PKI Services for z/OS

Components and Related Products

Administration Web application

Helps authorized administrators review requests for certificates, approve or reject requests, renew certificates, or revoke certificates through their own Web browsers. The application consists of sample screens that you can easily customize to display your organization’s logo. It also supports the following tasks:

End-user Web application

Guides your users to request, obtain, and renew certificates through their Web browsers. The application consists of sample screens that you can easily customize to meet your organization’s needs for certificate content and standards for appearance. It offers several certificate templates that you can use to create requests for a variety of certificate types, based on the certificate’s intended purpose and validity period, and supports certificate requests that are automatically approved.


Provides advanced customization for additional authorization checking, validating, and changing parameters on calls to the R_PKIServ callable service (IRRSPX00), and capturing certificates for further processing. You can call this exit from the PKIServ CGIs and use its IRRSPX00 pre-processing and post-processing functions. A code sample in C is included.

ICSF (optional)

IBM’s Integrated Cryptographic Services Facility (ICSF) allows PKI Services to provide these functions.


The directory that maintains information about the valid and revoked certificates that PKI Services issues in an LDAP-compliant format. You can use an LDAP server such as z/OS Security Server LDAP.

PKI Services daemon

The server daemon that acts as your certificate authority, confirming the identities of users and servers, verifying that they are entitled to certificates with the requested attributes, and approving and rejecting requests to issue and renew certificates. It includes support for:

DB2 (optional)

Provides an alternative to VSAM data sets as the repository for the object store request database and the issued certificate list (ICL). Installations that expect to generate and track hundreds of thousands of certificates and requests can choose DB2 as the repository and benefit from DB2's superior scaling and reliability.

R_PKIServ callable service (IRRSPX00)

The application programming interface (API) that allows authorized applications, such as servers, to programmatically request the functions of PKI Services to generate, retrieve and administer certificates.

RACF (or equivalent)

Controls who can use the functions of the R_PKIServ callable service and protects the components of your PKI Services system. RACF creates your certificate authority’s certificate, key ring and private key. You can also use it to store the private key, if ICSF is not available.

z/OS HTTP Server

PKI Services uses the Web server to encrypt messages, authenticate requests, and transfer certificates to intended recipients if you implement the PKI Services Web application using REXX CGI execs.

WebSphere Application Server and Liberty Profile

WebSphere and the Liberty Profile can be used as alternatives to the z/OS HTTP Server if you implement the PKI Services Web application using JavaServer Pages (JSPs).
