Variables whose values must change

Fill in the blank lines in the rightmost column with your company's information (and cross out the defaults in these cells).
Table 1. IKYSETUP variables whose values must change

Columns: Variable name; Description; Referenced elsewhere; Default value and your company's information.

Variable name: ca_dn
Description: The CA's distinguished name. (For a definition of distinguished name, see Table 1.)
  If you already have your CA certificate and private key set up in RACF®, set ca_dn="", set ca_label (in the following row) to the value of your CA's label, and update ca_expires (in Table 1) to reflect the expiration date of your CA certificate.
  If you do not already have your CA certificate and private key set up in RACF, cross out the default in the rightmost cell of this row and record your company-specific distinguished name on the blank line.
  The suffix of the PKI Services CA's distinguished name must match the LDAP suffix. (The LDAP suffix is in the LDAP server configuration file. See Table 1 for a definition of suffix.)
  Note: Do not specify a C('value') if C is not present in your LDAP suffix.
Default value:
  When you also set ca_domain: OU('ca_domain Human Resources Certificate Authority')
  When you do not set ca_domain: OU('Human Resources Certificate Authority')
  followed in both cases by:
  O('Your Company')
  C('Your Country 2 Letter Abbreviation')
Your company's information: __________________________________

Variable name: ca_label
Description: The CA certificate label. If you already have your CA certificate and private key set up in RACF (and your CA certificate's label differs from the default), you need to set ca_label to your CA certificate's label.
Referenced elsewhere: No
Default value:
  When you also set ca_domain: ca_domain Local PKI CA
  When you do not set ca_domain: Local PKI CA
  (Replace the default if you already have your CA certificate and private key set up in RACF.)
Your company's information: __________________________________

Variable name: daemon_uid
Description: The z/OS® UNIX user identifier (UID) associated with the PKI Services daemon user ID.
Referenced elsewhere: No
Default value: 554
Your company's information: __________________________________

Variable name: pki_gid
Description: The z/OS UNIX group identifier (GID) for the PKI Services administration group.
Referenced elsewhere: No
Default value: 655
Your company's information: __________________________________

Variable name: pkigroup_mem.
Description: Members of the PKI administration group are responsible for administering PKI Services functions.
  Guideline: Assign PKI administration duties to only highly trusted individuals.
  pkigroup_mem. is a list in which pkigroup_mem.0 is the number of members in the list and the rest of the entries are their user IDs. You must change pkigroup_mem.0 to at least 1, and change pkigroup_mem.1 through pkigroup_mem.n to the member user IDs.
Referenced elsewhere: No
Default value: 0 (default for pkigroup_mem.0, the number of member user IDs)
  Note: You must change the default to at least 1.
Your company's information: __________________________________
  (Record the member IDs:)
  __________________________________
  __________________________________
  __________________________________
  __________________________________
  __________________________________

Variable name: ra_dn
Description: The RA's distinguished name for use with Simple Certificate Enrollment Protocol (SCEP). (For a definition of distinguished name, see Table 1.)
  This name should be similar but not identical to your CA's distinguished name. If you do not want PKI Services to operate with a separate RA certificate, set ra_dn="".
Referenced elsewhere: No
Default value:
  CN('Registration Authority')
  OU('Human Resources Certificate Authority')
  O('Your Company')
  C('Your Country 2 Letter Abbreviation')
Your company's information: __________________________________

Variable name: ra_label
Description: The certificate label of your RA certificate in RACF.
Referenced elsewhere: No
Default value:
  When you also set ca_domain: ca_domain Local PKI RA
  When you do not set ca_domain: Local PKI RA
Your company's information: __________________________________

Variable name: surrog_uid
Description: The UID associated with the surrogate user ID.
Referenced elsewhere: No
Default value: 555
Your company's information: __________________________________

Variable name: web_dn
Description: Your web server's distinguished name. (For a definition of distinguished name, see Table 1.)
  Notes:
    1. The RACF administrator copies the fully qualified domain name from an earlier table: Table 1.
    2. If you already have your web server configured for SSL:
      • Set web_dn=""
      • Update the web_ring row
      (You need to connect your PKI Services CA certificate to your key ring. See the web_ring row for directions.)
  The value of the web server's common name (CN), which is your server's symbolic IP address (for example, www.YourCompany.com), must match your web server's fully qualified domain name.
Default value:
  CN('www.YourCompany.com')
  O('Your Company')
  L('Your City')
  SP('Your Full State or Province Name')
  C('Your Country 2 Letter Abbreviation')
Your company's information: __________________________________

Variable name: web_ring
Description: The name of the web server's SAF key ring.
  If your web server is configured for SSL and you are using a RACF key ring, set web_ring to the value of the RACF key ring. If your web server is configured for SSL and you are using gskkyman, set web_ring="" and see Using a gskkyman key database for additional directions.
Referenced elsewhere:
  vhost443.conf (host file for SSL requests with server authentication)
  vhost1443.conf (host file for SSL requests with client authentication)
Default value: SSLring
Your company's information: __________________________________
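The table above states several consistency rules that are easy to get wrong when filling in the worksheet by hand: the CA distinguished name must end in the LDAP suffix and must not carry a C('value') the suffix lacks, an empty ca_dn only works if ca_label names the existing RACF CA, the RA name must differ from the CA name, pkigroup_mem.0 must be at least 1 and agree with the number of member IDs listed, and the web server CN must equal its fully qualified domain name. The following Python script is an added example, not part of the IBM documentation or of IKYSETUP itself; it checks a filled-in worksheet against those rules before the values are typed into the REXX exec. It assumes the LDAP suffix is written in the usual "o=Your Company,c=US" form, reads "similar but not identical" for ra_dn as sharing the CA's suffix, and uses constructed sample user IDs (PKIADM1, PKIADM2) and a two-letter country code (US) that are placeholders, not values from the page.

```python
import re
from typing import Dict, List, Tuple

# Matches one RACF-style RDN as written in the worksheet, e.g. OU('Human Resources Certificate Authority').
_RDN = re.compile(r"([A-Za-z]+)\('([^']*)'\)")


def parse_racf_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a RACF-style DN into ordered (attribute, value) pairs, most specific first."""
    return [(attr.upper(), value) for attr, value in _RDN.findall(dn)]


def parse_ldap_suffix(suffix: str) -> List[Tuple[str, str]]:
    """Split an LDAP suffix such as 'o=Your Company,c=US' into ordered (attribute, value) pairs.

    Assumption: the plain comma-separated attr=value form; quoted or escaped RDNs are not handled.
    """
    pairs = []
    for rdn in suffix.split(","):
        attr, _, value = rdn.partition("=")
        if attr.strip():
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_ikysetup(vals: Dict[str, object], ldap_suffix: str, web_fqdn: str) -> List[str]:
    """Return the worksheet rules that the filled-in values violate; an empty list means consistent."""
    problems: List[str] = []
    suffix = parse_ldap_suffix(ldap_suffix)
    if not suffix:
        return ["LDAP suffix is empty; cannot check ca_dn"]

    ca_dn = str(vals.get("ca_dn", ""))
    ca_label = str(vals.get("ca_label", ""))
    if ca_dn == "":
        # Reusing an existing RACF CA: IKYSETUP finds it by label, so the label must be filled in.
        if ca_label == "":
            problems.append("ca_dn is empty (existing RACF CA) but ca_label is not set")
    else:
        dn = parse_racf_dn(ca_dn)
        # The trailing components of the CA DN must be exactly the LDAP suffix.
        if dn[-len(suffix):] != suffix:
            problems.append(f"ca_dn suffix {dn[-len(suffix):]} does not match LDAP suffix {suffix}")
        if any(a == "C" for a, _ in dn) and not any(a == "C" for a, _ in suffix):
            problems.append("ca_dn specifies C('value') but the LDAP suffix has no c= component")

    ra_dn = str(vals.get("ra_dn", ""))
    if ra_dn != "" and ca_dn != "":
        ra, ca = parse_racf_dn(ra_dn), parse_racf_dn(ca_dn)
        if ra == ca:
            problems.append("ra_dn must not be identical to ca_dn")
        elif ra[-len(suffix):] != ca[-len(suffix):]:
            # "Similar" is interpreted here as sharing the CA's suffix (an assumption of this example).
            problems.append("ra_dn does not share ca_dn's suffix")

    # pkigroup_mem. is a REXX stem: key "0" holds the count, keys "1".."n" hold user IDs.
    members = vals.get("pkigroup_mem") or {}
    try:
        count = int(members.get("0", 0))
    except (TypeError, ValueError):
        count = 0
    listed = [members[str(i)] for i in range(1, count + 1) if str(i) in members]
    if count < 1:
        problems.append("pkigroup_mem.0 must be at least 1 (the administration group needs a member)")
    elif len(listed) != count:
        problems.append(f"pkigroup_mem.0 is {count} but only {len(listed)} member user IDs are listed")

    web_dn = str(vals.get("web_dn", ""))
    if web_dn != "":
        cn = dict(parse_racf_dn(web_dn)).get("CN", "")
        if cn.lower() != web_fqdn.lower():
            problems.append(f"web_dn CN {cn!r} does not match the web server FQDN {web_fqdn!r}")
    return problems


# Constructed sample worksheet, modelled on the table's defaults; user IDs and country code are placeholders.
SAMPLE_LDAP_SUFFIX = "o=Your Company,c=US"
SAMPLE_WEB_FQDN = "www.YourCompany.com"
SAMPLE_SETUP: Dict[str, object] = {
    "ca_dn": "OU('Human Resources Certificate Authority') O('Your Company') C('US')",
    "ca_label": "Local PKI CA",
    "daemon_uid": 554,
    "pki_gid": 655,
    "pkigroup_mem": {"0": "2", "1": "PKIADM1", "2": "PKIADM2"},
    "ra_dn": "CN('Registration Authority') OU('Human Resources Certificate Authority') O('Your Company') C('US')",
    "ra_label": "Local PKI RA",
    "surrog_uid": 555,
    "web_dn": "CN('www.YourCompany.com') O('Your Company') L('Your City') SP('Your Full State or Province Name') C('US')",
    "web_ring": "SSLring",
}

if __name__ == "__main__":
    for problem in check_ikysetup(SAMPLE_SETUP, SAMPLE_LDAP_SUFFIX, SAMPLE_WEB_FQDN) or ["worksheet is consistent"]:
        print(problem)
```

Run it against your own filled-in values before editing IKYSETUP; every message it prints corresponds to one of the rules stated in the table, so a clean run means the distinguished names, labels, group membership count and web server CN agree with each other and with the LDAP suffix.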