z/OS Cryptographic Services PKI Services Guide and Reference


Subtask 2: Steps for reconfiguring your initial CA domain to allow it to coexist with other CA domains

z/OS Cryptographic Services PKI Services Guide and Reference
SA23-2286-00

Perform the following steps to reconfigure your initial CA domain to allow it to coexist with other CA domains. (This is a one-time setup that will suffice no matter how many CA domains you add.)
  1. If PKI Services is running, stop it by issuing the following MVS™ console command:
    P PKISERVD

    ________________________________________________________________

  2. Update the PKI Services environment variables in the pkiserv.envars file as follows.
    1. (Optional) If your initial CA domain does not use its own pkiserv.envars file, copy the default pkiserv.envars file from the PKI Services install directory by issuing the following command from the UNIX command line:
      cp -p /usr/lpp/pkiserv/samples/pkiserv.envars /etc/pkiserv
    2. Edit the new copy of the pkiserv.envars file by entering the following command:
      oedit /etc/pkiserv/pkiserv.envars
    3. Add a PKI Services environment variable identifying your initial CA domain name (see Table 1) in uppercase characters.
      Example:
      _PKISERV_CA_DOMAIN=CUSTOMERS

    _______________________________________________________________

  3. Update the HTTP server's environment variables and configuration directives as follows.
    1. Update the HTTP server's environment variables.
      1. Edit the httpd.envvars file by entering the following command:
        oedit /etc/httpd.envvars
      2. Add an environment variable identifying the runtime directory of your initial CA domain. (Check Table 1.)
        Example:
        _PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv
      3. (Optional) If you intend to have a dedicated set of administrators for each CA domain, add an environment variable that specifies the runtime directory for the administrative domain. (Check Table 1.)
        Example:
        _PKISERV_CONFIG_PATH_PKISERV=/etc/pkiserv
    2. Update the HTTP configuration directives.
      1. Edit the httpd.conf file by entering the following command:
        oedit /etc/httpd.conf
      2. (Optional) If your HTTP configuration file includes an InheritEnv directive, add the following directive for each new CA domain you add. Replace the CUSTOMERS value with the ca_domain value you specified in Table 1.

        This directive specifies that you want your CGI programs to inherit the PATH environment variable so that the PKI Services Web pages of each CA domain can retrieve any certificate through the Web page of any CA domain.

        Example:
        InheritEnv _PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv

    _______________________________________________________________

  4. Update the RACF® access controls for the R_PKIServ SAF callable service as follows. (Any change to environment variables in Step 3 requires a corresponding change to RACF access control.)
    1. Determine the PKI Services surrogate user ID (default is PKISERV) and the PKI Services administrators group (default is PKIGRP). To do this, refer to the log file created when the IKYSETUP REXX exec was originally run for your initial CA domain.
    2. Execute the following RACF commands from the TSO command line. Replace the values PKISERV (surrogate user ID), PKIGRP (administrators group), and CUSTOMER (truncated CA domain name) with your own, if different:
      Examples:
      RDELETE FACILITY IRR.RPKISERV.**
      RDEFINE FACILITY IRR.RPKISERV.*.CUSTOMER
      PERMIT IRR.RPKISERV.*.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
      RDELETE FACILITY IRR.RPKISERV.PKIADMIN
      RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.CUSTOMER
      PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
      PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
      SETROPTS RACLIST(FACILITY) REFRESH
      Restriction: If the name of your initial CA domain is longer than 8 characters, you must truncate it to exactly 8 characters when you define the resource name in the FACILITY class profiles. (In this example, the name CUSTOMERS was truncated to CUSTOMER in the second RDEFINE FACILITY command.)

    _______________________________________________________________

  5. (Optional) You have reconfigured your initial CA domain to allow it to coexist with other CA domains. If you want, you can test the reconfiguration now. To test it, follow these steps:
    1. Restart PKI Services using the following MVS console command. Replace the values CUSTOMER (job name) and /etc/pkiserv/ (runtime directory) with your own, if different.

      Guideline: To simplify your environment, start this instance of PKI Services using a JOBNAME that matches the truncated name of the CA domain. (See your truncated value in Table 1.) If you use the truncated values as job names, it will be easier to distinguish multiple jobs that run PKI Services after you add other CA domains.

      Example:
      S PKISERVD,JOBNAME=CUSTOMER,DIR='/etc/pkiserv/'
    2. Restart the HTTP servers to enable your environment variable changes.
      F IMWEBSRV,APPL=-restart
    3. Test that your PKI Services application is functioning properly. Go to your Web pages by entering the following URL from your browser:
      http://webserver-fully-qualified-domain-name/PKIServ/public-cgi/camain.rexx

      The webserver-fully-qualified-domain-name is the common name (CN) portion of the Web server's distinguished name; see Table 1.

      You should be able to go through your Web pages to request, retrieve, and revoke a certificate of type "PKI browser certificate for authenticating to z/OS®". Ensure you can do this before adding an additional CA domain.

    _______________________________________________________________
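The following z/OS UNIX shell script is an added example, not part of the IBM manual: it derives the 8-character FACILITY resource name from a CA domain name (the Restriction in step 4), generates the step 4 RACF commands with that name, and checks that the _PKISERV_CA_DOMAIN entry from step 2 has a matching _PKISERV_CONFIG_PATH_<domain> entry from step 3. The helper names are hypothetical; the surrogate ID, group and paths are the defaults quoted above, and the sample envars files are constructed here.

```shell
#!/bin/sh
# Added example (not from the IBM manual). Hypothetical helper names; the
# surrogate user ID (PKISERV), administrators group (PKIGRP) and /etc/pkiserv
# are the manual's defaults.

# RACF FACILITY resource qualifiers are limited to 8 characters: uppercase
# the domain name and keep only the first 8 characters (CUSTOMERS -> CUSTOMER).
truncate_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | cut -c1-8
}

# Print the step 4 RACF commands for a CA domain, substituting the truncated
# name, the surrogate user ID and the administrators group.
gen_racf_cmds() {
    dom=$(truncate_domain "$1"); surrogate=${2:-PKISERV}; admins=${3:-PKIGRP}
    cat <<EOF
RDELETE FACILITY IRR.RPKISERV.**
RDEFINE FACILITY IRR.RPKISERV.*.$dom
PERMIT IRR.RPKISERV.*.$dom CLASS(FACILITY) ID($surrogate) ACCESS(CONTROL)
RDELETE FACILITY IRR.RPKISERV.PKIADMIN
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.$dom
PERMIT IRR.RPKISERV.PKIADMIN.$dom CLASS(FACILITY) ID($admins) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN.$dom CLASS(FACILITY) ID($surrogate) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
EOF
}

# Return 0 when pkiserv.envars names a CA domain and httpd.envvars carries the
# matching _PKISERV_CONFIG_PATH_<domain> variable, otherwise return 1.
check_envars() {
    envars=$1; httpdenv=$2
    domain=$(sed -n 's/^_PKISERV_CA_DOMAIN=//p' "$envars" | head -n 1)
    [ -n "$domain" ] || { echo "no _PKISERV_CA_DOMAIN in $envars" >&2; return 1; }
    grep -q "^_PKISERV_CONFIG_PATH_${domain}=" "$httpdenv" || {
        echo "httpd.envvars lacks _PKISERV_CONFIG_PATH_${domain}" >&2; return 1; }
    return 0
}

# Constructed sample files standing in for /etc/pkiserv/pkiserv.envars and
# /etc/httpd.envvars after the edits in steps 2 and 3.
tmp=${TMPDIR:-/tmp}/pkiserv-check.$$; mkdir -p "$tmp"
printf '_PKISERV_CA_DOMAIN=CUSTOMERS\n' > "$tmp/pkiserv.envars"
printf '_PKISERV_CONFIG_PATH_CUSTOMERS=/etc/pkiserv\n' > "$tmp/httpd.envvars"
check_envars "$tmp/pkiserv.envars" "$tmp/httpd.envvars" && echo "envars consistent"
gen_racf_cmds CUSTOMERS
```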

When you are done: You have successfully reconfigured your initial CA domain to allow it to coexist with other CA domains. You can now perform each of the remaining subtasks once for each new CA domain.

Continue to the next subtask. Guideline: Complete Subtasks 3 - 8 for your first new CA domain and ensure that it operates properly before adding another CA domain.





Copyright IBM Corporation 1990, 2014