z/OS Cryptographic Services PKI Services Guide and Reference


IBM HTTP Server V5.3 configuration directives

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

The following listing might not be identical to the code sample shipped with the product. For the most current sample, see the httpd.conf file of sample IBM HTTP Server configuration directives in the source directory /usr/lpp/pkiserv/samples/.
#---------------------------------------------------------------------#
# Licensed Materials - Property of IBM                                #
# 5694-A01                                                            #
# (C) Copyright IBM Corp. 2001,2011                                   #
# Status = HKY7780                                                    #
#                                                                     #
# Change-Activity:                                                    #
#  $L1=PKIS4  , HKY7708, 020429, JWS: PKI Services                    #
#  $L2=PKIS13B, HKY7780, 100628, SSD: PKI Release XIII Updates        #
#                                                                     #
# Change Descriptions:                                                #
#   A - Multiple application support                             @L1A #
#   A - Added support for PKI ActiveX                            @L2A #
#---------------------------------------------------------------------#
# For a secure system, set the default User ID to %%CLIENT%%
# With %%CLIENT%% as the server-wide default, a request that no Protection
# setup assigns another UserID to runs under the requester's own SAF
# identity rather than a shared one.
UserId     %%CLIENT%%

# SSL support using a SAF keyring
# SSLring is the name of the SAF key ring that holds the server certificate.
# NOTE(review): confirm which user ID owns the ring and that only the
# server's ID can use the private key connected to it.
keyfile SSLring SAF
#         OR
# May use a gskkyman key database instead of SAF keyring
# If the key database file is used instead, its file permissions are what
# protect the server's private key; keep it readable by the server's ID only.
#keyfile  /etc/key.kdb

# SSL is enabled on port 443. Normalmode on keeps the non-SSL listener
# active as well (its port is not set in this listing), so this server
# answers both http:// and https:// requests.
sslmode on
sslport 443
Normalmode on
# PublicUser: no AuthType is set, so no credentials are requested.
# Mask Anyone admits every requester, and matching requests run under the
# PKISERV user ID. The SAF authorities granted to PKISERV therefore bound
# what an unauthenticated request can reach; keep them to what the public
# CGIs need.
Protection PublicUser {
        ServerId        PublicUser
        UserID          PKISERV
        Mask            Anyone
}
# NOTE(review): /PKIServ/ssl-cgi-bin/* and /PKIServ/* (and the /Customers
# equivalents) also match the .../auth/ and .../surrogateauth/ paths that
# receive stricter setups later in this file. Confirm in the HTTP Server
# documentation how overlapping Protect templates are resolved before
# reordering these rules or inserting new ones.
Protect /PKIServ/public-cgi/*  PublicUser
Protect /PKIServ/ssl-cgi-bin/*  PublicUser
Protect /PKIServ/*  PublicUser
Protect /Customers/public-cgi/* PublicUser
Protect /Customers/ssl-cgi-bin/* PublicUser
Protect /Customers/* PublicUser

# AuthenticatedUser: HTTP Basic authentication checked against SAF
# (PasswdFile %%SAF%%). UserID %%CLIENT%% runs the request under the
# user ID that authenticated; Mask All accepts any user ID that passes
# the password check.
# Basic authentication sends the SAF user ID and password with every
# request, protected only by the transport.
# NOTE(review): Normalmode is on in this file and nothing in this listing
# limits these paths to the SSL port -- confirm that the .../auth/ URLs
# cannot be requested over the non-SSL port.
Protection AuthenticatedUser {
        ServerId        AuthenticatedUser
        AuthType        Basic
        PasswdFile      %%SAF%%
        UserID          %%CLIENT%%
        Mask            All
}
Protect /PKIServ/ssl-cgi-bin/auth/* AuthenticatedUser
Protect /Customers/ssl-cgi-bin/auth/* AuthenticatedUser

# SurrogateUser: the requester authenticates with a SAF user ID and
# password (AuthType Basic, PasswdFile %%SAF%%), but the request then
# runs under the PKISERV user ID instead of the requester's own.
# Access decisions made after authentication are taken with PKISERV's
# authority, so the authenticated identity has to be checked by the
# application if it matters -- NOTE(review): confirm how the CGIs use it.
# The same transport caveat as for any Basic-authenticated path applies:
# the password is only as confidential as the connection carrying it.
Protection SurrogateUser {
        ServerId        SurrogateUser
        AuthType        Basic
        PasswdFile      %%SAF%%
        UserID          PKISERV
        Mask            All
}
Protect /PKIServ/ssl-cgi-bin/surrogateauth/* SurrogateUser
Protect /Customers/ssl-cgi-bin/surrogateauth/* SurrogateUser

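# Each Redirect is a single directive: the request template and its target
# URL belong on the same line. The listing had wrapped the target onto a
# line of its own, which would not parse as one directive if copied as shown.
# Replace <server-domain-name> with the fully qualified name that appears in
# the server certificate, so that redirected browsers do not get a
# host-name mismatch.
#
# /ssl-cgi/ requests are sent to the https:// URL of the matching
# /ssl-cgi-bin/ path on the default SSL port.
Redirect  /PKIServ/ssl-cgi/*  https://<server-domain-name>/PKIServ/ssl-cgi-bin/*
Redirect  /PKIServ/ssl-cgi/auth/*  https://<server-domain-name>/PKIServ/ssl-cgi-bin/auth/*
Redirect  /PKIServ/ssl-cgi/surrogateauth/*  https://<server-domain-name>/PKIServ/ssl-cgi-bin/surrogateauth/*
Redirect  /Customers/ssl-cgi/*  https://<server-domain-name>/Customers/ssl-cgi-bin/*
Redirect  /Customers/ssl-cgi/auth/*  https://<server-domain-name>/Customers/ssl-cgi-bin/auth/*
Redirect  /Customers/ssl-cgi/surrogateauth/*  https://<server-domain-name>/Customers/ssl-cgi-bin/surrogateauth/*


# Client-certificate requests are handed to the second server instance,
# which listens on SSL port 1443 (the /etc/httpd1443.conf sample).
Redirect  /PKIServ/clientauth-cgi/*  https://<server-domain-name>:1443/PKIServ/clientauth-cgi/*
Redirect  /Customers/clientauth-cgi/*  https://<server-domain-name>:1443/Customers/clientauth-cgi/*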

# Exec maps a URL template to a directory of CGI programs. Replace
# <application-root> with the installation's application root.
# The /Customers/ URLs execute the same programs as the /PKIServ/ URLs:
# both map to directories under <application-root>/PKIServ.
Exec      /PKIServ/public-cgi/*    <application-root>/PKIServ/public-cgi/*
Exec      /PKIServ/ssl-cgi-bin/*   <application-root>/PKIServ/ssl-cgi-bin/*
Exec      /Customers/public-cgi/*  <application-root>/PKIServ/public-cgi/*
Exec      /Customers/ssl-cgi-bin/* <application-root>/PKIServ/ssl-cgi-bin/*
# Pass serves static files. /PKIServ/cacerts/* is mapped to everything
# under /var/pkiserv, and that URL falls under the PublicUser setup
# (Mask Anyone), so those files are served without authentication.
# NOTE(review): confirm that /var/pkiserv holds only material meant for
# public download, such as CA certificates.
Pass      /PKIServ/cacerts/*       /var/pkiserv/*
# Static delivery of the PKI ActiveX enrollment controls.
# NOTE(review): if no supported browser in the environment uses ActiveX,
# check whether these two mappings are still needed.
Pass      /PKIServ/PKIXEnroll/*    /usr/lpp/pkiserv/ActiveX/PKIXEnroll/*
Pass      /PKIServ/PKICEnroll/*    /usr/lpp/pkiserv/ActiveX/PKICEnroll/*
# MIME types for certificate downloads: .cer is delivered as a user
# certificate, .der as a CA certificate.
AddType  .cer  application/x-x509-user-cert      ebcdic  0.5 # Browser Certificate
AddType  .der  application/x-x509-ca-cert        binary  1.0 # CA Certificate
The source of the following sample IBM HTTP Server configuration directives for your /etc/httpd1443.conf file is /usr/lpp/pkiserv/samples/httpd2.conf.
#---------------------------------------------------------------------#
# Licensed Materials - Property of IBM                                #
# 5694-A01                                                            #
# (C) Copyright IBM Corp. 2001,2011                                   #
# Status = HKY7780                                                    #
#                                                                     #
# Change-Activity:                                                    #
#  $L1=PKIS4  , HKY7708, 020429, JWS: PKI Services                    #
#  $L2=PKIS13B, HKY7780, 100628, SSD: PKI Release XIII Updates        #
#                                                                     #
# Change Descriptions:                                                #
#   A - Multiple application support                             @L1A #
#   A - Added support for PKI ActiveX                            @L2A #
#---------------------------------------------------------------------#

# For a secure system, set the default User ID to %%CLIENT%%
# With %%CLIENT%% as the server-wide default, a request that no Protection
# setup assigns another UserID to runs under the requester's own SAF
# identity rather than a shared one.
UserId     %%CLIENT%%


# SSL support using a SAF keyring
# SSLring is the name of the SAF key ring that holds the server certificate.
# NOTE(review): confirm which user ID owns the ring and that only the
# server's ID can use the private key connected to it.
keyfile SSLring SAF
#         OR
# May use a gskkyman key database instead of SAF keyring
#keyfile  /etc/key.kdb

# This instance is SSL-only: SSL on port 1443, Normalmode off disables
# the non-SSL listener.
sslmode on
sslport 1443
Normalmode off
# Client certificates are requested on this port.
# NOTE(review): "strong" together with SSLX500CARoots local_and_x500
# presumably validates client certificates against both the local key
# ring and the LDAP directory configured below -- confirm against the
# HTTP Server documentation.
SSLClientAuth   strong
SSLX500CARoots local_and_x500
# LDAP directory used for the X.500 lookups. Replace each <...> placeholder.
# SSLX500Password is stored in this file in the clear: restrict read access
# to the configuration file to the server's ID and administrators, and bind
# with a distinguished name that has read-only access to the directory
# entries it needs.
SSLX500Host <ldap-server-name>
SSLX500Port <ldap-port-number>
SSLX500UserID <ldap-distinguished-name>
SSLX500Password <ldap-password>

# RenewRevokeUser: SSL_CLIENTAUTH Client requires an SSL client
# certificate; Mask Anyone places no further restriction on who the
# certificate belongs to, and the request runs under the PKISERV user ID.
# NOTE(review): AuthType Basic is set without a PasswdFile, so access
# appears to rest on the client certificate alone -- confirm.
# Which certificates are accepted is decided by the trusted CA roots of
# the server (key ring and the SSLX500 settings of this file), so the set
# of trusted CAs is the effective access list for these paths.
Protection RenewRevokeUser {
        ServerId        RenewRevokeUser
        AuthType        Basic
        UserID          PKISERV
        SSL_CLIENTAUTH  Client
        Mask            Anyone
}

# NOTE(review): /PKIServ/clientauth-cgi/* and /Customers/clientauth-cgi/*
# also match the .../clientauth-cgi/auth/ paths that receive the
# AuthenticatedAdmin setup later in this file. Confirm how overlapping
# Protect templates are resolved before reordering these rules.
Protect /PKIServ/clientauth-cgi/*   RenewRevokeUser
Protect /Customers/clientauth-cgi/* RenewRevokeUser
Protect /PKIServ/PKIXEnroll/*       RenewRevokeUser
Protect /PKIServ/PKICEnroll/*       RenewRevokeUser
# AuthenticatedAdmin: an SSL client certificate is required
# (SSL_CLIENTAUTH Client) and UserID %%CERTIF%% runs the request under
# the SAF user ID associated with that certificate.
# The administrative paths are therefore only as well protected as the
# certificate-to-user-ID associations held in SAF: review which
# certificates are mapped to user IDs with PKI administration authority.
# Mask Anyone adds no restriction beyond that mapping.
Protection AuthenticatedAdmin {
        ServerId        AuthenticatedAdmin
        AuthType        Basic

        UserID          %%CERTIF%%
        SSL_CLIENTAUTH  Client
        Mask            Anyone
}
Protect /PKIServ/clientauth-cgi/auth/* AuthenticatedAdmin
Protect /Customers/clientauth-cgi/auth/* AuthenticatedAdmin

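# Requests that do not belong on the client-certificate port are sent back
# to the first server instance. Each Redirect is a single directive: the
# request template and its target URL belong on the same line. The listing
# had wrapped the target onto a line of its own, which would not parse as
# one directive if copied as shown.
# Replace <server-domain-name> with the server's fully qualified name.
#
# NOTE(review): the public-cgi targets use http://, so a browser arriving
# here over SSL is sent to the non-SSL port of the first instance. If the
# public pages are meant to be available over SSL as well, confirm whether
# these targets should be https:// in your deployment.
Redirect  /PKIServ/public-cgi/*  http://<server-domain-name>/PKIServ/public-cgi/*
Redirect  /PKIServ/ssl-cgi/*  https://<server-domain-name>/PKIServ/ssl-cgi-bin/*
Redirect  /Customers/public-cgi/*  http://<server-domain-name>/Customers/public-cgi/*
Redirect  /Customers/ssl-cgi/*  https://<server-domain-name>/Customers/ssl-cgi-bin/*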

# Exec maps the client-certificate URLs to the CGI directory. Replace
# <application-root> with the installation's application root.
# Both the /PKIServ/ and /Customers/ URLs run the programs in
# <application-root>/PKIServ/clientauth-cgi-bin.
Exec      /PKIServ/clientauth-cgi/* <application-root>/PKIServ/clientauth-cgi-bin/*
Exec      /Customers/clientauth-cgi/* <application-root>/PKIServ/clientauth-cgi-bin/*

# Static delivery of the PKI ActiveX enrollment controls on this port.
# These URLs are covered by the RenewRevokeUser setup in this file, so a
# client certificate is required to fetch them here.
Pass      /PKIServ/PKIXEnroll/*       /usr/lpp/pkiserv/ActiveX/PKIXEnroll/*
Pass      /PKIServ/PKICEnroll/*       /usr/lpp/pkiserv/ActiveX/PKICEnroll/*





Copyright IBM Corporation 1990, 2014