Updating the web server configuration if you use REXX CGI execs
Before you begin
This procedure requires you to be familiar with the information in the following topics, where you find additional details:
Procedure
Perform the following steps to customize the IBM® HTTP Server configuration files for this new CA domain.
- Add this new CA domain (check Table 1 for domain name and directory) following the instructions in Steps for adding application domains to the web server configuration files.
If you have a CRLDistDirPath configured in your pkiserv.conf file for HTTP protocol URI format CRL distribution points, uncomment the AliasMatch HTTP server directive statement in the vhost80.conf (host file for non-SSL requests) configuration file to map the virtual path name in the URI to the CRLDistDirPath value.
#AliasMatch /Employees/cacerts/(.*) /var/pkiserv/employees/$1
- (Optional) If you intend to have a dedicated set of administrators for each CA domain, repeat Step 1 for the administrative domain. (Check Table 1 for domain name and directory.) Otherwise, skip to Step 3.
- Update the environment variables for the HTTP Server. The following changes must be made to the vhost80.conf (host file for non-SSL requests), vhost443.conf (host file for SSL requests with server authentication), and vhost1443.conf (host file for SSL requests with client authentication) configuration files.
The setting is shown by using the SetEnv HTTP directive in the vhost80.conf file. Edit the vhost80.conf file by entering the following command from the UNIX command line:
oedit /etc/websrv1/conf/vhost80.conf
Uncomment the SetEnv HTTP directive statement.
#SetEnv _PKISERV_CONFIG_PATH_EMPLOYEES "/etc/pkiserv/employees"
  - Add the environment variable identifying the runtime directory of this CA domain. (Check Table 1.)
  _PKISERV_CONFIG_PATH_EMPLOYEES=/etc/pkiserv/employees
  - (Optional) If you intend to have a dedicated set of administrators for each CA domain, add the environment variable identifying the pkiserv.tmpl directory of this administrative CA domain.
  _PKISERV_CONFIG_PATH_ADMEMPLOYEES=/etc/pkiserv/employees
  Uncomment the SetEnv HTTP directive statement.
  #SetEnv _PKISERV_CONFIG_PATH_ADMEMPLOYEES "/etc/pkiserv/employees"
- Update the HTTP server virtual host configuration files to support the new CA Domain. Uncomment the following statements in each of the virtual host configuration files.
vhost80.conf
• #RewriteRule ^/(AdmEmployees|Employees)/ssl-cgi/(.*) https://<server-domain-name>/$1/ssl-cgi-bin/$2 [R,NE]
• #RewriteRule ^/(AdmEmployees|Employees)/clientauth-cgi/(.*) https://<server-domain-name>:1443/$1/clientauth-cgi-bin/$2 [R,NE]
• #ScriptAliasMatch /(AdmEmployees|Employees)/public-cgi/(.*) <application-root>/PKIServ/public-cgi/$2
• #AliasMatch /Employees/cacerts/(.*) /var/pkiserv/$1
vhost443.conf
• #RewriteRule ^/(AdmEmployees|Employees)/public-cgi/(.*) http://<server-domain-name>/$1/public-cgi/$2 [R,NE,L]
• #RewriteRule ^/(AdmEmployees|Employees)/ssl-cgi/(.*) https://<server-domain-name>/$1/ssl-cgi-bin/$2 [R,NE]
• #RewriteRule ^/(AdmEmployees|Employees)/clientauth-cgi/(.*) https://<server-domain-name>:1443/$1/clientauth-cgi-bin/$2 [R,NE,L]
• #ScriptAliasMatch ^/(AdmEmployees|Employees)/(public-cgi|ssl-cgi-bin)/(.*) "<application-root>/PKIServ/$2/$3"
• #<LocationMatch "^/(AdmEmployees|Employees)/ssl-cgi-bin(/(auth|surrogateauth))?/cagetcert.rexx">
  # Charsetoptions TranslateAllMimeTypes
  #</LocationMatch>
vhost1443.conf
• #RewriteRule ^/(AdmEmployees|Employees)/public-cgi/(.*) http://<server-domain-name>/$1/public-cgi/$2 [R,NE,L]
• #RewriteRule ^/(AdmEmployees|Employees)/ssl-cgi/(.*) https://<server-domain-name>/$1/ssl-cgi-bin/$2 [R,NE,L]
• #ScriptAliasMatch ^/(AdmEmployees|Employees)/(clientauth-cgi|clientauth-cgi-bin)/(.*) "<application-root>/PKIServ/clientauth-cgi-bin/$3"
• #<LocationMatch "^/(AdmEmployees|Employees)/clientauth-cgi-bin/auth/pkicmp">
  #CharsetOptions NoTranslateRequestBodies
  #</LocationMatch>
Continue to the next subtask. Complete all subtasks for this new CA domain and ensure that it operates properly before adding another CA domain.
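A read-only check for the edits in this procedure, as an added example that is not part of the IBM documentation: for the three virtual host files it reports whether the domain's SetEnv statement is active and which directives naming the domain are still commented out. The function names are hypothetical and the sample files are constructed; on a real system, pass the directory that holds the virtual host files (/etc/websrv1/conf in the oedit command above).

```shell
#!/bin/sh
# Added example, not IBM-supplied; function names are hypothetical.

# active_setenv FILE VAR: succeeds if FILE has an uncommented "SetEnv VAR" line.
active_setenv() {
    grep -E -q "^[[:space:]]*SetEnv[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# commented_for_domain FILE DOMAIN: prints, with line numbers, the directives
# that name DOMAIN (case-insensitive) and are still commented out.
commented_for_domain() {
    grep -i -n -E "^[[:space:]]*#[[:space:]]*(SetEnv|RewriteRule|ScriptAliasMatch|AliasMatch|<LocationMatch)[[:space:]].*$2" "$1"
}

# check_domain DIR DOMAIN: reports on vhost80.conf, vhost443.conf and
# vhost1443.conf in DIR. The return value is the number of files in which
# SetEnv _PKISERV_CONFIG_PATH_<DOMAIN> is missing or still commented out.
check_domain() {
    var="_PKISERV_CONFIG_PATH_$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
    missing=0
    for f in vhost80.conf vhost443.conf vhost1443.conf; do
        if active_setenv "$1/$f" "$var"; then
            echo "$f: SetEnv $var is active"
        else
            echo "$f: SetEnv $var is NOT active"
            missing=$((missing + 1))
        fi
        commented_for_domain "$1/$f" "$2" | sed "s|^|$f: still commented, line |"
    done
    return "$missing"
}

# Constructed sample files (not a real server configuration): vhost443.conf
# still has the SetEnv commented out, vhost80.conf a commented AliasMatch.
demo=$(mktemp -d)
printf '%s\n' 'SetEnv _PKISERV_CONFIG_PATH_EMPLOYEES "/etc/pkiserv/employees"' \
    '#AliasMatch /Employees/cacerts/(.*) /var/pkiserv/employees/$1' > "$demo/vhost80.conf"
printf '%s\n' '#SetEnv _PKISERV_CONFIG_PATH_EMPLOYEES "/etc/pkiserv/employees"' \
    > "$demo/vhost443.conf"
printf '%s\n' 'SetEnv _PKISERV_CONFIG_PATH_EMPLOYEES "/etc/pkiserv/employees"' \
    > "$demo/vhost1443.conf"
check_domain "$demo" Employees || echo "files still missing the SetEnv: $?"
```

A line reported as still commented is not always an error: the AliasMatch statement is uncommented only when CRLDistDirPath is configured, and the ADMEMPLOYEES statements only when you use a dedicated administrative domain.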