Subtask 2: Steps for reconfiguring your initial CA domain to allow it to coexist with other CA domains

Perform the following steps to reconfigure your initial CA domain to allow it to coexist with other CA domains. (This is a one-time setup that suffices no matter how many CA domains you add.)
  1. If PKI Services is running, stop it by issuing the following MVS™ console command:
    P PKISERVD

    ________________________________________________________________

  2. Update the PKI Services environment variables in the pkiserv.envars file as follows.
    1. (Optional) If your initial CA domain does not use its own pkiserv.envars file, copy the default pkiserv.envars file from the PKI Services install directory by issuing the following command from the UNIX command line:
      cp -p /usr/lpp/pkiserv/samples/pkiserv.envars /etc/pkiserv
    2. Edit the new copy of pkiserv.envars file by entering the following command:
      oedit /etc/pkiserv/pkiserv.envars
    3. Add a PKI Services environment variable identifying your initial CA domain name (see Table 1) in uppercase characters.
      Example:
      _PKISERV_CA_DOMAIN=CUSTOMERS

    _______________________________________________________________

  3. Update the HTTP server's environment variables and configuration directives as follows.
    1. Update the HTTP server's environment variables. The example below adds the setting to vhost80.conf (the virtual host file for non-SSL requests) by using the SetEnv HTTP directive. Make the same changes to vhost443.conf (the virtual host file for SSL requests with server authentication) and vhost1443.conf (the virtual host file for SSL requests with client authentication).
      1. Edit the vhost80.conf file by entering the following command:
        oedit /etc/websrv1/conf/vhost80.conf
      2. Add an environment variable identifying the runtime directory of your initial CA domain. (Check Table 1.)
        Example:
        SetEnv _PKISERV_CONFIG_PATH_CUSTOMERS "/etc/pkiserv"
      3. (Optional) If you intend to have a dedicated set of administrators for each CA domain, add an environment variable that specifies the runtime directory for the administrative domain. (Check Table 1.)
        Example:
        SetEnv _PKISERV_CONFIG_PATH_PKISERV "/etc/pkiserv"

    _______________________________________________________________

  4. Update the RACF® access controls for the R_PKIServ SAF callable service as follows. (Each environment variable added in Step 3 requires a corresponding change to RACF access control; the FACILITY class profile names must be qualified with the same CA domain name that the environment variables identify.)
    1. Determine the PKI Services surrogate user ID (default is PKISERV) and the PKI Services administrators group (default is PKIGRP). To do this, refer to the log file created when the IKYSETUP REXX exec was originally run for your initial CA domain.
    2. Execute the following RACF commands from the TSO command line. The example uses CUSTOMER (the truncated CA domain name), PKISERV (the surrogate user ID), and PKIGRP (the administrators group); replace these with your own values, if different:
      Examples:
      RDELETE FACILITY IRR.RPKISERV.**
      RDEFINE FACILITY IRR.RPKISERV.*.CUSTOMER
      PERMIT IRR.RPKISERV.*.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(CONTROL)
      RDELETE FACILITY IRR.RPKISERV.PKIADMIN
      RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.CUSTOMER
      PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKIGRP) ACCESS(UPDATE)
      PERMIT IRR.RPKISERV.PKIADMIN.CUSTOMER CLASS(FACILITY) ID(PKISERV) ACCESS(NONE)
      SETROPTS RACLIST(FACILITY) REFRESH
      The two RDELETE commands remove the domain-independent profiles that IKYSETUP created for the initial CA domain; the RDEFINE and PERMIT commands replace them with profiles qualified by the CA domain name. Keep the explicit ACCESS(NONE) for the surrogate user ID on the PKIADMIN profile: it denies administrative functions to the user ID under which web requests are processed, so that only members of the administrators group can perform them.
      Restriction: If the name of your initial CA domain is longer than 8 characters, you must truncate it to exactly 8 characters wherever it appears in a FACILITY class profile name. (In this example, the name CUSTOMERS is truncated to CUSTOMER in every RDEFINE and PERMIT command.)

    _______________________________________________________________

  5. (Optional) You have reconfigured your initial CA domain to allow it to coexist with other CA domains. If you want, you can test the reconfiguration now. To test it, follow these steps:
    1. Restart PKI Services using the following MVS console command. Replace the job name and runtime directory (CUSTOMER and /etc/pkiserv/ in the example) with your own, if different.

      Guideline: To simplify your environment, start this instance of PKI Services using a JOBNAME that matches the truncated name of the CA domain. (See your truncated value in Table 1.) If you use the truncated values as job names, it is easier to distinguish multiple jobs that run PKI Services after you add other CA domains.

      Example:
      S PKISERVD,JOBNAME=CUSTOMER,DIR='/etc/pkiserv/'
    2. Restart the HTTP servers to enable your environment variable changes.
      F IMWEBSRV,APPL=-restart 
    3. Test that your PKI Services application is functioning properly. Go to your web pages by entering the following URL from your browser:
      http://webserver-fully-qualified-domain-name/PKIServ/public-cgi/camain.rexx

      The webserver-fully-qualified-domain-name is the common name (CN) portion of the web server's distinguished name; see Table 1.

      You should be able to go through your web pages to request, retrieve, and revoke a certificate of type "PKI browser certificate for authenticating to z/OS®". Ensure you can do this before adding an additional CA domain.

    _______________________________________________________________
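The truncation rule in Step 4 has a consequence worth checking before you add further domains: two CA domain names that agree in their first 8 characters (for example CUSTOMERS and CUSTOMER1) map to the same FACILITY class profile names, so one domain's administrators group would receive UPDATE access to the other domain's PKIADMIN profile. The following POSIX shell script is an added example; it is not part of the IBM documentation or of the PKI Services product. It derives the profile-name form of a domain name, generates the per-domain RDEFINE and PERMIT commands from Step 4 (the one-time RDELETE of the domain-independent profiles is not generated), and refuses to emit anything if two of the given domains would collide. The surrogate user ID PKISERV and group PKIGRP are the defaults named on this page; the domain names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the IBM PKI Services documentation): generate the
# RACF FACILITY class commands from Step 4 for one or more CA domains, applying
# the 8-character truncation rule, and detect the case where two domain names
# truncate to the same profile name (they would then share access controls).

# racf_domain_name DOMAIN
#   Prints the domain name in the form used in FACILITY profile names:
#   uppercase (the page requires uppercase) and cut to its first 8 characters.
racf_domain_name() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | cut -c1-8
}

# racf_commands DOMAIN SURROGATE_ID ADMIN_GROUP
#   Prints the per-domain RDEFINE and PERMIT commands from Step 4. The explicit
#   ACCESS(NONE) for the surrogate ID on the PKIADMIN profile is kept so that
#   web requests processed under that ID cannot perform administrative functions.
racf_commands() {
    dom=$(racf_domain_name "$1")
    sid=$2
    grp=$3
    printf 'RDEFINE FACILITY IRR.RPKISERV.*.%s\n' "$dom"
    printf 'PERMIT IRR.RPKISERV.*.%s CLASS(FACILITY) ID(%s) ACCESS(CONTROL)\n' "$dom" "$sid"
    printf 'RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.%s\n' "$dom"
    printf 'PERMIT IRR.RPKISERV.PKIADMIN.%s CLASS(FACILITY) ID(%s) ACCESS(UPDATE)\n' "$dom" "$grp"
    printf 'PERMIT IRR.RPKISERV.PKIADMIN.%s CLASS(FACILITY) ID(%s) ACCESS(NONE)\n' "$dom" "$sid"
}

# racf_names_distinct DOMAIN...
#   Returns 0 if every domain maps to a distinct truncated profile name,
#   1 if two or more domains would share one (a truncation collision).
racf_names_distinct() {
    seen=" "
    for d in "$@"; do
        n=$(racf_domain_name "$d")
        case "$seen" in
            *" $n "*) return 1 ;;
        esac
        seen="$seen$n "
    done
    return 0
}

# When run directly with domain names as arguments, emit the commands for all
# of them (assumed defaults PKISERV and PKIGRP), refusing on a collision.
if [ "$#" -gt 0 ]; then
    if ! racf_names_distinct "$@"; then
        echo "error: two CA domain names truncate to the same 8-character profile name" >&2
        exit 1
    fi
    for d in "$@"; do
        racf_commands "$d" PKISERV PKIGRP
    done
    echo 'SETROPTS RACLIST(FACILITY) REFRESH'
fi
```

Run it as `sh gen-racf.sh CUSTOMERS EMPLOYEES` to get the command set for each domain; run it with `CUSTOMERS CUSTOMER1` and it exits with an error instead, which is the case to resolve by choosing domain names that differ within their first 8 characters.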

When you are done: You have successfully reconfigured your initial CA domain to allow it to coexist with other CA domains. You can now perform each of the remaining subtasks once for each new CA domain.

Continue to the next subtask. Guideline: Complete Subtasks 3 - 8 for your first new CA domain and ensure that it operates properly before adding another CA domain.