Welcome to PKI Services on z/OS
This chapter introduces this IBM Redbooks publication, suggests prerequisite reading, and gives an overview of the scenario that was used to create a controlled test environment.
The IBM HTTP Server - Powered by Apache is referred to as HTTP server throughout this document.
This chapter includes the following topics:
1.1 Introduction
This IBM Redbooks publication describes how to quickly set up z/OS PKI Services and get the servers running so that you can try the certificate creation, management, and administration functions. We recommend that you use this setup in your test system first; a production system requires more options to be configured.
The steps that were used to set up the scenario in our controlled environment are described, and examples of the use of PKI Services on z/OS are also provided.
1.1.1 Prerequisite reading
If you are new to digital certificates, it is suggested that you read the IBM Redbooks publication that is shown in Figure 1-1, which is available at this website:
Figure 1-1 Prerequisite reading
For more information about PKI Services on z/OS, see the following publications:
Cryptographic Series PKI Services Guide and Reference, SA23-2286
IBM HTTP Server - powered by Apache, SC27-8417
IBM Tivoli® Directory Server Administration and Use for z/OS, SC23-6788
1.1.2 Basic scenario components
The implementation that we set up is shown in Figure 1-2.
Figure 1-2 Three instances of PKI Services
ROOTCA is an instance with a self-signed certificate. It issues the server certificate for the HTTP server. After the ROOTCA instance is set up with the HTTP server, it is used to issue CA certificates for SUBCA1 and SUBCA2.
ROOTCA can be put offline after it issues the intermediate CAs. All of the certificates are then issued by SUBCA1 or SUBCA2, according to your needs. For example, you can assign SUBCA1 to issue certificates for internal use and SUBCA2 to issue certificates for your business partners.
1.2 Scenario build
The environment is built by producing the following entities:
PKI CA certificates that are owned by CERTAUTH: 'ROOTCA PKI CA', 'SUBCA1 PKI CA', 'SUBCA2 PKI CA'
IDs for the servers:
 – PKI daemon ID: PKISRVD
 – HTTP server ID: WEBSRV
 – LDAP server ID: GLDSRV
PKI key rings:
 – PKISRVD/CAring.ROOTCA, contains ROOTCA PKI CA
 – PKISRVD/CAring.SUBCA1, contains ROOTCA PKI CA, SUBCA1 PKI CA, and SUBCA1 RA
 – PKISRVD/CAring.SUBCA2, contains ROOTCA PKI CA, SUBCA2 PKI CA, and SUBCA2 PKI RA
One HTTP server for all domains:
 – HTTP server certificate that is owned by WEBSRV with label 'SSL Cert'.
 – HTTP key ring: WEBSRV/SSLring contains ROOTCA PKI CA, SSL Cert, SUBCA1 PKI CA, and SUBCA2 PKI CA.
Start procedures in SYS1.PROCLIB:
 – HTTP server - SYS1.PROCLIB(IHSSRVER): s ihssrver
 – LDAP server - SYS1.PROCLIB(GLDSRV): s gldsrv
 – PKI server - SYS1.PROCLIB(PKISERVD):
 • S pkiservd,jobname=rootca,dir='/etc/pkiserv/rootca'
 • S pkiservd,jobname=subca1,dir='/etc/pkiserv/subca1'
 • S pkiservd,jobname=subca2,dir='/etc/pkiserv/subca2'
1.2.1 Building the scenario
The environment was built at the z/OS Version 2 Release 2 level.
The following directories are needed for the configuration files:
/etc/pkiserv/rootca
/etc/pkiserv/subca1
/etc/pkiserv/subca2
The following directories are needed to store the CRL files if the CRL Distribution Point is to be served by using the HTTP protocol:
/var/pkiserv/rootca
/var/pkiserv/subca1
/var/pkiserv/subca2
The following products are needed to build the scenario:
An HTTP server to manage requests through a web server.
Note: The z/OS level is V2.2 and HTTP Server - powered by Apache is used.
An LDAP for posting certificates and Certificate Revocation List (CRL).
Sendmail (optional) for sending email notifications to certificate requesters and administrators.
VSAM data sets to store the object store and issue certificate lists.
Although ROOTCA, SUBCA1, and SUBCA2 share the HTTP server and LDAP server, the configuration files and the VSAM data set store are unique to each CA.
For more information about building and configuring the ROOTCA PKI instance, HTTP server, the LDAP server, and some configuration work for SUBCA1 and SUBCA2, see Chapter 2, “Setting up the Root CA environment” on page 5.
For more information about building and configuring the SUBCA1 and SUBCA2 intermediate CAs, see Chapter 3, “Setting up SUBCA1 and SUBCA2 under ROOTCA” on page 37. (The configuration work is for each unique instance only.)