Note: Ensure that you read all the comments in the SAMPLIB members and complete the appropriate tasks.
|
DELETE -
PKISRVD.ROOTCA.VSAM.OST -
CLUSTER -
PURGE -
ERASE
IDC3012I ENTRY PKISRVD.ROOTCA.VSAM.OST NOT FOUND
IDC3009I ** VSAM CATALOG RETURN CODE IS 8 - REASON CODE IS IGG0CLA3-42
IDC0551I ** ENTRY PKISRVD.ROOTCA.VSAM.OST NOT DELETED
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 8
DELETE -
PKISRVD.ROOTCA.VSAM.ICL -
CLUSTER -
PURGE -
ERASE
IDC3012I ENTRY PKISRVD.ROOTCA.VSAM.ICL NOT FOUND
IDC3009I ** VSAM CATALOG RETURN CODE IS 8 - REASON CODE IS IGG0CLA3-42
IDC0551I ** ENTRY PKISRVD.ROOTCA.VSAM.ICL NOT DELETED
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 8
IF MAXCC LT 9 THEN SET MAXCC = 0
|
IDCAMS SYSTEM SERVICES
DEFINE CLUSTER -
(NAME(PKISRVD.ROOTCA.VSAM.OST) -
VOL(BH6ST5) -
RECSZ(1024 32756) -
INDEXED -
NOREUSE -
KEYS(4 0) -
SHR(2) -
CYL(3,1) -
LOG(NONE) -
OWNER(PKISRVD) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.OST.DA) -
CISZ(4096) -
SPANNED) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE CLUSTER -
(NAME(PKISRVD.ROOTCA.VSAM.ICL) -
VOL(BH6ST5) -
RECSZ(1024 32756) -
INDEXED -
NOREUSE -
KEYS(4 0) -
SHR(2) -
CYL(3,1) -
LOG(NONE) -
OWNER(PKISRVD) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.DA) -
CISZ(4096) -
SPANNED) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
IDCAMS SYSTEM SERVICES
IDC0002I IDCAMS PROCESSING COMPLETE. MAXIMUM CONDITION CODE WAS 0
|
DATA SET UTILITY - GENERATE
GENERATE MAXFLDS=4,MAXLITS=80
RECORD FIELD=(20,X'0000000000000000000000000000000000000000',,1),
FIELD=(20,X'0000000000000000000000000000000000000000',,21),
FIELD=(20,X'0000000000000000000000000000000000000000',,41),
FIELD=(20,X'0000000000000000000000000000000000000000',,61)
PROCESSING ENDED AT EOD
|
IDCAMS SYSTEM SERVICES
REPRO INFILE(SYSDATA) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.OST)
IDC0005I NUMBER OF RECORDS PROCESSED WAS 1
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
REPRO INFILE(SYSDATA) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.ICL)
IDC0005I NUMBER OF RECORDS PROCESSED WAS 1
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
IDC0002I IDCAMS PROCESSING COMPLETE. MAXIMUM CONDITION CODE WAS 0
|
IDCAMS SYSTEM SERVICES
DEFINE ALTERNATEINDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.AIX) -
RELATE(PKISRVD.ROOTCA.VSAM.OST)-
VOL(BH6ST5) -
TRK(5,1) -
KEYS(24 44) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.OST.AIX.DA)) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.AIX.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE PATH -
(NAME(PKISRVD.ROOTCA.VSAM.OST.PATH) -
PATHENTRY(PKISRVD.ROOTCA.VSAM.OST.AIX))
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE ALTERNATEINDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.STATAIX) -
RELATE(PKISRVD.ROOTCA.VSAM.OST)-
VOL(BH6ST5) -
TRK(5,1) -
KEYS(40 4) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.OST.STATAIX.DA)) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.STATAIX.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE PATH -
(NAME(PKISRVD.ROOTCA.VSAM.OST.STATUS) -
PATHENTRY(PKISRVD.ROOTCA.VSAM.OST.STATAIX))
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
|
DEFINE ALTERNATEINDEX -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.STATAIX) -
RELATE(PKISRVD.ROOTCA.VSAM.ICL)-
VOL(BH6ST5) -
TRK(5,1) -
KEYS(40 4) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.STATAIX.DA)) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.STATAIX.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE PATH -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.STATUS) -
PATHENTRY(PKISRVD.ROOTCA.VSAM.ICL.STATAIX))
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE ALTERNATEINDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.REQAIX) -
RELATE(PKISRVD.ROOTCA.VSAM.OST)-
VOL(BH6ST5) -
TRK(5,1) -
KEYS(32 12) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.OST.REQAIX.DA)) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.OST.REQAIX.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE PATH -
(NAME(PKISRVD.ROOTCA.VSAM.OST.REQUESTR) -
PATHENTRY(PKISRVD.ROOTCA.VSAM.OST.REQAIX))
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE ALTERNATEINDEX -
IDCAMS SYSTEM SERVICES
(NAME(PKISRVD.ROOTCA.VSAM.ICL.REQAIX) -
RELATE(PKISRVD.ROOTCA.VSAM.ICL)-
VOL(BH6ST5) -
TRK(5,1) -
KEYS(32 12) ) -
DATA -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.REQAIX.DA)) -
INDEX -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.REQAIX.IX))
IDC0508I DATA ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0509I INDEX ALLOCATION STATUS FOR VOLUME BH6ST5 IS 0
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
DEFINE PATH -
(NAME(PKISRVD.ROOTCA.VSAM.ICL.REQUESTR) -
PATHENTRY(PKISRVD.ROOTCA.VSAM.ICL.REQAIX))
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
|
BLDINDEX INDATASET(PKISRVD.ROOTCA.VSAM.OST) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.OST.AIX)
IDC0652I PKISRVD.ROOTCA.VSAM.OST.AIX SUCCESSFULLY BUILT
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
BLDINDEX INDATASET(PKISRVD.ROOTCA.VSAM.OST) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.OST.STATAIX)
IDC0652I PKISRVD.ROOTCA.VSAM.OST.STATAIX SUCCESSFULLY BUILT
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
BLDINDEX INDATASET(PKISRVD.ROOTCA.VSAM.ICL) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.ICL.STATAIX)
IDC0652I PKISRVD.ROOTCA.VSAM.ICL.STATAIX SUCCESSFULLY BUILT
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
BLDINDEX INDATASET(PKISRVD.ROOTCA.VSAM.OST) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.OST.REQAIX)
IDC0652I PKISRVD.ROOTCA.VSAM.OST.REQAIX SUCCESSFULLY BUILT
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
BLDINDEX INDATASET(PKISRVD.ROOTCA.VSAM.ICL) -
OUTDATASET(PKISRVD.ROOTCA.VSAM.ICL.REQAIX)
IDC0652I PKISRVD.ROOTCA.VSAM.ICL.REQAIX SUCCESSFULLY BUILT
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
|
PRINT -
INDATASET(PKISRVD.ROOTCA.VSAM.OST) CHAR
IDCAMS SYSTEM SERVICES
LISTING OF DATA SET -PKISRVD.ROOTCA.VSAM.OST
KEY OF RECORD - ....
..................................................................
IDC0005I NUMBER OF RECORDS PROCESSED WAS 1
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
IDCAMS SYSTEM SERVICES
PRINT -
INDATASET(PKISRVD.ROOTCA.VSAM.ICL) CHAR
IDCAMS SYSTEM SERVICES
LISTING OF DATA SET -PKISRVD.ROOTCA.VSAM.ICL
KEY OF RECORD - ....
..................................................................
IDC0005I NUMBER OF RECORDS PROCESSED WAS 1
IDC0001I FUNCTION COMPLETED, HIGHEST CONDITION CODE WAS 0
IDCAMS SYSTEM SERVICES
IDC0002I IDCAMS PROCESSING COMPLETE. MAXIMUM CONDITION CODE WAS 0
|
Note: For more information, see the “Installing and configuring IBM HTTP Server on the z/OS V2R2 system” section of Chapter 2 in IBM HTTP Server - Powered by Apache SC27-8417.
|
Note: The websrv user ID should exist. Define this user if it was not yet created. Ensure that the home directory of websrv points to /etc/websrv1, as shown in Example 2-1.
|
cd /etc
mkdir websrv1
chmod 770 websrv1
cd /usr/lpp/ihsa_zos/bin
install_ihs /etc/websrv1 80
KWRES01:/usr/lpp/ihsa_zos/bin: >install_ihs /etc/websrv1 80
Copying install directory and creating symlinks...
Updating install paths...
cmd: /usr/lpp/ihsa_zos/bin/postinst -i /etc/websrv1 -t install -v PORT=80 -v SERVERNAME=WTSC76.ITSO.IBM.COM
cd /etc/websrv1
chown -R websrv conf
chown -R websrv logs
|
KWRES01:/SYSTEM/etc/websrv1/bin: >apachectl -v
Server version: IBM_HTTP_Server/9.0.0.0-PI54808 (Unix)
Server built: Jan 20 2016 17:19:40
KWRES01:/SYSTEM/etc/websrv1/bin: >apachectl configtest
Syntax OK
|
Before the changes
ca_domain = "" /* @L4A*/
if LENGTH(ca_domain) > 8 then /* @L4A*/
ca_domain_trunc = LEFT(ca_domain,8) /* @L4A*/
else /* @L4A*/
ca_domain_trunc = ca_domain /* @L4A*/
OrgUnit = STRIP(ca_domain "Human Resources Certificate Authority")
/* @L4A*/
ca_dn= "OU('"||OrgUnit||"')",
"O('Your Company')",
"C('Your Country 2 Letter Abbreviation')" /* @L4C*/
ca_label = STRIP(ca_domain "Local PKI CA") /* Label for CA
certificate with the
CA Domain name
After the changes
ca_domain = "ROOTCA" /* @L4A*/
if LENGTH(ca_domain) > 8 then /* @L4A*/
ca_domain_trunc = LEFT(ca_domain,8) /* @L4A*/
else /* @L4A*/
ca_domain_trunc = ca_domain /* @L4A*/
OrgUnit = STRIP(ca_domain "IBM PKI RedBooks")
/* @L4A*/
ca_dn= "OU('"||OrgUnit||"')",
"O('IBM')",
"C('US')" /* @L4C*/
ca_label = STRIP(ca_domain "ROOTCA PKI CA") /* Label for CA
certificate with the
CA Domain name
|
Before the changes
ra_label = STRIP(ca_domain "Local PKI RA") /*Label for
RA Certificate @01C*/
After the changes
ra_label = STRIP(ca_domain "PKI RA") /*Label for
RA Certificate @01C*/
|
Before the changes
web_dn=,
"CN('www.YourCompany.com')",
"O('Your Company')",
"L('Your City')",
"SP('Your Full State or Province Name')",
"C('Your Country 2 Letter Abbreviation')"
After the changes
web_dn=,
"CN('wtsc76.itso.ibm.com')",
"O('IBM')",
"L('Poughkeepsie')",
"SP('New York')",
"C('US')"
|
web_ring = "SSLring" /* SAF keyring for web server */
|
Creating the CA certificate ...
RACDCERT GENCERT CERTAUTH SUBJECTSDN(OU('ROOTCA IBM PKI RedBooks') O('IBM') C('US')) WITHLABEL('ROOTCA PKI CA') NOTAFTER(DATE(2036/08/15)) SIZE(2048)
Enter a passphrase to protect the key. You will need
this value later if you need to restore the key.
Attention, the value will be displayed in the screen:
|
-------------------------------------------------
Information needed for PKI Services UNIX set up:
-------------------------------------------------
The daemon user ID is:
PKISRVD
The VSAM high-level qualifier is:
PKISRVD
This is needed for the [ObjectStore] section in pkiserv.conf
The PKI Services' DER encoded certificate is in data set:
'PKISRVD.ROOTCA.CACERT.DERBIN'
The webserver's DER encoded root
CA certificate is in data set:
'PKISRVD.ROOTCA.WEBROOT.DERBIN'
This must be OPUT to /var/pkiserv/cacert.der with the BINARY option
The fully qualified PKI Services' SAF keyring is:
PKISRVD/CAring.ROOTCA
This is needed for the [SAF] section in pkiserv.conf
The label of the PKI Services' RA certificate is:
ROOTCA PKI RA
This is needed for the [SAF] section in pkiserv.conf
The PKI Services CA DN is:
OU=ROOTCA IBM PKI RedBooks,O=IBM,C=US
The suffix must match the LDAP suffix in slapd.conf
The PKI Services RA DN is:
CN=Registration Authority,OU=ROOTCA IBM PKI RedBooks,O=IBM,C=US
The suffix must match the LDAP suffix in slapd.conf
The recommended location for the pkiserv.conf and pkiserv.tmpl is:
/etc/pkiserv/ROOTCA
Set the following environment variables in pkiserv.envars:
_PKISERV_CA_DOMAIN=ROOTCA
_PKISERV_CONFIG_PATH=/etc/pkiserv/ROOTCA
Set the following environment variable in your virtual host files:
_PKISERV_CONFIG_PATH_ROOTCA =/etc/pkiserv/ROOTCA
The webserver's SAF keyring is:
SSLring
This is needed for the KeyFile directive in virtual host files
The Webserver's DN is:
CN=wtsc76.itso.ibm.com,O=IBM,L=Poughkeepsie,ST=New York,C=US
The left most RDN must be the webserver's fully qualified domain name
|
Note: The /var/pkiserv directory is specified in the HTTP server configuration.
|
Data set
|
Description
|
pkiserv.conf
|
The configuration file that contains various settings and values.
|
pkiserv.envars
|
The environmental variables file.
|
pkiserv.tmpl
|
The certificate templates file that is used with REXX CGI executable files. It
contains HTML-style code that builds the web pages that are underlying certificate requests.
|
expiringmsg.form
|
The form for an email that is sent to a user when a certificate is going to expire.
|
pendingmsg.form
|
The form for an email that is sent to an administrator when requests are pending approval.
|
pendingmsg2.form
|
The form for an email that is sent to an administrator about requests that are approved with modifications.
|
readymsg.form
|
The form for an email that is sent to a user when the PKI Services administrator approves a certificate request and the certificate is ready for retrieval.
|
rejectmsg.form
|
The form for an email that is sent to a user when the PKI Services
administrator rejects a certificate request.
|
renewcertmsg.form
|
The form for an email that is sent to a user when PKI Services automatically renews an expiring certificate.
|
recoverymsg.form
|
The form for an email that is sent to a user who requested that PKI Services recover a certificate for which PKI Services generated the key pair.
|
# [ObjectStore] section: the VSAM data sets created by the IDCAMS job
# above. The request object store (OST) and the issued certificate list
# (ICL) are each a base CLUSTER plus PATHs over their alternate indexes.
# NOTE(review): the names here are mixed case while IDCAMS defined them
# as PKISRVD.ROOTCA.VSAM.OST, .OST.PATH, .OST.STATUS, ...; MVS data set
# names are upper case, so this spelling relies on the reader folding
# case - keep every qualifier identical to the DEFINE/PATH names.
# Data set name of the VSAM request (object store) base CLUSTER
#
ObjectDSN='pkisrvd.ROOTCA.VSAM.ost'
# Data set name of the VSAM object store PATH for the transaction ID
# (TID) alternate index.
#
ObjectTidDSN='pkisrvd.ROOTCA.VSAM.ost.path'
# Data set name of the VSAM object store PATH for the status alternate
# index
#
ObjectStatusDSN='pkisrvd.ROOTCA.VSAM.ost.status'
# Data set name of the VSAM object store PATH for the requestor
# alternate index
#
ObjectRequestorDSN='pkisrvd.ROOTCA.VSAM.ost.requestr'
# Data set name of the VSAM issued certificate list (ICL) base CLUSTER
#
ICLDSN='pkisrvd.ROOTCA.VSAM.icl'
# Data set name of the VSAM ICL PATH for the status alternate index
#
ICLStatusDSN='pkisrvd.ROOTCA.VSAM.icl.status'
# Data set name of the VSAM ICL PATH for the requestor alternate index
#
ICLRequestorDSN='pkisrvd.ROOTCA.VSAM.icl.requestr'
|
# full pathname or data set name containing the 'your certificate is
# ready to be retrieved' message form. Defaults to no message issued
ReadyMessageForm=/etc/pkiserv/rootca/readymsg.form
# full pathname or data set name containing the 'your certificate
# request has been rejected' message form. Defaults to no message issued
RejectMessageForm=/etc/pkiserv/rootca/rejectmsg.form
# full pathname or data set name containing the 'your certificate is
# about to expire' message form. Defaults to no message issued
ExpiringMessageForm=/etc/pkiserv/rootca/expiringmsg.form
# full pathname or data set name containing the request(s) pending for
# approval message form. Defaults to no notification sent.
AdminNotifyForm=/etc/pkiserv/rootca/pendingmsg.form
# full pathname or data set name containing the request(s) approved
# with modifications message form. Defaults to no notification sent.
AdminNotifyModForm=/etc/pkiserv/rootca/pendingmsg2.form
# full pathname or data set name containing the renewed certificate
# message form for automatic certificate renewal.
# If absent, automatic certificate renewal is disabled.
RenewCertForm=/etc/pkiserv/rootca/renewcertmsg.form
# full pathname or data set name containing information on
# the list of certificates that match the criteria specified
# to recover key generated certificates.
# If absent, recovery query results will not be sent.
RecoverForm=/etc/pkiserv/rootca/recoverymsg.form
|
# [SAF] section. KeyRing is the fully qualified (owner/ring) SAF keyring
# the setup output printed for this CA domain; the daemon user ID
# (PKISRVD) owns it.
KeyRing=PKISRVD/CAring.ROOTCA
# Alternative to KeyRing (presumably a PKCS#11 token); left commented
# out because a SAF keyring is used here.
#TokenName=PKISRVD.rootca.PKIToken
# The Label name for the PKI RA certificate connected to the Key ring
# specified in the KeyRing value above
# (must match the RA label printed by the setup output: "ROOTCA PKI RA")
#
RALabel=ROOTCA PKI RA
|
# LDAP section: a single directory server. PostInterval is presumably
# how often PKI Services posts to LDAP - verify in the PKI Services
# Guide and Reference.
NumServers=1
PostInterval=5m
# host:port of the LDAP server. 390 is not the standard LDAP port and
# whether the connection is TLS-protected is not visible in this
# excerpt - confirm before sending a simple bind over it.
Server1=wtsc76.itso.ibm.com:390
# Simple-bind identity and password, stored in cleartext in this file:
# anyone who can read pkiserv.conf can read the LDAP credential.
# Restrict the file's permissions, and for production prefer the
# LDAPBIND class profile described in the note that follows this
# excerpt.
AuthName1=CN=admin
AuthPwd1=secret
|
Note: For the production system, you might not want to make the password available in the configuration file. You can use the LDAPBIND class profile instead. For more information, see the “Storing information for encrypted passwords for your LDAP servers” section of z/OS PKI Services Guide and Reference.
|
# pkiserv.envars: read by the PKISERVD started task through _CEE_ENVFILE.
# When running as a CA Domain, set the CA Domain name by assigning
# desired value to the _PKISERV_CA_DOMAIN variable.
# Note: The first eight characters must be unique.
#
# example: _PKISERV_CA_DOMAIN=WebAppCA
_PKISERV_CA_DOMAIN=ROOTCA
#
# Configuration File location and Message configuration Options
#
# NOTE(review): the setup output recommended /etc/pkiserv/ROOTCA; z/OS
# UNIX paths are case-sensitive, so this lower-case spelling must be the
# one actually used for the directory, the message forms, the SetEnv
# values in the virtual hosts and the DIR parameter of the PKISERVD PROC.
_PKISERV_CONFIG_PATH=/etc/pkiserv/rootca
|
KWRES01:/SYSTEM/etc/pkiserv/rootca: >ls *.form
expiringmsg.form pendingmsg2.form recoverymsg.form renewcertmsg.form
pendingmsg.form readymsg.form rejectmsg.form
|
From:IBM RB ROOTCA PKI
Subject:Certificate Expiration
Attention - Please do not reply to this message as it was automatically sent by a service machine.
Dear %%requestor%%,
Thank you for choosing IBM RB ROOTCA PKI. The certificate you requested for
subject %%dn%% expires at %%notafter%% local time. If you want to renew
your certificate, please visit:
http://www.dimeocert.com wtsc76.itso.ibm.com/Rootca/public-cgi/camain.rexx
If this is a browser certificate, you must use the same workstation and browser that you used when you requested the original certificate. If this is a server
certificate, you will have to submit a PKCS#10 certificate request.
|
//*********************************************************************
//* *
//* Licensed Materials - Property of IBM *
//* 5650-ZOS *
//* Copyright IBM Corp. 2001, 2013 *
//* Status=HKY7790 *
//* *
//*********************************************************************
//*********************************************************************
//* *
//* Procedure for starting the PKI Services Daemon *
//* *
//*********************************************************************
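//*********************************************************************
//* Started-task procedure for the PKI Services daemon (IKYPKID).
//*   REGSIZE   region size of the daemon step
//*   OUTCLASS  SYSOUT class for STDOUT, STDERR, SYSOUT and CEEDUMP
//*   TZ        time zone handed to the daemon through ENVAR
//*   DIR, FN   directory and name of the environment file read via
//*             _CEE_ENVFILE; it sets _PKISERV_CA_DOMAIN and
//*             _PKISERV_CONFIG_PATH for the CA domain this task runs
//*   STDO,STDE shell redirections of the daemon's stdout and stderr
//*             to the STDOUT and STDERR DD names below
//* DIR is a z/OS UNIX path, so it is case-sensitive: it must match
//* the directory that holds pkiserv.conf and the message forms
//* (/etc/pkiserv/rootca), not the ROOTCA spelling the setup printed.
//*********************************************************************
//PKISERVD PROC REGSIZE=256M, X
// OUTCLASS='A', X
// TZ='EST5EDT', X
// FN='pkiserv.envars', X
// DIR='/etc/pkiserv/rootca', X
// STDO='1>DD:STDOUT', X
// STDE='2>DD:STDERR'
//*--------------------------------------------------------------------
//* REGION=&REGSIZE resolves to the PROC's REGSIZE parameter. The
//* listing showed a registered-sign before SIZE, which is '&REG'
//* mis-decoded as an HTML entity and is not valid JCL. TIME=1440
//* removes the CPU time limit for the long-running daemon.
//GO EXEC PGM=IKYPKID,REGION=&REGSIZE,TIME=1440,
// PARM=('ENVAR("_CEE_ENVFILE=&DIR/&FN","TZ=&TZ") / &STDO &STDE')
//STDOUT DD SYSOUT=&OUTCLASS
//STDERR DD SYSOUT=&OUTCLASS
//SYSOUT DD SYSOUT=&OUTCLASS
//CEEDUMP DD SYSOUT=&OUTCLASS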
|
Note: For more information, see Chapter 7 of Cryptographic Services PKI Services Guide and Reference SA23-2286.
|
# Modules the PKI Services web front end relies on: mod_alias and
# mod_rewrite for the AliasMatch/ScriptAliasMatch and RewriteRule
# directives used below, mod_authnz_saf for SAF-based authentication
# (presumably of the protected CGI paths; its use is not shown in this
# excerpt), and mod_ibm_ssl for the TLS virtual hosts.
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authnz_saf_module modules/mod_authnz_saf.so
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
|
#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#The following four types are for PKI Services
AddType application/x-x509-user-cert .cer
AddType application/x-x509-ca-cert .der
AddType application/octet-stream .msi
AddType application/pkix-crl .crl
|
Include conf/vhost80.conf
Include conf/vhost443.conf
Include conf/vhost1443.conf
|
Note: If you are not using the default ports 80 and 443, you must include the port number in the URL.
|
Note: If your AliasMatch does not point to /var/pkiserv, you must add a corresponding DirectoryMatch section as with the section for /var/pkiserv.
|
Note: We are setting up all three PKI instances (ROOTCA, SUBCA1, and SUBCA2), not only ROOTCA.
|
# One _PKISERV_CONFIG_PATH_<prefix> variable per CGI path prefix, in the
# form the setup output printed (_PKISERV_CONFIG_PATH_ROOTCA). The ADM*
# (administrator) prefix and the user prefix of a CA share one
# configuration directory. The values are z/OS UNIX paths and therefore
# case-sensitive: the lower-case spelling must match the DIR parameter
# of the PKISERVD procedure and the pkiserv.envars of each domain.
SetEnv _PKISERV_CONFIG_PATH_ROOTCA "/etc/pkiserv/rootca"
SetEnv _PKISERV_CONFIG_PATH_ADMROOTCA "/etc/pkiserv/rootca"
SetEnv _PKISERV_CONFIG_PATH_SUBCA1 "/etc/pkiserv/subca1"
SetEnv _PKISERV_CONFIG_PATH_ADMSUBCA1 "/etc/pkiserv/subca1"
SetEnv _PKISERV_CONFIG_PATH_SUBCA2 "/etc/pkiserv/subca2"
SetEnv _PKISERV_CONFIG_PATH_ADMSUBCA2 "/etc/pkiserv/subca2"
|
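# Redirects into the TLS virtual hosts (presumably from the port-80
# vhost; the vhost file this block belongs to is not shown). ssl-cgi
# requests go to the default HTTPS port, clientauth-cgi requests to the
# client-certificate vhost on port 1443 (conf/vhost1443.conf). $1 keeps
# the CA-domain prefix, $2 the rest of the path.
# [R] external redirect, [NE] do not escape the substitution.
# A directive that the listing wrapped onto two lines is rejoined here:
# httpd.conf does not continue a directive without a trailing backslash.
RewriteRule ^/(AdmRootca|Rootca)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmSubca1|Subca1)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmSubca2|Subca2)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmRootca|Rootca)/clientauth-cgi/(.*) https://wtsc76.itso.ibm.com:1443/$1/clientauth-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmSubca1|Subca1)/clientauth-cgi/(.*) https://wtsc76.itso.ibm.com:1443/$1/clientauth-cgi-bin/$2 [R,NE]
# Was (AdmSubca1|Subca2): /AdmSubca2/clientauth-cgi/... matched no rule
# and was never redirected to the client-certificate vhost.
RewriteRule ^/(AdmSubca2|Subca2)/clientauth-cgi/(.*) https://wtsc76.itso.ibm.com:1443/$1/clientauth-cgi-bin/$2 [R,NE]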
|
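# Rules for the default-port TLS vhost (inferred from the targets; the
# vhost file this block belongs to is not shown). public-cgi requests
# are sent back to plain HTTP, the ssl-cgi short form to its ssl-cgi-bin
# path on this host, and clientauth-cgi requests to the
# client-certificate vhost on port 1443.
# [R] external redirect, [NE] no escaping of the substitution, [L] stop
# rewriting. NOTE(review): the three ssl-cgi rules omit [L] while the
# others carry it - presumably intentional, but confirm that no later
# rule is meant to see the rewritten URL.
# Directives that the listing wrapped onto two lines are rejoined:
# httpd.conf does not continue a directive without a trailing backslash.
RewriteRule ^/(AdmRootca|Rootca)/public-cgi/(.*) http://wtsc76.itso.ibm.com/$1/public-cgi/$2 [R,NE,L]
RewriteRule ^/(AdmSubca1|Subca1)/public-cgi/(.*) http://wtsc76.itso.ibm.com/$1/public-cgi/$2 [R,NE,L]
RewriteRule ^/(AdmSubca2|Subca2)/public-cgi/(.*) http://wtsc76.itso.ibm.com/$1/public-cgi/$2 [R,NE,L]
RewriteRule ^/(AdmRootca|Rootca)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmSubca1|Subca1)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmSubca2|Subca2)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE]
RewriteRule ^/(AdmRootca|Rootca)/clientauth-cgi/(.*) https://wtsc76.itso.ibm.com:1443/$1/clientauth-cgi-bin/$2 [R,NE,L]
RewriteRule ^/(AdmSubca1|Subca1)/clientauth-cgi/(.*) https://wtsc76.itso.ibm.com:1443/$1/clientauth-cgi-bin/$2 [R,NE,L]
# Was (AdmSubca1|Subca2): /AdmSubca2/clientauth-cgi/... matched no rule
# here and was never redirected to the client-certificate vhost.
RewriteRule ^/(AdmSubca2|Subca2)/clientauth-cgi/(.*) https://wtsc76.itso.ibm.com:1443/$1/clientauth-cgi-bin/$2 [R,NE,L]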
|
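# Rules for the client-certificate vhost on port 1443 (inferred from the
# targets and the vhost1443 ScriptAliasMatch block below; the vhost file
# is not shown). public-cgi requests are redirected back to plain HTTP
# and ssl-cgi requests to the default-port TLS vhost, so only the
# clientauth-cgi-bin paths are served here.
# [R] external redirect, [NE] no escaping of the substitution, [L] stop
# rewriting.
# Directives that the listing wrapped onto two lines are rejoined:
# httpd.conf does not continue a directive without a trailing backslash.
RewriteRule ^/(AdmRootca|Rootca)/public-cgi/(.*) http://wtsc76.itso.ibm.com/$1/public-cgi/$2 [R,NE,L]
RewriteRule ^/(AdmSubca1|Subca1)/public-cgi/(.*) http://wtsc76.itso.ibm.com/$1/public-cgi/$2 [R,NE,L]
RewriteRule ^/(AdmSubca2|Subca2)/public-cgi/(.*) http://wtsc76.itso.ibm.com/$1/public-cgi/$2 [R,NE,L]
RewriteRule ^/(AdmRootca|Rootca)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE,L]
RewriteRule ^/(AdmSubca1|Subca1)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE,L]
RewriteRule ^/(AdmSubca2|Subca2)/ssl-cgi/(.*) https://wtsc76.itso.ibm.com/$1/ssl-cgi-bin/$2 [R,NE,L]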
|
# CRL directories, one per CA domain, served from /var/pkiserv (the note
# that precedes this excerpt requires a matching DirectoryMatch section
# for any other target directory).
# NOTE(review): the patterns are not anchored, so "/rootca/crls/" also
# matches when it appears later in the URL path; the anchored form
# ^/rootca/crls/(.*) is the safer and conventional spelling.
AliasMatch /rootca/crls/(.*) /var/pkiserv/rootca/$1
AliasMatch /subca1/crls/(.*) /var/pkiserv/subca1/$1
AliasMatch /subca2/crls/(.*) /var/pkiserv/subca2/$1
|
vhost80:
# Port-80 vhost: only public-cgi is served, for both the Adm* and the
# user-facing prefixes, and both map to the same CGI directory ($2).
# NOTE(review): these two patterns are not anchored with ^, unlike the
# vhost443 and vhost1443 ones below, so they also match the prefix when
# it appears later in the URL path; anchoring them is the consistent,
# safer form.
ScriptAliasMatch /(AdmRootca|AdmSubca1|AdmSubca2)/public-cgi/(.*) /usr/lpp/pkiserv/PKIServ/public-cgi/$2
ScriptAliasMatch /(Rootca|Subca1|Subca2)/public-cgi/(.*) /usr/lpp/pkiserv/PKIServ/public-cgi/$2
vhost443:
# TLS vhost: public-cgi and ssl-cgi-bin; the CGI directory is chosen by
# the second capture ($2), the CA-domain prefix ($1) is not part of the
# file path (the daemon is selected through the SetEnv variables).
ScriptAliasMatch ^/(AdmRootca|Rootca)/(public-cgi|ssl-cgi-bin)/(.*) "/usr/lpp/pkiserv/PKIServ/$2/$3"
ScriptAliasMatch ^/(AdmSubca1|Subca1)/(public-cgi|ssl-cgi-bin)/(.*) "/usr/lpp/pkiserv/PKIServ/$2/$3"
ScriptAliasMatch ^/(AdmSubca2|Subca2)/(public-cgi|ssl-cgi-bin)/(.*) "/usr/lpp/pkiserv/PKIServ/$2/$3"
vhost1443:
# Client-certificate vhost: both the clientauth-cgi and clientauth-cgi-bin
# prefixes map onto the same clientauth-cgi-bin directory.
ScriptAliasMatch ^/(AdmRootca|Rootca)/(clientauth-cgi|clientauth-cgi-bin)/(.*) "/usr/lpp/pkiserv/PKIServ/clientauth-cgi-bin/$3"
ScriptAliasMatch ^/(AdmSubca1|Subca1)/(clientauth-cgi|clientauth-cgi-bin)/(.*) "/usr/lpp/pkiserv/PKIServ/clientauth-cgi-bin/$3"
ScriptAliasMatch ^/(AdmSubca2|Subca2)/(clientauth-cgi|clientauth-cgi-bin)/(.*) "/usr/lpp/pkiserv/PKIServ/clientauth-cgi-bin/$3"
|
vhost443:
# Charset handling for the CGI that returns certificates (cagetcert.rexx,
# presumably "CA get certificate"): TranslateAllMimeTypes applies the
# z/OS EBCDIC/ASCII conversion to every MIME type it returns, with or
# without the optional /auth or /surrogateauth path segment.
# NOTE(review): the blank inside "(/(auth|surrogateauth) )?" makes the
# optional group require a literal space in the URL; this is probably a
# listing artifact - verify the live file reads "(/(auth|surrogateauth))?".
<LocationMatch "^/(AdmRootca|Rootca)/ssl-cgi-bin(/(auth|surrogateauth) )?/cagetcert.rexx">
Charsetoptions TranslateAllMimeTypes
</LocationMatch>
<LocationMatch "^/(AdmSubca1|Subca1)/ssl-cgi-bin(/(auth|surrogateauth) )?/cagetcert.rexx">
Charsetoptions TranslateAllMimeTypes
</LocationMatch>
<LocationMatch "^/(AdmSubca2|Subca2)/ssl-cgi-bin(/(auth|surrogateauth) )?/cagetcert.rexx">
Charsetoptions TranslateAllMimeTypes
</LocationMatch>
vhost1443:
# pkicmp (presumably the CMP endpoint) receives binary request bodies;
# NoTranslateRequestBodies stops the server from converting them.
<LocationMatch "^/(AdmRootca|Rootca)/clientauth-cgi-bin/auth/pkicmp">
CharsetOptions NoTranslateRequestBodies
</LocationMatch>
<LocationMatch "^/(AdmSubca1|Subca1)/clientauth-cgi-bin/auth/pkicmp">
CharsetOptions NoTranslateRequestBodies
</LocationMatch>
<LocationMatch "^/(AdmSubca2|Subca2)/clientauth-cgi-bin/auth/pkicmp">
CharsetOptions NoTranslateRequestBodies
</LocationMatch>
|
//*---------------------------------------------------------
//* Instream procedure that runs apachectl for IBM HTTP Server
//* under BPXBATCH.
//*   ACTION  argument of "apachectl -k" (start by default)
//*   DIR     server root created by install_ihs (/etc/websrv1)
//*   CONF    httpd.conf path, relative to DIR
//IHSSRVER PROC ACTION='start',
// DIR='/etc/websrv1',
// CONF='conf/httpd.conf'
//*---------------------------------------------------------
//* -DNO_DETACH keeps httpd attached to the shell started by
//* BPXBATCH so the started task lives as long as the server.
//* MEMLIMIT caps the step's above-the-bar storage.
//IHS EXEC PGM=BPXBATCH,
// PARM='SH &DIR/bin/apachectl -k &ACTION -f &CONF -DNO_DETACH',
// MEMLIMIT=512M
//* Shell stdout and stderr go to files under DIR/logs, truncated
//* on every run. PATHMODE grants read and write to owner and
//* group: members of the task user ID's group can alter these
//* logs. NOTE(review): confirm that is intended; otherwise drop
//* SIWGRP.
//STDOUT DD PATH='&DIR/logs/proc.output',
// PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
// PATHMODE=(SIRUSR,SIWUSR,SIRGRP,SIWGRP)
//STDERR DD PATH='&DIR/logs/proc.errors',
// PATHOPTS=(OWRONLY,OCREAT,OTRUNC),
// PATHMODE=(SIRUSR,SIWUSR,SIRGRP,SIWGRP)
//* SYSMDUMP DD ...
// PEND
//* ================================================================ */
//* PROPRIETARY-STATEMENT: */
//* Licensed Material - Property of IBM */
//* */
//* 5724-I63, 5724-H88, 5655-N01, 5733-W61, 5655-M23 */
//* (C) Copyright IBM Corp. 2006 */
//* All Rights Reserved */
//* US Government Users Restricted Rights - Use, duplication or */
//* disclosure restricted by GSA ADP Schedule Contract with IBM Corp.*/
//* ================================================================ */
|
Note: For more information about setting up the LDAP server, see Chapter 3 of Cryptographic Services PKI Services Guide and Reference SA23-2286.
|
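# Suffix entries for the LDAP directory PKI Services posts to.
# NOTE(review): the setup output gives the CA DN as
# OU=ROOTCA IBM PKI RedBooks,O=IBM,C=US and states that its suffix must
# match the LDAP suffix in slapd.conf; the organization created here is
# o=The Firm, which does not match O=IBM,C=US - confirm which suffix the
# directory is really configured with before the daemon starts posting.
dn: c=us
objectclass: top
objectclass: country
c: us

# LDIF separates entries with a blank line; the listing ran the two
# entries together, which an LDIF parser rejects.
dn: o=The Firm
objectclass: top
objectclass: organization
o: The Firm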
|
o=The Firm
objectclass=top
objectclass=organization
o=The Firm
|
Note: For the production system, you might not want to make the LDAP password available in the configuration file after the initial setup.
For more information, see this website:
|
# Grants the group cn=anybody r (read), s (search) and c (compare) on
# the normal, system and critical attribute classes of this entry (IBM
# Tivoli Directory Server aclentry syntax), i.e. anonymous read of what
# PKI Services publishes under it.
# NOTE(review): this DN (OU=ROOTCA ITSO PKI Redbooks) differs from the
# CA DN the setup output printed (OU=ROOTCA IBM PKI RedBooks,O=IBM,C=US);
# the ACL must be applied to the entry PKI Services actually posts under.
# NOTE(review): a "changetype: modify" record normally carries an
# add:/replace: line naming the attribute before its value - verify the
# server accepts this shortened form.
dn: OU=ROOTCA ITSO PKI Redbooks,O=IBM,C=US
changetype: modify
aclentry: group:cn=anybody:normal:rsc:system:rsc:critical:rsc
|
Note: You are accessing the rootca certificate that is in /var/pkiserv, which is specified in vhost80.conf.
|
18.217.181.166