Optionally updating the pkiserv.conf configuration file

You need to update the pkiserv.conf configuration file if you meet any of the following conditions:
  • You are configuring PKI Services for the first time
  • You are adding support for:
    • Running multiple instances of PKI Services in a sysplex.
    • Running multiple CA domains on a single z/OS® image. (See Adding a new CA domain.)
    • Sending email notifications to users if the PKI Services administrator rejects certificate requests or certificates are ready for retrieval or expiring
    • Customizing certificate revocation list (CRL) distribution point processing. (See Customizing distribution point CRLs for details.)
    • Automatic renewal of expiring certificates
    • Sending email notifications to administrators if any requests are pending approval
    • A timeout value for the PKI Services exit.
    • Generation of key pairs (public and private key) for certificates
    • Setting the time that the daily maintenance task runs, or the days that it runs, or specifying that it is not to run when the PKI Services daemon starts
    • The certificate management protocol (CMP)
    • Using DB2® tables instead of VSAM files for the object store and ICL.
    • Creating CRLs without the Issuing Distribution Point extension.
    • Constraining the CA path length.
    • Granular control of administrative functions.
    • WTO notification.
  • You installed a new release of z/OS and had configured PKI Services on the earlier release. (For more information, see Updating pkiserv.conf after installing a new release of z/OS.)
You can also optionally update the file if you want to change certain default values.

The pkiserv.conf configuration file for the PKI Services daemon consists of sections of name-value pairs. Important: Everything in the pkiserv.conf file, including section names, keys, and values, is case-sensitive.

Each section of the pkiserv.conf configuration file has a title enclosed in square brackets. The configuration file includes the following sections:
[OIDs]
The OIDs section specifies the object identifiers for various nicknames PKI Services uses internally. The OIDs are specified in the following form:
name=dotted-decimal

The following excerpt is from the OIDs section:

[OIDs] 
⋮ 
MyPolicy=1.2.3.4
[ObjectStore]
The ObjectStore section specifies operational information for the object store and issued certificate list (ICL).

The following excerpt is from the ObjectStore section:

[ObjectStore] 
ObjectDSN='pkisrvd.vsam.ost' 
⋮
[CertPolicy]
The CertPolicy section is for CA policy information.

The following excerpt is from the CertPolicy section:

[CertPolicy] 
SigAlg1=sha-256WithRSAEncryption 
⋮
[General]
The General section is for general information.

The following excerpt is from the General section:

[General] 
InitialThreadCount=10 
⋮
[SAF]
The SAF section is for information about the SAF (RACF®) key ring that is used for CA certificate and private key storage.

The following excerpt is from the SAF section:

[SAF] 
KeyRing=PKISRVD/CAring 
[LDAP]
The LDAP section contains information about the LDAP server for posting certificates and CRLs.

The following excerpt is from the LDAP section:

[LDAP] 
NumServers=1 
⋮

The UNIX programmer needs to update the LDAP section of this file. Guideline: Do not change it now but change it later when you perform Steps for tailoring the LDAP section of the configuration file.
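Because everything in pkiserv.conf is case-sensitive, a section written as [ldap] or a key whose case is wrong is simply not recognized rather than rejected. The following Python script is an added example, not part of IBM's PKI Services documentation or product code: it parses text in the layout the page describes (section titles in square brackets, name=value pairs, OIDs as name=dotted-decimal) without folding case, then reports any expected section that is missing or present only under a differently cased name, and any OIDs value that is not dotted-decimal. The section names and keys in the constructed sample are those shown on this page; treating a line beginning with # as a comment, stripping a single-quoted value, and requiring each section to appear once are the example's own assumptions.

```python
"""Minimal, case-sensitive parser and sanity checker for pkiserv.conf-style text.

Added example, not IBM's code. It relies only on what the page states: sections
titled in square brackets, name=value pairs, case-sensitive throughout, and OIDs
given as name=dotted-decimal. Comment handling ('#'), stripping of a single-quoted
value, and "each section appears once" are assumptions of this example.
"""
import re
from collections import OrderedDict

# Section names exactly as the page lists them; matching is case-sensitive.
EXPECTED_SECTIONS = ("OIDs", "ObjectStore", "CertPolicy", "General", "SAF", "LDAP")

_SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$")
_OID_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_pkiserv_conf(text):
    """Return {section: {name: value}}, preserving case exactly as written.

    Raises ValueError on a name=value line before any section header, on a
    duplicate section (assumption: a section appears once), or on a line that
    is neither a header nor a pair.
    """
    sections = OrderedDict()
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        m = _SECTION_RE.match(line)
        if m:
            name = m.group(1)
            if name in sections:
                raise ValueError("line %d: duplicate section [%s]" % (lineno, name))
            current = sections[name] = OrderedDict()
            continue
        if "=" not in line:
            raise ValueError("line %d: expected name=value or [section]" % lineno)
        if current is None:
            raise ValueError("line %d: name=value pair before any section" % lineno)
        name, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == "'":
            value = value[1:-1]                # assumption: quotes delimit the value
        current[name] = value                  # no case folding anywhere
    return sections


def check_pkiserv_conf(sections):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    present_lower = {s.lower(): s for s in sections}
    for expected in EXPECTED_SECTIONS:
        if expected in sections:
            continue
        near = present_lower.get(expected.lower())
        if near:
            # Same letters, different case: the daemon would not match it.
            findings.append("section [%s] is written as [%s]; names are case-sensitive"
                            % (expected, near))
        else:
            findings.append("section [%s] is missing" % expected)
    for name, value in sections.get("OIDs", {}).items():
        if not _OID_RE.match(value):
            findings.append("OIDs: %s=%s is not dotted-decimal" % (name, value))
    return findings


# Constructed sample using only keys shown on the page; [ldap] is deliberately
# mis-cased to show what the checker reports.
SAMPLE_CONF = """\
[OIDs]
MyPolicy=1.2.3.4
[ObjectStore]
ObjectDSN='pkisrvd.vsam.ost'
[CertPolicy]
SigAlg1=sha-256WithRSAEncryption
[General]
InitialThreadCount=10
[SAF]
KeyRing=PKISRVD/CAring
[ldap]
NumServers=1
"""

if __name__ == "__main__":
    conf = parse_pkiserv_conf(SAMPLE_CONF)
    for finding in check_pkiserv_conf(conf):
        print("finding:", finding)
```

Run against the sample, the checker reports that [LDAP] is written as [ldap]; with the section name corrected it reports nothing. The script validates only layout and the OIDs form stated on this page; it does not know the meaning or allowed values of the individual keys.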