backup_dsn | The data set that will contain a backup copy of the PKI Services certificate and private key. | No | When you also set ca_domain: 'daemon.ca_domain.KEY.BACKUP.P12BIN'; when you do not set ca_domain: 'daemon.KEY.BACKUP.P12BIN'. Note: daemon refers to the daemon variable in this table. |
ca_domain | The unique name for the CA when you establish multiple PKI Services CAs. If specified, the first eight characters must uniquely identify the CA. The characters of the ca_domain value are limited to the following character set: alphanumeric characters (a - z, A - Z, 0 - 9) and the hyphen (-). In addition, the first character must not be a number or hyphen. | No | "". Guideline: Do not change the default (null) value until you perform advanced customization. (See Adding a new CA domain.) |
ca_expires | The date that the PKI Services CA certificate expires. By default, IKYSETUP calculates the CA certificate expiration date based on the value of ca_exyears. For information about setting this variable, see "Specifying when the CA certificate and Web server certificates expire". | No | 2030/01/01. The date format is yyyy/mm/dd. |
ca_exyears | The life span of the PKI Services CA certificate, expressed in years. By default, IKYSETUP calculates the expiration date for the CA certificate by adding the number of years specified in ca_exyears to the date that IKYSETUP is run. For information about setting this variable, see "Specifying when the CA certificate and Web server certificates expire". | No | 20 |
ca_ring | The name of the PKI Services SAF key ring. | pkiserv.conf SAF KeyRing value | When you also set ca_domain: CAring.ca_domain; when you do not set ca_domain: CAring |
cacert_dsn | The data set that will contain the PKI Services certificate to assist the backup process. | No | When you also set ca_domain: 'daemon.ca_domain.CACERT.DERBIN'; when you do not set ca_domain: 'daemon.CACERT.DERBIN'. Note: daemon refers to the daemon variable in this table. |
caStore | The name of the PKI Services PKCS #11 token. | No | When you also set ca_domain or daemon: daemon.CATOKEN.ca_domain; when you do not set ca_domain or daemon: CATOKEN |
daemon | The PKI Services daemon user ID. If you also set ca_domain, you can choose to assign a unique user ID to the daemon for each CA domain. Example: For a ca_domain called BankA, you might choose user ID PKISRVDA. | pkiserv.conf SAF KeyRing value | PKISRVD |
export_dsn | The data set that will contain the Web server's root CA certificate for copying to the file system. | No | When you also set ca_domain: 'daemon.ca_domain.WEBROOT.DERBIN'; when you do not set ca_domain: 'daemon.WEBROOT.DERBIN'. Note: daemon refers to the daemon variable in this table. |
log_dsn | The log data set name. | No | When you also set ca_domain: 'your-id.ca_domain.IKYSETUP.LOG'; when you do not set ca_domain: 'your-id.IKYSETUP.LOG'. Notes: your-id refers to the RACF® ID of the person running IKYSETUP. (You do not need to add this; MVS™ adds this for you.) Changing the default is not suggested. |
pkigroup | The PKI Services administration group. This is a RACF group containing the list of user IDs that are authorized to use PKI Services administration functions. If you also set ca_domain, you can choose to assign a unique group name to the administration group for each CA domain. Example: For a ca_domain called BankA, you might choose group name PKIGRPA. | No | PKIGRP |
pkigroup1, pkigroup2 | PKI Services administrative groups for granular control of administrative functions. | No | PKIGRP1, PKIGRP2 |
ra_backup_dsn | The data set that will contain a backup copy of the PKI Services RA certificate and private key. This name should be similar but not identical to the backup_dsn value. | No | When you also set ca_domain: 'daemon.ca_domain.RAKEY.BACKUP.P12BIN'; when you do not set ca_domain: 'daemon.RAKEY.BACKUP.P12BIN'. Note: daemon refers to the daemon variable in this table. |
signing_ca_label | The label of the CA certificate that is the superior (signer) of the PKI Services CA. If specified, the value must match the label of an existing CERTAUTH certificate in RACF that has a private key. Use this value to create a CA hierarchy when you establish multiple PKI Services CAs. | No | "" |
surrog | The surrogate user ID for PKI Services. If you also set ca_domain, you can choose to assign a unique user ID as the surrogate user ID for each CA domain. Example: For a ca_domain called BankA, you might choose user ID PKISERVA. Note: This cannot be an existing user ID (because IKYSETUP creates the user ID with the NOPASSWORD attribute). | Surrogate user ID in httpd*.conf | PKISERV |
vsamhlq | The high-level qualifier of the VSAM data sets for PKI Services. Note: The RACF administrator gets this information from the MVS programmer. | ObjectStore *DSN values in pkiserv.conf; data set names in IKYCVSAM | Same as the daemon variable earlier in this table. |
web_expires | The date that the Web server certificate expires. By default, IKYSETUP calculates the Web server certificate expiration date based on the value of web_exyears. For information about setting this variable, see "Specifying when the CA certificate and Web server certificates expire". | No | 2015/01/01. The date format is yyyy/mm/dd. |
web_exyears | The life span of the Web server certificate, expressed in years. By default, IKYSETUP calculates the expiration date for the Web server certificate by adding the number of years specified in web_exyears to the date when IKYSETUP is run. For information about setting this variable, see "Specifying when the CA certificate and Web server certificates expire". | No | 5 |
web_label | The label for the Web server's certificate. | No | SSL Cert |
webserver | The Web server's daemon user ID. | See Web server documentation. | WEBSRV |
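
The ca_domain naming rules and the default-name patterns in this table can be checked before IKYSETUP is run when several CA domains are planned. The following Python sketch is an added example, not IBM code and not part of IKYSETUP; the function names are hypothetical, the sample domain list is constructed, and the case-insensitive comparison of the first eight characters and the literal substitution into the table's patterns are assumptions.

```python
import re

# Rules from the ca_domain row: letters, digits and hyphen only;
# the first character must not be a digit or a hyphen.
CA_DOMAIN_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

# Default patterns copied from the table rows for the daemon-owned data sets.
DSN_SUFFIXES = {
    "backup_dsn": "KEY.BACKUP.P12BIN",
    "ra_backup_dsn": "RAKEY.BACKUP.P12BIN",
    "cacert_dsn": "CACERT.DERBIN",
    "export_dsn": "WEBROOT.DERBIN",
}


def check_ca_domains(domains):
    """Return a list of problems found in a set of planned ca_domain values."""
    problems = []
    seen = {}  # first eight characters -> first domain that used them
    for name in domains:
        if not CA_DOMAIN_RE.fullmatch(name):
            problems.append(f"{name!r}: invalid characters or first character")
            continue
        # Assumption: prefixes are compared case-insensitively (the table does not say).
        prefix = name[:8].upper()
        if prefix in seen:
            problems.append(
                f"{name!r}: first eight characters collide with {seen[prefix]!r}")
        else:
            seen[prefix] = name
    return problems


def default_names(daemon="PKISRVD", ca_domain=""):
    """Fill in the table's default patterns by literal substitution."""
    owner = f"{daemon}.{ca_domain}" if ca_domain else daemon
    names = {var: f"'{owner}.{suffix}'" for var, suffix in DSN_SUFFIXES.items()}
    names["ca_ring"] = f"CAring.{ca_domain}" if ca_domain else "CAring"
    return names


if __name__ == "__main__":
    # Constructed planning input: one valid name, one prefix collision, three invalid names.
    planned = ["BankA", "Customers1", "Customers2", "9lives", "-test", "bank_b"]
    for problem in check_ca_domains(planned):
        print(problem)
    for var, value in default_names("PKISRVDA", "BankA").items():
        print(f"{var} = {value}")
```

A collision on the first eight characters matters because the per-domain defaults for the key backup data sets, key ring and token all embed ca_domain, so two CAs with colliding names would not be uniquely identified.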