Perform the following steps to reconfigure your initial CA domain
to allow it to coexist with other CA domains. (This is a one-time
setup that will suffice no matter how many CA domains you add.)
1. If PKI Services is running, stop it by issuing the following MVS™ console command:
   P PKISERVD
2. Update the PKI Services environment variables in the pkiserv.envars file as follows.
   - (Optional) If your initial CA domain does not use its own pkiserv.envars file, copy the default pkiserv.envars file from the PKI Services install directory by issuing the following command from the UNIX command line:
     cp -p /usr/lpp/pkiserv/samples/pkiserv.envars /etc/pkiserv
   - Edit the new copy of the pkiserv.envars file by entering the following command:
     oedit /etc/pkiserv/pkiserv.envars
   - Add a PKI Services environment variable identifying your initial CA domain name (see Table 1) in uppercase characters. Example:
     _PKISERV_CA_DOMAIN=CUSTOMERS
3. Update the HTTP server's environment variables and configuration directives as follows.
   - Update the HTTP server's environment variables.
     - Edit the httpd.envvars file by entering the following command:
       oedit /etc/httpd.envvars
     - Add an environment variable identifying the runtime directory of your initial CA domain. (Check Table 1.) Example:
       _PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv
     - (Optional) If you intend to have a dedicated set of administrators for each CA domain, add an environment variable that specifies the runtime directory for the administrative domain. (Check Table 1.) Example:
       _PKISERV_CONFIG_PATH_PKISERV=/etc/pkiserv
   - Update the HTTP configuration directives.
     - Edit the httpd.conf file by entering the following command:
       oedit /etc/httpd.conf
     - (Optional) If your HTTP configuration file includes an InheritEnv directive, add the following directive for each new CA domain you add. Replace the CUSTOMERS value with the ca_domain value you specified in Table 1. This directive specifies that you want your CGI programs to inherit the PATH environment variable so that the PKI Services Web pages of each CA domain can retrieve any certificate through the Web page of any CA domain. Example:
       InheritEnv _PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv
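The variable names in steps 2 and 3 must agree with each other: the domain named in _PKISERV_CA_DOMAIN is spelled into the name of _PKISERV_CONFIG_PATH_<domain> and into the matching InheritEnv directive, so a lowercase or mistyped domain silently leaves the CA domain without a runtime directory. The following POSIX shell script is an added consistency check written for this page; it is not part of the IBM documentation or of PKI Services. Each function takes file contents as a string, so the constructed sample below runs without touching /etc; to check a live system, pass "$(cat /etc/pkiserv/pkiserv.envars)", "$(cat /etc/httpd.envvars)" and "$(cat /etc/httpd.conf)" instead.

```shell
# Print the value of NAME=VALUE from envars-style content ($1), skipping comment lines.
envar_value() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# check_ca_domain PKISERV_ENVARS HTTPD_ENVVARS HTTPD_CONF
# Returns 0 when the three files agree on the CA domain; otherwise prints each
# problem found and returns 1.
check_ca_domain() {
    rc=0
    domain=$(envar_value "$1" _PKISERV_CA_DOMAIN)
    if [ -z "$domain" ]; then
        echo "pkiserv.envars: _PKISERV_CA_DOMAIN is not set"
        return 1
    fi
    # The domain name must be uppercase; its spelling is reused in the other variable names.
    case $domain in
        *[abcdefghijklmnopqrstuvwxyz]*)
            echo "pkiserv.envars: _PKISERV_CA_DOMAIN=$domain is not uppercase"; rc=1 ;;
    esac
    if [ -z "$(envar_value "$2" "_PKISERV_CONFIG_PATH_$domain")" ]; then
        echo "httpd.envvars: _PKISERV_CONFIG_PATH_$domain is not set"; rc=1
    fi
    # Only if the server uses InheritEnv at all must each domain's variable be inherited.
    if printf '%s\n' "$3" | grep -q '^[[:space:]]*InheritEnv' &&
       ! printf '%s\n' "$3" | grep -q "^[[:space:]]*InheritEnv[[:space:]]*_PKISERV_CONFIG_PATH_$domain="; then
        echo "httpd.conf: InheritEnv is used but _PKISERV_CONFIG_PATH_$domain is not inherited"; rc=1
    fi
    return $rc
}

# Constructed sample contents mirroring the examples in steps 2 and 3.
GOOD_PKISERV_ENVARS='_PKISERV_CA_DOMAIN=CUSTOMERS'
GOOD_HTTPD_ENVVARS='_PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv
_PKISERV_CONFIG_PATH_PKISERV=/etc/pkiserv'
GOOD_HTTPD_CONF='InheritEnv PATH
InheritEnv _PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv'

# A constructed broken set: mixed-case domain name, so neither the httpd.envvars
# variable nor the InheritEnv directive matches it.
BAD_PKISERV_ENVARS='_PKISERV_CA_DOMAIN=Customers'
BAD_HTTPD_ENVVARS='_PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv'

check_ca_domain "$GOOD_PKISERV_ENVARS" "$GOOD_HTTPD_ENVVARS" "$GOOD_HTTPD_CONF" && echo "CUSTOMERS: consistent"
check_ca_domain "$BAD_PKISERV_ENVARS" "$BAD_HTTPD_ENVVARS" "$GOOD_HTTPD_CONF" || echo "Customers: problems found"
```

The check deliberately treats a missing InheritEnv directive as acceptable, because the page makes that directive optional and only requires it when the HTTP configuration file already uses InheritEnv.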
4. Update the RACF® access controls for the R_PKIServ SAF callable service as follows. (Any change to environment variables in Step 3 requires a corresponding change to RACF access control.)
   - Determine the PKI Services surrogate user ID (default is PKISERV) and the PKI Services administrators group (default is PKIGRP). To do this, refer to the log file created when the IKYSETUP REXX exec was originally run for your initial CA domain.
   - Execute the following RACF commands from the TSO command line. Replace the values CUSTOMER, PKISERV, and PKIGRP with your own, if different. Examples:
     RDELETE FACILITY IRR.RPKISERV.**
     RDEFINE FACILITY IRR.RPKISERV.*.CUSTOMER
     PERMIT IRR.RPKISERV.*.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
     RDELETE FACILITY IRR.RPKISERV.PKIADMIN
     RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.CUSTOMER
     PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
     PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
     SETROPTS RACLIST(FACILITY) REFRESH
     Restriction: If the name of your initial CA domain is longer than 8 characters, you must truncate it to exactly 8 characters when you define the resource name in the FACILITY class profiles. (In this example, the name CUSTOMERS was truncated to CUSTOMER in the second RDEFINE FACILITY command.)
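Because the FACILITY-class resource name is the domain name cut to 8 characters, two CA domains whose names share their first 8 characters would resolve to the same profiles, and therefore to the same access list, which defeats the purpose of a dedicated set of administrators per domain. The following POSIX shell functions are an added example written for this page (not IBM's code, and not part of PKI Services): they derive the truncated qualifier exactly as the Restriction above describes, print the RACF command sequence from step 4 for review before it is issued from TSO, and flag domain names that would collide after truncation. The surrogate user ID and administrators group default to the values named above (PKISERV and PKIGRP); pass your own if they differ. The RDELETE lines belong to this one-time step only, because they remove the original single-domain profiles.

```shell
# Print the uppercase qualifier, cut to at most 8 characters, used in the
# FACILITY-class profile names for a CA domain.
racf_domain_name() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]' | cut -c1-8
}

# racf_commands DOMAIN [SURROGATE_ID] [ADMIN_GROUP]
# Print the step-4 RACF commands with the domain qualifier, surrogate user ID
# and administrators group filled in. Nothing is issued; review the output
# and enter it from the TSO command line.
racf_commands() {
    q=$(racf_domain_name "$1")
    surrogate=${2:-PKISERV}
    admins=${3:-PKIGRP}
    cat <<EOF
RDELETE FACILITY IRR.RPKISERV.**
RDEFINE FACILITY IRR.RPKISERV.*.$q
PERMIT IRR.RPKISERV.*.$q CLASS(FACILITY) ID($surrogate) ACCESS(CONTROL)
RDELETE FACILITY IRR.RPKISERV.PKIADMIN
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.$q
PERMIT IRR.RPKISERV.PKIADMIN.$q CLASS(FACILITY) ID($admins) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN.$q CLASS(FACILITY) ID($surrogate) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
EOF
}

# racf_names_unique DOMAIN...
# Returns 0 when every domain maps to a distinct qualifier, 1 when two domains
# would share the same FACILITY profiles after truncation to 8 characters.
racf_names_unique() {
    for d in "$@"; do racf_domain_name "$d"; done | sort | uniq -d | grep -q . && return 1
    return 0
}

# Constructed sample run using the domain name from the documentation's example.
racf_commands CUSTOMERS
# CUSTOMERS and CUSTOMER1 both truncate to CUSTOMER and would share one profile set.
racf_names_unique CUSTOMERS CUSTOMER1 || echo "collision: choose domain names that differ within their first 8 characters"
```

The collision check is worth running across all the CA domain names you intend to add, not just the initial one, before any of them is defined in RACF.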
5. (Optional) You have reconfigured your initial CA domain to allow it to coexist with other CA domains. If you want, you can test the reconfiguration now. To test it, follow these steps:
   - Restart PKI Services using the following MVS console command. Replace the JOBNAME and DIR values with your own, if different.
     Guideline: To simplify your environment, start this instance of PKI Services using a JOBNAME that matches the truncated name of the CA domain. (See your truncated value in Table 1.) If you use the truncated values as job names, it will be easier to distinguish multiple jobs that run PKI Services after you add other CA domains.
     Example:
     S PKISERVD,JOBNAME=CUSTOMER,DIR='/etc/pkiserv/'
   - Restart the HTTP servers to enable your environment variable changes:
     F IMWEBSRV,APPL=-restart
   - Test that your PKI Services application is functioning properly. Go to your Web pages by entering the following URL from your browser:
     http://webserver-fully-qualified-domain-name/PKIServ/public-cgi/camain.rexx
     The webserver-fully-qualified-domain-name is the common name (CN) portion of the Web server's distinguished name; see Table 1.
     You should be able to go through your Web pages to request, retrieve, and revoke a certificate of type "PKI browser certificate for authenticating to z/OS®". Ensure you can do this before adding an additional CA domain.
When you are done: You have successfully reconfigured your initial CA domain to allow it to coexist with other CA domains. You can now perform each of the remaining subtasks once for each new CA domain. Continue to the next subtask.
Guideline: Complete Subtasks 3 through 8 for your first new CA domain and ensure that it operates properly before adding another CA domain.