Subtask 2: Steps for reconfiguring your initial CA domain to allow it to coexist with other CA domains
- If PKI Services is running,
stop it by issuing the following MVS™ console command:
P PKISERVD
________________________________________________________________
- Update the PKI Services environment
variables in the pkiserv.envars file as follows.
- (Optional) If your initial CA domain does not use its own pkiserv.envars file, copy the default pkiserv.envars file from the PKI Services install directory by issuing the following command from
the UNIX command line:
cp -p /usr/lpp/pkiserv/samples/pkiserv.envars /etc/pkiserv
- Edit the new copy of pkiserv.envars file by entering
the following command:
oedit /etc/pkiserv/pkiserv.envars
- Add a PKI Services environment variable identifying your initial CA domain
name (see Table 1) in uppercase characters. Example:
_PKISERV_CA_DOMAIN=CUSTOMERS
_______________________________________________________________
- Update the HTTP server's environment variables and
configuration directives as follows.
- Update the HTTP server's environment variables.
The example below adds the setting to vhost80.conf (the host file for non-SSL requests) with the SetEnv HTTP directive.
Make the same changes to the vhost443 (host file for SSL requests with server authentication) and vhost1443 (host file for SSL requests with client authentication) configuration files, so that all three virtual hosts resolve the same CA domain names.
- Edit the vhost80.conf file by entering the following
command:
oedit /etc/websrv1/conf/vhost80.conf
- Add an environment variable identifying the runtime directory
of your initial CA domain. (Check Table 1.) Example:
SetEnv _PKISERV_CONFIG_PATH_CUSTOMERS "/etc/pkiserv"
- (Optional) If you intend to have a dedicated set of administrators
for each CA domain, add an environment variable that specifies the
runtime directory for the administrative domain. (Check Table 1.) Example:
SetEnv _PKISERV_CONFIG_PATH_PKISERV "/etc/pkiserv"
_______________________________________________________________
- Update the RACF® access
controls for the R_PKIServ SAF callable service as
follows. (Any change to environment variables in Step 3 requires a corresponding change to RACF access control.)
- Determine the PKI Services surrogate user ID (default is PKISERV) and the PKI Services administrators group (default is PKIGRP). To do this, refer to the log file created when the IKYSETUP REXX exec was originally run for your initial CA domain.
- Execute the following RACF commands from the TSO command line. Replace the highlighted values
with your own, if different. Examples:
Restriction: If the name of your initial CA domain is longer than 8 characters, you must truncate it to exactly 8 characters when you define the resource name in the FACILITY class profiles. (In this example, the name CUSTOMERS was truncated to CUSTOMER in the RDEFINE FACILITY and PERMIT commands.) The two RDELETE commands remove the single-domain profiles that the initial CA domain used before it was reconfigured; the domain-qualified profiles that replace them are what let each CA domain be authorized separately.
RDELETE FACILITY IRR.RPKISERV.**
RDEFINE FACILITY IRR.RPKISERV.*.CUSTOMER
PERMIT IRR.RPKISERV.*.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
RDELETE FACILITY IRR.RPKISERV.PKIADMIN
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.CUSTOMER
PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
_______________________________________________________________
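The three naming forms above (the uppercase domain name in pkiserv.envars, the SetEnv variable suffix in the vhost files, and the 8-character RACF resource qualifier) must agree, and the truncation rule is easy to get wrong. The following shell script is an added example, not part of the IBM procedure: it derives all three forms from one domain name, emits the matching envars line, SetEnv directive and RACF commands, and checks existing files for consistency. The function names, the defaults of PKISERV and PKIGRP, and the file-check logic are assumptions made for this example; the generated RACF commands still have to be entered from TSO on the z/OS system.

```shell
# Added example (not part of the IBM documentation): derive the forms of a
# CA domain name that must agree across pkiserv.envars, the HTTP server
# SetEnv directives and the RACF FACILITY profiles, and emit the matching
# lines. Surrogate user ID and administrators group default to PKISERV and
# PKIGRP as in the procedure; pass your own values if they differ.

# Uppercase form used in _PKISERV_CA_DOMAIN and in the SetEnv variable name.
pki_upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# RACF form: the FACILITY resource qualifier is at most 8 characters,
# so a longer domain name is truncated (CUSTOMERS becomes CUSTOMER).
pki_racf_name() {
    pki_upper "$1" | cut -c1-8
}

# True (exit 0) when truncation changes the name, so the operator knows the
# RACF profiles will not spell the domain exactly as the envars file does.
pki_is_truncated() {
    [ "$(pki_upper "$1")" != "$(pki_racf_name "$1")" ]
}

# Line for the domain's own pkiserv.envars file.
pki_envars_line() {
    printf '_PKISERV_CA_DOMAIN=%s\n' "$(pki_upper "$1")"
}

# SetEnv directive for vhost80.conf, vhost443 and vhost1443: maps the
# domain name to its runtime directory ($2).
pki_setenv_line() {
    printf 'SetEnv _PKISERV_CONFIG_PATH_%s "%s"\n' "$(pki_upper "$1")" "$2"
}

# RACF commands (TSO) for one CA domain: $1 domain, $2 surrogate user ID,
# $3 administrators group. The surrogate ID gets CONTROL on the
# end-user functions and is explicitly denied the administrative profile.
pki_racf_commands() {
    r=$(pki_racf_name "$1")
    surrogate=${2:-PKISERV}
    admgrp=${3:-PKIGRP}
    cat <<EOF
RDEFINE FACILITY IRR.RPKISERV.*.$r
PERMIT IRR.RPKISERV.*.$r CLASS(FACILITY) ID($surrogate) ACCESS(CONTROL)
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.$r
PERMIT IRR.RPKISERV.PKIADMIN.$r CLASS(FACILITY) ID($admgrp) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN.$r CLASS(FACILITY) ID($surrogate) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH
EOF
}

# One-time removal of the single-domain profiles the initial CA domain used
# before it was reconfigured; not needed again when adding later domains.
pki_racf_remove_single_domain_profiles() {
    cat <<EOF
RDELETE FACILITY IRR.RPKISERV.**
RDELETE FACILITY IRR.RPKISERV.PKIADMIN
EOF
}

# Consistency check over existing files: the envars file ($2) must name the
# domain and the vhost file ($3) must carry a SetEnv for the same uppercase
# name. Exit status 0 when both are present.
pki_check_files() {
    dom=$(pki_upper "$1")
    grep -q "^_PKISERV_CA_DOMAIN=$dom\$" "$2" &&
    grep -q "^SetEnv _PKISERV_CONFIG_PATH_$dom " "$3"
}

# Usage, for the CUSTOMERS domain of the procedure:
#   pki_envars_line customers
#   pki_setenv_line customers /etc/pkiserv
#   pki_racf_remove_single_domain_profiles; pki_racf_commands customers
#   pki_check_files customers /etc/pkiserv/pkiserv.envars /etc/websrv1/conf/vhost80.conf
```

Run the check against each of vhost80.conf, vhost443 and vhost1443 in turn; a SetEnv that is present in only one of them produces a domain that works over plain HTTP but fails on the SSL virtual hosts, which is a confusing failure to diagnose later.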
- (Optional) You have reconfigured your initial CA domain to allow
it to coexist with other CA domains. If you want, you can test the
reconfiguration now. To test it, follow these steps:
- Restart PKI Services using the following MVS console command. Replace the highlighted values with your own, if
different.
Guideline: To simplify your environment, start this instance of PKI Services using a JOBNAME that matches the truncated name of the CA domain. (See your truncated value in Table 1.) If you use the truncated values as job names, it is easier to distinguish multiple jobs that run PKI Services after you add other CA domains.
Example:
S PKISERVD,JOBNAME=CUSTOMER,DIR='/etc/pkiserv/'
- Restart the HTTP servers to enable your environment variable changes.
F IMWEBSRV,APPL=-restart
- Test that your PKI Services application
is functioning properly. Go to your web pages by entering the following
URL from your browser:
http://webserver-fully-qualified-domain-name/PKIServ/public-cgi/camain.rexx
The webserver-fully-qualified-domain-name is the common name (CN) portion of the web server's distinguished name; see Table 1.
You should be able to go through your web pages to request, retrieve, and revoke a certificate of type "PKI browser certificate for authenticating to z/OS®". Ensure you can do this before adding an additional CA domain.
_______________________________________________________________
Continue to the next subtask. Guideline: Complete Subtasks 3 - 8 for your first new CA domain and ensure that it operates properly before adding another CA domain.