Digital Certificates Management - JC - go2vanguard.com


Post on 19-May-2020

18 views

Category:

Documents


0 download

TRANSCRIPT


Page 1

Digital Certificates Management

1 ©2012 Vanguard Integrity Professionals, Inc.

Digital Certificate Topics

• History of Cryptography
• Cryptographic terms you need to know
• What cryptographic services are in z/OS?
• Why do we need cryptography?
• What are digital certificates?
• RACF RACDCERT command
• RACF profiles for digital certificates
• Administrator and digital certificates
• Advisor and digital certificates

2 ©2012 Vanguard Integrity Professionals, Inc.


Page 2

History of Cryptography

• Clay tablets dated near 1500 BC found in Mesopotamia were used to encrypt a craftsman’s recipe for pottery glaze

• Hebrew scholars used simple substitution ciphers around 500 or 600 BC

• The ancient Greeks and Spartan military used the scytale transposition cipher

3 ©2012 Vanguard Integrity Professionals, Inc.

A Scytale

What is Encryption and Decryption

• A simple algorithm, cryptosystem and cryptanalysis

Vanguard Provides Our Security (plaintext)
Ydpjxdug Surylghv Rxu Vhfxulwb (ciphertext)

• Simply shifting each letter by X positions is the cryptosystem
– The number 3 is the secret key
– A=D, B=E, C=F, and so on

Cryptography shields the data from casual view

4 ©2012 Vanguard Integrity Professionals, Inc.


Page 3

Technology used in Cryptography

• Manual cryptography
– Religious texts and Egyptian hieroglyphs

• Mechanical cryptography
– Enigma machine (WWII): 3 alphabetic rotors = 17576 keys (26 x 26 x 26)

• Computerized cryptography
– Mainframes and PCs

5 ©2012 Vanguard Integrity Professionals, Inc.

How Strong is your Algorithm

Cryptographic Terms

• Common algorithms
– Data Encryption Standard (DES): OLD, DON'T USE
– Triple DES (fading away)
– Advanced Encryption Standard (AES)
– Rivest-Shamir-Adleman (RSA)
– Elliptic Curve Digital Signature Algorithm (ECDSA)
– Hashes

• Key types
– Symmetric
– Asymmetric

6 ©2012 Vanguard Integrity Professionals, Inc.


Page 4

RACF Release History

z/OS Version 1.n

• Cryptographic Services
• Integrated Cryptographic Service Facility (ICSF)
– Hardware
• Open Cryptographic Services Facility (OCSF)
– Software API for PKI
• Public Key Infrastructure (PKI) Services
– Software environment facilitating encryption and authentication
• System Secure Sockets Layer (SSL)
– Protocol for secure data transmission

7 ©2012 Vanguard Integrity Professionals, Inc.

Why Do We Need Cryptography?

8 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: Privacy, Non-repudiation, Accountability, Integrity)


Page 5

Security Services Needed for E-Business

Authentication    Identify and verify the user
Confidentiality   Prevent disclosure of the data
Data Integrity    Prevent modification of the data
Non-Repudiation   Proof of participation in a transaction
Access Control    Control access to resources

9 ©2012 Vanguard Integrity Professionals, Inc.

What? Me Learn Cryptography?

10 ©2012 Vanguard Integrity Professionals, Inc.

TLS and SSL use three cryptographic operations:
• Symmetric key encryption
• Asymmetric key encryption
• Cryptographic hash

(Cartoon: "zzz… My boss didn't tell me I had to know crypto to do this job. I need a cup of coffee.")


Page 6

Sending Credentials

11 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: user ID and password sent across the Internet)

Symmetric or Secret Key Cryptography

12 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: Carol encrypts the plaintext "Welcome to Vanguard" with the secret key 10101010101010101 into the ciphertext 110010101011100111011; Sue decrypts it with the same secret key, recovering "Welcome to Vanguard")

• Symmetric encryption is secure and fast

• AES is now the new standard

• How do we distribute the secret key?


Page 7

Asymmetric or Public Key Cryptography

13 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: Carol encrypts the plaintext "Welcome to Vanguard" with Sue's public key using the public key algorithm, producing the ciphertext 110010101011100111011; Sue decrypts it with Sue's private key, recovering "Welcome to Vanguard")

• Asymmetric is secure but slower than symmetric

• Carol needs to know Sue's public key

• How do we find out someone's public key?

Private and Public Keys

• Private and Public keys are numerically related

• Data encrypted with one can only be decrypted with the other

14 ©2012 Vanguard Integrity Professionals, Inc.



Page 8

Secret Key vs. Public Key

15 ©2012 Vanguard Integrity Professionals, Inc.

Secret Key (Symmetric)
  Pro: Fast
  Con: How to distribute the key? Must protect the secret key

Public Key (Asymmetric)
  Pro: Freely distribute the public key
  Con: Slow. Must protect the private key. Trust: is the public key really from whom we think it is, or is it from an imposter?

Public Key Infrastructure (PKI)

16 ©2012 Vanguard Integrity Professionals, Inc.

1. Carol generates a random secret key

2. Carol encrypts the secret key with Sue’s public key

3. The secret key is transmitted securely

4. Sue decrypts the encrypted secret key with her private key

(Diagram: steps 1 to 4 between Carol and Sue, using Sue's public key and Sue's private key with the public key algorithm)


Page 9

Best of Both Worlds

17 ©2012 Vanguard Integrity Professionals, Inc.

Now, both Carol and Sue possess the secret key

5. Carol encrypts message with the secret key

6. The encrypted message is sent securely

7. Sue decrypts the message with the secret key

(Diagram: steps 5 to 7 between Carol and Sue, each holding the shared secret key, using the symmetric key algorithm to produce and decrypt the encrypted message)

Cryptographic Hash Function

18 ©2012 Vanguard Integrity Professionals, Inc.

Message: "Once upon a time, in a land far far away, there was a security administrator who eagerly enrolled in a RACF course. Little did that person realize that the subject of cryptography would be taught in the class…"

Hashing algorithm

• One-way algorithm
• Reduces data to a small digest
• Digest is unique to the data

Message digest: d131dd02c5e6eec4693d9a0698aff95c


Page 10

Digital Signature - 1

19 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: Joe's message goes through the hashing algorithm to produce a message digest; the digest is encrypted with Joe's private key using the public key algorithm, and the encrypted message digest travels over the network together with Joe's message. Joe: "I must make sure that this data is not altered during transmission.")

Digital Signature - 2

20 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: the received message goes through the hashing algorithm to produce a message digest; the encrypted message digest from the network is decrypted with Joe's public key using the public key algorithm; the two digests are compared: Equal?)

If both digests are the same, then the message was not altered, and it was signed with Joe's private key.
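The hybrid exchange of the PKI and "Best of Both Worlds" slides (steps 1 to 7), the hash slide and the two digital-signature slides, carried out end to end in Python as an added example that is not code from the Vanguard deck. It uses textbook RSA over fixed, publicly known Mersenne primes, so the key pair demonstrates only the numeric relationship between private and public key and has no secrecy; SHA-256 is the hash, and a SHA-256 keystream is a constructed stand-in for AES. The function names, the Carol/Sue roles and the message text are this example's own.

```python
# Added example (not from the Vanguard slides): the four-step key exchange
# (1-4), the symmetric message exchange (5-7) and the digital signature
# (hash, then sign the digest with the private key) with textbook RSA over
# fixed Mersenne primes and a SHA-256 keystream standing in for AES.
# Constructed for illustration: no padding, no real key generation.
import hashlib
import secrets
from typing import Tuple

# Key pair: (n, e) is public, (n, d) is private. The primes are fixed and
# publicly known, so this pair only shows how the two keys relate.
_P, _Q = (1 << 127) - 1, (1 << 521) - 1
_PHI = (_P - 1) * (_Q - 1)
SUE_PUBLIC: Tuple[int, int] = (_P * _Q, 65537)
SUE_PRIVATE: Tuple[int, int] = (_P * _Q, pow(65537, -1, _PHI))

def rsa_apply(m: int, key: Tuple[int, int]) -> int:
    """Raise m to the key's exponent modulo n. With the public key this encrypts
    (or verifies); with the private key it decrypts (or signs)."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for AES: SHA-256(key || counter) keystream XORed with
    data. The same call encrypts and decrypts, as the shared-secret slide shows."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)

def hybrid_send(plaintext: bytes, recipient_public: Tuple[int, int]) -> Tuple[int, bytes]:
    """Steps 1, 2, 5: Carol makes a random secret key, wraps it with Sue's
    public key, and encrypts the message with the secret key."""
    secret_key = secrets.token_bytes(16)                                       # step 1
    wrapped = rsa_apply(int.from_bytes(secret_key, "big"), recipient_public)   # step 2
    return wrapped, keystream_xor(secret_key, plaintext)                       # step 5

def hybrid_receive(wrapped_key: int, ciphertext: bytes,
                   recipient_private: Tuple[int, int]) -> bytes:
    """Steps 4 and 7: Sue unwraps the secret key with her private key and
    decrypts the message with it."""
    secret_key = rsa_apply(wrapped_key, recipient_private).to_bytes(16, "big")  # step 4
    return keystream_xor(secret_key, ciphertext)                                # step 7

def digest(message: bytes) -> int:
    """One-way hash of the message; any change to the message changes this value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, signer_private: Tuple[int, int]) -> int:
    """Digital Signature 1: hash, then 'encrypt' the digest with the private key."""
    return rsa_apply(digest(message), signer_private)

def verify(message: bytes, signature: int, signer_public: Tuple[int, int]) -> bool:
    """Digital Signature 2: recover the digest with the public key and compare it
    with a fresh hash of the received message."""
    return rsa_apply(signature, signer_public) == digest(message)

if __name__ == "__main__":
    msg = b"Welcome to Vanguard"
    wrapped, ct = hybrid_send(msg, SUE_PUBLIC)          # Carol -> Sue
    print("decrypted:", hybrid_receive(wrapped, ct, SUE_PRIVATE))
    sig = sign(msg, SUE_PRIVATE)                        # Sue signs as "Joe" would
    print("signature valid:", verify(msg, sig, SUE_PUBLIC))            # True
    print("tampered valid:", verify(msg + b"!", sig, SUE_PUBLIC))      # False
```

The asymmetric operation runs once per session to move a 16-byte secret, and everything after that is the fast symmetric path, which is exactly the trade-off the "Secret Key vs. Public Key" slide sets up.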


Page 11

What Is A Digital Certificate?

21 ©2012 Vanguard Integrity Professionals, Inc.

• Serial number of certificate
• Distinguished name of issuer (CA)
• Distinguished name of subject
• Subject's public key info
  - Algorithm
  - Public key
• Expiration date
• Signature of certifying authority: the SHA-256 message digest of the fields above, encrypted with the private key of the certifying authority

Purpose of Digital Certificates

• Trusted validation of parties: by induction, I believe party is who he claims to be

• Scalability: get public keys only when really needed

• Transmission and storage of public keys can be insecure: replace storing many keys securely with:
– store (insecurely) many certificates
– store securely the root certificate
– store securely the private key

• Can provide permissions (Authorizations)

22 ©2012 Vanguard Integrity Professionals, Inc.


Page 12

X.509 Digital Certificates

• A data structure that contains, at minimum, the following fields:
– The distinguished name of the owner of the public key, also called the subject's name
– The distinguished name of the issuer of the certificate, also called the issuer's name
– The subject's public key
– The time period during which the certificate is valid, also called the validity period
– The certificate's serial number as designated by the issuer
– The issuer's digital signature

23 ©2012 Vanguard Integrity Professionals, Inc.

Types of Digital Certificates

• Certificate-Authority Certificate or Root Certificate
– Associated with a Certificate Authority
– Used to verify signatures in other certificates
– The CA is responsible for:
  • identifying entities before certificate generation,
  • ensuring the quality of its own key pair,
  • keeping its private key secret.

• Intermediate (really just a CA)
– Signed by a trusted Certificate Authority
– Used to verify signatures in other certificates
– Responsible for:
  • identifying entities before certificate generation,
  • ensuring the quality of its own key pair,
  • keeping its private key secret.

24 ©2012 Vanguard Integrity Professionals, Inc.


Page 13

Types of Digital Certificates

• Site Certificate (unique to IBM) or Server Certificate
– Associated with a server or multiple servers
– Signed by a Certificate Authority (CA or intermediate)
– Used to authenticate a server and enable secure communication
– Allows sharing of private keys

• User Certificate
– Associated with a RACF user
– Signed by a Certificate Authority
– Used to authenticate a user

25 ©2012 Vanguard Integrity Professionals, Inc.

Certificate Validation

26 ©2012 Vanguard Integrity Professionals, Inc.

Which ones do I need stored in my browser so I can view a secure web page?

(Diagram: three certificates, each showing serial number, issuer and subject names, subject's public key, expiration date and signature of certifying authority)

Certificate 1, serial 123245769aade343: VeriSign Intermediate (CA) / www.go2vanguard.com
Certificate 2, serial 1ae234788aade343: VeriSign Intermediate CA / VeriSign Root CA
Certificate 3, serial 12bc34567aade3dd43: VeriSign Root CA / VeriSign Root CA

Trust labels on the slide: Trusted, Trusted, Not Trusted
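The validation walk this slide asks about, as an added Python example that is not code from the Vanguard deck: the X.509 fields listed on the previous slides modelled as a small record, a CA issuing function, and a chain check that starts at the server certificate and must end at a certificate the user has chosen to trust. It reuses the slide's serial numbers and names; the key pairs are textbook RSA over fixed Mersenne primes (constructed, unpadded, illustration only), and the expiry dates, the reference date and the function names are this example's own assumptions. It goes one step beyond the slide by also showing what fails: an empty trust store, a missing intermediate, an expired leaf, and a self-signed server certificate.

```python
# Added example (not from the Vanguard slides): X.509 fields as a record, a
# CA issuing function, and the chain walk a browser (or RACF's *AUTH* ring)
# performs. Signatures are textbook RSA over fixed Mersenne primes:
# constructed, unpadded, illustration only.
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Dict, Tuple

Key = Tuple[int, int]  # (modulus, exponent)

def toy_keypair(p: int, q: int) -> Tuple[Key, Key]:
    """((n, e), (n, d)) from two fixed primes. Constructed, not a real key generation."""
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

@dataclass(frozen=True)
class Certificate:
    serial: str
    issuer: str           # distinguished name of the issuer (CA)
    subject: str          # distinguished name of the owner of the public key
    public_key: Key       # subject's public key info
    not_after: date       # expiration date
    signature: int        # issuer's signature over the fields above

    def tbs_digest(self) -> int:
        """SHA-256 of the to-be-signed fields: the value the CA actually signs."""
        tbs = f"{self.serial}|{self.issuer}|{self.subject}|{self.public_key}|{self.not_after}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")

def issue(serial: str, issuer: str, issuer_private: Key,
          subject: str, subject_public: Key, not_after: date) -> Certificate:
    """The CA fills in the fields, hashes them, and signs the digest with its private key."""
    unsigned = Certificate(serial, issuer, subject, subject_public, not_after, 0)
    n, d = issuer_private
    return Certificate(serial, issuer, subject, subject_public, not_after,
                       pow(unsigned.tbs_digest(), d, n))

def signature_ok(cert: Certificate, issuer_public: Key) -> bool:
    """'Decrypt' the signature with the issuer's public key and compare with a fresh digest."""
    n, e = issuer_public
    return pow(cert.signature, e, n) == cert.tbs_digest()

def validate_chain(leaf: Certificate, presented: Dict[str, Certificate],
                   trust_store: Dict[str, Certificate], today: date) -> Tuple[bool, str]:
    """Walk from the leaf towards the trust store. Every certificate on the path must
    be unexpired and verify under the key of the certificate named as its issuer,
    and the walk must reach a certificate the user has chosen to trust."""
    cert = leaf
    for _ in range(10):                      # bound the walk; real chains are short
        if today > cert.not_after:
            return False, f"{cert.subject}: expired on {cert.not_after}"
        if cert.issuer in trust_store:       # anchor reached: verify under the trusted key
            root = trust_store[cert.issuer]
            if signature_ok(cert, root.public_key):
                return True, f"chain ends at trusted root {root.subject}"
            return False, f"{cert.subject}: signature does not verify under {root.subject}"
        if cert.issuer == cert.subject:      # self-signed but not in the store
            return False, f"{cert.subject}: self-signed and not trusted"
        issuer = presented.get(cert.issuer)  # intermediates travel with the server cert
        if issuer is None:
            return False, f"{cert.subject}: issuer {cert.issuer} not presented and not trusted"
        if not signature_ok(cert, issuer.public_key):
            return False, f"{cert.subject}: signature does not verify under {issuer.subject}"
        cert = issuer
    return False, "chain too long"

# The three certificates from the slide. Serial numbers and names are the slide's;
# key pairs, expiry dates and the reference date are constructed.
ROOT_PUB, ROOT_PRIV = toy_keypair((1 << 521) - 1, (1 << 607) - 1)
INTER_PUB, INTER_PRIV = toy_keypair((1 << 127) - 1, (1 << 1279) - 1)
LEAF_PUB, LEAF_PRIV = toy_keypair((1 << 2203) - 1, (1 << 2281) - 1)

ROOT = issue("12bc34567aade3dd43", "VeriSign Root CA", ROOT_PRIV,
             "VeriSign Root CA", ROOT_PUB, date(2028, 1, 1))        # self-signed
INTERMEDIATE = issue("1ae234788aade343", "VeriSign Root CA", ROOT_PRIV,
                     "VeriSign Intermediate CA", INTER_PUB, date(2020, 1, 1))
SERVER = issue("123245769aade343", "VeriSign Intermediate CA", INTER_PRIV,
               "www.go2vanguard.com", LEAF_PUB, date(2014, 1, 1))
SELF_SIGNED = issue("deadbeef00000001", "www.go2vanguard.com", LEAF_PRIV,   # constructed serial
                    "www.go2vanguard.com", LEAF_PUB, date(2014, 1, 1))
PRESENTED = {c.subject: c for c in (SERVER, INTERMEDIATE)}        # what the server sends

def browser_checks(today: date = date(2013, 6, 1)) -> Dict[str, bool]:
    """Only the root needs to live in the trust store; the intermediate is verified, not trusted outright."""
    store = {ROOT.subject: ROOT}
    return {
        "root in store": validate_chain(SERVER, PRESENTED, store, today)[0],
        "empty store": validate_chain(SERVER, PRESENTED, {}, today)[0],
        "intermediate missing": validate_chain(SERVER, {SERVER.subject: SERVER}, store, today)[0],
        "leaf expired": validate_chain(SERVER, PRESENTED, store, date(2015, 1, 1))[0],
        "self-signed leaf": validate_chain(SELF_SIGNED, {}, store, today)[0],
    }

if __name__ == "__main__":
    for case, ok in browser_checks().items():
        print(f"{case:22s} {'trusted' if ok else 'NOT trusted'}")
```

The answer to the slide's question falls out of the `trust_store` argument: the browser needs the root stored and trusted, the intermediate can arrive with the server certificate because it is verified against the root, and the server certificate is never stored at all. The self-signed case is the state of the web server before the VeriSign-signed certificate replaces it in the "Real life Example" later in the deck.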


Page 14

Key Rings

• Collection of certificates that are available to the user

• Used to determine the trustworthiness of the client or server

• Virtual key ring:
– Set of all certificates available for all users
– Predefined *AUTH* and *SITE*

27 ©2012 Vanguard Integrity Professionals, Inc.

Certificates, CAs, Browsers

• Many operating systems contain CAs’ certificates available for all users.

• RACF has the equivalent, called "virtual rings".

28 ©2012 Vanguard Integrity Professionals, Inc.


Page 15

Certificates, CAs, RACF

29 ©2012 Vanguard Integrity Professionals, Inc.

Trusted Root store (*AUTH*) in RACF

TLS for Secure Transaction

30 ©2012 Vanguard Integrity Professionals, Inc.

(Diagram: client web browser and server, steps 1 to 5)

Client: https://www.medserver.org/medicaldata.html

Server sends certificate with public key

Client sends symmetric key (encrypted with public key; server decrypts with private key)

Client authenticates (validates the trust tree: all intermediate and CA certificates) the server's certificate

….. Encrypted Data ….. Encrypted Data ….. Encrypted Data …..

All information encrypted with the symmetric key


Page 16

The Life Cycle of a Certificate

31 ©2012 Vanguard Integrity Professionals, Inc.

Public Services
– Import CA tree; mark as trusted
– Generate certificate; generate request; send to CA for signing
– Return and import; attach to rings
– Expire; rollover; rekey

Private Services
– Create self-signed CA; mark as trusted; export and deliver
– Generate signed certificates
– Attach to rings
– Expire; rollover; rekey

RACDCERT Commands for Digital Certificates

32 ©2012 Vanguard Integrity Professionals, Inc.


Page 17

(Diagram: RACDCERT command → RACF → RACF database)

The RACDCERT Command

• List information about the certificates for a user
• Add a certificate definition and associate it with a user
• Alter the TRUST status or the LABEL name for a certificate
• Delete a certificate
• List a certificate in a data set and determine if it is associated with a userid
• Create, delete, or list a key ring
• Add or remove a certificate from a key ring
• Generate a public/private key pair and certificate
• Write a certificate to a data set
• Create a certificate request
• Add, list, modify, or delete a userid mapping

33 ©2012 Vanguard Integrity Professionals, Inc.

Using the RACDCERT Command

RACDCERT [ID(user) | SITE | CERTAUTH] command-options

• ID(user) – directed to a User certificate

• SITE – directed to a Site certificate

• CERTAUTH – directed to a CA certificate

34 ©2012 Vanguard Integrity Professionals, Inc.


Page 18

Basic Rules for RACDCERT

Entity              RACDCERT command                                         Issued to ID type
Certificate         GENCERT, GENREQ, ADD, LIST, ALTER, DELETE, CHECKCERT,    RACF ID, CERTAUTH, SITE
                    EXPORT, REKEY, ROLLOVER
Key Ring            ADDRING, LISTRING, CONNECT, REMOVE                       RACF ID
Certificate Filter  MAP, LISTMAP, ALTMAP, DELMAP                             RACF ID, Multiple Mapping ID (MultiID)

35 ©2012 Vanguard Integrity Professionals, Inc.

Basic Rules for RACDCERT

• If no ID is specified, the user who issues the command is used.
– List my certificates:
  RACDCERT LIST(LABEL('cert1'))
– List someone else's certificates:
  RACDCERT ID(user2) LIST(LABEL('cert1'))

• Labels are for management purposes only; they are not part of the certificate.

• The control of RACDCERT is managed by FACILITY class profiles.

36 ©2012 Vanguard Integrity Professionals, Inc.


Page 19

Access to the RACDCERT Command

IRR.DIGTCERT.ADD Add certificate

IRR.DIGTCERT.ADDRING Add key ring

IRR.DIGTCERT.ALTER Alter certificate

IRR.DIGTCERT.CONNECT Connect cert to key ring

IRR.DIGTCERT.EXPORT Write cert to data set

IRR.DIGTCERT.GENCERT Generate certificate

IRR.DIGTCERT.LIST List certificate

IRR.DIGTCERT.LISTRING List key ring

37 ©2012 Vanguard Integrity Professionals, Inc.

FACILITY Class Profiles:

Who Can Issue RACDCERT?

• SPECIAL user - use all functions of RACDCERT

• FACILITY class profile IRR.DIGTCERT.function
– READ – issue RACDCERT for self
– UPDATE – issue RACDCERT for others
– CONTROL – issue RACDCERT for SITE and CERTAUTH certificates

• Example
– Trusted Admins - Add CA certificates and Site certificates
– Help Desk - List certificates and key rings for anyone
– End Users
  • Add, delete, and modify contents of their own key rings
  • Add, delete, and alter their own certificates
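The READ/UPDATE/CONTROL rule and the three example roles on this slide, written out as a small Python authorization check. This is an added example, not code from the Vanguard deck or from RACF itself: the user IDs, the access list and the SPECIAL set are constructed (end users are also given READ on IRR.DIGTCERT.LIST here so that they can list their own certificates), and generic profiles such as IRR.DIGTCERT.*, conditional access, and the DIGTCERT and DIGTRING classes are deliberately not modelled.

```python
# Added example (not from the Vanguard slides): the FACILITY-class rule as a
# decision function. READ on IRR.DIGTCERT.function covers the issuer's own
# certificates, UPDATE covers other users, CONTROL covers SITE and CERTAUTH,
# and a SPECIAL user may use every function. All IDs and access levels are
# constructed for illustration.
from typing import Dict, Optional, Set, Tuple

ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

def has_at_least(granted: str, required: str) -> bool:
    return ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index(required)

def required_access(issuer: str, target: Optional[str]) -> str:
    """target is a user ID, 'SITE', 'CERTAUTH', or None (no ID given: defaults to the issuer)."""
    if target in ("SITE", "CERTAUTH"):
        return "CONTROL"
    if target is None or target == issuer:
        return "READ"
    return "UPDATE"

def racdcert_allowed(issuer: str, function: str, target: Optional[str],
                     special_users: Set[str],
                     facility_access: Dict[Tuple[str, str], str]) -> Tuple[bool, str]:
    """Decide whether `issuer` may run RACDCERT <target> <function>.
    facility_access maps (user, profile) to the highest access that user holds."""
    if issuer in special_users:
        return True, "SPECIAL attribute: all RACDCERT functions"
    profile = f"IRR.DIGTCERT.{function}"
    granted = facility_access.get((issuer, profile), "NONE")
    needed = required_access(issuer, target)
    return has_at_least(granted, needed), f"{profile}: has {granted}, needs {needed}"

# Constructed access list mirroring the slide's example roles.
FACILITY: Dict[Tuple[str, str], str] = {
    # Trusted admins: add CA and site certificates -> CONTROL on ADD
    ("ADMIN1", "IRR.DIGTCERT.ADD"): "CONTROL",
    # Help desk: list certificates and key rings for anyone -> UPDATE on LIST/LISTRING
    ("HELPDESK", "IRR.DIGTCERT.LIST"): "UPDATE",
    ("HELPDESK", "IRR.DIGTCERT.LISTRING"): "UPDATE",
    # End users: their own rings and certificates -> READ (LIST added so they can see them)
    ("USER1", "IRR.DIGTCERT.LIST"): "READ",
    ("USER1", "IRR.DIGTCERT.ADD"): "READ",
    ("USER1", "IRR.DIGTCERT.ALTER"): "READ",
    ("USER1", "IRR.DIGTCERT.DELETE"): "READ",
    ("USER1", "IRR.DIGTCERT.ADDRING"): "READ",
    ("USER1", "IRR.DIGTCERT.CONNECT"): "READ",
    ("USER1", "IRR.DIGTCERT.REMOVE"): "READ",
}
SPECIAL: Set[str] = {"SECADM"}   # constructed user ID with the SPECIAL attribute

def demo() -> Dict[str, bool]:
    """Each case is (issuer, RACDCERT function, target): True if the command would be allowed."""
    cases = {
        "admin adds CERTAUTH cert": ("ADMIN1", "ADD", "CERTAUTH"),
        "helpdesk lists USER2's certs": ("HELPDESK", "LIST", "USER2"),
        "helpdesk adds a cert for USER2": ("HELPDESK", "ADD", "USER2"),
        "user lists own certs (no ID given)": ("USER1", "LIST", None),
        "user adds own cert": ("USER1", "ADD", None),
        "user adds cert for USER2": ("USER1", "ADD", "USER2"),
        "user adds SITE cert": ("USER1", "ADD", "SITE"),
        "SPECIAL user does anything": ("SECADM", "GENCERT", "CERTAUTH"),
    }
    return {name: racdcert_allowed(u, f, t, SPECIAL, FACILITY)[0]
            for name, (u, f, t) in cases.items()}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:36s} {'allowed' if allowed else 'denied'}")
```

The point the slide's CAUTION makes next is visible in the model: nothing here consults the OWNER or UACC of a DIGTCERT profile, because the decision is made entirely on the FACILITY profile and the relationship between issuer and target.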

38 ©2012 Vanguard Integrity Professionals, Inc.


Page 20

• CAUTION: OWNER is not like other profile classes
– Ownership does not give access or control in RACF
– OWNER is the user who issued the command, not the certificate owner
– UACC does not give ACCESS
– Causes false audit findings because this is misunderstood

DIGTCERT CLASS

39 ©2012 Vanguard Integrity Professionals, Inc.

CLASS      NAME
-----      ----
DIGTCERT   0A.OU=SBSVCS¢DEMO¢CERTIFICATE¢AUTHORITY.O=SENERGY¢BUSINESS¢SYSTEMS.CUS

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    TSJC00    ALTER             ALTER        NO

Resource Classes for Certificates

• DIGTCERT – Contains digital certificates and information related to them.

• DIGTRING – Contains a profile for each key ring and provides information about the digital certificates that are part of each key ring.

• DIGTNMAP – Contains mapping class for certificate name filters.

• DIGTCRIT – Specifies additional criteria for certificate name filters.

40 ©2012 Vanguard Integrity Professionals, Inc.


Page 21

Real life Example from before

• Request to secure our web server www.go2vanguard.com
– Create self-signed certificate
– Generate certificate request to send off to VeriSign
– Receive signed certificate
– Replace existing self-signed certificate
– Import any intermediate certificates if required
– Connect to proper key rings
– Test service

41 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT Command Examples

1. Create the public/private key pair and self-signed certificate

RACDCERT ID(WEBSRV) GENCERT -
  SUBJECTSDN(CN('www.go2vanguard.com') -
             OU('Information Technology Dept') -
             O('Vanguard Integrity Professionals') -
             C('USA') L('Las Vegas')) -
  WITHLABEL('www.gowvangaurd.com')

2. Create a certificate request

RACDCERT ID(WEBSRV) GENREQ(LABEL('www.gowvangaurd.com')) -
  DSN('WEB.SERVER.GENREQ')

42 ©2012 Vanguard Integrity Professionals, Inc.


Page 22

What a BASE64 cert looks like

3. Send the certificate request to the Certifying Authority: cut and paste it into an email and send it to the certifying authority

43 ©2012 Vanguard Integrity Professionals, Inc.

********************************* Top of Data **********************************
-----BEGIN NEW CERTIFICATE REQUEST-----
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
-----END NEW CERTIFICATE REQUEST-----
******************************** Bottom of Data ********************************

RACDCERT Command Examples

4. The Certifying Authority validates the request, approves it, signs it and sends the SIGNED certificate back to the requestor

5. The requestor receives the certificate into a data set 'WWW.SERVER.CERT'

6. Replace the self-signed certificate with the certificate signed by the CA

RACDCERT ID(WEBSRV) ADD('ITSERVER.CERT') -
  WITHLABEL('www.gowvangaurd.com')

44 ©2012 Vanguard Integrity Professionals, Inc.


Page 23

RACDCERT Command Examples

7. Define a RACF key ring for a server

RACDCERT ID(WEBSRV) ADDRING(WEBRING)

8. Connect the certificate to the server's key ring and mark it as the default certificate

RACDCERT ID(WEBSRV) CONNECT(LABEL('www.gowvangaurd.com') -
  RING(WEBRING) DEFAULT)

45 ©2012 Vanguard Integrity Professionals, Inc.

When in doubt, connect ID(userid) or SITE certificates as DEFAULT. Some services such as CICS cannot select a certificate by label name and must use the DEFAULT keyword. Do not connect CERTAUTH certificates as DEFAULT.

RACF Commands for Digital Certificates

46 ©2012 Vanguard Integrity Professionals, Inc.


Page 24

RACDCERT (Commands)

• Working with Certificates
– GENCERT (Generate certificate)
– GENREQ (Generate request)
– ADD (Add certificate)
– ALTER (Alter certificate)
– REKEY (Rekey certificate)
– ROLLOVER (Rollover certificate)
– DELETE (Delete certificate)
– CHECKCERT (Check certificate)
– EXPORT (Export certificate package)
– IMPORT (Import certificate)
– LIST (List certificate)

47 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT (Commands)

48 ©2012 Vanguard Integrity Professionals, Inc.

• Working with Rings
– LISTRING (List key ring)
– ADDRING (Add key ring)
– DELRING (Delete key ring)
– CONNECT (Connect a certificate to a key ring)
– REMOVE (Remove a certificate from a key ring)

• Working with Mapping
– MAP (Create mapping)
– ALTMAP (Alter mapping)
– DELMAP (Delete mapping)
– LISTMAP (List mapping)


Page 25

RACDCERT GENCERT

49 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT GENCERT [ (request-data-set-name) ]
  [ ID(certificate-owner) | SITE | CERTAUTH ]
  [ SUBJECTSDN( [ CN('common-name') ] [ T('title') ]
                [ OU('organizational-unit-name1', 'organizational-unit-name2', ...) ]
                [ O('organization-name') ] [ L('locality') ]
                [ SP('state-or-province') ] [ C('country') ] ) ]
  [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
  [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
  [ WITHLABEL('label-name') ]
  [ SIGNWITH( [ CERTAUTH | SITE ] LABEL('label-name') ) ]
  [ SIZE(key-size) ]
  [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | DSA | NISTECC | BPECC | FROMICSF(pkds-label) } ]
  [ KEYUSAGE( [ CERTSIGN ] [ DATAENCRYPT ] [ DOCSIGN ] [ HANDSHAKE ] [ KEYAGREE ] ) ]
  [ ALTNAME( IP(numeric-IP-address) DOMAIN('internet-domain-name')
             EMAIL('email-address') URI('universal-resource-identifier') ) ]

GenCert examples

Certificate Authority certificate:

RACDCERT GENCERT CERTAUTH SUBJECTSDN( -
  OU('Vanguard DEMO CERTIFICATE AUTHORITY') -
  O('Vanguard Demo Systems') C('US')) -
  WITHLABEL('Local RACF PKI CA') -
  NOTAFTER(DATE(2020-01-01))

Server certificate:

RACDCERT GENCERT ID(FTPD) -
  SUBJECTSDN(CN('172.16.20.121') -
             O('Vanguard Integrity Professionals') C('US')) -
  SIZE(1024) -
  WITHLABEL('FTP_Cert') -
  SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))

Site certificate:

RACDCERT GENCERT SITE -
  SUBJECTSDN(CN('Vanguard.Demo.Systems.Com') -
             O('Vanguard Integrity Professionals') C('US')) -
  SIZE(1024) -
  WITHLABEL('FTP_Cert') -
  SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))

50 ©2012 Vanguard Integrity Professionals, Inc.


Page 26

RACDCERT GENREQ

RACDCERT GENREQ(LABEL('WEBSRV_Server_Cert')) -
  ID(WEBSRV) -
  DSN('WEBSRV.SERVER.GENREQ')

51 ©2012 Vanguard Integrity Professionals, Inc.

*********************** Top of Data ****************************
-----BEGIN NEW CERTIFICATE REQUEST-----
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
-----END NEW CERTIFICATE REQUEST-----
************** Bottom of Data ********************************

RACDCERT ADD

The Certifying Authority validates the request, approves it, signs it and sends the certificate back to the requestor.

The requestor receives the certificate into a data set 'WEBSRV.SERVER.CERT'.

Replace the self-signed certificate with the certificate signed by the CA:

RACDCERT ADD('WEBSRV.SERVER.CERT') ID(WEBSRV) -
  WITHLABEL('WEBSRV_Server_Cert')

52 ©2012 Vanguard Integrity Professionals, Inc.


Page 27

RACDCERT LIST examples

• RACDCERT <Identifier> LIST <options>
– List all certificates owned by USER1:
  RACDCERT ID(USER1) LIST
– List all CAs:
  RACDCERT CERTAUTH LIST
– List all SITE certificates:
  RACDCERT SITE LIST
– List the CA certificate with a given label:
  RACDCERT CERTAUTH LIST(LABEL('RSA Secure Server CA'))

53 ©2012 Vanguard Integrity Professionals, Inc.

Note: Only one Identifier USERID, SITE or CERTAUTH may be used.

RACDCERT ALTER

• RACDCERT <Identifier> ALTER( <options> ) option()

– Change a CA's trust status:
  RACDCERT CERTAUTH ALTER(LABEL('RSA Secure Server CA')) TRUST

• Note: CAs delivered by IBM are not marked as trusted. To allow their use, they must be marked trusted and connected to a KEYRING.

– Change an existing label:
  RACDCERT ID(WEBSERV) ALTER(LABEL('www.go2vanguard.com')) NEWLABEL('label')

Note: Labels are for ease of administration

54 ©2012 Vanguard Integrity Professionals, Inc.

Note: Only one Identifier USERID, SITE or CERTAUTH may be used.


Page 28

RACDCERT DELETE

• RACDCERT DELETE [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ (LABEL('label-name')) ] | [ (SERIALNUMBER(serial-number) [ ISSUERSDN('issuer's-dn') ]) ]

RACDCERT CERTAUTH DELETE(LABEL('Verisign Class 3 Primary CA'))

Note: you must specify the ID, and you can specify either SERIALNUMBER or LABEL. All of these must match exactly, including case and digits.

55 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT CHECKCERT

• RACDCERT CHECKCERT(data-set-name) [ PASSWORD('pkcs12-password') ]

  RACDCERT CHECKCERT('TSJC00.GTE.ROOT')

Note: the password is typically needed for certificates with keys, or for packages.

Start Date: 1998/08/12 16:29:00

End Date: 2018/08/13 15:59:00

Serial Number:

>01A5<

Issuer's Name:

>CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<

> Corporation.C=US<

Subject's Name:

>CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<

> Corporation.C=US<

Key Type: RSA

Key Size: 1024

56 ©2012 Vanguard Integrity Professionals, Inc.


Page 29

RACDCERT EXPORT

Export the Local Certificate to a data set

RACDCERT EXPORT(LABEL('Local_RACF_CA')) -
  CERTAUTH -
  DSN('TSJC00.Local.RACF.CA')

• Caution: if you use passwords you must remember them.

• Hint: CER/DER formats for CERTAUTH certificates.

57 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT REKEY

• RACDCERT REKEY(LABEL('existing-label-name'))
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ SIZE(key-size) ]
    [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | NISTECC | BPECC } ]
    [ WITHLABEL('to-be-created-label-name') ]

A lot like GENCERT isn’t it

58 ©2012 Vanguard Integrity Professionals, Inc.


Page 30

RACDCERT ROLLOVER

• RACDCERT ROLLOVER(LABEL('old-label-name'))
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    NEWLABEL('new-label-name')
    [ FORCE ]

RACDCERT ROLLOVER(LABEL('Local_RACF_CA')) -
  CERTAUTH -
  NEWLABEL('Local.RACF.CA.NEW')

What would you do next??

59 ©2012 Vanguard Integrity Professionals, Inc.

RACF Commands for Digital Certificate Rings

60 ©2012 Vanguard Integrity Professionals, Inc.


Page 31

RACDCERT ADDRING

• Define a RACF key ring for ID TN3270:
  RACDCERT ADDRING(TSORING) ID(TN3270)

Remember: you must define (ADDRING) the ring before using it.

• Do not ADDRING for CERTAUTH or SITE!
– RACF has two virtual rings that are always available:
  • *AUTH*
  • *SITE*

61 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT CONNECT

• RACDCERT [ ID(ring-owner) ]
    CONNECT(
      [ ID(certificate-owner) | SITE | CERTAUTH ] LABEL('label-name')
      RING(ring-name)
      [ DEFAULT ] [ USAGE(PERSONAL | SITE | CERTAUTH) ]
    )

When In doubt use DEFAULT for PERSONAL

62 ©2012 Vanguard Integrity Professionals, Inc.


Page 32

RACDCERT LISTRING

• RACDCERT ID(FTPD) LISTRING(RINGNAME)

• RACDCERT ID(FTPD) LISTRING(*)

• Cannot LISTRING SITE or CERTAUTH
– IRRD120I Incorrect use of SITE. A Site Certificate cannot own a key ring.
– They are VIRTUAL and always exist.

63 ©2012 Vanguard Integrity Professionals, Inc.

RACDCERT REMOVE

• RACDCERT REMOVE( [ ID(certificate-owner) | SITE | CERTAUTH ] LABEL('label-name') RING(ring-name) ) [ ID(ring-owner) ]

RACDCERT ID(TN3270) REMOVE(LABEL('TN370_CERT') RING(TSORING))

RACDCERT ID(TN3270) REMOVE(CERTAUTH LABEL('LOCAL_RACF_PKI_CERT') RING(TSORING))

64 ©2012 Vanguard Integrity Professionals, Inc.


Page 33

Vanguard Administrator and Digital Certificates

72 ©2012 Vanguard Integrity Professionals, Inc.

Administrator and Digital Certificates

73 ©2012 Vanguard Integrity Professionals, Inc.


Page 34

Set Defaults

74 ©2012 Vanguard Integrity Professionals, Inc.

Default uses VDMOPT00 in VANOPTS


VDMOPT00 in VANOPTS


Customized for Individual User


View Certificates


View User and Site Certificates


No RACDCERT Command Parameter available to get this report.

Use of CMD Column Commands


List User Profile Certificate Information


View Ring Information


View Rings with Certificates


No RACDCERT Command Parameter available to get this report.


1 Ring with 2 Certificates


Switch to Live for Additional Options


Create a User Certificate


Create a Keyring for a Server


Comparable RACF Command

RACDCERT ID(itserver) ADDRING(itring)


Create a Server Certificate


Comparable RACF Command

RACDCERT ID(ITSERVER) GENCERT -
  SUBJECTSDN(CN('go2vanguard.com') -
             OU('Information Technology Dept') -
             O('Vanguard Integrity Professionals') -
             C('USA')) -
  WITHLABEL('IT_Server_Cert')

With no SIGNWITH, GENCERT creates a self-signed certificate and its private key in RACF; it serves as a placeholder until the CA-signed copy is added. Specify SIZE explicitly rather than relying on the release default for the key length.


Create a Certificate Request


Comparable RACF Command

RACDCERT ID(JOHNC) GENREQ(LABEL('test')) -
  DSN('JOHNC.GENREQ')

GENREQ is its own RACDCERT function, not an option of GENCERT: it takes the public key and subject name from the existing certificate with that label and writes a PKCS #10 request to the data set. The private key never leaves RACF.


Importing the Signed Cert


Create CA Signed Certificate


Comparable RACF Command

RACDCERT ID(ITSERVER) ADD('ITSERVER.GENREQ') -
  WITHLABEL('IT_Server_Cert')

The data set is the one into which the CA-signed certificate was received. Because it carries the same public key as the self-signed certificate generated earlier, RACF replaces that certificate in place and keeps the existing private key, so the ring connection built on that key keeps working.


Connect CA Signed Certificate to Ring


Comparable RACF Command

RACDCERT ID(ITSERVER) CONNECT(LABEL('IT_Server_CA_Cert') -
  RING(itring) DEFAULT)

DEFAULT belongs only on the server's own PERSONAL certificate. The CA certificate that signed it must be connected to the same ring as well (CERTAUTH LABEL('...') RING(itring) USAGE(CERTAUTH), without DEFAULT), or the server cannot send a complete chain.
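The "Comparable RACF Command" slides from ADDRING through CONNECT are one procedure, and in practice it is scripted rather than typed. The following is an added example, not code from the slides or from Vanguard: it emits that sequence with the syntax corrected (GENREQ as its own function, ADD for the returned certificate, the CA connected with USAGE(CERTAUTH) and the server certificate as the only DEFAULT), validates the names the way RACF would reject them, and keeps every line within the 72 columns that SYSTSIN honours in batch TSO. The owner, ring, label and subject DN come from the slides; the data set for the signed certificate (ITSERVER.SIGNED) and the CA label (LOCAL_RACF_PKI_CERT, reused from the REMOVE slide) are assumptions.

```python
"""Generate the RACDCERT sequence that sets up a server key ring.

Added example, not code from the slides. Steps mirror the "Comparable RACF
Command" slides (ADDRING, GENCERT, GENREQ, ADD, CONNECT) with the syntax
corrected, and the inputs are validated the way RACF would reject them.
Data set names and the CA label are assumptions for illustration.
"""
from __future__ import annotations

MAX_USERID = 8      # RACF user ID length
MAX_LABEL = 32      # RACDCERT certificate label length
MAX_RING = 237      # RACDCERT ring-name length
TSO_WIDTH = 72      # columns honoured by SYSTSIN in batch TSO (IKJEFT01)


def tso_quote(value: str) -> str:
    """Quote a value for TSO: wrap in single quotes, double embedded ones."""
    return "'" + value.replace("'", "''") + "'"


def validate_names(owner: str, ring: str, label: str) -> list[str]:
    """Return the reasons RACF would reject these names (empty if none)."""
    problems = []
    if not 1 <= len(owner) <= MAX_USERID:
        problems.append(f"owner {owner!r} is not 1-{MAX_USERID} characters")
    if not 1 <= len(ring) <= MAX_RING:
        problems.append(f"ring name longer than {MAX_RING} characters")
    if not 1 <= len(label) <= MAX_LABEL:
        problems.append(f"label longer than {MAX_LABEL} characters")
    return problems


def pack_tso(tokens: list[str], width: int = TSO_WIDTH) -> str:
    """Pack tokens onto TSO lines, continuing each with a trailing ' -'.

    Every line is kept within `width` columns including the continuation,
    so the command survives SYSTSIN in batch, where columns past 72 are lost.
    """
    lines: list[str] = []
    cur = ""
    for tok in tokens:
        if len(tok) + 2 > width:
            raise ValueError(f"token too long for a {width}-column line: {tok}")
        cand = tok if not cur else f"{cur} {tok}"
        if len(cand) + 2 > width:
            lines.append(cur + " -")
            cur = tok
        else:
            cur = cand
    lines.append(cur)
    return "\n".join(lines)


def server_keyring_commands(owner: str, ring: str, label: str, dn: dict[str, str],
                            req_dsn: str, signed_dsn: str, ca_label: str,
                            key_size: int = 2048) -> list[str]:
    """Build the ordered RACDCERT commands for a server's key ring."""
    problems = validate_names(owner, ring, label)
    if not dn:
        problems.append("subject DN is required")
    if problems:
        raise ValueError("; ".join(problems))
    # SUBJECTSDN components, one token each, in the order given (CN, OU, O, C).
    dn_tokens = [f"{k}({tso_quote(v)})" for k, v in dn.items()]
    dn_tokens[0] = "SUBJECTSDN(" + dn_tokens[0]
    dn_tokens[-1] += ")"
    q_label = f"LABEL({tso_quote(label)})"
    return [
        # 1. the ring must exist before anything is connected to it
        f"RACDCERT ID({owner}) ADDRING({ring})",
        # 2. key pair plus self-signed placeholder; SIZE set explicitly
        pack_tso(["RACDCERT", f"ID({owner})", "GENCERT", *dn_tokens,
                  f"SIZE({key_size})", f"WITHLABEL({tso_quote(label)})"]),
        # 3. PKCS #10 request written to a data set for the CA
        pack_tso(["RACDCERT", f"ID({owner})", f"GENREQ({q_label})",
                  f"DSN({tso_quote(req_dsn)})"]),
        # 4. the CA-signed certificate replaces the self-signed one under the
        #    same owner and label; the private key in RACF is kept
        pack_tso(["RACDCERT", f"ID({owner})", f"ADD({tso_quote(signed_dsn)})",
                  f"WITHLABEL({tso_quote(label)})"]),
        # 5. the signing CA, connected for chain building (never DEFAULT)
        pack_tso(["RACDCERT", f"ID({owner})", "CONNECT(CERTAUTH",
                  f"LABEL({tso_quote(ca_label)})", f"RING({ring})", "USAGE(CERTAUTH))"]),
        # 6. the server's own certificate as the single DEFAULT in the ring
        pack_tso(["RACDCERT", f"ID({owner})", f"CONNECT(ID({owner})", q_label,
                  f"RING({ring})", "DEFAULT)"]),
        # 7. verify what the server will present
        f"RACDCERT ID({owner}) LISTRING({ring})",
    ]


if __name__ == "__main__":
    # Owner, ring, label and DN from the slides; data set names and CA label assumed.
    for cmd in server_keyring_commands(
        owner="ITSERVER", ring="itring", label="IT_Server_Cert",
        dn={"CN": "go2vanguard.com", "OU": "Information Technology Dept",
            "O": "Vanguard Integrity Professionals", "C": "US"},
        req_dsn="ITSERVER.GENREQ", signed_dsn="ITSERVER.SIGNED",
        ca_label="LOCAL_RACF_PKI_CERT",
    ):
        print(cmd, end="\n\n")
```

Steps 1 to 3 run before the CA is involved; steps 4 to 7 run after the signed certificate has been uploaded to the data set named in signed_dsn. The generator prints commands rather than issuing them so the output can be reviewed and placed in a SYSTSIN stream.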


Export the non-CA ITSERVER Certificate


Comparable RACF Command

RACDCERT ID(ITSERVER) EXPORT(LABEL('IT_Server_Cert')) -
  DSN('ITSERVER.CERT') FORMAT(PKCS12DER) -
  PASSWORD('DANDYDON')

Without ID, RACDCERT looks for the label under the user issuing the command. FORMAT(PKCS12DER) and FORMAT(PKCS12B64) package the private key together with the certificate, so RACF requires PASSWORD for them and the output data set must be protected like the key itself. To hand out only the public certificate, use FORMAT(CERTDER) or FORMAT(CERTB64), which needs no password.


Evaluate a Certificate on a Data Set


Comparable RACF Command

RACDCERT CHECKCERT('ITSERVER.CERT') -
  PASSWORD('DANDYDON')

CHECKCERT displays the certificate held in the data set, and whether it is already registered in RACF, without adding it. PASSWORD is needed only when the data set is a PKCS #12 package.


Delete the non-CA Certificate


Comparable RACF Command

RACDCERT ID(ITSERVER) DELETE(LABEL('IT_Server_Cert'))

Without ID, DELETE acts on the certificate of the user issuing the command. DELETE removes the certificate and its private key from RACF and disconnects it from every ring it was connected to, so a ring whose DEFAULT certificate is deleted is left with no certificate to present.

Vanguard Advisor and Digital Certificates


Advisor Reporting for Digital Certificates


RACF Command Summary Report


RACF Commands by Userid Report


Advisor RACDCERT Command


RACF Command Detail Report


Resource Access Summary Report


Resource Access Detail Report


Resources

• Security Server RACF Security Administrator's Guide, chapter "RACF and Digital Certificates"

• Security Server RACF Command Language Reference, RACDCERT command

• Implementing PKI Services on z/OS (IBM Redbook SG24-6968)
  http://www.redbooks.ibm.com/abstracts/sg246968.html?Open

• RACF Home Page
  http://www-03.ibm.com/systems/z/os/zos/features/racf/
