
PKI Services for z/OS

Components and Related Products

  

Administration Web application

Helps authorized administrators review requests for certificates, approve or reject requests, renew certificates, or revoke certificates through their own Web browsers. The application consists of sample screens that you can easily customize to display your organization’s logo. It also supports the following tasks:

  • Reviewing pending certificate requests.
  • Querying pending requests to process those that meet certain criteria.
  • Displaying detailed information about a certificate or request.
  • Monitoring certificate information, such as validity period.
  • Annotating the reason for an administrative action.
  • Preregistering a Simple Certificate Enrollment Protocol (SCEP) client application, to permit the application to autonomously request certificates.

End-user Web application

Guides your users to request, obtain, and renew certificates through their Web browsers. The application consists of sample screens that you can easily customize to meet your organization’s needs for certificate content and standards for appearance. It offers several certificate templates that you can use to create requests for a variety of certificate types, based on the certificate’s intended purpose and validity period, and supports certificate requests that are automatically approved.

Exit

Provides advanced customization: additional authorization checking, validating and changing parameters on calls to the R_PKIServ callable service (IRRSPX00), and capturing certificates for further processing. You can call this exit from the PKIServ CGIs and use its IRRSPX00 pre-processing and post-processing functions. A code sample in C is included.

ICSF (optional)

IBM’s Integrated Cryptographic Services Facility (ICSF) allows PKI Services to provide these functions:

  • Securely stores the PKI Services certificate authority’s private signing key.
  • Allows PKI Services to create a key pair for a generated certificate on behalf of requestors when requestors are unable to provide their own key pairs.

LDAP

The directory that maintains, in an LDAP-compliant format, information about the valid and revoked certificates that PKI Services issues. You can use an LDAP server such as z/OS Security Server LDAP.

PKI Services daemon

The server daemon that acts as your certificate authority, confirming the identities of users and servers, verifying that they are entitled to certificates with the requested attributes, and approving and rejecting requests to issue and renew certificates. It includes support for:

  • An issued certificate list (ICL) to track issued certificates.
  • Certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) to track revoked certificates.
  • Simple Certificate Enrollment Protocol (SCEP) requests to issue certificates directly to an SCEP client.
  • Certificate Management Protocol (CMP) requests to issue certificates directly to a CMP client.

DB2 (optional)

Provides an alternative to VSAM data sets as the repository for the object store request database and the issued certificate list (ICL). Installations that expect to generate and track hundreds of thousands of certificates and requests can choose DB2 as the repository and benefit from DB2's superior scaling and reliability.

R_PKIServ callable service (IRRSPX00)

The application programming interface (API) that allows authorized applications, such as servers, to programmatically request the functions of PKI Services to generate, retrieve, and administer certificates.

RACF (or equivalent)

Controls who can use the functions of the R_PKIServ callable service and protects the components of your PKI Services system. RACF creates your certificate authority’s certificate, key ring, and private key. You can also use it to store the private key if ICSF is not available.

z/OS HTTP Server

PKI Services uses the Web server to encrypt messages, authenticate requests, and transfer certificates to intended recipients if you implement the PKI Services Web application using REXX CGI execs.

WebSphere Application Server

WebSphere can be used as an alternative to the z/OS HTTP Server if you implement the PKI Services Web application using Java server pages (JSPs).



 