Optionally updating the pkiserv.conf configuration file
You need to update the pkiserv.conf configuration file if you meet any of the following conditions:
- You are configuring PKI Services for the first time
- You are adding support for any of the following:
  - Running multiple instances of PKI Services in a sysplex
  - Running multiple CA domains on a single z/OS® image (see Adding a new CA domain)
  - Sending email notifications to users when the PKI Services administrator rejects a certificate request, or when a certificate is ready for retrieval or is about to expire
  - Customizing certificate revocation list (CRL) distribution point processing (see Customizing distribution point CRLs for details)
  - Automatic renewal of expiring certificates
  - Sending email notifications to administrators when requests are pending approval
  - A timeout value for the PKI Services exit
  - Generation of key pairs (public and private key) for certificates
  - Setting the time of day or the days on which the daily maintenance task runs, or specifying that it is not to run when the PKI Services daemon starts
  - The certificate management protocol (CMP)
  - Using DB2® tables instead of VSAM files for the object store and the issued certificate list (ICL)
  - Creating CRLs without the Issuing Distribution Point extension
  - Constraining the CA path length
  - Granular control of administrative functions
  - WTO notification
- You installed a new release of z/OS and had configured PKI Services on the earlier release. (For more information, see Updating pkiserv.conf after installing a new release of z/OS.)
The pkiserv.conf configuration file for the PKI Services daemon consists of sections of name-value pairs.

Important: Everything in the pkiserv.conf file, including section names, keys, and values, is case-sensitive. A section header such as [objectstore] is not recognized as [ObjectStore], so check spelling and case exactly when you edit the file.
Each section of the pkiserv.conf configuration file has a title enclosed in square brackets. The configuration file includes the following sections:
- [OIDs]
  The OIDs section specifies the object identifiers for the various nicknames that PKI Services uses internally. Each OID is specified in the following form:
      name=dotted-decimal
  The following excerpt is from the OIDs section:
      [OIDs]
      ⋮
      MyPolicy=1.2.3.4
- [ObjectStore]
  The ObjectStore section specifies operational information for the object store and the issued certificate list (ICL).
  The following excerpt is from the ObjectStore section:
      [ObjectStore]
      ObjectDSN='pkisrvd.vsam.ost'
      ⋮
- [CertPolicy]
  The CertPolicy section contains CA policy information, such as the signature algorithms the CA uses.
  The following excerpt is from the CertPolicy section:
      [CertPolicy]
      SigAlg1=sha-256WithRSAEncryption
      ⋮
- [General]
  The General section contains general daemon settings.
  The following excerpt is from the General section:
      [General]
      InitialThreadCount=10
      ⋮
- [SAF]
  The SAF section contains information about the SAF (RACF®) key ring that is used to store the CA certificate and its private key.
  The following excerpt is from the SAF section:
      [SAF]
      KeyRing=PKISRVD/CAring
- [LDAP]
  The LDAP section contains information about the LDAP server to which certificates and CRLs are posted.
  The following excerpt is from the LDAP section:
      [LDAP]
      NumServers=1
      ⋮
  The UNIX programmer needs to update the LDAP section of this file. Guideline: Do not change it now; change it later, when you perform the Steps for tailoring the LDAP section of the configuration file.
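Because every section name, key, and value in pkiserv.conf is case-sensitive, a misspelled header such as [objectstore] or a malformed OID is easy to introduce and is only discovered when the daemon fails to start. The following is an added example, not IBM code, of a small lint script you can run against the file before starting the daemon. It assumes the six section names shown above are the ones that must be present, that an OID value must be dotted-decimal as the [OIDs] description states, and (not stated on this page) that a line beginning with '#' is a comment; the sample file embedded in the script is constructed from the excerpts above.

```python
"""Lint a pkiserv.conf-style file for case-sensitive section headers and
name=value syntax.  Added example; not IBM PKI Services code.
Assumptions not stated on the page: '#' starts a comment line, and the six
sections listed in REQUIRED_SECTIONS are the ones that must be present."""

import re

REQUIRED_SECTIONS = ("OIDs", "ObjectStore", "CertPolicy", "General", "SAF", "LDAP")
DOTTED_DECIMAL = re.compile(r"^\d+(\.\d+)+$")

# Constructed sample file; values mirror the excerpts on the page.
SAMPLE_CONF = """\
[OIDs]
MyPolicy=1.2.3.4
[ObjectStore]
ObjectDSN='pkisrvd.vsam.ost'
[CertPolicy]
SigAlg1=sha-256WithRSAEncryption
[General]
InitialThreadCount=10
[SAF]
KeyRing=PKISRVD/CAring
[LDAP]
NumServers=1
"""


def parse_conf(text):
    """Return {section: {name: value}}, preserving the case of every token.

    Unlike configparser's default behaviour, keys are NOT lower-cased,
    because pkiserv.conf keys are case-sensitive."""
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # assumption: '#' comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: name=value before any [section]")
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected name=value, got {line!r}")
        name, value = line.split("=", 1)
        sections[current][name.strip()] = value.strip()
    return sections


def lint(sections):
    """Return a list of problems found; an empty list means the file passed."""
    problems = []
    for wanted in REQUIRED_SECTIONS:
        if wanted in sections:
            continue
        # A header that matches only case-insensitively is the classic mistake:
        # the daemon will not treat [objectstore] as [ObjectStore].
        near = [s for s in sections if s.lower() == wanted.lower()]
        if near:
            problems.append(
                f"section [{near[0]}] must be spelled [{wanted}] (case-sensitive)")
        else:
            problems.append(f"missing required section [{wanted}]")
    # Every entry in [OIDs] must be name=dotted-decimal.
    for name, value in sections.get("OIDs", {}).items():
        if not DOTTED_DECIMAL.match(value):
            problems.append(f"[OIDs] {name}={value!r} is not dotted-decimal")
    return problems


def lint_file(path):
    """Convenience wrapper: lint a pkiserv.conf on disk."""
    with open(path, encoding="utf-8") as fh:
        return lint(parse_conf(fh.read()))


if __name__ == "__main__":
    import sys
    problems = lint_file(sys.argv[1]) if len(sys.argv) > 1 else lint(parse_conf(SAMPLE_CONF))
    for p in problems:
        print("pkiserv.conf:", p)
    sys.exit(1 if problems else 0)
```

Run it with the path to your pkiserv.conf as the only argument; a non-zero exit status means at least one problem was reported. The checks are deliberately limited to what this page states (section names, case, and the OID value form), so a file that passes the lint can still contain key-specific errors that only the daemon's own validation will catch.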