Subtask 3: Steps for running the IKYSETUP exec
Before you begin
This procedure requires you to be familiar with the information in Running IKYSETUP to perform RACF administration. There are more details about the following steps there.
Procedure
- Locate the IKYSETUP exec that you originally customized for your
initial CA domain and copy it to a data set member that you can edit.
_______________________________________________________________
- Edit the new copy of IKYSETUP and set the ca_domain variable
to the name of this new CA domain. Type the domain name preserving
the case of each character as you want it to appear in web page URLs.
_______________________________________________________________
- If you intend to have a dedicated set of administrators for each
CA domain, customize the following variables with your values for
this CA domain.
| Variable name | Use your value from … |
|---------------|-----------------------|
| daemon_uid    | Table 1 |
| pki_gid       | Table 1 |
| pkigroup_mem  | Table 1 |
| surrog_uid    | Table 1 |
| daemon        | Table 1 |
| surrog        | Table 1 |
| pkigroup      | Table 1 (Use the truncated name of the administrative domain.) |
_______________________________________________________________
- (Optional) If you are creating multiple CAs as part
of a certificate hierarchy where a previous CA domain is to be superior
(as issuer or signer) of this CA domain, set signing_ca_label to
match the label of the certificate in RACF® that issues
the certificate for this CA domain.
Otherwise, skip to Step 5 and leave signing_ca_label="" (the default).
_______________________________________________________________
- Update any other values, such as ca_dn and ra_dn,
that you choose to differ from your initial settings or the defaults.
You need not change any values in this step unless you choose to set these values to something particular for your installation. (This is because when you specify a ca_domain value, the IKYSETUP exec automatically qualifies any value that PKI Services requires to be unique by adding the CA domain name.)
_______________________________________________________________
- Execute IKYSETUP by entering the following TSO command:
EX 'data-set-name(new-member-name)' 'RUN(NO)'
_______________________________________________________________
- Review the log data set to ensure that the commands created by
IKYSETUP match your expectations. (For more information about these
commands, see Actions IKYSETUP performs by issuing RACF commands.) Edit again as needed
and rerun.
_______________________________________________________________
- When you are satisfied with the commands and information in the
log data set, rerun the IKYSETUP exec by entering the following TSO
command:
EX 'data-set-name(new-member-name)' 'RUN(YES)'
_______________________________________________________________
- Check your IKYSETUP log and record the name of the SAF key ring
(your ca_ring value).
Name of the SAF key ring:
_______________________________________________________________
Continue to the next subtask.
Guideline: Complete all subtasks for this new CA domain and ensure that it operates properly before adding another CA domain.
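The following Python helper is an added example, not part of the IBM documentation or of the IKYSETUP exec. It supports the review of the RUN(NO) log before rerunning with RUN(YES): it counts the RACF commands by verb, flags any UACC other than NONE and any PERMIT to ID(*) or to an ID you did not plan for this CA domain, and extracts the key ring name to record. It assumes the log has been copied off the host as text with one RACF command per line; the IDs, group name, ring name and sample lines are constructed.

```python
import re
from collections import Counter

# Constructed RUN(NO) log excerpt. The one-command-per-line layout, the IDs,
# the ring name and the two deliberately loose lines are assumptions, not
# real IKYSETUP output.
SAMPLE_LOG = """\
ADDGROUP PKIGRPC OMVS(GID(655))
ADDUSER PKISRVC DFLTGRP(PKIGRPC) NOPASSWORD OMVS(UID(555))
RACDCERT ADDRING(CAring.Customers) ID(PKISRVC)
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN UACC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(*) ACCESS(READ)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(PKISRVC) ACCESS(CONTROL)
"""

VERBS = {"ADDGROUP", "ADDUSER", "ADDSD", "ALTUSER", "CONNECT",
         "PERMIT", "RACDCERT", "RDEFINE", "SETROPTS"}

def racf_commands(log):
    """Return log lines whose first word is a RACF command verb."""
    lines = (ln.strip() for ln in log.splitlines())
    return [ln for ln in lines if ln and ln.split()[0].upper() in VERBS]

def review(log, expected_ids):
    """Summarize commands, flag loose access, and collect key ring names.

    expected_ids: uppercase user and group IDs planned for this CA domain.
    """
    cmds = racf_commands(log)
    findings, rings = [], []
    for cmd in cmds:
        up = cmd.upper()
        uacc = re.search(r"\bUACC\((\w+)\)", up)
        if uacc and uacc.group(1) != "NONE":
            findings.append(("uacc-not-none", cmd))
        ids = re.search(r"\bID\(([^)]*)\)", up)
        if up.startswith("PERMIT ") and ids:
            for ident in re.findall(r"[^\s,]+", ids.group(1)):
                if ident == "*":
                    findings.append(("permit-to-all-users", cmd))
                elif ident not in expected_ids:
                    findings.append(("unexpected-id", cmd))
        ring = re.search(r"\bADDRING\(([^)]+)\)", cmd, re.I)
        if ring:
            rings.append(ring.group(1))  # keep case: ring names are case-sensitive
    verbs = Counter(c.split()[0].upper() for c in cmds)
    return verbs, findings, rings

if __name__ == "__main__":
    print(review(SAMPLE_LOG, {"PKISRVC", "PKIGRPC"}))
```

Any finding is a reason to edit the member and rerun with RUN(NO) rather than proceed to RUN(YES).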