meets path length constraint requirements
#           and enables the setting of the pathLenConstraint
#           field in the Basic Constraint extension of intermediate
#           CA certificates created by this CA.
# F = False, Certificate path length constraints will not be
#            enforced in the CA certificate used by this CA, and
#            intermediate CA certificates created by this CA will
#            not include a pathLenConstraint field in the Basic
#            Constraint extension. (this is the default value if
#            not specified)
#
#EnablePathLenConstraint=F

#
# Specify the certification path length constraint value to be
# included in the Basic Constraints extension of intermediate
# CA certificates created by this CA.
# - The EnablePathLenConstraint keyword must be set to T, otherwise
#   the PathLength keyword will be ignored.
# - The valid value range for this keyword is 0 to 16, however the
#   value specified must be less than the pathLenConstraint value
#   in the PKI CA certificate if it is present.
#
#PathLength=1

# CertificatePolicies certificate extension information, indicating the
# policy under which the certificate has been issued and the purposes
# for which the certificate may be used. This extension contains a
# sequence of one or more policy information terms, each term comprised
# of an OID and an optional qualifier.

# Should the CA require that the CertificatePolicies extension be
# included on all certificates that are created?
# T = True, the CertificatePolicies extension will be added to all
#             certificates, and will include all PolicyName<n> entries
#             specified in this file.  Any policies that are
#             specified in the CertPolicies input parameter or listed
#             in the CONSTANT section of the template used to
#             generate the certificate are ignored.
# F = False,  the CertificatePolicies extension will only be added
#             to certificates when a certificate policy is specified
#             in the CertPolicies input parameter or in the
#             CONSTANT section of the template when a certificate is
#             requested. (This is the default value)
#
PolicyRequired=F

# Should the CertificatePolicies certificate extension be made a
# critical extension?
# T = True, the extension will be marked Critical
# F = False, the extension will not be marked Critical (This is the
#            default)
#
PolicyCritical=F

# List of CertificatePolicies extensions identifiers that may be added
# to certificates created by this CA.
# The policy name is the symbolic name for a certificate policy OID
# and must match the name of a policy that is listed in the [OIDs]
# section of this configuration file.
#
PolicyName1=MyPolicy

# Should the CertificatePolicies certificate extension include
# any optional qualifiers?  Qualifiers may be Certification
# Practice Statement (CPS) Pointer and User Notice.  User Notice
# may have two optional fields: Notice Reference and Explicit Text.
# To include these optional qualifiers for certificates created
# using the certificate policy <n>, uncomment the appropriate
# entries below and tailor them to suit your purpose.  Note that
# for the CA to conform with current standards, Notice Reference
# should not be used.
#
# CPS<n> = Specifies the URI for the CPS associated with PolicyName<n>.
# Policy<n>Org = Names the organization that has prepared the User
#                      Notice Reference information associated
#                      with PolicyName<n>.
# Policy<n>Notice<m> = Identifies the number of a textual
#                      statement, prepared by Policy<n>Org,
#                      for the User Notice Reference associated
#                      with PolicyName<n>.  More than one
#                      textual statement may apply.
# UserNoticeText<n> =  Specifies the User Notice Explicit Text
#                      information associated with PolicyName<n>.
#                      For the CA to conform with current standards,
#                      this textual statement must not exceed 200
#                      characters.
#
#Policy1Org=MyOrganization
#Policy1Notice1=3
#Policy1Notice2=17
UserNoticeText1=This is some very lawyerly statement for the relying party to read and make decisions based on.
CPS1=http://www.mycompany.com/cps.html

# Length of the certificate suspension grace period in days or weeks (d,w).
# Certificates that remain suspended for longer than this period are
# automatically revoked.
# The default value is 0d which indicates the grace period is unlimited.
#MaxSuspendDuration=120d

# Specify the email address of an administrator who will receive an
# email notification when a certificate request state becomes pending
# approval. Repeat for each administrator to receive pending approval
# notifications. The first one always starts with AdminNotifyNew1, followed
# by AdminNotifyNew2, 3, ...n, if necessary. The field number increases
# sequentially by the order of one. Uncomment and update the desired
# email address to enable the notification.
#
#AdminNotifyNew1=adminA@abc.com

# Specify the email address of an administrator who will receive an
# email notification containing a list of requests that are pending
# approval when the maintenance processing is run. Repeat for each
# administrator to receive an email reminder. The first one always
# starts with AdminNotifyReminder1, followed by AdminNotifyReminder2, 3,
# ...n, if necessary. The field number increases sequentially by the
# order of one. Uncomment and update the desired email address to
# enable the notification.
#
#AdminNotifyReminder1=adminA@abc.com

# Enable granular authority control for the administrative functions on
# different templates. If enabled, appropriate RACF (or equivalent
# product) protection profiles must be set up accordingly.
# T = True, granular authority control is enabled
# F = False, granular authority control is disabled (default if not
#            specified)
#
#AdminGranularControl=F

# Should a console message be issued when the CRL processing finishes?
# none - No console message will be issued
#        (this is the default value if not specified)
# file - A console message will be issued after the CRLs are available
#        in the file system
# This keyword will be ignored unless large CRL posting support is
# enabled (EnableLargeCRLPosting=T) or at least one http protocol CRL
# distribution point URI is defined.
#
#CRLWTONotification=none

[General]
InitialThreadCount=10

# Timeout value for the exit program. Default is 30 seconds (30s).
ExitTimeout=30s

# full pathname or data set name containing the 'your certificate is
# ready to be retrieved' message form. Defaults to no message issued
ReadyMessageForm=/etc/pkiserv/readymsg.form

# full pathname or data set name containing the 'your certificate
# request has been rejected' message form. Defaults to no message issued
RejectMessageForm=/etc/pkiserv/rejectmsg.form

# full pathname or data set name containing the 'your certificate is
# about to expire' message form. Defaults to no message issued
ExpiringMessageForm=/etc/pkiserv/expiringmsg.form

# full pathname or data set name containing the request(s) pending for
# approval message form. Defaults to no notification sent.
AdminNotifyForm=/etc/pkiserv/pendingmsg.form

# full pathname or data set name containing the renewed certificate
# message form for automatic certificate renewal.
# If absent, automatic certificate renewal is disabled.
RenewCertForm=/etc/pkiserv/renewcertmsg.form

# full pathname or data set name containing information on
# the list of certificates that match the criteria specified
# to recover key generated certificates.
# If absent, recovery query results will not be sent.
RecoverForm=/etc/pkiserv/recoverymsg.form

# Time of day to run the PKI maintenance task in 24 hour time format
# (HH:MM). The valid range is 00:00-23:59. The default value is 00:00
# (midnight).
#MaintRunTime=01:00

# Days of the week to run the PKI maintenance task in 0-6 format. The
# value specified is a list of numbers between 0 and 6. 0 represents
# Sunday and 6 represents Saturday.  No spaces or any other characters
# are permitted. Order of the digits is not important. Repeat digits
# are not allowed.
# The default value is every day of the week: 0123456
#MaintRunDays=0123456

# Should the PKI maintenance task run when the PKI daemon is started?
# True (T) or False (F). Default value is True.
#RunMaintAtStart=T

[SAF]
KeyRing=PKISRVD/CAring
#TokenName=PKISRVD.PKIToken

# The Label name for the PKI RA certificate connected to the Key ring
#   specified in the KeyRing value above
#
RALabel=Local PKI RA

# Should the CA generate secure keys in the Token Data Set (TKDS)
# when it has key generation capability?
# Valid SecureKey values are:
# T - True indicates secure keys are generated in the TKDS
# F - False (or absence of this keyword) indicates clear keys
#     will be generated in the TKDS. Note: Installation
#     configuration policy may override the ability to create
#     clear keys causing clear key requests to create secure
#     keys.
# If TokenName is not specified, the SecureKey keyword
# will be ignored.
# SecureKey=T

[LDAP]
NumServers=1
PostInterval=5m
Server1=myldapserver.mycompany.com:389
AuthName1=CN=root
AuthPwd1=root
#
# Should the CA post certificates and CRLs to the LDAP server with the
# binary attribute?
# T = True, post certificates and CRLs with the binary attribute
# F = False, post certificates and CRLs without the binary attribute
#            (this is the default value if not specified)
# Note: If NumServers is greater than one, you need one value for
# each corresponding server, e.g. UseBinaryAttr1 is for Server1.
# If the corresponding UseBinaryAttrn is missing, it defaults to F.
# UseBinaryAttr1=F
CreateOUValue= Created by PKI Services
RetryMissingSuffix=T
# Name of the LDAPBIND Class profile containing the bind information
# for LDAP server 1. This key is optional. Used in place of keys
# Server1, AuthName1, and AuthPwd1.
#BindProfile1=LOCALPKI.BINDINFO.LDAP1
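As an added illustration, not part of the IBM sample or of the product, the following Python checker parses a pkiserv.conf and reports violations of constraints the sample's comments state: the keyword set that DBType requires, the <n>d/<n>w form of the retention keywords, and that SigAlg1 and each PolicyName<n> name an entry in [OIDs], additionally flagging the MD2, MD5 and SHA-1 signature algorithms as deprecated. The SAMPLE text is constructed with deliberate mistakes, and the file syntax the parser assumes (key=value split on the first '=', '#' comments) is an assumption.

```python
import re
from typing import Dict, List

Conf = Dict[str, Dict[str, str]]
# Constructed excerpt (not the shipped sample) with deliberate mistakes: DB2 is
# chosen without its keywords, a retention value is malformed, SigAlg1 is weak.
SAMPLE = """\
[OIDs]
sha-1WithRSAEncryption=1.2.840.113549.1.1.5
sha-256WithRSAEncryption=1.2.840.113549.1.1.11
MyPolicy=1.2.3.4
[ObjectStore]
DBType=DB2
RemoveInactiveReqs=4 weeks
[CertPolicy]
SigAlg1=sha-1WithRSAEncryption
PolicyName1=MyPolicy
PolicyName2=OtherPolicy
"""

def parse_pkiserv_conf(text: str) -> Conf:
    """Read [Section] headers and key=value lines; '#' lines are comments (assumed syntax)."""
    conf: Conf = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line:
            key, _, val = line.partition("=")   # split on the first '=' only
            conf.setdefault(section, {})[key.strip()] = val.strip()
    return conf

DURATION = re.compile(r"^\d+[dw]$")           # e.g. 1w, 26w, 0d (= never remove)
WEAK = {"md-2WithRSAEncryption", "md-5WithRSAEncryption", "sha-1WithRSAEncryption"}
VSAM_KEYS = ("ObjectDSN", "ObjectTidDSN", "ObjectStatusDSN", "ObjectRequestorDSN",
             "ICLDSN", "ICLStatusDSN", "ICLRequestorDSN")
RETENTION = ("RemoveCompletedReqs", "RemoveInactiveReqs",
             "RemoveExpiredCerts", "RemoveExpiredCertsAndKeys")

def lint(conf: Conf) -> List[str]:
    out: List[str] = []
    oids, store, pol = (conf.get(s, {}) for s in ("OIDs", "ObjectStore", "CertPolicy"))
    # DBType (default VSAM) decides which data-store keywords must be present.
    dbtype = store.get("DBType", "VSAM")
    for k in VSAM_KEYS if dbtype == "VSAM" else ("DBPackage", "DBSubsystem"):
        if k not in store:
            out.append(f"ObjectStore: DBType={dbtype} requires {k}")
    for k in RETENTION:
        if k in store and not DURATION.match(store[k]):
            out.append(f"ObjectStore: {k}={store[k]!r} is not <n>d or <n>w")
    # SigAlg1 and every PolicyName<n> must name an entry in [OIDs].
    sig = pol.get("SigAlg1", "")
    if sig not in oids:
        out.append(f"CertPolicy: SigAlg1={sig!r} is not defined in [OIDs]")
    elif sig in WEAK:
        out.append(f"CertPolicy: SigAlg1={sig} relies on a deprecated hash")
    for k, v in pol.items():
        if re.fullmatch(r"PolicyName\d+", k) and v not in oids:
            out.append(f"CertPolicy: {k}={v} is not defined in [OIDs]")
    return out
```

Running `lint(parse_pkiserv_conf(SAMPLE))` reports the two missing DB2 keywords, the malformed RemoveInactiveReqs value, the SHA-1 signature algorithm and the undefined PolicyName2.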

Copyright IBM Corporation 1990, 2014