Sample IKYSETUP log data set
Here is an example of the data that appears when you run IKYSETUP.
Creating users and groups ...
ADDUSER PKISRVD name('PKI Srvs Daemon') nopassword omvs(uid(554) assize(256000000)
threads(512))
ADDUSER PKISERV nopassword omvs(uid(555)) name('PKI Srvs Surrogate')
ADDGROUP PKIGRP OMVS(GID(655))
SETROPTS EGN GENERIC(DATASET)
ADDSD 'PKISRVD.**' UACC(NONE)
PERMIT 'PKISRVD.**' ID(PKISRVD) ACCESS(ALTER)
Allowing administrators to access PKI VSAM databases ...
PERMIT 'PKISRVD.**' ID(PKIGRP) ACCESS(CONTROL)
SETROPTS GENERIC(DATASET) REFRESH
Creating the CA certificate ...
RACDCERT GENCERT CERTAUTH SUBJECTSDN(OU('Human Resources Certificate Authority')
O('Your Company') C('Your Country 2 Letter Abbreviation')) WITHLABEL('Local PKI CA')
NOTAFTER(DATE(2033/06/14)) SIZE(2048)
Backing up the CA certificate ...
RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA')) DSN('PKISRVD.KEY.BACKUP.P12BIN') FORMAT(PKCS12DER)
PASSWORD('******')
Marking CA certificate as HIGHTRUST ...
RACDCERT CERTAUTH ALTER(LABEL('Local PKI CA')) HIGHTRUST
Saving the CA certificate to a data set ...
RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA')) DSN('PKISRVD.CACERT.DERBIN') FORMAT(CERTDER)
Creating the RA certificate ...
RACDCERT ID(PKISRVD) GENCERT SUBJECTSDN(CN('Registration Authority')
OU('Human Resources Certificate Authority')
O('Your Company') C('Your Country 2 Letter Abbreviation'))
KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('Local PKI CA'))
NOTAFTER(DATE(2033/06/14)) WITHLABEL('Local PKI RA')
Backing up RA certificate ...
RACDCERT ID(PKISRVD) EXPORT(LABEL('Local PKI RA')) DSN('PKISRVD.RAKEY.BACKUP.P12BIN')
FORMAT(PKCS12DER) PASSWORD('******')
Creating the PKI Services keyring ...
RACDCERT ADDRING(CAring) ID(PKISRVD)
RACDCERT ID(PKISRVD) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(CAring) USAGE(PERSONAL) DEFAULT)
RACDCERT ID(PKISRVD) CONNECT(LABEL('Local PKI RA') RING(CAring) USAGE(PERSONAL))
Creating the Webserver SSL certificate and keyring ...
RACDCERT GENCERT ID(WEBSRV) SIGNWITH(CERTAUTH LABEL('Local PKI CA')) WITHLABEL('SSL Cert')
SUBJECTSDN(CN('www.YourCompany.com') O('Your Company') L('Your City')
SP('Your Full State or Province Name') C('Your Country 2 Letter Abbreviation'))
NOTAFTER(DATE(2018/06/14))
RACDCERT ADDRING(SSLring) ID(WEBSRV)
RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) LABEL('SSL Cert') RING(SSLring) USAGE(PERSONAL) DEFAULT)
RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('Local PKI CA') RING(SSLring))
Saving the webserver's root CA certificate to a data set for OPUT ...
RACDCERT CERTAUTH EXPORT(LABEL('Local PKI CA')) DSN('PKISRVD.WEBROOT.DERBIN') FORMAT(CERTDER)
Giving PKISRVD access to BPX.SERVER ...
RDEFINE FACILITY BPX.SERVER
PERMIT BPX.SERVER CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
Allowing the PKI Services daemon to act as a CA ...
RDEFINE FACILITY IRR.DIGTCERT.GENCERT
RDEFINE FACILITY IRR.DIGTCERT.LISTRING
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(PKISRVD) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
Allowing the Webserver to access its keyring ...
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WEBSRV) ACCESS(READ)
Allowing the Webserver to switch identity to PKISERV ...
SETROPTS CLASSACT(SURROGAT)
RDEFINE SURROGAT BPX.SRV.PKISERV
PERMIT BPX.SRV.PKISERV CLASS(SURROGAT) ID(WEBSRV) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH
Allowing the PKI Services daemon to use ICSF ...
SETROPTS GENERIC(CSFKEYS CSFSERV)
SETROPTS GENERIC(CSFKEYS CSFSERV) REFRESH
RDEFINE CSFKEYS IRR.DIGTCERT.CERTIFAUTH.* UACC(NONE)
PERMIT IRR.DIGTCERT.CERTIFAUTH.* CLASS(CSFKEYS) ID(PKISRVD) ACCESS(READ)
SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
SETROPTS RACLIST(CSFKEYS) REFRESH
Creating the STARTED class profile for the daemon ...
RDEFINE STARTED PKISERVD.* STDATA(USER(PKISRVD))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
SETROPTS RACLIST(STARTED) REFRESH
Allowing PKISERV to request certificate functions ...
SETR GENERIC(FACILITY)
RDEFINE FACILITY IRR.RPKISERV.**
PERMIT IRR.RPKISERV.** CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
Creating the profile to protect PKI Admin functions ...
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN
PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
-------------------------------------------------
Information needed for PKI Services UNIX set up:
-------------------------------------------------
The daemon user ID is:
PKISRVD
The VSAM high level qualifier is:
PKISRVD
This is needed for the [ObjectStore] section in pkiserv.conf
The PKI Services' DER encoded certificate is in data set:
'PKISRVD.CACERT.DERBIN'
The webserver's DER encoded root
CA certificate is in data set:
'PKISRVD.WEBROOT.DERBIN'
This must be OPUT to /var/pkiserv/cacert.der with the BINARY option
The fully qualified PKI Services' SAF keyring is:
PKISRVD/CAring
This is needed for the [SAF] section in pkiserv.conf
The label of the PKI Services' RA certificate is:
Local PKI RA
This is needed for the [SAF] section in pkiserv.conf
The PKI Services CA DN is:
OU=Human Resources Certificate Authority,O=Your Company,C=Your Country 2 Letter Abbreviation
The suffix must match the LDAP suffix in slapd.conf
The PKI Services RA DN is:
CN=Registration Authority,OU=Human Resources Certificate Authority,O=Your Company,
C=Your Country 2 Letter Abbreviation
The suffix must match the LDAP suffix in slapd.conf
The recommended location for the pkiserv.conf and pkiserv.tmpl is:
/etc/pkiserv
Set the following environment variables in pkiserv.envars:
_PKISERV_CONFIG_PATH=/etc/pkiserv
Set the following environment variable in your httpd envvars files:
_PKISERV_CONFIG_PATH=/etc/pkiserv
The webserver's SAF keyring is:
SSLring
This is needed for the KeyFile directive in virtual host files
The Webserver's DN is:
CN=www.YourCompany.com,O=Your Company,L=Your City,ST=Your Full State or Province Name,
C=Your Country 2 Letter Abbreviation
The left most RDN must be the webserver's fully qualified domain name
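As an added example (not part of the IKYSETUP output or of PKI Services itself), a small Python parser that pulls the PERMIT commands out of a log like the one above and summarises the resulting RACF grants per user ID, so an access review can confirm the high-privilege grants and the explicit ACCESS(NONE) that keeps the web surrogate PKISERV out of the PKI admin functions. The sample lines are copied from the listing above.

```python
import re

# PERMIT lines copied from the IKYSETUP log above (no constructed values).
IKYSETUP_LOG = """\
PERMIT 'PKISRVD.**' ID(PKISRVD) ACCESS(ALTER)
PERMIT 'PKISRVD.**' ID(PKIGRP) ACCESS(CONTROL)
PERMIT BPX.SERVER CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(PKISRVD) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(PKISRVD) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(WEBSRV) ACCESS(READ)
PERMIT BPX.SRV.PKISERV CLASS(SURROGAT) ID(WEBSRV) ACCESS(READ)
PERMIT IRR.DIGTCERT.CERTIFAUTH.* CLASS(CSFKEYS) ID(PKISRVD) ACCESS(READ)
PERMIT IRR.RPKISERV.** CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
"""

# A DATASET profile is quoted and carries no CLASS(...); general resources do.
PERMIT_RE = re.compile(
    r"^PERMIT\s+'?(?P<profile>[^'\s]+)'?"
    r"(?:\s+CLASS\((?P<cls>\w+)\))?"
    r"\s+ID\((?P<id>\w+)\)\s+ACCESS\((?P<access>\w+)\)",
    re.IGNORECASE,
)

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def parse_permits(log):
    """Return (class, profile, id, access) tuples for every PERMIT in the log."""
    grants = []
    for line in log.splitlines():
        m = PERMIT_RE.match(line.strip())
        if m:
            grants.append((m["cls"] or "DATASET", m["profile"],
                           m["id"].upper(), m["access"].upper()))
    return grants


def grants_by_id(grants):
    """Group grants per user or group ID for an access review."""
    out = {}
    for cls, profile, uid, access in grants:
        out.setdefault(uid, set()).add((cls, profile, access))
    return out


def privileged_grants(grants, minimum="CONTROL"):
    """Grants at or above the given level; these deserve a second look."""
    return [g for g in grants if ACCESS_RANK[g[3]] >= ACCESS_RANK[minimum]]


def admin_lockout_present(grants):
    """True if PKISERV is explicitly denied IRR.RPKISERV.PKIADMIN."""
    return ("FACILITY", "IRR.RPKISERV.PKIADMIN", "PKISERV", "NONE") in grants
```

Without the explicit ACCESS(NONE), the generic IRR.RPKISERV.** grant at CONTROL would cover PKIADMIN as well, which is exactly what this check is meant to catch.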