Subtask 3: Steps for running the IKYSETUP exec

Before you begin

This procedure requires you to be familiar with the information in Running IKYSETUP to perform RACF administration. There are more details about the following steps there.

Procedure

Perform the following steps to customize a unique execution of the IKYSETUP REXX exec for this new CA domain.
  1. Locate the IKYSETUP exec that you originally customized for your initial CA domain and copy it to a data set member that you can edit.

    _______________________________________________________________

  2. Edit the new copy of IKYSETUP and set the ca_domain variable to the name of this new CA domain. Type the domain name preserving the case of each character as you want it to appear in web page URLs.

    _______________________________________________________________

  3. If you intend to have a dedicated set of administrators for each CA domain, customize the following variables with your values for this CA domain.
    Variable name    Use your value from …
    -------------    ---------------------
    daemon_uid       Table 1
    pki_gid          Table 1
    pkigroup_mem     Table 1
    surrog_uid       Table 1
    daemon           Table 1
    surrog           Table 1
    pkigroup         Table 1 (Use the truncated name of the administrative domain.)

    _______________________________________________________________

  4. (Optional) If you are creating multiple CAs as part of a certificate hierarchy in which a previous CA domain is to be superior to this CA domain (as its issuer or signer), set signing_ca_label to match the label of the certificate in RACF® that issues the certificate for this CA domain.

    Otherwise, skip to Step 5 and leave signing_ca_label="" (the default).

    _______________________________________________________________

  5. Update any other values, such as ca_dn and ra_dn, that you choose to differ from your initial settings or the defaults.

    You need not change any values in this step unless you choose to set these values to something particular for your installation. (This is because when you specify a ca_domain value, the IKYSETUP exec automatically qualifies any value that PKI Services requires to be unique by adding the CA domain name.)

    _______________________________________________________________

  6. Execute IKYSETUP by entering the following TSO command:
    EX 'data-set-name(new-member-name)' 'RUN(NO)'

    _______________________________________________________________

  7. Review the log data set to ensure that the commands created by IKYSETUP match your expectations. (For more information about these commands, see Actions IKYSETUP performs by issuing RACF commands.) Edit again as needed and rerun.

    _______________________________________________________________

  8. When you are satisfied with the commands and information in the log data set, rerun the IKYSETUP exec by entering the following TSO command:
    EX 'data-set-name(new-member-name)' 'RUN(YES)'

    _______________________________________________________________

  9. Check your IKYSETUP log and record the name of the SAF key ring (your ca_ring value).
    Name of the SAF key ring: 

    _______________________________________________________________

When you are done: You have customized and run the IKYSETUP exec for this CA domain. Record your progress in Table 1.

Continue to the next subtask.

Guideline: Complete all subtasks for this new CA domain and ensure that it operates properly before adding another CA domain.