Running IKYSETUP to perform RACF administration
You need to perform this task if you are configuring PKI Services for the first time or adding a new CA domain.
PKI Services provides SYS1.SAMPLIB(IKYSETUP), a REXX exec, to perform RACF® administration tasks for setting up PKI Services.
The RACF administrator updates and runs this REXX exec, which issues RACF commands to perform the following tasks:
- Adding groups and user IDs:
  - Setting up the PKI Services administration group
  - Creating the PKI Services daemon user ID
  - Giving appropriate access to the RACF group
  - Creating the surrogate user ID and giving the surrogate user ID authority to generate certificates

    A surrogate user ID is the identity that is assigned to client processes when they are requesting certificate services. A surrogate user ID is required for external clients. Guideline: For simplicity, use surrogate user IDs for internal clients also, rather than allowing them to access PKI Services under their own identities.
  - Associating the PKI Services daemon user ID with the PKI Services started procedure
- Setting up access control to protect end-user and administrative functions of PKI Services:
  - Authorizing the PKI Services daemon user ID for CA functions
  - Authorizing the PKI Services daemon user ID to access the Resource Recovery Services attachment facility (RRSAF), if you use DB2® as the repository for the object store and ICL
  - Giving administrators access to VSAM data sets, if you use VSAM as the repository for the object store and ICL
  - Optionally authorizing PKI Services for ICSF resources
  - Optionally defining granular administrative controls
- Creating certificate authority (CA), registration authority (RA), and SSL certificates:
  - Creating a CA certificate and private key
  - Backing them up to a password-protected MVS™ data set
  - Optionally migrating the private key to ICSF
  - Optionally creating an RA certificate and private key for Simple Certificate Enrollment Protocol (SCEP)
  - Creating a SAF key ring and connecting the CA certificate to it
  - Exporting the CA certificate to an MVS data set and to a file system file
  - Generating a server certificate signed by the new CA
  - Creating a key ring for the web server
  - Connecting the web server certificate and any trusted CA certificates to that key ring
- Setting up the IBM® HTTP Server for surrogate operation
- Allowing PKI Services to generate key pairs for certificate requests
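The following REXX exec is an added illustration of the RACF work listed above; it is not the contents of SYS1.SAMPLIB(IKYSETUP), whose variables, defaults and command sequence differ. Every group, user ID, started-procedure name, UID/GID, certificate label, ring name, data set name and access level in it is an assumption chosen for the example (PKIGRP, PKISRVD, PKISERVD, PKISRVU, WEBSRV, CAring, SSLring, 'Local PKI CA'), and the ICSF, RRSAF/VSAM and SCEP steps are left out. The `run` switch mirrors the practice of listing the RACF commands for review before issuing them.

```rexx
/* REXX - illustrative RACF setup for one PKI Services CA domain.    */
/* Added example, NOT SYS1.SAMPLIB(IKYSETUP). Every name, number and  */
/* access level below is an assumption; adjust before running.        */

run       = 0                  /* 0 = list commands only, 1 = issue them  */
pki_group = 'PKIGRP'           /* assumed RACF group of PKI administrators */
daemon    = 'PKISRVD'          /* assumed daemon user ID (protected, no pw) */
proc      = 'PKISERVD'         /* assumed started procedure name           */
surrogate = 'PKISRVU'          /* assumed surrogate user ID for web clients*/
webserver = 'WEBSRV'           /* assumed IBM HTTP Server user ID          */
ca_label  = 'Local PKI CA'     /* assumed CA certificate label             */
ca_ring   = 'CAring'           /* assumed ring the daemon signs from       */
ssl_ring  = 'SSLring'          /* assumed web server SSL ring              */
backup_pw = 'CHANGE-ME'        /* protects the PKCS#12 backup data set     */
n = 0

/* ---- groups and user IDs (NOPASSWORD = protected, cannot log on) ---- */
call q "ADDGROUP" pki_group "OMVS(GID(701))"
call q "ADDUSER" daemon "NOPASSWORD DFLTGRP("pki_group")",
      "OMVS(UID(702) HOME('/') PROGRAM('/bin/sh'))"
call q "ADDUSER" surrogate "NOPASSWORD DFLTGRP("pki_group")",
      "OMVS(UID(703) HOME('/') PROGRAM('/bin/sh'))"
/* bind the daemon user ID to the started procedure */
call q "RDEFINE STARTED" proc".* STDATA(USER("daemon")",
      "GROUP("pki_group") TRUSTED(NO))"

/* ---- access control: administrators, daemon, surrogate ---- */
call q "RDEFINE FACILITY IRR.RPKISERV.PKIADMIN UACC(NONE)"
call q "PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY) ID("pki_group")",
      "ACCESS(UPDATE)"
/* daemon: read its own ring, sign with the CERTAUTH private key        */
/* (assumed levels; confirm against the PKI Services documentation)     */
call q "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID("daemon") ACCESS(READ)"
call q "PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID("daemon") ACCESS(CONTROL)"
/* surrogate: the level granted on IRR.RPKISERV.* resources decides what */
/* the surrogate may do; READ is an assumption here, check the tables    */
call q "RDEFINE FACILITY IRR.RPKISERV.GENCERT UACC(NONE)"
call q "PERMIT IRR.RPKISERV.GENCERT CLASS(FACILITY) ID("surrogate") ACCESS(READ)"
/* let the web server switch to the surrogate identity (SURROGAT class); */
/* the server also needs BPX.SERVER access, handled in the HTTP Server setup */
call q "RDEFINE SURROGAT BPX.SRV."surrogate" UACC(NONE)"
call q "PERMIT BPX.SRV."surrogate" CLASS(SURROGAT) ID("webserver") ACCESS(READ)"

/* ---- CA certificate and key, ring, password-protected backup, export ---- */
call q "RACDCERT CERTAUTH GENCERT",
      "SUBJECTSDN(CN('Example PKI CA') O('Example Corp') C('US'))",
      "WITHLABEL('"ca_label"') SIZE(2048) KEYUSAGE(CERTSIGN)",
      "NOTAFTER(DATE(2035-01-01))"
call q "RACDCERT ID("daemon") ADDRING("ca_ring")"
call q "RACDCERT ID("daemon") CONNECT(CERTAUTH LABEL('"ca_label"')",
      "RING("ca_ring") USAGE(PERSONAL) DEFAULT)"
call q "RACDCERT CERTAUTH EXPORT(LABEL('"ca_label"'))",
      "DSN('PKI.CA.BACKUP.P12') FORMAT(PKCS12DER) PASSWORD('"backup_pw"')"
call q "RACDCERT CERTAUTH EXPORT(LABEL('"ca_label"'))",
      "DSN('PKI.CA.CERT.B64') FORMAT(CERTB64)"

/* ---- web server certificate signed by the new CA, and its ring ---- */
call q "RACDCERT ID("webserver") GENCERT",
      "SUBJECTSDN(CN('pki.example.com') O('Example Corp') C('US'))",
      "WITHLABEL('PKI Web Server') SIZE(2048)",
      "SIGNWITH(CERTAUTH LABEL('"ca_label"'))"
call q "RACDCERT ID("webserver") ADDRING("ssl_ring")"
call q "RACDCERT ID("webserver") CONNECT(ID("webserver")",
      "LABEL('PKI Web Server') RING("ssl_ring") USAGE(PERSONAL) DEFAULT)"
call q "RACDCERT ID("webserver") CONNECT(CERTAUTH LABEL('"ca_label"')",
      "RING("ssl_ring") USAGE(CERTAUTH))"

/* classes assumed active and RACLISTed; refresh so permits take effect */
call q "SETROPTS RACLIST(STARTED FACILITY SURROGAT) REFRESH"

/* List (and, if run = 1, issue) the queued commands; stop on first failure */
do i = 1 to n
  say cmd.i
  if run then do
    address TSO cmd.i
    if rc <> 0 then do
      say 'Command failed with RC' rc '- stopping.'
      exit rc
    end
  end
end
exit 0

q: procedure expose n cmd.      /* queue one RACF command string */
  n = n + 1
  cmd.n = arg(1)
return
```

Run it from TSO under a user ID with RACF SPECIAL and the digital-certificate authority the RACDCERT commands need, first with `run = 0` to review the command list, then with `run = 1`. Points worth checking before the second pass: the STARTED, FACILITY and SURROGAT classes must be active and RACLISTed or the refresh fails; the PKCS#12 backup password must be replaced and the backup data set protected by a RACF DATASET profile; and the access levels on the IRR.RPKISERV.* and IRR.DIGTCERT.* resources should be taken from the PKI Services access-control tables rather than from this example.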