Front cover Contents Notices Trademarks Preface The team that wrote this redbook Become a published author Comments welcome
Chapter 1. Security Server PKI Services 1.1 Overview of digital certificate 1.2 The PKIX standards 1.2.1 CA hierarchy 1.2.2 The X.509 certificate and Certificate Revocation List 1.2.3 The x.509 v3 certificate extension fields 1.2.4 Certificate and CRL appearance 1.3 The z/OS PKI Services 1.3.1 Security Server PKI Services in z/OS 1.3.2 Prerequisite products 1.3.3 Requests supported by z/OS PKI Services 1.3.4 Browser and server certificates 1.3.5 The z/OS PKI Services architecture 1.4 Security Server PKI Services enhancement in z/OS V1R4 1.4.1 Sysplex support 1.4.2 Event notification via e-mail 1.4.3 Additional distinguished name qualifier support 1.4.4 LDAP password encryption 1.4.5 PKCS#7 certificate chain support 1.4.6 Key generation via PCICC 1.4.7 Additional default CERTAUTH 1.4.8 Summary of z/OS PKI external characteristics as of z/OS V1R4
Chapter 2. RACF for PKI Services 2.1 Introduction to creating an RACF environment for new products 2.1.1 RACF group structure 2.1.2 Machine user IDs 2.1.3 System data set profiles 2.1.4 Ownership 2.2 New RACF features 2.2.1 Access control lists 2.2.2 Automatic assignment of UID/GID 2.3 Setting up RACF environment for PKI prerequisites 2.3.1 z/OS UNIX level security 2.3.2 RACF for Web server 2.3.3 RACF for OCSF and OCEP 2.3.4 RACF for LDAP 2.3.5 RACF for ICSF 2.4 Setting up the RACF environment for PKI Services 2.4.1 Add RACF groups for PKI Services 2.4.2 Adding RACF user IDs for PKI Services 2.4.3 Adding PKI data set profiles 2.4.4 Using RACF to create certificates 2.4.5 Daemon and server control for PKI user ID and surrogate user ID 2.4.6 Allow PKI user ID to act as CA 2.4.7 Allow Web server to access its own key ring 2.4.8 Allow Web server user ID to switch identity to surrogate user ID 2.4.9 Profile for PKI Services procedure in class STARTED 2.4.10 Allow access for PKISTU to OCSF 2.4.11 ICSF 2.4.12 Protect certificate functions 2.5 RACF administration for PKI Services 2.5.1 Creating a help desk function 2.5.2 Administering certificates with the HostIdMappings extension 2.5.3 Display your PKI Services certificates 2.5.4 Establishing PKI Services as intermediate certificate authority 2.5.5 Renewing your PKI Services CA certificate 2.5.6 Recovering a CA certificate profile 2.5.7 Controlling applications that call R_PKIServ 2.5.8 Using encrypted passwords for LDAP servers 2.5.9 Register a Personal Certificate with RACF
Chapter 3. Easy steps to get PKI up and running 3.1 Preparing the PKI Server installation 3.1.1 Steps to set up the PKI server 3.2 Prepare and configure the environment 3.3 Setting up the Web servers for PKI 3.3.1 Why do we need two Web servers? 3.3.2 Setting up the Web server as a secure Web server 3.3.3 Customizing the Web server for SSL 3.3.4 Customizing the first Web server for PKI 3.3.5 Customizing the second Web server for PKI 3.4 Setting up the LDAP server for PKI 3.4.1 LDAP setup: running the ldapcnf utility 3.5 Setting up the PKI Services task 3.6 Configure OCSF and OCEP to work with PKI Services 3.7 Configure the PKI Services 3.7.1 Set up the environment variables for PKI Services 3.7.2 Customizing the PKI Services configuration file 3.7.3 Customizing the PKI template 3.8 Checking the VSAM data set
Chapter 4. Customizing the z/OS PKI Services: the template file 4.1 The template file, CGI, and the Web end user 4.1.1 The template file sections 4.1.2 The CGI modules 4.1.3 Relationship between CGI modules and Web user templates 4.1.4 An example of simple customization of the template file 4.2 Structure of the template file for interaction with the PKI Administrator 4.2.1 The CGI modules 4.2.2 Customization of the administration Web pages 4.2.3 PKI administrator e-mail address 4.2.4 PKI Services certification policy 4.2.5 Link to PKI Services from your home page 4.2.6 Certificate authentication for administrators
Chapter 5. PKI Installation using the IKYSETUP REXX exec 5.1 IKYSETUP overview 5.2 IKYSETUP variables 5.2.1 Compulsory changes to IKYSETUP 5.2.2 Probable changes to IKYSETUP 5.2.3 Optional changes to IKYSETUP
Chapter 6. PKI Exit 6.1 PKI Exit main routine 6.2 Steps for installing and modifying the exit code sample 6.3 Test for scenario 1
Chapter 7. PKI Services and the Cryptographic Coprocessor 7.1 Introduction to Cryptography Solution on S/390 - zSeries 7.1.1 Cryptographic Coprocessor Feature (CCF) 7.1.2 PCI Cryptographic Coprocessor (PCICC) 7.1.3 PCI Cryptographic Accelerator (PCICA) 7.1.4 Assigning coprocessors to an LPAR 7.2 Cryptographic solution on z990 7.2.1 CP Assist for Cryptographic Function 7.2.2 PCI Extended Cryptographic Coprocessor 7.2.3 Software requirements 7.3 Integrated Cryptographic Services Facility 7.3.1 CKDS and PKDS 7.3.2 Controlling access to ICSF resources 7.4 Boosting SSL connection with hardware encryption 7.4.1 Secure Sockets Layer (SSL) 7.4.2 IBM HTTP Server accessing the cryptographic coprocessor 7.4.3 Checking hardware encryption for Web server encryption 7.5 Keeping your CA signature key secure with ICSF 7.5.1 RACF taking advantage of ICSF 7.6 Sharing PKDS in a sysplex environment
Chapter 8. LDAP enhancements for availability. 8.1 Optional LDAP enhancements for availability 8.1.1 Redundancy
Appendix A. PKI Exit sample
Appendix B. List of sample files provided with PKI Services httpd.conf sample for PKI Web server 1 httpd.envvars sample for the PKI Web server httpd.conf sample for PKI Web server 2 pkiserv.conf pkiserv.envars pkiserv.tmpl PKI Services subcomponents and message levels JCL samples
Related publications IBM Redbooks Other publications Online resources How to get IBM Redbooks Index Back cover.
Description based on publisher supplied metadata and other sources.
Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2021. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
Print version: Redbooks, IBM Implementing PKI Services on z/OS