Running IKYSETUP to perform RACF administration

You need to perform this task if you are configuring PKI Services for the first time or adding a new CA domain.

PKI Services provides SYS1.SAMPLIB(IKYSETUP), a REXX exec, to perform RACF® administration tasks for setting up PKI Services. The RACF administrator updates and runs this REXX exec, which issues RACF commands to perform the following tasks:
  • Adding groups and user IDs
    • Setting up the PKI Services administration group
    • Creating the PKI Services daemon user ID
    • Giving appropriate access to the RACF group
    • Creating the surrogate user ID and giving the surrogate user ID authority to generate certificates

      A surrogate user ID is the identity assigned to client processes while they are requesting certificate services. A surrogate user ID is required for external clients. Guideline: For simplicity, also use surrogate user IDs for internal clients, rather than letting them access PKI Services under their own identities.

    • Associating the PKI Services daemon user ID with the PKI Services started procedure
  • Setting up access control to protect end-user and administrative functions of PKI Services:
    • Authorizing the PKI Services daemon user ID for CA functions
    • Authorizing the PKI Services daemon user ID to access the Resource Recovery Services attachment facility (RRSAF), if you use DB2® as the repository for the object store and ICL
    • Giving administrators access to VSAM data sets, if you use VSAM as the repository for the object store and ICL
    • Optionally authorizing PKI Services for ICSF resources
    • Optionally defining granular administrative controls
  • Creating certificate authority (CA), registration authority (RA), and SSL certificates:
    • Creating a CA certificate and private key
    • Backing them up to a password-protected MVS™ data set
    • Optionally migrating the private key to ICSF
    • Optionally creating an RA certificate and private key for Simple Certificate Enrollment Protocol (SCEP)
    • Creating a SAF key ring and associating it with the certificate
    • Exporting the CA certificate to an MVS data set and file system file
    • Generating a server certificate signed by the new CA
    • Creating a key ring for the web server
    • Associating the web server and any trusted CA certificates to the key ring
  • Setting up the IBM® HTTP Server for surrogate operation
  • Allowing PKI Services to generate key pairs for certificate requests
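The certificate and key ring steps above, shown as the RACF commands a REXX exec would issue. This is an added illustration, not the content of SYS1.SAMPLIB(IKYSETUP); the user IDs, ring names, labels, data set names and the backup password are placeholders you replace with your own values.

```rexx
/* REXX - added example, not SYS1.SAMPLIB(IKYSETUP). All names are assumed. */
daemon  = 'PKISRVD'          /* PKI Services daemon user ID (placeholder) */
webid   = 'WEBSRV'           /* IBM HTTP Server user ID (placeholder)     */
calabel = 'Local PKI CA'     /* CA certificate label (placeholder)        */
caring  = 'CARING'           /* key ring used by the daemon (placeholder) */
sslring = 'SSLRING'          /* key ring used by the web server           */
backup  = "'PKI.CA.BACKUP.P12'"   /* password-protected backup data set  */

/* CA certificate and private key, kept in RACF here (ICSF migration is a
   separate, optional step). KEYUSAGE(CERTSIGN) limits the CA key to
   signing certificates, so it cannot double as a TLS server key.        */
"RACDCERT CERTAUTH GENCERT" ,
   "SUBJECTSDN(CN('Local PKI CA') O('Example Corp') C('US'))" ,
   "WITHLABEL('"calabel"') SIZE(2048) NOTAFTER(DATE(2035-12-31))" ,
   "KEYUSAGE(CERTSIGN)"

/* Back up certificate and private key to a password-protected data set  */
"RACDCERT CERTAUTH EXPORT(LABEL('"calabel"'))" ,
   "DSN("backup") FORMAT(PKCS12DER) PASSWORD('change-me')"

/* Export the certificate alone (no key) for distribution to clients     */
"RACDCERT CERTAUTH EXPORT(LABEL('"calabel"'))" ,
   "DSN('PKI.CA.CERT.DER') FORMAT(CERTDER)"

/* Daemon key ring: the CA is connected as PERSONAL and DEFAULT so the
   daemon can sign with its private key                                  */
"RACDCERT ID("daemon") ADDRING("caring")"
"RACDCERT ID("daemon") CONNECT(CERTAUTH LABEL('"calabel"')" ,
   "RING("caring") USAGE(PERSONAL) DEFAULT)"

/* Server certificate for the web server, signed by the new CA           */
"RACDCERT ID("webid") GENCERT" ,
   "SUBJECTSDN(CN('pki.example.com') O('Example Corp') C('US'))" ,
   "WITHLABEL('PKI Web Server') SIZE(2048) NOTAFTER(DATE(2027-12-31))" ,
   "SIGNWITH(CERTAUTH LABEL('"calabel"'))"

/* Web server key ring: its own certificate as PERSONAL/DEFAULT, the CA
   as a trusted CERTAUTH entry only, so the web server never gets the
   CA private key                                                        */
"RACDCERT ID("webid") ADDRING("sslring")"
"RACDCERT ID("webid") CONNECT(ID("webid") LABEL('PKI Web Server')" ,
   "RING("sslring") USAGE(PERSONAL) DEFAULT)"
"RACDCERT ID("webid") CONNECT(CERTAUTH LABEL('"calabel"')" ,
   "RING("sslring") USAGE(CERTAUTH))"

/* Make the new certificate and ring profiles visible to running tasks   */
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"
```

Verify the result with RACDCERT LISTRING for each ring: the daemon's ring should show the CA with PERSONAL usage, while the web server's ring shows the CA with CERTAUTH usage only.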