OIDs section |
|
|
|
MyPolicy |
A registered Object ID identifying your organization's
usage policy, for example: 1.2.3.4
|
If you are creating your own certificate policy,
see Using certificate policies for information on creating certificate
policies. Otherwise, do not change this information. |
1.2.3.4 If you
need to use the CertificatePolicies extension, replace 1.2.3.4 with
the value of your Object ID:
|
ObjectStore section |
|
|
|
DBType |
Repository for the object store and issued certificate
list (ICL). Valid values are:
The default value is VSAM. If DBType is VSAM,
specify values for the parameters ObjectDSN, ObjectTidDSN, ObjectStatusDSN, ObjectRequestorDSN, ICLDSN, ICLStatusDSN,
and ICLRequestorDSN. If DBType is DB2,
these parameters are ignored.
If DBType is DB2,
specify values for the parameters DBPackage and DBSubsystem.
If DBType is VSAM, these parameters
are ignored.
|
UNIX programmer
decides this value. |
VSAM |
DBPackage |
Name of the DB2® package
this instance of PKI Services uses for the object store and ICL in
the DB2 subsystem specified
by the DBSubsystem parameter. If DBType is VSAM,
this parameter is ignored. |
DB2 programmer
decides this value. |
MasterCA |
DBSubsystem |
Name of the DB2 subsystem or group attachment used by this instance of PKI Services.
If DBType is VSAM, this parameter
is ignored. |
DB2 programmer
decides this value. |
DSN9 |
ObjectDSN |
VSAM data set name for the object store base
cluster. This is the request database. Each
VSAM request record consists of a fixed header followed by a variable-length
section. If DBType is DB2, this
parameter is ignored.
Guideline: If you are adding a
new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS™ programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.ost' Note
that this begins with the VSAM high-level qualifier.
|
ObjectTidDSN |
VSAM data set name for the object store transaction
ID (TID) alternate index. If DBType is DB2,
this parameter is ignored.
Guideline: If you are adding
a new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost.path'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.ost.path' Note
that this begins with the VSAM high-level qualifier.
|
ObjectStatusDSN |
VSAM data set name for the object store status
alternate index. If DBType is DB2,
this parameter is ignored.
Guideline: If you are adding
a new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost.status'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.ost.status' Note
that this begins with the VSAM high-level qualifier.
|
ObjectRequestorDSN |
VSAM data set name for the object store requestor
alternate index. If DBType is DB2,
this parameter is ignored.
Guideline: If you are adding
a new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.ost.requestr'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.ost.requestr' Note
that this begins with the VSAM high-level qualifier.
|
ICLDSN |
VSAM data set name for the ICL base cluster. This
data set contains the certificates that have been issued. Each VSAM
ICL record consists of a fixed header followed by a variable-length
section containing the BER-encoded certificates.
If DBType is DB2,
this parameter is ignored.
Guideline: If you are adding
a new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.icl'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.icl' Note
that this begins with the VSAM high-level qualifier.
|
ICLStatusDSN |
VSAM data set name for ICL status alternate
index. If DBType is DB2,
this parameter is ignored.
Guideline: If you are adding
a new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.icl.status'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.icl.status' Note
that this begins with the VSAM high-level qualifier.
|
ICLRequestorDSN |
VSAM data set name for ICL requestor alternate
index. If DBType is DB2,
this parameter is ignored.
Guideline: If you are adding
a new CA domain, insert the ca_domain value from Table 1 as
the second qualifier in the data set name. Example: 'pkisrvd.employee.vsam.icl.requestr'
|
For the high-level qualifier before the period,
see the vsamhlq variable in Table 1.
The name of the file (after the period) can change; the MVS programmer who creates the VSAM data sets
usually decides these names. |
'pkisrvd.vsam.icl.requestr' Note
that this begins with the VSAM high-level qualifier.
|
RemoveCompletedReqs |
Time period that completed certificate requests
remain in the object store before automatic deletion. This is
a number followed by d (days) or w (weeks).
If not specified, the default is 1w (one week). The
value 0d disables the deletion of completed requests
(not suggested). |
UNIX programmer
decides this value. |
1w |
RemoveInactiveReqs |
Time period that incomplete, inactive certificate
requests remain in the object store before automatic deletion. This is
a number followed by d (days) or w (weeks).
If not specified, the default is 4w (four weeks).
The value 0d disables the deletion of inactive requests
(not suggested). |
UNIX programmer
decides this value. |
4w |
RemoveExpiredCertsAndKeys |
Time period that keys and expired certificates
with keys generated by PKI Services remain in the ICL and TKDS before
automatic deletion. This is a number
followed by d (days) or w (weeks).
If you do not specify this parameter, or you set the value to 0d,
expired certificates will not be removed. |
UNIX programmer
decides this value. |
520w |
RemoveExpiredCerts |
Time period that expired certificates with keys
that were not generated by PKI Services remain in the ICL before automatic
deletion. This is a number
followed by d (days) or w (weeks).
If you do not specify this parameter, or you set the value to 0d,
expired certificates will not be removed. |
UNIX programmer
decides this value. |
0d |
SharedPLEX |
Indicates whether you intend to share a single
copy of the PKI Services object
store and the issued certificate list (ICL) among multiple images
in a sysplex. This is T (True) or F (False). Note: This
keyword has the same meaning as the SharedVSAM keyword
in releases prior to z/OS® V1R13.
If the SharedVSAM parameter is present from an earlier release, it
will continue to work. If both SharedVSAM and SharedPLEX are present,
SharedPLEX takes precedence.
|
UNIX programmer
decides this value. |
F |
CertPolicy section |
|
|
|
AdminGranularControl |
Enables granular authority control
for administrative functions based on CA domain name, certificate
template name, and the administrative function being performed. If
enabled, appropriate RACF® protection
profiles must be set up. If T (True), granular authority
control is enabled. If F (False), granular authority
is disabled. F is the default. |
UNIX programmer
decides this value. |
F |
AdminNotifyNewn |
The email address to which notification should
be sent immediately when a request is created and requires approval.
The notification is only sent once. There can be multiple entries,
where n is 1 for the first entry and increases
sequentially for additional entries. The mailing address is in the
form <userid>@<system>. |
UNIX programmer
decides this value. Do not change this information until you set
up administrator notification of requests pending approval.
|
abigail@mycompany.com |
AdminNotifyRemindern |
The email address to which reminder notifications
of requests pending approval should be sent when the daily maintenance
task runs. There can be multiple entries, where n is 1 for
the first entry and increases sequentially for additional entries.
The mailing address is in the form <userid>@<system>. |
UNIX programmer
decides this value. Do not change this information until you set
up administrator notification of requests pending approval.
|
abigail@mycompany.com |
ARLDist |
Indicates whether an authority revocation list
(ARL) distribution point will be created. F (the
default) indicates no ARL distribution point will be created. T indicates
that an ARL distribution point will be created if CRLDistSize is
greater than zero. |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Creating a distribution point ARL for more
information.
|
F |
CertValidityConstraint |
Specifies whether the validity period of a certificate
should be constrained within the CA's certificate life time. If T (True),
requests with a validity period that exceeds the CA's validity period
fail. If F (False), requests are not constrained
to the CA's validity period. F is the default. |
UNIX programmer
decides this value. |
F |
CPSn |
The Uniform
Resource Identifier (URI) for the Certification Practice Statement
(CPS) that is associated with PolicyNamen.
The value is in the form: http://www.mycompany.com/cps.html
|
Do not change this information until you perform
advanced customization. See Using certificate policies for more
information. |
http://www.mycompany.com/cps.html If
you changed PolicyRequired=F to PolicyRequired=T,
you need to replace the sample value with a valid URI to your published
Certificate Practice Statement.
|
CreateInterval |
How often the certificate creation thread scans
the database for approved requests. This is a number
followed by w (weeks), d (days), h (hours), m (minutes),
or s (seconds). |
UNIX programmer
decides this value. |
3m |
CRLDistDirPath |
The full path for the file system directory
where PKI Services is to save each DP CRL, as specified by the HTTP
URI in the CRLDistributionPoints extension.
This value is ignored if you do not create a CRLDistributionPoints extension or if the
URI protocol is ldap. This value can be specified
with or without the trailing slash. The default value is /var/pkiserv/.
|
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Customizing distribution point CRLs for more
information.
|
/var/pkiserv/ |
CRLDistName |
Constant portion of the (leaf-node) relative
distinguished name for a distribution point (DP) CRL, if DP CRL processing
is being performed. The
default value is CRL.
|
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Customizing distribution point CRLs for more
information.
|
CRL |
CRLDistSize |
An integer value that represents the maximum
number of certificates that can appear on one DP CRL. If
you do not specify this parameter, or you set the value to 0,
DP CRLs will not be created.
|
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Customizing distribution point CRLs for more
information.
|
500 |
CRLDistURIn |
Optional: Specifies a URI format name
for the DP CRL. You can specify multiple names using parameters CRLDistURI1, CRLDistURI2,
and so forth. This value is ignored if you do not create DP CRLs by
specifying CRLDistSize with a value greater than
zero. Specify this only if you want a URI-format name, in addition
to the distinguished name format, built in the CRLDistributionPoints extension. |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Customizing distribution point CRLs for more
information.
|
— |
CRLDuration |
The amount of time that a certificate revocation
list is valid. This is a number
followed by w (weeks), d (days), h (hours), m (minutes),
or s (seconds). |
UNIX programmer
decides this value. |
2d |
CRLIDPExt |
Specifies whether certificate revocation lists
(CRLs) should be created with a critical Issuing Distribution Point
(IDP) extension. If T (True), CRLs are created with
a critical IDP extension. If F (False), CRLs are
created without the IDP extension. The default is T. |
UNIX programmer
decides this value. |
T |
CRLWTONotification |
Specifies whether a console message is issued
when CRL processing ends. If set to none, no console
message is issued. If set to file, a console message
is issued after the CRL is available in the file system. This keyword
is ignored if either of the following conditions is true:
- HTTP protocol is not specified for CRL distribution.
- Large CRL posting is not enabled.
|
UNIX programmer
decides this value. |
none |
EnableCMP |
Specifies whether support for certificate management
protocol (CMP) messages is enabled. If T (True),
CMP messages that are supported are accepted. If F (False),
all CMP messages are rejected. F is the default. |
UNIX programmer
decides this value. |
F |
EnableLargeCRLPosting |
Specifies whether large CRL posting is enabled.
If T, CRLs are saved in a z/OS UNIX directory
before the LDAP posting thread processes them. If F,
CRLs are saved in the object store (either VSAM data set or DB2 table, depending on which you
are using), and are subject to a size limit of approximately 32KB.
The default is F. |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Enabling support for large CRLs for
more information.
|
F |
EnablePathLenConstraint |
Specifies whether certificate path length constraints are enforced by the CA. The value is T (True)
or F (False). If T, the CA certificate
is examined at initialization to verify that it meets path length
constraint requirements. If so, the pathLenConstraint field is set
in the basic constraints extension of the intermediate CA certificates
created by this CA. If not specified, or F, certificate
path length constraint is not enforced in the CA certificate used
by the CA, and intermediate CA certificates created by this CA do
not include a pathLenConstraint field in the basic constraints extension. |
UNIX programmer
decides this value. |
F |
EnableSCEP |
Specifies whether Simple Certificate Enrollment Protocol (SCEP) is allowed. This is T (True)
or F (False). |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Enabling Simple Certificate Enrollment Protocol (SCEP) for more
information.
|
F |
ExpireWarningTime |
Note: You need a value for this parameter only
if you are sending e-mail notifications to users when certificates
are expiring, or automatically renewing certificates when they are
expiring and sending them to the owners.
This
parameter indicates how soon before certificate expiration to send
a warning message or a renewed certificate (that is, the number of
days or weeks before the day and time the certificate expires).
If
automatic certificate renewal is active, this parameter indicates
how soon before certificate expiration to renew the certificate and
send it to the owner.
This name-value pair is optional. Its
absence indicates no expiration checking is performed and no automatic
certificate renewal occurs. Also, if the name-value pair is present
but has an incorrect value or if PKI Services is configured
to operate without LDAP, no expiration checking or automatic certificate
renewal is done.
|
UNIX programmer
decides this value. |
4w |
LargeCRLPostPath |
The full path for the file system directory
where PKI Services is to save each CRL for posting to LDAP, if support
for large CRLs is enabled. This value can be specified with or without
the trailing slash, and can be the same as the value of CRLDistDirPath.
The default value is /var/pkiserv/. |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Enabling support for large CRLs for
more information.
|
/var/pkiserv/crls |
MaxSuspendDuration |
The length of the certificate suspension grace
period in weeks or days. This is a number followed by w (weeks)
or d (days). Certificates that remain suspended for
longer than this period are automatically revoked. If you do not specify
this parameter, or you set it to 0d, the grace period
is unlimited. |
UNIX programmer
decides this value. |
120d |
OCSPType |
The type of OCSP responder support desired:
If you do not specify this parameter, or you set the value to none,
the responder is not enabled. |
Change to basic if you want
to enable the responder. |
none |
PathLength |
Specifies the certificate path length constraint
value to be included in the basic constraints extension of intermediate
CA certificates created by the CA. Valid values are 0 - 16. The value
specified must be less than the pathLenConstraint value in the PKI
CA certificate, if it is present. This keyword is ignored if the EnablePathLenConstraint
keyword is not set to T. |
UNIX programmer
decides this value. |
1 |
PolicyCritical |
Indicates whether the CertificatePolicies extension
should be marked critical. The value is T (True)
or F (False). |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Using certificate policies for more
information.
|
F |
PolicyRequired |
Indicates
whether the CertificatePolicies extension should be included in all certificates that are created. The value is T (True)
or F (False). T indicates that the
CertificatePolicies extension is added to all certificates, and includes
all PolicyNamen entries specified
in the configuration file. Any policies specified in the CertPolicies input
parameter or listed in the CONSTANT subsection in the template file
are ignored. F indicates that the CertificatePolicies
extension is added to a certificate only when a certificate policy
is specified in the CertPolicies input parameter or in the CONSTANT
section of the template when a certificate is requested. |
UNIX programmer
decides this value. Do not change this information until you perform
advanced customization. See Using certificate policies for more
information.
|
F |
PolicyNamen |
A list of CertificatePolicies extensions
that are added to all created certificates when PolicyRequired=T.
The policy name is the symbolic name for a certificate policy OID
and must match the name of a policy that is listed in the OIDs section. |
Do not change this information until you perform
advanced customization. See Using certificate policies for more
information. |
MyPolicy If you changed PolicyRequired=F to PolicyRequired=T,
replace the name MyPolicy with the same policy
name used in the OIDs section.
|
PolicynOrg |
The name of the organization that
has prepared the User Notice Reference information associated with PolicyNamen.
For example: International Business Machines, Inc. |
Do not change this information until you perform
advanced customization. See Using certificate policies for more
information. |
My Company, Inc. If
you changed PolicyRequired=F to PolicyRequired=T,
you need to specify your own value for this.
|
PolicynNoticem |
Specifies
the number of a textual statement, prepared by PolicynOrg for
the User Notice Reference associated with PolicyNamen.
More than one textual statement can apply. |
Do not change this information until you perform
advanced customization. See Using certificate policies for more
information. |
1 If you changed PolicyRequired=F to PolicyRequired=T,
you need to specify your own value for this parameter.
|
SigAlg1 |
The nickname assigned to the Object ID for the
signature algorithm in the OIDs section. The supported algorithms
and their nicknames are listed in Table 1.
Guideline: The
MD2 and MD5 hashes have been found to be vulnerable to attack. Avoid
specifying md-5WithRSAEncryption and md-2WithRSAEncryption if
possible.
|
The supported algorithms and their nicknames
are listed in Table 1. Do
not change this information until you perform advanced customization.
See Updating the signature algorithm for more information.
|
sha-256WithRSAEncryption |
TimeBetweenCRLs |
How often a certificate revocation list (CRL)
should be created.
This is a number
followed by w (weeks), d (days), h (hours), m (minutes),
or s (seconds). Tip: If you want PKI Services to create
a CRL immediately, instead of waiting for the TimeBetweenCRLs interval
to pass, use the createcrls utility. For more information,
see Using the createcrls utility.
|
UNIX programmer
decides this value. |
1d |
UserNoticeTextn |
The User Notice
Explicit Text information associated with PolicyNamen. For
example: Certificate for IBM internal use only. For
the CA to conform with current standards, this textual statement must
not exceed 200 characters. |
Do not change this information until you perform
advanced customization. See Using certificate policies for more
information. |
statement If you changed
PolicyRequired=F to PolicyRequired=T, you need to replace the variable statement with
your own value.
|
General section |
|
|
|
ExitTimeout |
Length
of time that PKI Services waits
for the autorenew preprocessing and postprocessing exit to
return. If not specified, PKI Services waits for
at most 30 seconds. PKI Services cancels the
exit program if it runs longer than the specified time. The maximum
value allowed is 1 hour. If a greater value is specified, the exit
runs for at most the maximum amount of time. |
UNIX programmer
decides this value. |
10s |
InitialThreadCount |
Number
of threads (at least 2 and no more than 100) the PKI Services daemon should
create at program initialization. |
UNIX programmer
decides this value. |
10 |
MaintRunDays |
The days on which the daily maintenance task
is to run. This is a list of digits between 0 and 6, representing
the days of the week, with 0 representing Sunday, and 6 representing
Saturday. The digits listed represent the days on which the task is
to run. No spaces or other characters can be specified, and digits
cannot be repeated. The digits can be specified in any order. If not
specified, the task runs every day. |
UNIX programmer
decides this value. |
0123456 |
MaintRunTime |
The time (local time) at which the daily maintenance
task is to run, in the format hh:mm, where hh represents
the hour (00 to 23) and mm represents the minutes
(00 to 59). 00:00 represents midnight. If not specified,
the task runs once per day at midnight local time. |
UNIX programmer
decides this value. |
01:00 |
RunMaintAtStart |
Indicates whether the daily maintenance task
should run during PKI Services startup,
in addition to the time and days specified by the MaintRunTime and MaintRunDays parameters.
The value T (True) indicates that the task should
run during PKI Services startup.
The value F (False) indicates that the task should
not run during PKI Services startup.
If not specified, the daily maintenance task runs during PKI Services startup. |
UNIX programmer
decides this value. |
T |
ReadyMessageForm |
The full path name or data set name containing
the 'Your certificate is ready' message form.
- If you are not setting up PKI Services to generate
keys for certificates, this name-value pair is optional. If you do
not specify this name-value pair, no message is sent.
- If you are setting up PKI Services to generate
keys for certificates, this name-value pair is required. If you do
not specify this name-value pair, requests to have PKI Services generate
keys for certificates fail.
Guideline: If you are adding
a new CA domain, use the ca_domain value from Table 1 as
the second qualifier in the path name. Example: /etc/pkiserv/employees/readymsg.form
|
UNIX programmer
decides this value. |
/etc/pkiserv/readymsg.form |
RejectMessageForm |
The full path name or data set name containing
the 'Your certificate request has been rejected' message form. By
default, no message is issued. Using this name-value pair is optional. Guideline: If you are adding
a new CA domain, use the ca_domain value from Table 1 as
the second qualifier in the path name. Example: /etc/pkiserv/employees/rejectmsg.form
|
UNIX programmer
decides this value. |
/etc/pkiserv/rejectmsg.form |
ExpiringMessageForm |
The full path name or data set name containing
the 'Your certificate is about to expire' message form. By default,
no message is issued. If your team has specified a value for ExpireWarningTime
(see the ExpireWarningTime row in this table), then
ExpiringMessageForm is required. Otherwise an error is logged and
no expiring message processing is performed. Guideline: If
you are adding a new CA domain, use the ca_domain value
from Table 1 as
the second qualifier in the path name. Example: /etc/pkiserv/employees/expiringmsg.form
|
UNIX programmer
decides this value. |
/etc/pkiserv/expiringmsg.form |
AdminNotifyForm |
The full path name or data set name containing
the ‘request(s) pending for approval’ message form. Defaults to no
notification sent. Guideline: If
you are adding a new CA domain, use the ca_domain value
from Table 1 as
the second qualifier in the path name. Example: /etc/pkiserv/employees/pendingmsg.form
|
UNIX programmer
decides this value. |
AdminNotifyForm=/etc/pkiserv/pendingmsg.form |
RenewCertForm |
The full path name or data set name containing
the 'renewed certificate'. Defaults to no certificate sent. Guideline: If
you are adding a new CA domain, use the ca_domain value
from Table 1 as
the second qualifier in the path name. Example: /etc/pkiserv/employees/renewcertmsg.form
|
UNIX programmer
decides this value. |
RenewCertForm=/etc/pkiserv/renewcertmsg.form |
RecoverForm |
The full path name or data set name containing
the 'list of certificates that satisfy your search criteria for recovery'
message form. Use this name-value pair if you are setting up PKI Services to generate
keys for certificate requests, and want users to be able to recover
those certificates. Guideline: If
you are adding a new CA domain, use the ca_domain value
from Table 1 as
the second qualifier in the path name. Example: /etc/pkiserv/employees/recoverymsg.form
|
UNIX programmer
decides this value. |
RecoverForm=/etc/pkiserv/recoverymsg.form |
SAF section |
|
|
|
KeyRing |
The fully qualified name of the SAF key ring
for PKI Services to
use. (This must consist of an uppercase user ID and a case-sensitive
ring name separated by a slash (/).) |
See the ca_ring and daemon values
in Table 1. |
PKISRVD/CAring |
RA_label |
The label of your PKI Services registration
authority (RA) certificate. |
See the ra_label value in Table 1. |
Local PKI RA |
SecureKey |
Indicates whether keys generated by PKI Services
are secure keys or clear keys. The value can be T (True)
or F (False). T indicates that secure
keys are generated in the TKDS. F or the absence
of this keyword indicates that clear keys or secure keys are generated
in the TKDS according to the installation configuration policy. SecureKey is
ignored if TokenName is not specified. |
UNIX programmer
decides this value. |
F |
TokenName |
The name of a token in the ICSF PKCS #11 token
data set (TKDS) that PKI Services uses to store key pairs that it
generates for certificates. If this keyword is not specified, PKI Services cannot generate
key pairs for certificates. If this keyword is specified, the TKDS
must be set up before PKI Services starts. For information on setting
up the TKDS, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. |
UNIX programmer
decides this value. It must meet the requirements for a token name:
- Up to 32 characters in length
- Permitted characters are:
  - Alphanumeric
  - National: @ X'5B', # X'7B', or $ X'7C'
  - Period . X'4B'
- The first character must be alphabetic or national
- Lowercase letters can be used, but are folded to uppercase
- The IBM1047 code page is assumed
|
PKISRVD.PKIToken |
LDAP section |
|
|
|
|
For information about the LDAP section,
see Table 1. |
|
|
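The following is an added example, not part of the original documentation and not IBM code: a small linter that applies several of the rules stated in the table above (required parameters per DBType, duration formats, the MD2/MD5 guideline, policy-name cross-references, range limits, and ignored keywords) to a configuration file. The `[Section]` / `Name=Value` layout, the `#` comment handling, and the function names `parse_conf` and `audit` are assumptions; the sample configuration is constructed.

```python
import re

# Constructed sample (not from the page). The '[Section]' / 'Name=Value' layout
# and '#' comment lines are assumptions about the configuration file format.
SAMPLE_CONF = """\
[OIDs]
MyPolicy=1.2.3.4
[ObjectStore]
DBType=DB2
DBPackage=MasterCA
RemoveCompletedReqs=0d
[CertPolicy]
SigAlg1=md-5WithRSAEncryption
PolicyRequired=T
PolicyName1=OtherPolicy
EnablePathLenConstraint=T
PathLength=17
TimeBetweenCRLs=1x
ExpireWarningTime=4w
[General]
InitialThreadCount=1
MaintRunDays=01123
[SAF]
SecureKey=T
"""

VSAM_DSNS = ("ObjectDSN ObjectTidDSN ObjectStatusDSN ObjectRequestorDSN "
             "ICLDSN ICLStatusDSN ICLRequestorDSN").split()
DAYS_WEEKS = {"ObjectStore": ["RemoveCompletedReqs", "RemoveInactiveReqs",
                              "RemoveExpiredCertsAndKeys", "RemoveExpiredCerts"],
              "CertPolicy": ["MaxSuspendDuration", "ExpireWarningTime"]}
ANY_UNIT = ["CreateInterval", "CRLDuration", "TimeBetweenCRLs"]
WEAK_SIGALGS = {"md-5WithRSAEncryption", "md-2WithRSAEncryption"}


def parse_conf(text):
    """Return {section: {name: value}} from '[Section]' and 'Name=Value' lines."""
    conf, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = conf.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            name, value = line.split("=", 1)
            current[name.strip()] = value.strip()
    return conf


def audit(conf):
    """Return sorted (parameter, problem) pairs for rules stated in the table."""
    sec = lambda name: conf.get(name, {})
    store, pol, gen, saf = map(sec, ("ObjectStore", "CertPolicy", "General", "SAF"))
    out = []
    # Repository type decides which parameters are required (VSAM is the default).
    needed = ["DBPackage", "DBSubsystem"] if store.get("DBType", "VSAM") == "DB2" else VSAM_DSNS
    out += [(k, "required for this DBType") for k in needed if k not in store]
    # Retention and interval values: a number followed by an allowed unit.
    for section, keys in DAYS_WEEKS.items():
        out += [(k, "expected a number followed by d or w") for k in keys
                if k in sec(section) and not re.fullmatch(r"\d+[dw]", sec(section)[k])]
    out += [(k, "expected a number followed by w, d, h, m or s") for k in ANY_UNIT
            if k in pol and not re.fullmatch(r"\d+[wdhms]", pol[k])]
    out += [(k, "0d disables deletion (not suggested)")
            for k in ("RemoveCompletedReqs", "RemoveInactiveReqs") if store.get(k) == "0d"]
    if pol.get("SigAlg1") in WEAK_SIGALGS:
        out.append(("SigAlg1", "MD2/MD5 hash, vulnerable to attack"))
    # With PolicyRequired=T every PolicyNamen must name an entry in the OIDs section.
    if pol.get("PolicyRequired") == "T":
        out += [(k, "policy name not in OIDs section") for k, v in pol.items()
                if re.fullmatch(r"PolicyName\d+", k) and v not in sec("OIDs")]
    if pol.get("EnablePathLenConstraint") == "T" and "PathLength" in pol:
        if not (pol["PathLength"].isdecimal() and int(pol["PathLength"]) <= 16):
            out.append(("PathLength", "valid values are 0 - 16"))
    if "ExpireWarningTime" in pol and "ExpiringMessageForm" not in gen:
        out.append(("ExpiringMessageForm", "required when ExpireWarningTime is set"))
    threads = gen.get("InitialThreadCount")
    if threads is not None and not (threads.isdecimal() and 2 <= int(threads) <= 100):
        out.append(("InitialThreadCount", "must be at least 2 and no more than 100"))
    days = gen.get("MaintRunDays")
    if days is not None and not (re.fullmatch(r"[0-6]+", days) and len(set(days)) == len(days)):
        out.append(("MaintRunDays", "digits 0-6, no repeats"))
    if "SecureKey" in saf and "TokenName" not in saf:
        out.append(("SecureKey", "ignored because TokenName is not specified"))
    return sorted(out)
```

Calling `audit(parse_conf(SAMPLE_CONF))` returns one finding per deliberately broken setting in the constructed sample; a configuration that follows the table returns an empty list.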