Perform the following steps to plan additional CA domains.
- Determine how many instances of PKI Services (CA domains) you
will operate in addition to the initial domain you configured when
you originally customized PKI Services.
For each CA domain, you
need to pick a nickname to use as the CA domain name. The CA domain
name is used to qualify the resources used by that CA domain. For
example, the CA domain named Employees uses the following
resources:
If you are implementing the object store and ICL using DB2®, you need a unique DB2 package name for each CA domain. Use the
CA domain name for the package name. You should also use a unique
name for the DB2 plan.
_______________________________________________________
- Decide how you will administer multiple CA domains. Will you share
a common set of administrators across all your CA domains or
will you have a dedicated set of administrators for each CA
domain?
If you use a dedicated set for each CA domain, you
need to pick a second nickname for each CA domain, for its administrative
domain.
_______________________________________________________
- Determine your CA domain names. Unless you renamed the default
domain names when you originally customized PKI Services, the initial
name for the application domain is Customers and
its administrative domain name is PKIServ. Your new
CA domain names (nicknames) must differ from these values.
Rules for domain names:
- Domain names are 1 - 8 characters.
- For REXX CGI execs, domain names can exceed 8 characters if the
first 8 characters are unique from your other domain names.
- For Java™ server pages (JSPs), domain names cannot exceed 8 characters.
- The characters in the domain name are limited to the following
character set: alphanumeric characters (a - z, A - Z, 0 - 9) and the hyphen (-).
- The first character must not be a number or hyphen.
_______________________________________________________
- Record information about your CA domains in Table 1 and Table 2.
Row 1 in
each table is already filled in with the defaults for an initial CA
domain (Customers). Row 2 in each table is
an example of a new CA domain managed by the same (shared) group of
administrators. Row 3 in each table is an example of the same
CA domain from Row 2 managed by a dedicated group of
administrators.
The rows in each table that are already filled
in use the default values for the following variables when PKI Services
was installed. (Your MVS™ programmer
might have chosen different directories.)
| Installation variable | Default directory name |
|---|---|
| install-dir | /usr/lpp/pkiserv |
| runtime-dir | /etc/pkiserv |
- Fill in the values for new CA domains, administrative domains,
and directories in Table 1. You can add
your information in the blank lines below or you can modify or cross
out the sample rows.
Table 1. Multiple CA domains: Worksheet #2 for planning your domain names

| Row | CA domain name (runtime directory) | Truncated CA domain name | Administrative domain name (runtime directory) |
|---|---|---|---|
| 1. | Customers (/etc/pkiserv) | CUSTOMER | PKIServ (/etc/pkiserv) |
| 2. | Employees (/etc/pkiserv/employees) | EMPLOYEE | PKIServ (/etc/pkiserv) |
| 3. | Employees (/etc/pkiserv/employees) | EMPLOYEE | AdmEmployees (/etc/pkiserv/employees) |
| 4. | | | |
| 5. | | | |
- Fill in your RACF® user
IDs, groups, and VSAM data set qualifiers or DB2 package names in Table 2.
You can add your information in the blank lines below or you can modify
or cross out the sample rows.
Table 2. Multiple CA domains: Worksheet #3 for planning your RACF identifiers, z/OS UNIX identifiers, and VSAM data set names or DB2 package names. Use row 2 for shared administrators, row 3 for dedicated administrators. Row 4 is the same as row 3 but specifies a DB2 package name instead of VSAM data set qualifiers.

| Row | Daemon user ID (UID) | Surrogate user ID (UID) | PKI administration group name (GID) | VSAM data set qualifiers or DB2 package name |
|---|---|---|---|---|
| 1. | PKISRVD (554) | PKISERV (555) | PKIGRP (655) | PKISRVD.VSAM |
| 2. | PKISRVD (554) | PKISERV (555) | PKIGRP (655) | PKISRVD.EMPLOYEE.VSAM |
| 3. | PKIDEMP (556) | PKISEMP (557) | PKIGEMP (657) | PKISRVD.EMPLOYEE.VSAM |
| 4. | PKIDEMP (556) | PKISEMP (557) | PKIGEMP (657) | MasterCA |
| 5. | | | | |
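The domain-name rules from the steps above, as an added Python check for worksheet entries (this is not IBM's code and not part of the original page). The function and variable names are this example's own; the upper-cased 8-character truncation follows the sample rows of Table 1, and comparing names without regard to case is an assumption.

```python
import re

# Letters, digits and hyphen only; the first character must be a letter.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")
# Initial domain names unless they were renamed at customization time.
DEFAULT_EXISTING = ("Customers", "PKIServ")


def truncated(name):
    """First 8 characters in upper case, as in the 'Truncated' column of Table 1."""
    return name[:8].upper()


def check_domains(new_names, frontend="rexx", existing=DEFAULT_EXISTING):
    """Map each planned domain name to a list of rule violations (empty = OK).

    frontend: "rexx" for REXX CGI execs, "jsp" for JSPs.
    Comparison ignores case; that is this example's assumption.
    """
    if frontend not in ("rexx", "jsp"):
        raise ValueError("frontend must be 'rexx' or 'jsp'")
    taken = {truncated(n): n for n in existing}
    report = {}
    for name in new_names:
        issues = []
        if not name:
            issues.append("empty name")
        elif not NAME_RE.match(name):
            issues.append("only a-z, A-Z, 0-9 and '-' allowed; must start with a letter")
        if len(name) > 8 and frontend == "jsp":
            issues.append("longer than 8 characters (not allowed with JSPs)")
        clash = taken.get(truncated(name))
        if clash is not None:
            issues.append(f"first 8 characters collide with {clash!r}")
        else:
            taken[truncated(name)] = name
        report[name] = issues
    return report


if __name__ == "__main__":
    # Constructed worksheet entries, not from the original page.
    planned = ["Employees", "AdmEmployees", "Employees2", "9lives", "Partner_EU"]
    for name, issues in check_domains(planned).items():
        print(f"{name:14} {truncated(name):9} {'; '.join(issues) or 'ok'}")
```

If the default domain names were renamed during customization, pass the actual names through `existing`.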