z/OS Cryptographic Services PKI Services Guide and Reference


Subtask 1: Steps for planning additional CA domains

SA23-2286-00

Perform the following steps to plan additional CA domains.
  1. Determine how many instances of PKI Services (CA domains) you will operate in addition to the initial domain you configured when you originally customized PKI Services.

    For each CA domain, you need to pick a nickname to use as the CA domain name. The CA domain name is used to qualify the resources used by that CA domain. For example, the CA domain named Employees uses the following resources:

    • Web page URLs (in mixed case)
      • If you implement the Web application using REXX CGI execs:
        http://webserver-domain-name/Employees/public-cgi/camain.rexx
      • If you implement the Web application using JSPs:
        http://webserver-domain-name/PKIServ_Web/Employee/ApplicationName/pkimain.jsp
        Note that the CA domain name is independent of the application domain name.
    • Data set qualifiers (in upper case) - VSAM ICL data set
      PKISRVD.EMPLOYEE.VSAM.ICL
    • Path names (in lower case)
      /etc/pkiserv/employees/pkiserv.conf
    If you are implementing the object store and ICL using DB2®, you need a unique DB2 package name for each CA domain. Use the CA domain name for the package name. You should also use a unique name for the DB2 plan.

    _______________________________________________________

  2. Decide how you will administer multiple CA domains. Will you share a common set of administrators across all your CA domains or will you have a dedicated set of administrators for each CA domain?

    If you use a dedicated set for each CA domain, you need to pick a second nickname for each CA domain, for its administrative domain.

    _______________________________________________________

  3. Determine your CA domain names. Unless you renamed the default domain names when you originally customized PKI Services, the initial name for the application domain is Customers and its administrative domain name is PKIServ. Your new CA domain names (nicknames) must differ from these values.
    Rules for domain names:
    • Domain names are 1 - 8 characters.
      • For REXX CGI execs, domain names can exceed 8 characters if their first 8 characters differ from those of all your other domain names.
      • For Java™ server pages (JSPs), domain names cannot exceed 8 characters.
    • The characters in the domain name are limited to alphanumeric characters (a - z, A - Z, 0 - 9) and the hyphen (-).
    • The first character must not be a number or hyphen.

    _______________________________________________________

  4. Record information about your CA domains in Table 1 and Table 2.

    Row 1 in each table is already filled in with the defaults for an initial CA domain (Customers). Row 2 in each table is an example of a new CA domain managed by the same (shared) group of administrators. Row 3 in each table is an example of the same CA domain from Row 2 managed by a dedicated group of administrators.

    The rows in each table that are already filled in use the default values for the following variables when PKI Services was installed. (Your MVS™ programmer might have chosen different directories.)
    Installation variable   Default directory name
    install-dir             /usr/lpp/pkiserv
    runtime-dir             /etc/pkiserv
    1. Fill in the values for new CA domains, administrative domains, and directories in Table 1. You can add your information in the blank lines below or you can modify or cross out the sample rows.
      Table 1. Multiple CA domains: Worksheet #2 for planning your domain names

      Row  CA domain name (runtime directory)   Truncated CA domain name  Administrative domain name (runtime directory)
      1.   Customers (/etc/pkiserv)             CUSTOMER                  PKIServ (/etc/pkiserv)
      2.   Employees (/etc/pkiserv/employees)   EMPLOYEE                  PKIServ (/etc/pkiserv)
      3.   Employees (/etc/pkiserv/employees)   EMPLOYEE                  AdmEmployees (/etc/pkiserv/employees)
      4.
      5.
    2. Fill in your RACF® user IDs, groups, and VSAM data set qualifiers or DB2 package names in Table 2. You can add your information in the blank lines below or you can modify or cross out the sample rows.
      Table 2. Multiple CA domains: Worksheet #3 for planning your RACF identifiers, z/OS UNIX identifiers, and VSAM data set names or DB2 package names. Use row 2 for shared administrators, row 3 for dedicated administrators. Row 4 is the same as row 3 but specifies a DB2 package name instead of VSAM data set qualifiers.

      Row  Daemon user ID (UID)  Surrogate user ID (UID)  PKI administration group name (GID)  VSAM data set qualifiers or DB2 package name
      1.   PKISRVD (554)         PKISERV (555)            PKIGRP (655)                         PKISRVD.VSAM
      2.   PKISRVD (554)         PKISERV (555)            PKIGRP (655)                         PKISRVD.EMPLOYEE.VSAM
      3.   PKIDEMP (556)         PKISEMP (557)            PKIGEMP (657)                        PKISRVD.EMPLOYEE.VSAM
      4.   PKIDEMP (556)         PKISEMP (557)            PKIGEMP (657)                        MasterCA
      5.
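The naming rules in step 3 and the way a CA domain name qualifies its resources in step 1 can be checked mechanically before the worksheets are filled in. The following Python script is an added example, not part of the IBM documentation or of PKI Services itself. It assumes the placeholder values from the page's examples (`webserver-domain-name`, the `PKISRVD` high-level qualifier and the `/etc/pkiserv` runtime directory), and it treats the first-8-characters uniqueness rule as applying to every domain name, which is a conservative assumption going beyond the page's statement for REXX names longer than 8 characters, because the truncated upper-case form becomes the data set qualifier.

```python
"""Validate a proposed CA domain nickname and derive the resource names it qualifies.

Added example; not part of the IBM documentation. The web server host name, data set
high-level qualifier and runtime directory are the page's placeholder values.
"""
import re
from dataclasses import dataclass
from typing import List

# Default domain names from the initial PKI Services customization (from the page).
DEFAULT_APPLICATION_DOMAIN = "Customers"
DEFAULT_ADMIN_DOMAIN = "PKIServ"

# Placeholders taken from the page's examples; replace with your site's values.
WEBSERVER = "webserver-domain-name"
DATASET_HLQ = "PKISRVD"
RUNTIME_DIR = "/etc/pkiserv"

# Allowed characters: letters, digits and hyphen; the first character must be a
# letter (the page forbids a leading number or hyphen, which leaves only letters).
NAME_PATTERN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


@dataclass
class DomainPlan:
    name: str          # CA domain name as entered (mixed case, used in URLs)
    truncated: str     # first 8 characters, upper case (data set qualifier)
    rexx_url: str      # REXX CGI entry URL for this domain
    icl_dataset: str   # VSAM ICL data set name
    conf_path: str     # pkiserv.conf path under the domain's runtime directory


def truncated_name(name: str) -> str:
    """Data set qualifier form of a domain name: first 8 characters, upper case."""
    return name[:8].upper()


def validate_domain_name(name: str, existing: List[str], web_impl: str) -> List[str]:
    """Return the rule violations for `name`; an empty list means it is acceptable.

    `existing` holds the domain names already in use; `web_impl` is "rexx" or "jsp".
    """
    if not name:
        return ["domain name is empty"]
    problems = []
    if not NAME_PATTERN.match(name):
        problems.append("only a-z, A-Z, 0-9 and hyphen are allowed, and the first "
                        "character must not be a number or hyphen")
    if len(name) > 8 and web_impl == "jsp":
        problems.append("JSP domain names cannot exceed 8 characters")
    # Assumption: the truncated upper-case form becomes the data set qualifier, so it
    # is required to be unique across all domains, not only for names over 8 chars.
    clashes = [e for e in existing if truncated_name(e) == truncated_name(name)]
    if clashes:
        problems.append(f"first 8 characters clash with existing domain(s) {clashes}")
    if name.lower() in (DEFAULT_APPLICATION_DOMAIN.lower(), DEFAULT_ADMIN_DOMAIN.lower()):
        problems.append("name must differ from the default domain names "
                        f"{DEFAULT_APPLICATION_DOMAIN} and {DEFAULT_ADMIN_DOMAIN}")
    return problems


def plan_domain(name: str, existing: List[str], web_impl: str = "rexx") -> DomainPlan:
    """Validate `name` and derive the resource names it qualifies; ValueError if invalid."""
    problems = validate_domain_name(name, existing, web_impl)
    if problems:
        raise ValueError("; ".join(problems))
    trunc = truncated_name(name)
    return DomainPlan(
        name=name,
        truncated=trunc,
        rexx_url=f"http://{WEBSERVER}/{name}/public-cgi/camain.rexx",
        icl_dataset=f"{DATASET_HLQ}.{trunc}.VSAM.ICL",
        conf_path=f"{RUNTIME_DIR}/{name.lower()}/pkiserv.conf",
    )


if __name__ == "__main__":
    in_use = [DEFAULT_APPLICATION_DOMAIN]        # only the initial domain exists so far
    print(plan_domain("Employees", in_use))      # the page's worked example
    # Constructed rejects: leading digit, leading hyphen, underscore, 8-character
    # clash with Employees, and a default domain name.
    for candidate in ["9Employees", "-Emp", "Emp_loyees", "Employee", "customers"]:
        print(candidate, "->", validate_domain_name(candidate, in_use + ["Employees"], "rexx"))
```

Run it once per candidate nickname with the names already recorded in Table 1 passed as `existing`; the returned `DomainPlan` gives the URL, ICL data set and `pkiserv.conf` path to copy into the worksheets, and a non-empty violation list means the nickname needs to change before any RACF or data set definitions are created.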

Copyright IBM Corporation 1990, 2014