Variables whose values must change
Variable name | Description | Referenced elsewhere | Default value and your company's information |
---|---|---|---|
ca_dn | The CA's distinguished name. (For a definition of distinguished name, see Table 1.) If you already have your CA certificate and private key set up in RACF®, set ca_dn="", set ca_label (in the following row) to the value of your CA's label, and update ca_expires (in Table 1) to reflect the expiration date of your CA certificate. If you do not already have your CA certificate and private key set up in RACF, cross out the default in the rightmost cell of this row and record your company-specific information for the distinguished name on the blank line. | The suffix of the PKI Services CA's distinguished name must match the LDAP suffix. (The LDAP suffix is in the LDAP server configuration file. See Table 1 for a definition of suffix.) Note: However, do not specify a C('value') if it is not present in your LDAP suffix. | When you also set ca_domain: OU('ca_domain Human Resources Certificate Authority') When you do not set ca_domain: OU('Human Resources Certificate Authority') O('Your Company') C('Your Country 2 Letter Abbreviation') __________________________________ |
ca_label | The CA certificate label. If you already have your CA certificate and private key set up in RACF (and your CA certificate's label differs from the default), you need to set ca_label to your CA certificate's label. | No | When you also set ca_domain: ca_domain Local PKI CA When you do not set ca_domain: Local PKI CA (Replace the default if you already have your CA certificate and private key set up in RACF.) __________________________________ |
daemon_uid | The z/OS® UNIX user identifier (UID) associated with the PKI Services daemon user ID. | No | 554 __________________________________ |
pki_gid | The z/OS UNIX group identifier (GID) for the PKI Services administration group. | No | 655 __________________________________ |
pkigroup_mem. | Members of the PKI administration group are responsible for administering PKI Services functions. Guideline: Assign PKI administration duties to only highly trusted individuals. pkigroup_mem. is a list in which pkigroup_mem.0 is the number of members in the list and the rest of the entries are their user IDs. You must change pkigroup_mem.0 to at least 1, and change pkigroup_mem.1 through pkigroup_mem.n to the member user IDs. | No | 0 (default for pkigroup_mem.0, the number of member user IDs) __________________________________ Note: You must change the default to at least 1. (Record the member IDs:) __________________________________ __________________________________ __________________________________ __________________________________ __________________________________ |
ra_dn | The RA's distinguished name for use with Simple Certificate Enrollment Protocol (SCEP). (For a definition of distinguished name, see Table 1.) This name should be similar but not identical to your CA's distinguished name. If you do not want to have PKI Services operate with a separate RA certificate, set ra_dn="". | No | CN('Registration Authority') OU('Human Resources Certificate Authority') O('Your Company') C('Your Country 2 Letter Abbreviation') __________________________________ |
ra_label | The certificate label of your RA certificate in RACF. | No | When you also set ca_domain: ca_domain Local PKI RA When you do not set ca_domain: Local PKI RA __________________________________ |
surrog_uid | The UID associated with the surrogate user ID. | No | 555 __________________________________ |
web_dn | Your web server's distinguished name. (For a definition of distinguished name, see Table 1.) Notes: | The value of the web server's common name (CN), which is your server's symbolic IP address (for example, www.YourCompany.com), must match your web server's fully qualified domain name. | CN('www.YourCompany.com') O('Your Company') L('Your City') SP('Your Full State or Province Name') C('Your Country 2 Letter Abbreviation') __________________________________ |
web_ring | The name of the web server's SAF key ring. If your web server is configured for SSL and you are using a RACF key ring, set web_ring to the value of the RACF key ring. If your web server is configured for SSL and you are using gskkyman, set web_ring="" and see Using a gskkyman key database for additional directions. | vhost443.conf Host file for SSL requests with server authentication; vhost1443.conf Host file for SSL requests with client authentication | SSLring __________________________________ |
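
The constraints this table states (the ca_dn suffix matches the LDAP suffix, no C() unless the suffix has one, pkigroup_mem.0 of at least 1, ra_dn not identical to ca_dn, the web_dn CN equal to the web server's fully qualified domain name) can be checked before the values are recorded. The following Python is an added example, not part of PKI Services or of this page; the function names, the dictionary layout, the comma-separated `o=...,c=...` suffix form and the case-insensitive comparison are assumptions.

```python
import re

# DN syntax as shown in the table's default column: keyword('value') pairs.
_PAIR = re.compile(r"([A-Za-z]+)\('([^']*)'\)")

def parse_dn(dn):
    """Return [(KEYWORD, value), ...] in the order written."""
    return [(k.upper(), v) for k, v in _PAIR.findall(dn)]

def parse_ldap_suffix(suffix):
    """Parse a suffix such as 'o=Example Corp,c=US' (assumed form)."""
    rdns = []
    for part in suffix.split(","):
        key, _, value = part.partition("=")
        rdns.append((key.strip().upper(), value.strip()))
    return rdns

def _norm(rdns):
    # Assumption: values are compared without regard to case.
    return [(k, v.lower()) for k, v in rdns]

def check_worksheet(w, ldap_suffix, web_fqdn):
    """Return a list of problems found in the worksheet values w (a dict)."""
    problems = []
    suffix = parse_ldap_suffix(ldap_suffix)
    if w["ca_dn"]:  # ca_dn="" means the CA certificate is already in RACF
        ca = parse_dn(w["ca_dn"])
        if _norm(ca[-len(suffix):]) != _norm(suffix):
            problems.append("ca_dn suffix does not match the LDAP suffix")
        if any(k == "C" for k, _ in ca) and not any(k == "C" for k, _ in suffix):
            problems.append("ca_dn has C() but the LDAP suffix has no country")
    members = w["pkigroup_mem"]  # index 0 holds the count, like pkigroup_mem.0
    if members[0] < 1 or len(members) - 1 != members[0] or not all(members[1:]):
        problems.append("pkigroup_mem.0 must be >= 1 and match the listed IDs")
    if w["ra_dn"] and parse_dn(w["ra_dn"]) == parse_dn(w["ca_dn"]):
        problems.append("ra_dn must not be identical to ca_dn")
    cn = dict(parse_dn(w["web_dn"])).get("CN", "")
    if cn.lower() != web_fqdn.lower():
        problems.append("web_dn CN does not match the web server FQDN")
    return problems

# Constructed sample values, not taken from any real installation.
SAMPLE = {
    "ca_dn": "OU('Human Resources Certificate Authority') O('Example Corp') C('US')",
    "ra_dn": "CN('Registration Authority') OU('Human Resources Certificate Authority') O('Example Corp') C('US')",
    "web_dn": "CN('www.example.com') O('Example Corp') L('Anytown') SP('New York') C('US')",
    "pkigroup_mem": [2, "ADMIN1", "ADMIN2"],
}
```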