You need to update the pkiserv.conf configuration file if you meet any of the following conditions:
- You are configuring PKI Services for the first time.
- You are adding support for:
  - Running multiple instances of PKI Services in a sysplex.
  - Running multiple CA domains on a single z/OS® image. (See Adding a new CA domain.)
  - Sending e-mail notifications to users if the PKI Services administrator rejects certificate requests, or if certificates are ready for retrieval or are expiring.
  - Customizing certificate revocation list (CRL) distribution point processing. (See Customizing distribution point CRLs for details.)
  - Automatic renewal of expiring certificates.
  - Sending e-mail notifications to administrators if any requests are pending approval.
  - A timeout value for the PKI Services exit.
  - Generation of key pairs (public and private key) for certificates.
  - Setting the time that the daily maintenance task runs, or the days that it runs, or specifying that it is not to run when the PKI Services daemon starts.
  - The certificate management protocol (CMP).
  - Using DB2® tables instead of VSAM files for the object store and ICL.
  - Creating CRLs without the Issuing Distribution Point extension.
  - Constraining the CA path length.
  - Granular control of administrative functions.
  - WTO notification.
- You installed a new release of z/OS and had configured PKI Services on the earlier release. (For more information, see Updating pkiserv.conf after installing a new release of z/OS.)

You can also optionally update the file if you want to change certain default values.
The pkiserv.conf configuration file for the PKI Services daemon consists of sections of name-value pairs.

Important: Everything in the pkiserv.conf file, including section names, keys, and values, is case-sensitive.

Each section of the pkiserv.conf configuration file has a title enclosed in square brackets. The configuration file includes the following sections:
- [OIDs]
  The OIDs section specifies the object identifiers for the various nicknames that PKI Services uses internally. The OIDs are specified in the following form:

      name=dotted-decimal

  The following excerpt is from the OIDs section:

      [OIDs]
      ⋮
      MyPolicy=1.2.3.4

- [ObjectStore]
  The ObjectStore section specifies operational information for the object store and the issued certificate list (ICL). The following excerpt is from the ObjectStore section:

      [ObjectStore]
      ObjectDSN='pkisrvd.vsam.ost'
      ⋮

- [CertPolicy]
  The CertPolicy section is for CA policy information. The following excerpt is from the CertPolicy section:

      [CertPolicy]
      SigAlg1=sha-256WithRSAEncryption
      ⋮

- [General]
  The General section is for general information. The following excerpt is from the General section:

      [General]
      InitialThreadCount=10
      ⋮

- [SAF]
  The SAF section is for information about the SAF (RACF®) key ring that is used for CA certificate and private key storage. The following excerpt is from the SAF section:

      [SAF]
      KeyRing=PKISRVD/CAring

- [LDAP]
  The LDAP section contains information about the LDAP server for posting certificates and CRLs. The following excerpt is from the LDAP section:

      [LDAP]
      NumServers=1
      ⋮

  The UNIX programmer needs to update the LDAP section of this file. Guideline: Do not change it now; change it later, when you perform Steps for tailoring the LDAP section of the configuration file.
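As an added illustration (not code from the PKI Services product or from this documentation), the following Python checker parses the structure described above: bracketed section titles and name=value pairs, kept case-sensitive, with a report of any required section that is absent (a wrong-case title such as [oids] counts as absent) and any OIDs-section value that is not dotted-decimal. The list of required sections and the sample file are assumptions built from the excerpts on this page.

```python
import re

# Constructed sample built from the excerpts on this page; a real
# pkiserv.conf contains many more keys in each section.
SAMPLE_CONF = """[OIDs]
MyPolicy=1.2.3.4
[ObjectStore]
ObjectDSN='pkisrvd.vsam.ost'
[CertPolicy]
SigAlg1=sha-256WithRSAEncryption
[General]
InitialThreadCount=10
[SAF]
KeyRing=PKISRVD/CAring
[LDAP]
NumServers=1
"""

REQUIRED_SECTIONS = ("OIDs", "ObjectStore", "CertPolicy", "General", "SAF", "LDAP")
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")   # title enclosed in square brackets
OID_RE = re.compile(r"^\d+(\.\d+)+$")          # dotted-decimal, e.g. 1.2.3.4

def parse_pkiserv_conf(text):
    """Parse the file into {section: {name: value}} without folding case:
    section titles, keys and values are all case-sensitive."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected [section] or name=value")
        else:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections

def check_conf(sections):
    """Report required sections that are absent (a wrong-case title such as
    [oids] counts as absent) and OID nicknames whose value is not dotted-decimal."""
    problems = [f"missing section [{s}]" for s in REQUIRED_SECTIONS if s not in sections]
    for name, oid in sections.get("OIDs", {}).items():
        if not OID_RE.match(oid):
            problems.append(f"OID {name} is not dotted-decimal: {oid}")
    return problems
```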