Initial configuration
You create certificates used by the Security Verify Access servers during the initial configuration of the servers. The Security Verify Access servers use these certificates to securely communicate with other servers.
In a new Security Verify Access installation, the policy server is the first server that is configured. During the configuration, two certificates are created: the PDCA certificate and a personal certificate that is used by the policy server and signed by the PDCA certificate. Both of these certificates are in the ivmgrd.kdb key file. During the policy server configuration, the IBM Security Verify Access runtime key file pd.kdb is created. The PDCA certificate is inserted into it as a trusted certificate.
When new systems are added to the Security Verify Access domain, the IBM Security Verify Access runtime package is configured first. As part of this configuration, the system pd.kdb and pd.sth files are created. The PDCA certificate is included in the key files as a trusted certificate.
When new resource managers, such as WebSEAL, are configured, the svrsslcfg utility or an equivalent application programming interface (API) is run. This utility creates a key file for the server (such as pdacld.kdb) and places a personal certificate for that server in it. The utility also inserts the PDCA certificate into the key file as a trusted certificate. Both certificates are obtained from the policy server and are transported to the client system over SSL, with the connection secured by the IBM Security Verify Access runtime key file (pd.kdb) that was created when the runtime was configured.
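The trust topology described above, modelled as an added example that is not IBM's code: OpenSSL PEM files stand in for the GSKit .kdb/.sth key files, "PDCA" is a self-signed domain CA, each server personal certificate is signed by it, and a trust store holding only PDCA is used to check that a server certificate belongs to the domain (all file names and paths are constructed).

```shell
#!/bin/sh
# Added example (not IBM's code): models the trust topology described above with
# OpenSSL PEM files standing in for the GSKit .kdb/.sth files. "PDCA" is the
# domain CA; each server key file trusts only PDCA, and each server personal
# certificate is signed by PDCA. Names and paths here are constructed.
set -eu
WORK=$(mktemp -d)

# Policy server configuration: create the self-signed PDCA certificate, the
# domain's trust anchor, and a trust store (pd.kdb equivalent) holding only it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=PDCA" \
  -keyout "$WORK/pdca.key" -out "$WORK/pdca.pem" 2>/dev/null
cp "$WORK/pdca.pem" "$WORK/pd-trust.pem"

# A second, unrelated CA: its certificate is deliberately NOT in pd-trust.pem,
# so anything it signs must be rejected (constructed negative case).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=OtherCA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# svrsslcfg equivalent: issue a personal certificate for server $1 (e.g. ivmgrd,
# pdacld), signed by the CA whose key and certificate live at $2.key and $2.pem.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$2.pem" -CAkey "$2.key" \
    -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# The check a defender wants after configuration: does server $1's personal
# certificate chain to the PDCA held in the trust store? Prints trusted/untrusted.
check_trust() {
  if openssl verify -CAfile "$WORK/pd-trust.pem" "$WORK/$1.pem" >/dev/null 2>&1
  then echo trusted
  else echo untrusted
  fi
}

issue_server_cert ivmgrd  "$WORK/pdca"   # policy server personal certificate
issue_server_cert pdacld  "$WORK/pdca"   # authorization server personal certificate
issue_server_cert foreign "$WORK/other"  # signed outside the domain's PDCA

for s in ivmgrd pdacld foreign; do
  printf '%s: %s\n' "$s" "$(check_trust "$s")"
done
```

The same verification idea applies to a real deployment: a server certificate that does not chain to the PDCA in pd.kdb cannot be used by the Security Verify Access servers to talk to each other.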
For more information about the configuration files and certificate-related stanza entries, such as the configured key file and the configured stash files, see Configuration file reference.