Table of IKYSETUP variables you can optionally change
Variable name | Description | Referenced elsewhere | Default value or your company's information |
---|---|---|---|
backup_dsn | The data set that contains a backup copy of the PKI Services certificate and private key. | No | When you also set ca_domain: When you do not set ca_domain: Note: The daemon refers to the daemon variable in this table. |
ca_domain | The unique name for the CA when you establish multiple PKI Services CAs. If specified, the first eight characters must uniquely identify the CA. The characters of the ca_domain value are limited to the following character set: alphanumeric characters (a-z, A-Z, 0-9) and the hyphen (-). In addition, the first character must not be a number or hyphen. | No | "" Guideline: Do not change the default (null) value until you perform advanced customization. (See Adding a new CA domain.) |
ca_expires | The date that the PKI Services CA certificate expires. By default, IKYSETUP calculates the CA certificate expiration date based on the value of ca_exyears. For information about setting this variable, see Specifying when the CA certificate and web server certificates expire. | No | 2030/01/01 The date format is yyyy/mm/dd. |
ca_exyears | The life span of the PKI Services CA certificate, expressed in years. By default, IKYSETUP calculates the expiration date for the CA certificate by adding the number of years specified in ca_exyears to the date that IKYSETUP is run. For information about setting this variable, see Specifying when the CA certificate and web server certificates expire. | No | 20 |
ca_ring | The name of the PKI Services SAF key ring. | pkiserv.conf | When you also set ca_domain: CAring.ca_domain When you do not set ca_domain: CAring |
cacert_dsn | The data set that contains the PKI Services certificate to assist the backup process. | No | When you also set ca_domain: When you do not set ca_domain: Note: daemon refers to the daemon variable in this table. |
caStore | The name of the PKI Services PKCS #11 token. | No | When you also set ca_domain or daemon: daemon.CATOKEN.ca_domain When you do not set ca_domain or daemon: CATOKEN |
daemon | The PKI Services daemon user ID. If you also set ca_domain, you can choose to assign a unique user ID to the daemon for each CA domain. Example: For a ca_domain called BankA, you might choose user ID PKISRVDA. | pkiserv.conf | PKISRVD |
export_dsn | The data set that contains the web server's root CA certificate for copying to the file system. | No | When you also set ca_domain: When you do not set ca_domain: Note: daemon refers to the daemon variable in this table. |
log_dsn | The log data set name. | No | When you also set ca_domain: When you do not set ca_domain: Notes: |
pkigroup | The PKI Services administration group. This is a RACF group containing the list of user IDs that are authorized to use PKI Services administration functions. If you also set ca_domain, you can choose to assign a unique group name to the administration group for each CA domain. Example: For a ca_domain called BankA, you might choose group name PKIGRPA. | No | PKIGRP |
pkigroup1, pkigroup2 | PKI Services administrative groups for granular control of administrative functions. | No | PKIGRP1, PKIGRP2 |
ra_backup_dsn | The data set that contains a backup copy of the PKI Services RA certificate and private key. This name should be similar but not identical to the backup_dsn value. | No | When you also set ca_domain: When you do not set ca_domain: Note: The daemon refers to the daemon variable in this table. |
signing_ca_label | The label of the CA certificate that is the superior (signer) of the PKI Services CA. If specified, the value must match the label of an existing CERTAUTH certificate in RACF that has a private key. Use this value to create a CA hierarchy when you establish multiple PKI Services CAs. | No | "" |
surrog | The surrogate user ID for PKI Services. If you also set ca_domain, you can choose to assign a unique user ID as the surrogate user ID for each CA domain. Example: For a ca_domain called BankA, you might choose user ID PKISERVA. Note: This cannot be an existing user ID (because IKYSETUP creates the user ID with the NOPASSWORD attribute). | Surrogate user ID in httpd*.conf | PKISERV |
vsamhlq | The high-level qualifier of the VSAM data sets for PKI Services. Note: The RACF administrator gets this information from the MVS programmer. | | Same as the daemon variable earlier in this table. |
web_expires | The date that the web server certificate expires. By default, IKYSETUP calculates the web server certificate expiration date based on the value of web_exyears. For information about setting this variable, see Specifying when the CA certificate and web server certificates expire. | No | 2015/01/01 The date format is yyyy/mm/dd. |
web_exyears | The life span of the web server certificate, expressed in years. By default, IKYSETUP calculates the expiration date for the web server certificate by adding the number of years specified in web_exyears to the date when IKYSETUP is run. For information about setting this variable, see Specifying when the CA certificate and web server certificates expire. | No | 5 |
web_label | The label for the web server's certificate. | No | SSL Cert |
webserver | The web server's daemon user ID. | See web server documentation. | WEBSRV |