Task overview

This topic includes a task roadmap that you can use to add a new CA domain. The roadmap includes several subtasks, which are listed in Table 1. It is intended to direct you through adding a new CA domain after you have completed all required tasks in Configuring your system for PKI Services. Before you begin this task, you must have implemented and tested the default PKI Services setup and confirmed that it operates properly as a single CA domain.

For each CA you add, you create a dedicated copy of the object store and issued certificate list (ICL), CA certificate, key ring, and LDAP namespace. You also create a dedicated copy of the PKI Services configuration file (pkiserv.conf), templates file (pkiserv.tmpl or pkitmpl.xml), and environment variables file (pkiserv.envars), each in its own directory. You update the following CA-specific information in these files:
  • pkiserv.conf - contains the CA-specific key ring name, VSAM data set names or DB2® subsystem and package name for the object store and ICL, and optionally CRLDistDirPath.
  • pkiserv.envars - contains the variable _PKISERV_CA_DOMAIN, which specifies the CA domain, and the variable _PKISERV_CONFIG_PATH, which sets the configuration directory for that CA domain.
  • The template file that you are using:
    • pkiserv.tmpl - contains the name of the end-user application section (default is CUSTOMER) that you rename to a CA-specific name, such as <APPLICATION NAME=EMPLOYEE>. It also contains the name of the administrative application section (default is PKISERV) that you can rename to a CA-specific name, such as <APPLICATION NAME=ADMEMPLOYEES>.
    • pkitmpl.xml - defines the applications and certificate request templates that you use for this CA domain.

If you are implementing the web application using REXX CGI execs, see Subtask 2: Steps for reconfiguring your initial CA domain to allow it to coexist with other CA domains and Subtask 6: Steps for updating the web server configuration for more information about adding application domains.

If you are implementing the web application using JavaServer Pages (JSPs), you need to edit the web.xml file within the PKIServ.EAR file. It helps to understand the URLs used for multiple CA domains and multiple application domains. The JSP code parses the URL to determine the CA domain and application name. The first directory after the root context of PKIServ_Web is the CA domain name, if there is one, and the second directory is either the application name or PKIServ (for the PKI Services administration web pages). When the JSPs are run without a named CA domain, the first directory after the root context of PKIServ_Web is the application name or PKIServ (for the PKI Services administration pages).
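The URL layout described above, worked through as an added example (this is not code from PKI Services or from IBM, and it is written in Python rather than as a JSP). The page does not say how the JSP code decides whether the first directory is a CA domain; the example assumes the segment is matched against a configured set of CA domains, and the domain names, application names and host in it are constructed sample values. Unknown segments are rejected rather than passed through, so a request path can only ever select a configuration that an administrator actually created.

```python
"""Resolve a PKIServ_Web request path into (CA domain, application).

Added example, not part of the PKI Services documentation or code.
Assumptions: KNOWN_CA_DOMAINS and KNOWN_APPLICATIONS are constructed
sample values standing in for the CA domains and template application
sections an administrator has configured.
"""
from urllib.parse import unquote, urlsplit

ROOT_CONTEXT = "PKIServ_Web"
ADMIN_APP = "PKIServ"  # fixed name of the administration pages

# Constructed sample configuration (assumption, not real deployment data)
KNOWN_CA_DOMAINS = {"EMPLOYEES", "PARTNERS"}
KNOWN_APPLICATIONS = {"CUSTOMER", "EMPLOYEE", "ADMEMPLOYEES"}


def resolve_request(url):
    """Return (ca_domain or None, application) for a PKIServ_Web URL.

    Layout handled:
      /PKIServ_Web/<CA domain>/<application or PKIServ>/...
      /PKIServ_Web/<application or PKIServ>/...
    Raises ValueError when a segment does not name a known CA domain or
    application, so that path tricks such as '..' never pick a config.
    """
    # Percent-decode first so an encoded segment cannot slip past the checks.
    path = unquote(urlsplit(url).path)
    segments = [s for s in path.split("/") if s]
    if not segments or segments[0] != ROOT_CONTEXT:
        raise ValueError("request is not under the %s root context" % ROOT_CONTEXT)

    rest = segments[1:]
    if not rest:
        raise ValueError("no application named in the path")

    ca_domain = None
    if rest[0] in KNOWN_CA_DOMAINS:
        # First directory after the root context names a configured CA domain.
        ca_domain = rest[0]
        rest = rest[1:]
        if not rest:
            raise ValueError("CA domain %s given without an application" % ca_domain)

    application = rest[0]
    if application != ADMIN_APP and application not in KNOWN_APPLICATIONS:
        raise ValueError("unknown application segment %r" % application)
    return ca_domain, application


def is_valid_request(url):
    """True when resolve_request accepts the URL, False when it rejects it."""
    try:
        resolve_request(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in (
        "https://pki.example.test/PKIServ_Web/EMPLOYEES/EMPLOYEE/index.jsp",
        "https://pki.example.test/PKIServ_Web/CUSTOMER/index.jsp",
        "https://pki.example.test/PKIServ_Web/PKIServ/",
        "https://pki.example.test/PKIServ_Web/EMPLOYEES/../CUSTOMER/x.jsp",
    ):
        try:
            print(sample, "->", resolve_request(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

Because the application name is also the name of a section in the templates file, validating it against the configured set (rather than using the raw path segment) is what keeps a CA-specific template, such as EMPLOYEE, from being reached under a CA domain it was never meant to serve.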