Perform the following steps to set up key generation for
certificate requests.
Before you begin
- You need to know whether the ICSF token data set (TKDS) has already
been set up.
- You need to know whether you want PKI Services to generate
secure or clear keys.
- You need to know whether you want to restrict the use of clear
keys.
Procedure
- If the ICSF token data set (TKDS) has not already been
set up, ask the ICSF programmer to set it up. (For information about
the TKDS, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.)
The TKDS must exist before PKI Services starts,
so if PKI Services is already running, stop it and restart it after the
TKDS is set up. (For information about stopping and restarting PKI Services, see Starting and stopping PKI Services.)
_______________________________________________________________
- Edit the SAF section of the PKI Services configuration
file, pkiserv.conf, and verify that the TokenName parameter
is specified. If it is not, choose a name for the token in the TKDS
that PKI Services will
use for storing the key pairs that it generates, and set TokenName to
the name you choose.
Rules: A token name must follow these rules:
- Up to 32 characters in length
- Permitted characters are:
- Alphanumeric
- National: "@" (X'7C'), "#" (X'7B'), or "$" (X'5B')
- Period: "." (X'4B')
- The first character must be alphabetic or national
- Lowercase letters can be used, but are folded to uppercase
- The IBM1047 code page is assumed, which is where the X'..' values above come from
_______________________________________________________________
- Edit the SAF section of the PKI Services
configuration file, pkiserv.conf, and set the SecureKey parameter
to T if you want PKI Services to generate secure
keys, or to F if you want PKI Services to generate
clear keys. A secure key is kept encrypted under an ICSF master key and
is usable only through the cryptographic hardware; a clear key is stored in the
TKDS without that protection, which is why the next step lets you restrict clear keys.
_______________________________________________________________
- If you want to restrict the generation of clear
keys, have the security administrator create a profile in the CRYPTOZ
class to do so. The profile name is CLEARKEY followed by the token name.
For example, if you set TokenName to
PKISRVD.PKITOKEN, to restrict PKI Services from generating clear keys
the security administrator issues the command:
RDEF CRYPTOZ CLEARKEY.PKISRVD.PKITOKEN UACC(NONE)
Because the CRYPTOZ class is RACLISTed (see the SETROPTS commands in the later
step that authorizes the daemon), the new profile does not take effect until
SETROPTS RACLIST(CRYPTOZ) REFRESH is issued.
_______________________________________________________________
- Edit the General section of the PKI Services configuration
file, pkiserv.conf, and verify that the ReadyMessageForm parameter
is specified. If it is not:
- Copy the ready message form from the samples directory to
the runtime directory. Follow the instructions in Steps for copying files.
- Update the ReadyMessageForm parameter to
specify the full pathname or data set name of the ready message form.
- Customize the ready message form. Follow the instructions
in Customizing e-mail notifications sent to users.
_______________________________________________________________
- Set up the e-mail form that is sent if a user requests
that PKI Services recover
a certificate for which PKI Services generated
the keys. The form contains a list of certificates that can be recovered.
Edit the General section of the PKI Services configuration
file, pkiserv.conf and verify that the RecoverForm parameter
is specified. If it is not:
- Copy the recovery message form from the samples directory
to the runtime directory. Follow the instructions in Steps for copying files.
- Update the RecoverForm parameter to specify
the full pathname or data set name of the recovery message form.
- Customize the recovery message form. Follow the instructions
in Customizing e-mail notifications sent to users.
_______________________________________________________________
- If you want expired certificates whose keys were generated
by PKI Services to
be deleted from the ICL automatically after a certain time period,
edit the ObjectStore section of the PKI Services configuration
file, pkiserv.conf and update the RemoveExpiredCertsAndKeys parameter
to specify the time period after which the expired certificates should
be deleted.
_______________________________________________________________
- The RACF® administrator
must give the PKI Services daemon
the authorization it needs to use the PKCS #11 APIs. The following RACF commands set up the required
authorization in the CRYPTOZ class. (By default the daemon user ID
is PKISRVD, but you might be using a different user ID. Check the daemon variable
in Table 1 if
you are not sure what your daemon user ID is.) The SO and USER profiles are
generic, so they cover every token whose name begins with the daemon user ID
and a period (for example PKISRVD.PKITOKEN when the daemon user ID is PKISRVD);
if you chose a TokenName that does not start that way, define profiles that match it instead.
SETROPTS CLASSACT(CRYPTOZ) GENERIC(CRYPTOZ) RACLIST(CRYPTOZ)
RDEFINE CRYPTOZ SO.daemon_id.* UACC(NONE)
RDEFINE CRYPTOZ USER.daemon_id.* UACC(NONE)
PERMIT SO.daemon_id.* CLASS(CRYPTOZ) ID(daemon_id) ACC(UPDATE)
PERMIT USER.daemon_id.* CLASS(CRYPTOZ) ID(daemon_id) ACC(CONTROL)
SETROPTS RACLIST(CRYPTOZ) REFRESH
Note: These commands
are included in the IKYSETUP REXX exec. If you have another reason
to rerun IKYSETUP, you can update the exec to set up the daemon user
ID's authorization in the CRYPTOZ class at the same time. If you do not
have another reason to rerun IKYSETUP, the RACF administrator can issue the commands manually.
_______________________________________________________________
- (Optional) Because PKI Services stores certificates
for which it generates the keys in the TKDS, it can recover those
certificates from the TKDS. To recover a certificate, a user must
provide the passphrase that was entered when the certificate was originally
requested. If the user has forgotten the passphrase, you can use the PKI Services exit to
allow the user to recover the passphrase by responding to security
questions. For more information, see Scenario 4: Allow users to recover a PKI generated key certificate when the passphrase is lost.
Decide whether you want to implement passphrase recovery, and if so,
write exit code to implement the function.
Results
When you are done, PKI Services can generate
key pairs for certificate requests if asked to do so.