z/OS Cryptographic Services PKI Services Guide and Reference


Examining the TEMPLATE section

SA23-2286-00

The TEMPLATE section follows the APPLICATION section and contains several sample templates. The following example is an excerpt from the TEMPLATE section of the pkiserv.tmpl file. (The vertical ellipses indicate omitted sections.)
# ========================================================================= 
#
# Template Name - 2-Year PKI Browser Certificate For Authenticating
#                 to z/OS  1 
#
# Function - Creates a 2-Year certificate good for authenticating to z/OS.
⋮
# User input fields:
#  Requestor - optional
#  PassPhrase - required
#  PublicKey - required (Provided by the browser itself)
#  NotifyEmail - optional
⋮
# =========================================================================
#
<TEMPLATE NAME=2-Year PKI Browser Certificate For Authenticating To z/OS>  2 
<TEMPLATE NAME=PKI Browser Certificate>
<NICKNAME=2YBZOS>
<AUTORENEW=Y>
<CONTENT>  3 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML lang="en"><HEAD>
<TITLE> Web Based PKIX Certificate Generation Application Pg 2</TITLE>  4 
%%-copyright%%  5 
%%-AdditionalHead[browsertype]%%
</HEAD>

<BODY>
<H1>2-Year PKI Browser Certificate For Authenticating To z/OS</H1>  6 
<p>
<H2>Choose one of the following:</H2>
⋮
#<FORM NAME="CertReq" METHOD=POST ACTION=  7 
#              "/[application]/ssl-cgi-bin/careq.rexx" onSubmit=
    "return ValidateEntry(this)">

<INPUT NAME="Template" TYPE="hidden" VALUE="[tmplname]">
<p> Enter values for the following field(s)  8 
<SCRIPT LANGUAGE="JavaScript">  9 
<!--
⋮
//-->
</SCRIPT>
 %%Requestor (optional)%%
 %%NotifyEmail (optional)%%
 %%PassPhrase%%
 %%PublicKey2[browsertype]%%

<p>
<INPUT TYPE="Submit" VALUE="Submit certificate request">
<INPUT TYPE="reset" VALUE="Clear">
</FORM>
<p>
<H3><li>Pick Up a Previously Issued Certificate</H3>
<FORM METHOD=GET ACTION="/[application]/ssl-cgi/caretrieve.rexx"> 
<INPUT NAME="Template" TYPE="hidden" VALUE="[tmplname]">
<INPUT TYPE="submit" VALUE="Retrieve your certificate">
</FORM>
</ul>
<p>%%-pagefooter%%  10 
</BODY>
</HTML>
</CONTENT>
<APPL>  11 
 %%UserId%%
 %%HostIdMap=@host-name%%
</APPL>
<CONSTANT>  12 
 %%CommonName=%%
 %%OrgUnit=Class 1 Internet Certificate CA%%
 %%Org=The Firm%%
 %%KeyUsage=handshake%%
 %%ExtKeyUsage=clientauth%%
 %%NotBefore=0%%
 %%NotAfter=730%%
 %%SignWith=PKI:%%
</CONSTANT>
<SUCCESSCONTENT>  13 
 %%-requestok%%
</SUCCESSCONTENT>
<FAILURECONTENT>  14 
 %%-requestbad%%
</FAILURECONTENT>

<RETRIEVECONTENT>  15 
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML lang="en"><HEAD>
%%-copyright%%
<TITLE> Web Based PKIX Certificate Generation Application Pg 3</TITLE>
<SCRIPT LANGUAGE="JavaScript">
<!--
⋮
//-->
</SCRIPT>
</HEAD>

<BODY>
<H1> Retrieve Your [tmplname]</H1>  16 
<H3>Please bookmark this page</h3>
⋮
#<FORM NAME=retrieveform METHOD=POST ACTION=  17 
#      "/[application]/ssl-cgi-bin/cagetcert.rexx" onSubmit=
⋮
</FORM>
⋮
<p>%%-pagefooter%%
</BODY>
</HTML>
</RETRIEVECONTENT>
<RETURNCERT>  18 
%%returnbrowsercert[browsertype]%%
</RETURNCERT>
</TEMPLATE>
The numbers in the following list refer to the highlighted tags in the preceding excerpt of the TEMPLATE section.
  1. The template begins with a block comment identifying the template and explaining its use and fields.
  2. There are three names for each certificate (except for SAF templates, which do not include nicknames). The first TEMPLATE NAME line defines the true (actual, complete) name of the certificate. The next TEMPLATE NAME line defines an alias. (This simply differentiates browser from server certificates.) The NICKNAME defines an 8-character string. In each template for which you want certificates to be automatically renewed, insert the AUTORENEW tag immediately following the NICKNAME tag, if it is not already there, and set it to Y.
  3. The CONTENT subsection contains the HTML to display a Web page to the end user requesting this type of certificate. (The CGI script catmpl.rexx displays this content.)
  4. The title contains the heading that appears at the very top of the browser when the Web page is displayed.
  5. The %%-copyright%% named field displays the copyright statement.
  6. The heading is the main heading on the Web page for requesting the selected certificate.
  7. The ACTION tag indicates that the CGI script that gets control when the user clicks the Submit certificate request button is careq.rexx.
  8. Fields for which the user can supply input include %%Requestor%%, %%PassPhrase%%, %%NotifyEmail%%, and %%PublicKey2%%. (These fields are named fields that are defined in the INSERT section, which is shown later.) All fields not marked optional are required. %%PublicKey2%% contains the substitution variable [browsertype], which is replaced at run time with IE or NS, depending on the user's browser. This is necessary because the browsers behave differently for key generation and certificates.
  9. This JavaScript script provides the underlying logic for the text entry that the user must perform.
  10. The %%-pagefooter%% named field is defined in the INSERT section (shown later). This contains the e-mail address of the PKI Services administrator.
  11. The APPL subsection indicates the fields that careq.rexx itself provides, in this case, %%UserId%% and %%HostIdMap%%. (These are set from the IBM HTTP Server environment variable REMOTE_USER.)
  12. The CONSTANT subsection contains hardcoded values to use. For example, for the non-SAF certificates, the signing certificate is PKI:.
  13. The SUCCESSCONTENT subsection contains the HTML to display upon successfully requesting the certificate. It includes the %%-requestok%% named field. (This is defined in the INSERT section, shown in Examining the INSERT section. See list item 1.)
  14. The FAILURECONTENT subsection contains the HTML to display when the certificate request is unsuccessful. This subsection contains the %%-requestbad%% named field. (This named field is defined in the INSERT section, shown in Examining the INSERT section.)
  15. The -requestok INSERT (mentioned in list item 13) includes an ACTION that calls caretrieve.rexx, which displays the HTML in the RETRIEVECONTENT subsection. The first time the Web page is displayed, it includes the transaction ID associated with the certificate request. If the user leaves the Web page and then returns, the transaction ID field must be filled in. Entering the transaction ID and clicking the Continue button calls cagetcert.rexx.
  16. The main heading on the Web page is "Retrieve Your (Name of Certificate)".
  17. The ACTION is to call cagetcert.rexx as list item 15 indicates.
  18. The RETURNCERT subsection contains the %%return10cert%% named field, which is defined in an INSERT. (See list item 4.)
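
Added example, not from the IBM guide or from PKI Services itself: a Python parser that reads a template in the form shown above and reports, for each named field, whether the requester (CONTENT), careq.rexx (APPL) or the template itself (CONSTANT) supplies it. The sample is constructed from the excerpt; treating lines that start with # as comments, the PINNED list and the audit rule are assumptions of this example.

```python
import re

# Constructed sample: the excerpt above with comments and HTML markup removed.
SAMPLE = """\
<TEMPLATE NAME=2-Year PKI Browser Certificate For Authenticating To z/OS>
<TEMPLATE NAME=PKI Browser Certificate>
<NICKNAME=2YBZOS>
<AUTORENEW=Y>
<CONTENT>
 %%-copyright%%
 %%Requestor (optional)%%
 %%PassPhrase%%
 %%PublicKey2[browsertype]%%
</CONTENT>
<APPL>
 %%UserId%%
 %%HostIdMap=@host-name%%
</APPL>
<CONSTANT>
 %%CommonName=%%
 %%ExtKeyUsage=clientauth%%
 %%NotAfter=730%%
 %%SignWith=PKI:%%
</CONSTANT>
</TEMPLATE>
"""
FIELD = re.compile(r"%%(-?)(\w+)(?:\[\w+\])?(?:=([^%]*)| \((optional)\))?%%")
PINNED = ("KeyUsage", "ExtKeyUsage", "NotBefore", "NotAfter", "SignWith")  # assumed policy

def parse_template(text):
    """Map each subsection to its fields; assumes '#' lines are comments."""
    body = "\n".join(l for l in text.splitlines() if not l.startswith("#"))
    t = {"names": re.findall(r"<TEMPLATE NAME=([^>]+)>", body)}
    for tag in ("NICKNAME", "AUTORENEW"):
        m = re.search(rf"<{tag}=([^>]*)>", body)
        t[tag.lower()] = m.group(1) if m else None
    for sec in ("CONTENT", "APPL", "CONSTANT"):
        m = re.search(rf"<{sec}>(.*?)</{sec}>", body, re.S)
        t[sec.lower()] = fields = {}
        for f in FIELD.finditer(m.group(1) if m else ""):
            dash, name, value, opt = f.groups()
            if not dash:  # '%%-name%%' inserts only display text
                fields[name] = value if value is not None else (opt or "required")
    return t

def audit(t):
    """Flag pinned fields that are user input or absent from CONSTANT."""
    return [f"{n}: user-supplied" for n in PINNED if n in t["content"]] + [
        f"{n}: not in CONSTANT" for n in ("NotAfter", "SignWith") if n not in t["constant"]]
```

A field with no value in the template is reported as "required" or "optional"; for APPL fields such as UserId this means that careq.rexx supplies the value at request time.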





Copyright IBM Corporation 1990, 2014