z/OS Cryptographic Services PKI Services Guide and Reference


(Optional) Steps for updating the configuration file

SA23-2286-00

Before you begin

The following table provides information about parameters in the pkiserv.conf configuration file. (It omits parameters for the LDAP section. For information about these parameters, see Table 1.) Read the parameter descriptions, and examine the values provided in the sample configuration file, shown in the rightmost column, to ensure that the values meet your company's requirements. As necessary, cross out the sample values and enter the information appropriate to your own organization's needs and policies.
Table 1. Information needed for updating the configuration file
Parameter Information needed Where to get this information Sample value or your customized value
OIDs section
MyPolicy A registered Object ID identifying your organization's usage policy, for example: 1.2.3.4. If you are creating your own certificate policy, see Using certificate policies for information on creating certificate policies. Otherwise, do not change this information. 1.2.3.4

If you need to use the CertificatePolicies extension, replace 1.2.3.4 with the value of your Object ID.

ObjectStore section
DBType Repository for the object store and issued certificate list (ICL). Valid values are:
  • VSAM
  • DB2
The default value is VSAM.

If DBType is VSAM, specify values for the parameters ObjectDSN, ObjectTidDSN, ObjectStatusDSN, ObjectRequestorDSN, ICLDSN, ICLStatusDSN, and ICLRequestorDSN. If DBType is DB2, these parameters are ignored.

If DBType is DB2, specify values for the parameters DBPackage and DBSubsystem. If DBType is VSAM, these parameters are ignored.

UNIX programmer decides this value. VSAM
DBPackage Name of the DB2® package this instance of PKI Services uses for the object store and ICL in the DB2 subsystem specified by the DBSubsystem parameter. If DBType is VSAM, this parameter is ignored. DB2 programmer decides this value. MasterCA
DBSubsystem Name of the DB2 subsystem or group attachment used by this instance of PKI Services. If DBType is VSAM, this parameter is ignored. DB2 programmer decides this value. DSN9
ObjectDSN VSAM data set name for the object store base cluster. This is the request database. Each VSAM request record consists of a fixed header followed by a variable-length section.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS™ programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.ost'

Note that this begins with the VSAM high-level qualifier.

ObjectTidDSN VSAM data set name for the object store transaction ID (TID) alternate index.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost.path'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.ost.path'

Note that this begins with the VSAM high-level qualifier.

ObjectStatusDSN VSAM data set name for the object store status alternate index.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost.status'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.ost.status'

Note that this begins with the VSAM high-level qualifier.

ObjectRequestorDSN VSAM data set name for the object store requestor alternate index.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost.requestr'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.ost.requestr'

Note that this begins with the VSAM high-level qualifier.

ICLDSN VSAM data set name for the ICL base cluster.

This data set contains the certificates that have been issued. Each VSAM ICL record consists of a fixed header followed by a variable-length section containing the BER-encoded certificates.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.icl'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.icl'

Note that this begins with the VSAM high-level qualifier.

ICLStatusDSN VSAM data set name for ICL status alternate index.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.icl.status'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.icl.status'

Note that this begins with the VSAM high-level qualifier.

ICLRequestorDSN VSAM data set name for ICL requestor alternate index.

If DBType is DB2, this parameter is ignored.

Guideline: If you are adding a new CA domain, insert the ca_domain value from Table 1 as the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.icl.requestr'

For the high-level qualifier before the period, see the vsamhlq variable in Table 1. The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets usually decides these names. 'pkisrvd.vsam.icl.requestr'

Note that this begins with the VSAM high-level qualifier.

RemoveCompletedReqs Time period that completed certificate requests remain in the object store before automatic deletion. This is a number followed by d (days) or w (weeks). If not specified, the default is 1w (one week). The value 0d disables the deletion of completed requests (not suggested). UNIX programmer decides this value. 1w
RemoveInactiveReqs Time period that incomplete, inactive certificate requests remain in the object store before automatic deletion. This is a number followed by d (days) or w (weeks). If not specified, the default is 4w (four weeks). The value 0d disables the deletion of inactive requests (not suggested). UNIX programmer decides this value. 4w
RemoveExpiredCertsAndKeys Time period that keys and expired certificates with keys generated by PKI Services remain in the ICL and TKDS before automatic deletion. This is a number followed by d (days) or w (weeks). If you do not specify this parameter, or you set the value to 0d, expired certificates will not be removed. UNIX programmer decides this value. 520w
RemoveExpiredCerts Time period that expired certificates with keys that were not generated by PKI Services remain in the ICL before automatic deletion. This is a number followed by d (days) or w (weeks). If you do not specify this parameter, or you set the value to 0d, expired certificates will not be removed. UNIX programmer decides this value. 0d
SharedPLEX Indicates whether you intend to share a single copy of the PKI Services object store and the issued certificate list (ICL) among multiple images in a sysplex. This is T (True) or F (False).
Note: This keyword has the same meaning as the SharedVSAM keyword in releases prior to z/OS® V1R13. If the SharedVSAM parameter is present from an earlier release, it will continue to work. If both SharedVSAM and SharedPLEX are present, SharedPLEX takes precedence.
UNIX programmer decides this value. F
CertPolicy section
AdminGranularControl Enables granular authority control for administrative functions based on CA domain name, certificate template name, and the administrative function being performed. If enabled, appropriate RACF® protection profiles must be set up. If T (True), granular authority control is enabled. If F (False), granular authority is disabled. F is the default. UNIX programmer decides this value. F
AdminNotifyNewn The email address to which notification should be sent immediately when a request is created and requires approval. The notification is only sent once. There can be multiple entries, where n is 1 for the first entry and increases sequentially for additional entries. The mailing address is in the form <userid>@<system>. UNIX programmer decides this value.

Do not change this information until you set up administrator notification of requests pending approval.

abigail@mycompany.com
AdminNotifyRemindern The email address to which reminder notifications of requests pending approval should be sent when the daily maintenance task runs. There can be multiple entries, where n is 1 for the first entry and increases sequentially for additional entries. The mailing address is in the form <userid>@<system>. UNIX programmer decides this value.

Do not change this information until you set up administrator notification of requests pending approval.

abigail@mycompany.com
ARLDist Indicates whether an authority revocation list (ARL) distribution point will be created. F (the default) indicates no ARL distribution point will be created. T indicates that an ARL distribution point will be created if CRLDistSize is greater than zero. UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Creating a distribution point ARL for more information.

F
CertValidityConstraint Specifies whether the validity period of a certificate should be constrained within the CA's certificate life time. If T (True), requests with a validity period that exceeds the CA's validity period fail. If F (False), requests are not constrained to the CA's validity period. F is the default. UNIX programmer decides this value. F
CPSn The Uniform Resource Identifier (URI) for the Certification Practice Statement (CPS) that is associated with PolicyNamen. The value is in the form: http://www.mycompany.com/cps.html. Do not change this information until you perform advanced customization. See Using certificate policies for more information. http://www.mycompany.com/cps.html

If you changed PolicyRequired=F to PolicyRequired=T, you need to replace the sample value with a valid URI to your published Certificate Practice Statement.

CreateInterval How often the certificate creation thread scans the database for approved requests. This is a number followed by w (weeks), d (days), h (hours), m (minutes), or s (seconds). UNIX programmer decides this value. 3m
CRLDistDirPath The full path for the file system directory where PKI Services is to save each DP CRL, as specified by the HTTP URI in the CRLDistributionPoints extension. This value is ignored if you do not create a CRLDistributionPoints extension or if the URI protocol is ldap. This value can be specified with or without the trailing slash.

The default value is /var/pkiserv/.

UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Customizing distribution point CRLs for more information.

/var/pkiserv/
CRLDistName Constant portion of the (leaf-node) relative distinguished name for a distribution point (DP) CRL, if DP CRL processing is being performed.

The default value is CRL.

UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Customizing distribution point CRLs for more information.

CRL
CRLDistSize An integer value that represents the maximum number of certificates that can appear on one DP CRL.

If you do not specify this parameter, or you set the value to 0, DP CRLs will not be created.

UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Customizing distribution point CRLs for more information.

500
CRLDistURIn Optional: Specifies a URI format name for the DP CRL. You can specify multiple names using parameters CRLDistURI1, CRLDistURI2, and so forth. This value is ignored if you do not create DP CRLs by specifying CRLDistSize with a value greater than zero. Specify this only if you want a URI-format name, in addition to the distinguished name format, built in the CRLDistributionPoints extension. UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Customizing distribution point CRLs for more information.

CRLDuration The amount of time that a certificate revocation list is valid. This is a number followed by w (weeks), d (days), h (hours), m (minutes), or s (seconds). UNIX programmer decides this value. 2d
CRLIDPExt Specifies whether certificate revocation lists (CRLs) should be created with a critical Issuing Distribution Point (IDP) extension. If T (True), CRLs are created with a critical IDP extension. If F (False), CRLs are created without the IDP extension. The default is T. UNIX programmer decides this value. T
CRLWTONotification Specifies whether a console message is issued when CRL processing ends. If set to none, no console message is issued. If set to file, a console message is issued after the CRL is available in the file system. This keyword is ignored if either of the following conditions is true:
  • HTTP protocol is not specified for CRL distribution.
  • Large CRL posting is not enabled.
UNIX programmer decides this value. none
EnableCMP Specifies whether support for certificate management protocol (CMP) messages is enabled. If T (True), CMP messages that are supported are accepted. If F (False), all CMP messages are rejected. F is the default. UNIX programmer decides this value. F
EnableLargeCRLPosting Specifies whether large CRL posting is enabled. If T, CRLs are saved in a z/OS UNIX directory before the LDAP posting thread processes them. If F, CRLs are saved in the object store (either VSAM data set or DB2 table, depending on which you are using), and are subject to a size limit of approximately 32KB. The default is F. UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Enabling support for large CRLs for more information.

F
EnablePathLenConstraint Specifies whether certificate path length constraints are enforced by the CA. The value is T (True) or F (False). If T, the CA certificate is examined at initialization to verify that it meets path length constraint requirements. If so, the pathLenConstraint field is set in the basic constraints extension of the intermediate CA certificates created by this CA. If not specified, or F, certificate path length constraint is not enforced in the CA certificate used by the CA, and intermediate CA certificates created by this CA do not include a pathLenConstraint field in the basic constraints extension. UNIX programmer decides this value. F
EnableSCEP Specifies whether Simple Certificate Enrollment Protocol (SCEP) is allowed. This is T (True) or F (False). UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Enabling Simple Certificate Enrollment Protocol (SCEP) for more information.

F
ExpireWarningTime
Note: You need a value for this parameter only if you are sending e-mail notifications to users when certificates are expiring, or automatically renewing certificates when they are expiring and sending them to the owners.

This parameter indicates how soon before certificate expiration to send a warning message or a renewed certificate (that is, the number of days or weeks before the day and time the certificate expires).

If automatic certificate renewal is active, this parameter indicates how soon before certificate expiration to renew the certificate and send it to the owner.

This name-value pair is optional. Its absence indicates no expiration checking is performed and no automatic certificate renewal occurs. Also, if the name-value pair is present but has an incorrect value or if PKI Services is configured to operate without LDAP, no expiration checking or automatic certificate renewal is done.

UNIX programmer decides this value. 4w
LargeCRLPostPath The full path for the file system directory where PKI Services is to save each CRL for posting to LDAP, if support for large CRLs is enabled. This value can be specified with or without the trailing slash, and can be the same as the value of CRLDistDirPath. The default value is /var/pkiserv/. UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Enabling support for large CRLs for more information.

/var/pkiserv/crls
MaxSuspendDuration The length of the certificate suspension grace period in weeks or days. This is a number followed by w (weeks) or d (days). Certificates that remain suspended for longer than this period are automatically revoked. If you do not specify this parameter, or you set it to 0d, the grace period is unlimited. UNIX programmer decides this value. 120d
OCSPType The type of OCSP responder support desired:
  • none (the default)
  • basic
If you do not specify this parameter, or you set the value to none, the responder is not enabled.
Change to basic if you want to enable the responder. none
PathLength Specifies the certificate path length constraint value to be included in the basic constraints extension of intermediate CA certificates created by the CA. Valid values are 0 - 16. The value specified must be less than the pathLenConstraint value in the PKI CA certificate, if it is present. This keyword is ignored if the EnablePathLenConstraint keyword is not set to T. UNIX programmer decides this value. 1
PolicyCritical Indicates whether the CertificatePolicies extension should be marked critical. The value is T (True) or F (False). UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Using certificate policies for more information.

F
PolicyRequired Indicates whether the CertificatePolicies extension should be included in all certificates that are created. The value is T (True) or F (False). T indicates that the CertificatePolicies extension is added to all certificates, and includes all PolicyNamen entries specified in the configuration file. Any policies specified in the CertPolicies input parameter or listed in the CONSTANT subsection in the template file are ignored. F indicates that the CertificatePolicies extension is added to a certificate only when a certificate policy is specified in the CertPolicies input parameter or in the CONSTANT section of the template when a certificate is requested. UNIX programmer decides this value.

Do not change this information until you perform advanced customization. See Using certificate policies for more information.

F
PolicyNamen A list of CertificatePolicies extensions that are added to all created certificates when PolicyRequired=T. The policy name is the symbolic name for a certificate policy OID and must match the name of a policy that is listed in the OIDs section. Do not change this information until you perform advanced customization. See Using certificate policies for more information. MyPolicy

If you changed PolicyRequired=F to PolicyRequired=T, replace the name MyPolicy with the same policy name used in the OIDs section.

PolicynOrg The name of the organization that has prepared the User Notice Reference information associated with PolicyNamen. For example: International Business Machines, Inc. Do not change this information until you perform advanced customization. See Using certificate policies for more information. My Company, Inc.

If you changed PolicyRequired=F to PolicyRequired=T, you need to specify your own value for this.

PolicynNoticem Specifies the number of a textual statement, prepared by PolicynOrg for the User Notice Reference associated with PolicyNamen. More than one textual statement can apply. Do not change this information until you perform advanced customization. See Using certificate policies for more information. 1

If you changed PolicyRequired=F to PolicyRequired=T, you need to specify your own value for this parameter.

SigAlg1 The nickname assigned to the Object ID for the signature algorithm in the OIDs section.

The supported algorithms and their nicknames are listed in Table 1.

Guideline: The MD2 and MD5 hashes have been found to be vulnerable to attack. Avoid specifying md-5WithRSAEncryption and md-2WithRSAEncryption if possible.

Do not change this information until you perform advanced customization. See Updating the signature algorithm for more information.

sha-256WithRSAEncryption
TimeBetweenCRLs

How often a certificate revocation list (CRL) should be created.

This is a number followed by w (weeks), d (days), h (hours), m (minutes), or s (seconds).

Tip: If you want PKI Services to create a CRL immediately, instead of waiting for the TimeBetweenCRLs interval to pass, use the createcrls utility. For more information, see Using the createcrls utility.

UNIX programmer decides this value. 1d
UserNoticeTextn The User Notice Explicit Text information associated with PolicyNamen. For example: Certificate for IBM internal use only. For the CA to conform with current standards, this textual statement must not exceed 200 characters. Do not change this information until you perform advanced customization. See Using certificate policies for more information. statement

If you changed PolicyRequired=F to PolicyRequired=T, you need to replace the variable statement with your own value.

General section
ExitTimeout Length of time that PKI Services waits for the autorenew preprocessing and postprocessing exit to return. If not specified, PKI Services waits for at most 30 seconds. PKI Services cancels the exit program if it runs longer than the specified time. The maximum value allowed is 1 hour; any larger value is treated as the 1-hour maximum. UNIX programmer decides this value. 10s
InitialThreadCount Number of threads (at least 2 and no more than 100) the PKI Services daemon should create at program initialization. UNIX programmer decides this value. 10
MaintRunDays The days on which the daily maintenance task is to run. This is a list of digits between 0 and 6, representing the days of the week, with 0 representing Sunday, and 6 representing Saturday. The digits listed represent the days on which the task is to run. No spaces or other characters can be specified, and digits cannot be repeated. The digits can be specified in any order. If not specified, the task runs every day. UNIX programmer decides this value. 0123456
MaintRunTime The time (local time) at which the daily maintenance task is to run, in the format hh:mm, where hh represents the hour (00 to 23) and mm represents the minutes (00 to 59). 00:00 represents midnight. If not specified, the task runs once per day at midnight local time. UNIX programmer decides this value. 01:00
RunMaintAtStart Indicates whether the daily maintenance task should run during PKI Services startup, in addition to the time and days specified by the MaintRunTime and MaintRunDays parameters. The value T (True) indicates that the task should run during PKI Services startup. The value F (False) indicates that the task should not run during PKI Services startup. If not specified, the daily maintenance task runs during PKI Services startup. UNIX programmer decides this value. T
ReadyMessageForm The full path name or data set name containing the 'Your certificate is ready' message form.
  • If you are not setting up PKI Services to generate keys for certificates, this name-value pair is optional. If you do not specify this name-value pair, no message is sent.
  • If you are setting up PKI Services to generate keys for certificates, this name-value pair is required. If you do not specify this name-value pair, requests to have PKI Services generate keys for certificates fail.

Guideline: If you are adding a new CA domain, use the ca_domain value from Table 1 as the second qualifier in the path name. Example: /etc/pkiserv/employees/readymsg.form

UNIX programmer decides this value. /etc/pkiserv/readymsg.form
RejectMessageForm The full path name or data set name containing the 'Your certificate request has been rejected' message form. By default, no message is issued. Using this name-value pair is optional.

Guideline: If you are adding a new CA domain, use the ca_domain value from Table 1 as the second qualifier in the path name. Example: /etc/pkiserv/employees/rejectmsg.form

UNIX programmer decides this value. /etc/pkiserv/rejectmsg.form
ExpiringMessageForm The full path name or data set name containing the 'Your certificate is about to expire' message form. By default, no message is issued. If your team has specified a value for ExpireWarningTime (see the ExpireWarningTime row in this table), then ExpiringMessageForm is required. Otherwise an error is logged and no expiring message processing is performed.

Guideline: If you are adding a new CA domain, use the ca_domain value from Table 1 as the second qualifier in the path name. Example: /etc/pkiserv/employees/expiringmsg.form

UNIX programmer decides this value. /etc/pkiserv/expiringmsg.form
AdminNotifyForm The full path name or data set name containing the ‘request(s) pending for approval’ message form. Defaults to no notification sent.

Guideline: If you are adding a new CA domain, use the ca_domain value from Table 1 as the second qualifier in the path name. Example: /etc/pkiserv/employees/pendingmsg.form

UNIX programmer decides this value. AdminNotifyForm=/etc/pkiserv/pendingmsg.form
RenewCertForm The full path name or data set name containing the 'renewed certificate' message form. Defaults to no certificate sent.

Guideline: If you are adding a new CA domain, use the ca_domain value from Table 1 as the second qualifier in the path name. Example: /etc/pkiserv/employees/renewcertmsg.form

UNIX programmer decides this value. RenewCertForm=/etc/pkiserv/renewcertmsg.form
RecoverForm The full path name or data set name containing the 'list of certificates that satisfy your search criteria for recovery' message form. Use this name-value pair if you are setting up PKI Services to generate keys for certificate requests, and want users to be able to recover those certificates.

Guideline: If you are adding a new CA domain, use the ca_domain value from Table 1 as the second qualifier in the path name. Example: /etc/pkiserv/employees/recoverymsg.form

UNIX programmer decides this value. RecoverForm=/etc/pkiserv/recoverymsg.form
SAF section
KeyRing The fully qualified name of the SAF key ring for PKI Services to use. (This must consist of an uppercase user ID and a case-sensitive ring name, separated by a slash (/).) See the ca_ring and daemon values in Table 1. PKISRVD/CAring
RA_label The label of your PKI Services registration authority (RA) certificate. See the ra_label value in Table 1. Local PKI RA
SecureKey Indicates whether keys generated by PKI Services are secure keys or clear keys. The value can be T (True) or F (False). T indicates that secure keys are generated in the TKDS. F or the absence of this keyword indicates that clear keys or secure keys are generated in the TKDS according to the installation configuration policy. SecureKey is ignored if TokenName is not specified. UNIX programmer decides this value. F
TokenName The name of a token in the ICSF PKCS #11 token data set (TKDS) that PKI Services uses to store key pairs that it generates for certificates. If this keyword is not specified, PKI Services cannot generate key pairs for certificates. If this keyword is specified, the TKDS must be set up before PKI Services starts. For information on setting up the TKDS, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. UNIX programmer decides this value. It must meet the requirements for a token name:
  • Up to 32 characters in length
  • Permitted characters are:
    • Alphanumeric
    • National: @ X'5B', # X'7B', or $ X'7C'
    • Period . X'4B'
  • The first character must be alphabetic or national
  • Lowercase letters can be used, but are folded to uppercase
  • The IBM1047 code page is assumed
PKISRVD.PKIToken
LDAP section
  For information about the LDAP section, see Table 1.
Note:
  1. Keep in mind that everything in the pkiserv.conf file, including section names, keys, and values, is case-sensitive.
  2. For boolean values, any of the following values are accepted for True: T, t, Y, y, or 1. Any of the following values are accepted for False: F, f, N, n, or 0.
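As an added example (not IBM's code or any PKI Services utility), the following Python script encodes the rules stated in the table and notes above, together with the rule from the procedure that the VSAM high-level qualifier must match the daemon's RACF user ID, and checks a constructed pkiserv.conf fragment against them. It assumes the file uses bracketed [Section] headers with key=value lines and '#' comments, and that the daemon runs under the default user ID PKISRVD.

```python
# Added example, not IBM's code: checks a pkiserv.conf fragment against the rules in the table
# above. Assumes [Section] headers, key=value lines with '#' comments, and daemon user ID PKISRVD.
import re

# Constructed sample built from the sample-value column of the table.
SAMPLE_CONF = """\
[ObjectStore]
DBType=VSAM
ObjectDSN='pkisrvd.vsam.ost'
ObjectTidDSN='pkisrvd.vsam.ost.path'
ObjectStatusDSN='pkisrvd.vsam.ost.status'
ObjectRequestorDSN='pkisrvd.vsam.ost.requestr'
ICLDSN='pkisrvd.vsam.icl'
ICLStatusDSN='pkisrvd.vsam.icl.status'
ICLRequestorDSN='pkisrvd.vsam.icl.requestr'
RemoveCompletedReqs=1w
RemoveInactiveReqs=4w
SharedPLEX=F
[CertPolicy]
CreateInterval=3m
TimeBetweenCRLs=1d
CRLDuration=2d
ExpireWarningTime=4w
SigAlg1=sha-256WithRSAEncryption
[General]
MaintRunDays=0123456
ExpiringMessageForm=/etc/pkiserv/expiringmsg.form
[SAF]
KeyRing=PKISRVD/CAring
TokenName=PKISRVD.PKIToken
"""

BOOL_VALUES = set("TtYy1FfNn0")  # spellings of True and False accepted by the notes above
BOOLEANS = ("SharedPLEX", "AdminGranularControl", "CertValidityConstraint", "CRLIDPExt", "EnableCMP",
            "EnableLargeCRLPosting", "EnablePathLenConstraint", "EnableSCEP", "PolicyCritical",
            "PolicyRequired", "RunMaintAtStart", "SecureKey")
VSAM_KEYS = ("ObjectDSN", "ObjectTidDSN", "ObjectStatusDSN", "ObjectRequestorDSN",
             "ICLDSN", "ICLStatusDSN", "ICLRequestorDSN")
# Period parameters: a number plus d or w only, or a number plus any of w, d, h, m, s.
PERIODS = {"dw": ("RemoveCompletedReqs", "RemoveInactiveReqs", "RemoveExpiredCerts",
                  "RemoveExpiredCertsAndKeys", "MaxSuspendDuration", "ExpireWarningTime"),
           "wdhms": ("CreateInterval", "TimeBetweenCRLs", "CRLDuration", "ExitTimeout")}
WEAK_SIGALGS = ("md-5WithRSAEncryption", "md-2WithRSAEncryption")

def parse_conf(text):
    """Return {section: {key: value}}; names are case-sensitive and '#' lines are comments."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip()] = value.strip()
    return conf

def check_conf(conf, daemon_user="PKISRVD"):
    """Return a list of findings; an empty list means every rule checked here held."""
    flat = {k: v for sec in conf.values() for k, v in sec.items()}  # keys are unique across sections
    out = []
    # ObjectStore: DBType decides which sibling parameters are used and which are ignored.
    dbtype = flat.get("DBType", "VSAM")
    if dbtype == "DB2":
        out += [f"{k} is required when DBType=DB2" for k in ("DBPackage", "DBSubsystem") if k not in flat]
    elif dbtype == "VSAM":
        for key in VSAM_KEYS:  # the VSAM high-level qualifier must be the daemon's RACF user ID
            hlq = flat.get(key, "").strip("'").split(".")[0].upper()
            if hlq != daemon_user:
                out.append(f"{key} HLQ {hlq!r} does not match daemon user {daemon_user}")
    else:
        out.append(f"DBType={dbtype} is not VSAM or DB2")
    # Time periods and booleans, with the spellings the table and the notes allow.
    for units, keys in PERIODS.items():
        for key in keys:
            if key in flat and not re.fullmatch(rf"\d+[{units}]", flat[key]):
                out.append(f"{key}={flat[key]} is not a number followed by one of {units}")
    for key in BOOLEANS:
        if key in flat and flat[key] not in BOOL_VALUES:
            out.append(f"{key}={flat[key]} is not T/t/Y/y/1 or F/f/N/n/0")
    # Daily maintenance schedule: unique digits 0-6 and nothing else.
    days = flat.get("MaintRunDays")
    if days is not None and (not re.fullmatch(r"[0-6]+", days) or len(set(days)) != len(days)):
        out.append(f"MaintRunDays={days} must be unique digits 0-6 and nothing else")
    if "ExpireWarningTime" in flat and "ExpiringMessageForm" not in flat:
        out.append("ExpiringMessageForm is required when ExpireWarningTime is set")
    if flat.get("SigAlg1") in WEAK_SIGALGS:
        out.append(f"SigAlg1={flat['SigAlg1']} uses MD2/MD5, which the guide says to avoid")
    # SAF: KeyRing is UPPERCASEUSERID/ringname; TokenName follows the TKDS token-name rules.
    keyring = flat.get("KeyRing", "")
    userid, slash, ring = keyring.partition("/")
    if not (slash and userid.isupper() and ring):
        out.append(f"KeyRing={keyring} must be an uppercase user ID, a slash and a ring name")
    token = flat.get("TokenName")
    if token is not None and (len(token) > 32 or not re.fullmatch(r"[A-Za-z@#$][A-Za-z0-9@#$.]*", token)):
        out.append(f"TokenName={token} must be 1-32 alphanumeric, @, #, $ or . characters, starting with a letter or national")
    return out
```

Run check_conf(parse_conf(SAMPLE_CONF)) on the sample to get an empty list; any edit that breaks one of the tabled rules (a DB2 DBType without DBPackage, an hour unit on a days-or-weeks parameter, a lowercase user ID in KeyRing) produces a finding naming the parameter.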

Procedure

Perform the following steps to update the pkiserv.conf configuration file:

  1. If necessary, update the ObjectStore section:
    1. If you want to use DB2 tables for the object store and issued certificate list (ICL) instead of VSAM files, uncomment the following line by removing the "# " at the beginning of the line:
      # DBType=DB2
      and leave the following line commented out:
      # DBType=VSAM
      If you want to use VSAM files, leave both lines commented out, or uncomment the following line:
      # DBType=VSAM
    2. If DBType is set to DB2 (see step 1.a), uncomment the following lines, and if necessary change the DB2 package name and subsystem name in the following lines to the names you chose in the DBPackage and DBSubsystem rows in Table 1:
      # DBPackage=MasterCA
      
      # DBSubsystem=DSN9
    3. If DBType is set to VSAM, or commented out, or not present (see step 1.a), if necessary change the data set names in the following lines to the names you chose in the ObjectDSN, ObjectTidDSN, ObjectStatusDSN, ObjectRequestorDSN, ICLDSN, ICLStatusDSN, and ICLRequestorDSN rows in Table 1:
      ObjectDSN='pkisrvd.vsam.ost'
      ObjectTidDSN='pkisrvd.vsam.ost.path'
      ObjectStatusDSN='pkisrvd.vsam.ost.status'
      ObjectRequestorDSN='pkisrvd.vsam.ost.requestr'
      ICLDSN='pkisrvd.vsam.icl'
      ICLStatusDSN='pkisrvd.vsam.icl.status'
      ICLRequestorDSN='pkisrvd.vsam.icl.requestr'

      If you are configuring PKI Services for the first time be aware that the high-level qualifier of the VSAM data set names must match the name of the RACF user ID assigned to the PKI Services daemon (by default, PKISRVD). If you change from the default to another user ID, you need to change the high-level qualifier in the pkiserv.conf configuration file as well. If the MVS programmer changes the data set names (see Step 2.d), you must make equivalent changes in pkiserv.conf.

    4. If necessary, change 1w in the following line to the value in the RemoveCompletedReqs row in Table 1:
      RemoveCompletedReqs=1w
    5. If necessary, change 4w in the following line to the value in the RemoveInactiveReqs row in Table 1:
      RemoveInactiveReqs=4w
    6. If necessary, uncomment the following line and, optionally, change 26w to the value in the RemoveExpiredCerts row in Table 1:
      RemoveExpiredCerts=26w
    7. If necessary, uncomment the following line and, optionally, change 520w to the value in the RemoveExpiredCertsAndKeys row in Table 1:
      RemoveExpiredCertsAndKeys=520w
    8. If necessary, update the SharedPLEX line:
      • If you intend to use a sysplex and you are configuring PKI Services for the first time, change F in the following line to T:
        SharedPLEX=F
      • If you are not using a sysplex (regardless of whether you are configuring PKI Services for the first time), you do not need to do anything.

    _______________________________________________________________

  2. If necessary, update the CertPolicy section.
    1. If necessary, change 3m in the following line to the value in the CreateInterval row in Table 1:
      CreateInterval=3m
    2. If necessary, update the ExpireWarningTime line(s):
      • If you are sending e-mail notifications and you are configuring PKI Services for the first time, if necessary change the value 4w in the following line to the value in the ExpireWarningTime row of Table 1.
        ExpireWarningTime=4w
      • If you are not using e-mail notifications and you are configuring PKI Services for the first time, remove the ExpireWarningTime=4w line from the pkiserv.conf file.
    3. If necessary, change 1d in the following line to the value in the TimeBetweenCRLs row in Table 1:
      TimeBetweenCRLs=1d
    4. If necessary, change 2d in the following line to the value in the CRLDuration row in Table 1:
      CRLDuration=2d
    5. If necessary, change F in the following line to the value in the PolicyRequired row in Table 1:
      PolicyRequired=F
      For more information on this parameter, see Using certificate policies.
    6. If necessary, change F in the following line to the value in the PolicyCritical row in Table 1:
      PolicyCritical=F
      For more information on this parameter, see Using certificate policies.
    7. If necessary, change 120d in the following line to the value in the MaxSuspendDuration row in Table 1:
      MaxSuspendDuration=120d
    8. If necessary, establish distribution point (DP) certificate revocation lists (CRLs) and a DP authority revocation list (ARL). Follow the procedure shown in Steps for customizing distribution point CRLs to determine the values for Table 1.
    9. If you wish to enable the OCSP responder, change OCSPType=none to OCSPType=basic.
    10. If you want to allow certificate management protocol (CMP) clients to send requests to PKI Services, change EnableCMP=F to EnableCMP=T. For information about support for CMP, see Using the certificate management protocol (CMP) with PKI Services.
    11. If you want to enable support for CRLs larger than 32KB, change F in the following line to T and set LargeCRLPostPath to the full path of the file system directory where PKI Services is to save CRLs for posting to LDAP.
      EnableLargeCRLPosting=F
      For more information, see Enabling support for large CRLs.
    12. If you want certificate revocation lists (CRLs) to be created without the Issuing Distribution Point (IDP) extension, uncomment the following line by removing the "#" character and change T to F:
      #IDPExtCRL=T
    13. If you wish to enable Simple Certificate Enrollment Protocol (SCEP), change EnableSCEP=F to EnableSCEP=T. (See Enabling Simple Certificate Enrollment Protocol (SCEP).)
    14. If you want to enable granular authority control for administration functions, uncomment the following line by removing the "#" character and change F to T:
      #AdminGranularControl=F
      Before you enable granular authority control, the security administrator must set up profiles in the PKISERV class to control which functions each PKI administrator can perform. For more information, see Using the PKISERV class to control access to administrative functions.
    15. If you want to enable certificate path length constraint, uncomment the following line by removing the "#" character and change F to T:
      #EnablePathLenConstraint=F
      Then uncomment the following line by removing the "#" character and change 1 to the value that you want the pathLenConstraint field to be set to in the basic constraints extension of intermediate CA certificates created by the CA. The value that you specify must be in the range 0 - 16, and must be less than the value of pathLenConstraint in the PKI CA certificate if it is present.
      #PathLength=1

    _______________________________________________________________

  3. If you want a console message to be issued when CRL processing finishes, change the following line
    CRLWTONotification=none
    to
    CRLWTONotification=file
    _______________________________________________________________
  4. If necessary, update the General section:
    1. If necessary, change 10 in the following line to the value in the InitialThreadCount row in Table 1:
      InitialThreadCount=10
    2. If necessary, change 30s in the following line to the value in the ExitTimeout row in Table 1:
      ExitTimeout=30s
    3. If you choose, you can customize the time at which the daily maintenance task runs, the days on which it runs, and whether it also runs when the PKI Services daemon starts. This task is named daily_Timer, and performs functions such as:
      • Removing old and expired certificates
      • Removing inactive and completed certificate requests from the object store
      • Updating the low CRL distribution point based on expired certificates
      • Processing certificate expiration notification warning messages and automatic certificate renewal messages
      To specify that the daily maintenance task is to run at a time other than the default of midnight local time, remove the "#" from the following line and change 01:00 to the time that you want the task to run.
      #MaintRunTime=01:00
      To specify the days on which the daily maintenance task is to run, remove the "#" from the following line and change 0123456 to the list of digits representing the days on which you want the task to run. For example, specify 15 to run the task every Monday and Friday.
      #MaintRunDays=0123456
      To specify that the daily maintenance task is not to run when the PKI Services daemon starts, remove the "#" from the following line and change T to F.
      #RunMaintAtStart=T
    4. If necessary, update the ReadyMessageForm, RejectMessageForm, ExpiringMessageForm, AdminNotifyForm, RenewCertForm, and RecoverForm lines:
      • If you are sending e-mail notifications and you are configuring PKI Services for the first time, if necessary, change the values of the path name in the following lines to the corresponding values in Table 1:
        ReadyMessageForm=/etc/pkiserv/readymsg.form
        
        RejectMessageForm=/etc/pkiserv/rejectmsg.form
        
        ExpiringMessageForm=/etc/pkiserv/expiringmsg.form
        
        AdminNotifyForm=/etc/pkiserv/pendingmsg.form
        
        RenewCertForm=/etc/pkiserv/renewcertmsg.form 
      • If you are allowing PKI Services to generate key pairs for certificates, if necessary change the value of the path name in the following lines to the corresponding value in Table 1:
        ReadyMessageForm=/etc/pkiserv/readymsg.form
        
        RecoverForm=/etc/pkiserv/recoverymsg.form
      • If you are not sending e-mail notifications and you are configuring PKI Services for the first time, comment out the following lines in the pkiserv.conf configuration file by putting a "#" character in the first position of each line that does not already have a "#" character in it, as shown here:
        # full pathname or data set name containing the 'your certificate request        
        # has been rejected' message form. Defaults to no message issued                 
        # RejectMessageForm=/etc/pkiserv/rejectmsg.form                                    
        
        # full pathname or data set name containing the 'your certificate is about       
        # to expire' message form. Defaults to no message issued                         
        # ExpiringMessageForm=/etc/pkiserv/expiringmsg.form                                
        
        # full pathname or data set name containing the 'request(s) pending for
        # approval' message form. Defaults to no notification sent
        # AdminNotifyForm=/etc/pkiserv/pendingmsg.form
        
        # full pathname or data set name containing the renewed certificate.             
        # Defaults to no certificate sent                                                
        # RenewCertForm=/etc/pkiserv/renewcertmsg.form                                     
      • If you are not sending e-mail notifications and you are not allowing PKI Services to generate keys for certificates, and you are configuring PKI Services for the first time, comment out the following lines in the pkiserv.conf configuration file, as shown here:
        # full pathname or data set name containing the 'your certificate is ready'      
        # message form. Defaults to no message issued                                    
        # ReadyMessageForm=/etc/pkiserv/readymsg.form                                      
      • If you are not allowing PKI Services to generate keys for certificates, and you are configuring PKI Services for the first time, comment out the following lines in the pkiserv.conf configuration file, as shown here:
        # full pathname or data set name containing information on certificate(s)
        # needed to be recovered.
        # RecoverForm=/etc/pkiserv/recoverymsg.form                                    
      • If you are allowing PKI Services to generate keys for certificates, and you are not configuring PKI Services for the first time, and you previously deleted the following lines in the pkiserv.conf configuration file, restore the following lines:
        # full pathname or data set name containing the 'your certificate is ready'      
        # message form. Defaults to no message issued                                    
        ReadyMessageForm=/etc/pkiserv/readymsg.form                                      

    _______________________________________________________________

  5. If necessary, update the SAF section:
    1. If necessary, change PKISRVD/CAring in the following line to the value in the KeyRing row in Table 1:
      KeyRing=PKISRVD/CAring
    2. If you specified EnableSCEP=T in Step 2.m, change Local PKI RA in the following line to the value in the ra_label row in Table 1:
      RALabel=Local PKI RA
    3. If you want PKI Services to be able to generate and store key pairs for certificate requests, and the ICSF programmer has set up the ICSF PKCS #11 token data set (TKDS), uncomment the following line and change PKISRVD.PKIToken to the value you chose in the TokenName row in Table 1:
      TokenName=PKISRVD.PKIToken

    _______________________________________________________________

  6. Restart PKI Services. Your changes do not take effect until you do this. For information about starting PKI Services see Starting and stopping PKI Services.

    _______________________________________________________________
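A small checker for the constraints this procedure states (DBType and the parameters each value requires, the VSAM data set high-level qualifier matching the daemon's RACF user ID, the PathLength range, and the MaintRunDays digits), as an added Python example that is not part of IBM's documentation or product. It assumes the [Section] header layout and runs over a constructed fragment, not the shipped pkiserv.conf.

```python
# Constructed pkiserv.conf fragment (not IBM's shipped file). The [Section] headers
# are assumed; ICLDSN, PathLength and MaintRunDays are deliberately set wrong.
SAMPLE_CONF = """[ObjectStore]
DBType=VSAM
ObjectDSN='pkisrvd.vsam.ost'
ObjectTidDSN='pkisrvd.vsam.ost.path'
ObjectStatusDSN='pkisrvd.vsam.ost.status'
ObjectRequestorDSN='pkisrvd.vsam.ost.requestr'
ICLDSN='pkiuser.vsam.icl'
ICLStatusDSN='pkisrvd.vsam.icl.status'
ICLRequestorDSN='pkisrvd.vsam.icl.requestr'
[CertPolicy]
EnablePathLenConstraint=T
PathLength=20
[General]
MaintRunDays=17
"""
REQUIRED = {"DB2": ("DBPackage", "DBSubsystem"), "VSAM": ("ObjectDSN", "ObjectTidDSN",
            "ObjectStatusDSN", "ObjectRequestorDSN", "ICLDSN", "ICLStatusDSN", "ICLRequestorDSN")}
def parse_conf(text):
    """Return {section: {key: value}}; '#' lines are comments, quotes are stripped."""
    conf, section = {}, "global"
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf.setdefault(section, {})[key.strip()] = value.strip().strip("'")
    return conf
def check_conf(conf, daemon_id="PKISRVD"):
    """Apply the constraints stated in the procedure; return a list of findings."""
    findings, store = [], conf.get("ObjectStore", {})
    db_type = store.get("DBType", "VSAM")      # absent or commented out means VSAM
    if db_type not in REQUIRED:
        findings.append("DBType must be VSAM or DB2")
    for key in REQUIRED.get(db_type, ()):      # each DBType has its own required parameters
        value = store.get(key)
        if value is None:
            findings.append(f"{key} required for DBType={db_type}")
        elif db_type == "VSAM" and value.split(".")[0].upper() != daemon_id.upper():
            findings.append(f"{key}: HLQ must be the daemon user ID {daemon_id}")
    policy = conf.get("CertPolicy", {})
    if policy.get("EnablePathLenConstraint") == "T":
        plen = policy.get("PathLength", "")
        if not (plen.isdigit() and int(plen) <= 16):
            findings.append("PathLength must be in the range 0 - 16")
    days = conf.get("General", {}).get("MaintRunDays")
    if days is not None and not set(days) <= set("0123456"):
        findings.append("MaintRunDays must contain only the digits 0 - 6")
    return findings
```

Running check_conf(parse_conf(SAMPLE_CONF)) reports the ICLDSN qualifier, the PathLength value and the MaintRunDays digits; fixing those three entries yields an empty list.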

Copyright IBM Corporation 1990, 2014