LDAP directory server requirements
PKI Services typically
requires access to an LDAP directory server to store issued certificates
and certificate revocation lists. The z/OS® LDAP server provided
by IBM® Tivoli® Directory Server for z/OS is
preferred but not required. You can use a non-z/OS LDAP server
if it can support the objectclasses and attributes PKI Services uses. These
are listed in the following table:
| End-entity or branch node? | Visible RDN attribute | Objectclasses used | Additional attributes set (other than visible RDN attribute) |
|---|---|---|---|
| Creating a branch node | C= | country | — |
| Creating a branch node | L= | locality | — |
| Creating a branch node | O= | organization | — |
| Creating a branch node | OU= | organizationalUnit | — |
| Creating a branch node | DC= | domain | none |
| Creating a branch node | Any supported |
organizationalUnit, and extensibleObject | ou (the ou value from CreateOUValue in the LDAP section of pkiserv.conf file) |
| Creating a user end-entity | unstructuredName |
account, pkiUser, cEPDevice, and extensibleObject | userCertificate, and uid (hardcoded to NoUid) |
| Creating a user end-entity | serialNumber | account, pkiUser, pKCS10Device, and extensibleObject | userCertificate, and uid (hardcoded to NoUid) |
| Creating a user end-entity | DC | domain pkiUser, , and extensibleObject | userCertificate |
| Creating a user end-entity | dnQualifier | account, pkiUser, uniquelyQualifiedObject, and extensibleObject | userCertificate, and uid (hardcoded to NoUid) |
| Creating a user end-entity | UID | account, pkiUser, and extensibleObject | userCertificate |
| Creating a user end-entity | Any supported value other than unstructuredName, unstructAddress, serialNumber, DC, dnQualifier and UID | account, pkiUser, and extensibleObject | userCertificate, and uid (hardcoded to NoUid) |
| Creating a CA end-entity | O= | organization, and pkiCA | cACertificate, certificaterevocationlist, and authorityrevocationlist |
| Creating a CA end-entity | OU= | organizationalUnit, and pkiCA | cACertificate, certificaterevocationlist, and authorityrevocationlist |
| Creating a CA end-entity | DC | domain, pkiCA and extensibleObject | cACertificate, certificaterevocationlist, and authorityrevocationlist |
| Creating a CA end-entity | dnQualifier | account, uniquelyQualifiedObject, pkiCA, and extensibleObject | cACertificate, certificaterevocationlist, authorityrevocationlist, and uid (hardcoded to NoUid) |
| Creating a CA end-entity | UID | account, pkiCA, and extensibleObject | cACertificate, certificaterevocationlist, and authorityrevocationlist |
| Creating a CA end-entity | Any supported value other than O, OU, DC, dnQualifier and UID | account, pkiCA, and extensibleObject | cACertificate, certificaterevocationlist, authorityrevocationlist and uid (hardcoded to NoUid) |
User end-entity that |
unstructuredName |
pkiUser, cEPDevice | userCertificate |
User end-entity that |
serialNumber | pkiUser, pKCS10Device | userCertificate |
User end-entity that |
Any supported |
pkiUser | userCertificate |
CA end-entity that |
Any supported |
pkiCA | cACertificate, certificaterevocationlist, and authorityrevocationlist |
Creating a distribution |
CN= | commonName and cRLDistributionPoint | certificateRevocationList |
Distribution point CRL |
Any supported |
cRLDistributionPoint | certificateRevocationList |
The R_PKIServ SAF callable service supports specifying
the subject's DN through named fields in the CertPlist. The CGIs invoke
the R_PKIServ SAF callable service. For more information,
see z/OS Security Server RACF Callable Services. PKI Services supports
the subject's DN fields, plus some additional ones: postal code, street,
and mail. They
are mapped to LDAP attributes as Table 2 indicates.
1 The use of the field name Email is deprecated;
use Mail instead. 2 When a certificate is created and posted
to LDAP, the NotifyEmail value, if specified, is posted as the MAIL
attribute. (This replaces any MAIL attribute for the directory entry
and for certificate renewals replaces the original NotifyEmail value).
| Named field | Visible RDN attribute | OID |
|---|---|---|
| CommonName | CN | 2.5.4.3 |
| Title | TITLE | 2.5.4.12 |
| OrgUnit | OU | 2.5.4.11 |
| Org | O | 2.5.4.10 |
| Locality | L | 2.5.4.7 |
| StateProv | ST | 2.5.4.8 |
| Country | C | 2.5.4.6 |
| PostalCode | POSTALCODE | 2.5.4.17 |
| Street | STREET | 2.5.4.9 |
| Email1 | 0.9.2342.19200300.100.1.3 | |
| MAIL2 | 0.9.2342.19200300.100.1.3 | |
| EmailAddr | 1.2.840.113549.1.9.1 | |
| UnstructName | UNSTRUCTUREDNAME | 1.2.840.113549.1.9.2 |
| UnstructAddr | UNSTRUCTUREDADDRESS | 1.2.840.113549.1.9.8 |
| SerialNumber | SERIALNUMBER | 2.5.4.5 |
| DNQualifier | DNQUALIFIER | 2.5.4.46 |
| DomainName | DC | 0.9.2342.19200300.100.1.25 |
| Uid | UID | 0.9.2342.19200300.100.1.1 |
| BusinessCat | BUSINESSCATEGORY | 2.5.4.15 |
| JurLocality | JURISDICTIONLOCALITY | 1.3.6.1.4.1.311.60.2.1.1 |
| JurStateProv | JURISDICTIONSTATEPROV | 1.3.6.1.4.1.311.60.2.1.2 |
| JurCountry | JURISTDICTIONCOUNTRY | 1.3.6.1.4.1.311.60.2.1.3 |