You need to perform this task if you are configuring PKI Services for the first time or adding a new CA domain.

PKI Services provides SYS1.SAMPLIB(IKYSETUP), a REXX exec, to perform RACF® administration tasks for setting up PKI Services. The RACF administrator updates and runs this REXX exec, which issues RACF commands to perform the following tasks:

- Adding groups and user IDs:
  - Setting up the PKI Services administration group
  - Creating the PKI Services daemon user ID
  - Giving appropriate access to the RACF group
  - Creating the surrogate user ID and giving the surrogate user ID authority to generate certificates

    A surrogate user ID is the identity assigned to client processes when they are requesting certificate services. A surrogate user ID is required for external clients. Guideline: For simplicity, use surrogate user IDs for internal clients as well, rather than allowing them to access PKI Services under their own identities.
  - Associating the PKI Services daemon user ID with the PKI Services started procedure
- Setting up access control to protect end-user and administrative functions of PKI Services:
  - Authorizing the PKI Services daemon user ID for CA functions
  - Authorizing the PKI Services daemon user ID to access the Resource Recovery Services access facility (RRSAF), if you use DB2® as the repository for the object store and ICL
  - Giving administrators access to VSAM data sets, if you use VSAM as the repository for the object store and ICL
  - Optionally authorizing PKI Services for ICSF resources
  - Optionally defining granular administrative controls
- Creating certificate authority (CA), registration authority (RA), and SSL certificates:
  - Creating a CA certificate and private key
  - Backing them up to a password-protected MVS™ data set
  - Optionally migrating the private key to ICSF
  - Optionally creating an RA certificate and private key for Simple Certificate Enrollment Protocol (SCEP)
  - Creating a SAF key ring and associating it with the certificate
  - Exporting the CA certificate to an MVS data set and file system file
  - Generating a server certificate signed by the new CA
  - Creating a key ring for the Web server
  - Associating the Web server and any trusted CA certificates to the key ring
- Setting up the IBM HTTP Server for surrogate operation
- Allowing PKI Services to generate key pairs for certificate requests
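The following REXX exec is an added illustration of the kind of RACF commands the steps above correspond to; it is not the contents of SYS1.SAMPLIB(IKYSETUP) and does not replace it. It covers the core path only (groups and user IDs, the started task association, access control for administrators, the surrogate and the daemon, the CA certificate with its password-protected backup and key ring, the Web server certificate and ring, and surrogate operation); the DB2, VSAM, ICSF, granular-control and SCEP steps are left out. Every group name, user ID, UID/GID, label, data set name, password and date is a constructed placeholder. The FACILITY profile names follow the IRR.RPKISERV.<function> and IRR.DIGTCERT.<function> conventions of PKI Services and RACDCERT, and the access levels shown are assumptions; confirm both against the PKI Services documentation for your release before running anything like this.

```rexx
/* REXX */
/* Added illustration, not SYS1.SAMPLIB(IKYSETUP). All names, UIDs,   */
/* GIDs, labels, data set names, dates and the password are           */
/* constructed placeholders; replace them with your own values.       */
address TSO

pkigrp  = 'PKIGRP'      /* RACF group owning PKI Services resources   */
admgrp  = 'PKIADMS'     /* PKI Services administration group          */
daemon  = 'PKISRVD'     /* PKI Services daemon user ID                */
surrog  = 'PKISURR'     /* surrogate user ID used for client requests */
websrv  = 'WEBSRV'      /* user ID under which the IBM HTTP Server runs */
calabel = 'Example CA'  /* label of the CA certificate and private key */
caring  = 'CAring'      /* SAF key ring holding the CA certificate    */
sslring = 'SSLring'     /* key ring used by the Web server            */
cadsn   = 'PKISRVD.CA.BACKUP.P12'  /* password-protected CA backup   */
cacert  = 'PKISRVD.CA.CERT.B64'    /* exported CA certificate        */

/* 1. Groups and user IDs. NOPASSWORD creates protected user IDs that  */
/*    cannot be logged on to, which is what daemon and surrogate IDs   */
/*    should be.                                                       */
"ADDGROUP" pkigrp "OMVS(GID(900))"
"ADDGROUP" admgrp "OMVS(GID(901)) SUPGROUP("pkigrp")"
"ADDUSER" daemon "DFLTGRP("pkigrp") NOPASSWORD",
   "OMVS(UID(900) HOME('/var/pkiserv') PROGRAM('/bin/sh'))"
"ADDUSER" surrog "DFLTGRP("pkigrp") NOPASSWORD",
   "OMVS(UID(901) HOME('/tmp') PROGRAM('/bin/sh'))"

/* Associate the daemon user ID with the PKI Services started task.    */
"RDEFINE STARTED PKISERVD.* STDATA(USER("daemon") GROUP("pkigrp"))"
"SETROPTS RACLIST(STARTED) REFRESH"

/* 2. Access control. Administrators get the administration function,  */
/*    the surrogate gets the end-user certificate-generation function, */
/*    and the daemon gets RACDCERT authority for CA (signing) work.    */
/*    Profile names and access levels are assumptions; verify them     */
/*    against the PKI Services documentation for your release.         */
"RDEFINE FACILITY IRR.RPKISERV.PKIADMIN UACC(NONE)"
"PERMIT IRR.RPKISERV.PKIADMIN CLASS(FACILITY) ID("admgrp") ACCESS(CONTROL)"
"RDEFINE FACILITY IRR.RPKISERV.GENCERT UACC(NONE)"
"PERMIT IRR.RPKISERV.GENCERT CLASS(FACILITY) ID("surrog") ACCESS(READ)"
"RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)"
"PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID("daemon") ACCESS(CONTROL)"
"SETROPTS RACLIST(FACILITY) REFRESH"

/* 3. CA certificate and private key, backup, key ring and export.     */
"RACDCERT CERTAUTH GENCERT",
   "SUBJECTSDN(CN('Example CA') O('Example Corp') C('US'))",
   "WITHLABEL('"calabel"') SIZE(2048) KEYUSAGE(CERTSIGN)",
   "NOTAFTER(DATE(2035-12-31))"
/* Back up certificate and private key to a PKCS#12 data set that is   */
/* protected by a password (placeholder value shown).                  */
"RACDCERT CERTAUTH EXPORT(LABEL('"calabel"')) DSN('"cadsn"')",
   "FORMAT(PKCS12DER) PASSWORD('ReplaceThisPassword')"
/* Create the SAF key ring and connect the CA certificate to it.       */
"RACDCERT ID("daemon") ADDRING("caring")"
"RACDCERT ID("daemon") CONNECT(CERTAUTH LABEL('"calabel"')",
   "RING("caring") USAGE(PERSONAL) DEFAULT)"
/* Export the public CA certificate (Base64) for distribution.         */
"RACDCERT CERTAUTH EXPORT(LABEL('"calabel"')) DSN('"cacert"')",
   "FORMAT(CERTB64)"

/* 4. Server certificate signed by the new CA, and the Web server ring. */
"RACDCERT ID("websrv") GENCERT",
   "SUBJECTSDN(CN('pki.example.com') O('Example Corp') C('US'))",
   "WITHLABEL('Web Server') SIZE(2048)",
   "SIGNWITH(CERTAUTH LABEL('"calabel"')) NOTAFTER(DATE(2027-12-31))"
"RACDCERT ID("websrv") ADDRING("sslring")"
"RACDCERT ID("websrv") CONNECT(ID("websrv") LABEL('Web Server')",
   "RING("sslring") USAGE(PERSONAL) DEFAULT)"
"RACDCERT ID("websrv") CONNECT(CERTAUTH LABEL('"calabel"')",
   "RING("sslring") USAGE(CERTAUTH))"
"SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH"

/* 5. Surrogate operation: allow the Web server's identity to switch   */
/*    client threads to the surrogate user ID (SURROGAT class).        */
"RDEFINE SURROGAT BPX.SRV."surrog "UACC(NONE)"
"PERMIT BPX.SRV."surrog "CLASS(SURROGAT) ID("websrv") ACCESS(READ)"
"SETROPTS RACLIST(SURROGAT) REFRESH"
exit 0
```

The exec is run from TSO by a RACF administrator with SPECIAL (or equivalent) authority, the same way IKYSETUP is. Each resource is defined with UACC(NONE) and then opened only to the identity that needs it, so the admin group, the surrogate and the daemon each hold a distinct, minimal set of permissions; the PKCS#12 backup is the only copy of the CA private key that leaves RACF and should be treated accordingly.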