Steps for starting the PKI Services daemon

You need to start the PKI Services daemon if:
  • You are configuring PKI Services for the first time.
  • You want to enable Simple Certificate Enrollment Protocol (SCEP).
  • You renewed your CA or RA certificate.
  • You want to use Parallel Sysplex® support and need to run another instance of the PKI Services on a different image in the sysplex.
  • You stopped PKI Services and need to restart it.
  • You created a new (additional) CA domain and want to start it.
  • The PKI Services CA certificate private key is managed by ICSF and ICSF became unavailable. After you fix the problem with ICSF, you need to stop and restart PKI Services.
  • You use DB2® tables for the object store and ICL, and you need to stop DB2. You must stop PKI Services first. After DB2 restarts, restart PKI Services.

Before you begin

  • Your HTTP server should be SSL-enabled (see Updating IBM HTTP Server - Powered by Apache configuration and starting the server) and the uncustomized PKISERV application should be ready for use.
  • If you are starting PKI Services for the first time, you need to know the runtime directory, called runtime-dir in the command examples. The default is /etc/pkiserv/. The MVS™ programmer was asked to record any changes to the default; see Table 1.
  • If you are starting PKI Services for a new CA domain, you need to know the job name that contains the instance of the daemon you need to start. Do not use these steps. Instead, see Adding a new CA domain for steps to add a new domain and start the new daemon.

Procedure

Perform the following steps to start the PKI Services daemon and view your web pages:
  1. If you have not done so already, start the web server and the LDAP server.

  2. If you want to test the configuration to this point before customizing PKI Services (preferred), you need to temporarily prevent PKI Services from posting issued certificates to LDAP, because posting to LDAP does not succeed at this point. Have the UNIX programmer perform the following steps to prevent PKI Services from posting issued certificates to LDAP:
    1. Edit the PKI Services configuration file (by default, this is: /etc/pkiserv/pkiserv.conf).

    2. Set NumServers=0 in the LDAP section of the file.

    3. Exit to save your changes.
    Note: After testing the configuration, you need to stop PKI Services and undo the change in this step (see Step 5) and then restart PKI Services.

  3. Start the PKI Services daemon from the MVS console by entering the following command:
    S PKISERVD
    Notes:
    1. You must start the PKI Services daemon only from a started procedure. PKI Services rejects all other methods of starting the daemon (including INETD, /etc/rc, UNIX shell, or submitted JCL job).
    2. Depending on the amount of customization you did, there are various versions of the preceding command to start the PKI Services daemon. For example, if you changed the pkiserv.envars file (see Step 7), you need to specify its new location as a parameter in the START command:
      S PKISERVD,DIR='runtime-dir'

      (Single quotation marks are required to maintain the character case of the values being assigned to the substitution parameters.)

      The command in the following example specifies the runtime directory and the file name of the environment variables file:

      Example:
      S PKISERVD,DIR='/etc/pkiserv',FN='pkiserv.envars'

      The default time zone is EST5EDT. If you need to change this, you can supply the new value as a parameter, as in the following examples:

      Examples:
      S PKISERVD,TZ=PST8PDT
      S PKISERVD,JOBNAME=jobname,DIR='/etc/pkiserv',FN='pkiserv.envars',TZ=PST8PDT

  4. Go to your web pages by entering the following URL from your browser:
    http://webserver-fully-qualified-domain-name/PKIServ/public-cgi/camain.rexx

    The webserver-fully-qualified-domain-name is the common name (CN) portion of the web server's distinguished name; see Table 1.

    You should be able to go through your web pages to request, retrieve, and revoke a certificate of type "PKI browser certificate for authenticating to z/OS®". Ensure you can do this before trying to customize the application.

  5. If you elected to test the configuration, you need to stop PKI Services (see Stopping the PKI Services daemon), undo the change in Step 2, and then restart PKI Services. To undo the change in Step 2:
    1. Edit the PKI Services configuration file (by default /etc/pkiserv/pkiserv.conf).
    2. Set NumServers=n in the LDAP section of the file, where n is the same number of LDAP servers indicated in Table 1.
    3. Exit to save your changes.
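The NumServers toggle in Steps 2 and 5 is easy to get wrong by hand (the key must change only inside the [LDAP] stanza, and the original value must be restored before the daemon is restarted for real). The following script is an added example, not part of the IBM documentation or the PKI Services product: it edits NumServers only within the [LDAP] stanza of a pkiserv.conf-style file, keeps a .bak copy for the undo step, and reads the value back so the change can be verified before S PKISERVD. The sample configuration contents, the [Other] stanza and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the stanza layout of pkiserv.conf (not the shipped file).
# The [Other] stanza carries a same-named key to show the edit is stanza-scoped.
make_sample_conf() {
  cat > "$1" <<'EOF'
# constructed sample pkiserv.conf
[LDAP]
NumServers=2
Server1=ldap1.example.com:389
[Other]
NumServers=5
EOF
}

# Set NumServers in the [LDAP] stanza only; every other line is copied as-is.
# A .bak copy is written first so Step 5 can restore the original value.
set_ldap_numservers() {
  f=$1; n=$2
  cp "$f" "$f.bak" || return 1
  awk -v n="$n" '
    /^\[/ { in_ldap = ($0 == "[LDAP]") }          # track which stanza we are in
    in_ldap && /^[ \t]*NumServers[ \t]*=/ { print "NumServers=" n; next }
    { print }
  ' "$f.bak" > "$f"
}

# Read back NumServers from the [LDAP] stanza (first match wins).
get_ldap_numservers() {
  awk '
    /^\[/ { in_ldap = ($0 == "[LDAP]") }
    in_ldap && /^[ \t]*NumServers[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# Walk through Step 2 (disable posting) and Step 5 (restore) on the sample file.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
set_ldap_numservers "$demo_conf" 0
echo "after Step 2, [LDAP] NumServers=$(get_ldap_numservers "$demo_conf")"
set_ldap_numservers "$demo_conf" 2
echo "after Step 5, [LDAP] NumServers=$(get_ldap_numservers "$demo_conf")"
rm -f "$demo_conf" "$demo_conf.bak"
```

Run get_ldap_numservers against the real /etc/pkiserv/pkiserv.conf before each restart to confirm the stanza holds the value you expect.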
