Digital Certificates Management
©2012 Vanguard Integrity Professionals, Inc.1
Digital Certificate Topics
• History of Cryptography
• Cryptographic terms you need to know
• What cryptographic services are in z/OS?
• Why do we need cryptography?
• What are digital certificates?
• RACF RACDCERT command
• RACF profiles for digital certificates
• Administrator and digital certificates
• Advisor and digital certificates
History of Cryptography
• Clay tablets dated near 1500 BC found in Mesopotamia were used to encrypt a craftsman’s recipe for pottery glaze
• Hebrew scholars used simple substitution ciphers around 500 or 600 BC
• The ancient Greeks and Spartan military used the scytale transposition cipher
A Scytale
What is Encryption and Decryption
• A simple algorithm, cryptosystem and cryptanalysis
  Vanguard Provides Our Security (plaintext)
  Ydpjxdug Surylghv Rxu Vhfxulwb (ciphertext)
• Simply shifting the letters by X is used as the cryptosystem
  – The number 3 is the secret key
  A=D, B=E, C=F and so on
Cryptography shields the data from casual view
Technology used in Cryptography
• Manual Cryptography
  – Religious text and Egyptian hieroglyphs
• Mechanical Cryptography
  – Enigma machine (WWII): 3 alphabetic rotors = 17576 keys (26x26x26)
• Computerized Cryptography
  – Mainframes & PCs
How Strong is your Algorithm
Cryptographic Terms
• Common Algorithms
  – Data Encryption Standard (DES): OLD, DON'T USE
  – Triple DES (fading away)
  – Advanced Encryption Standard (AES)
  – Rivest-Shamir-Adleman (RSA)
  – Elliptic Curve Digital Signature Algorithm (ECDSA)
  – Hashes
• Key Types
  – Symmetric
  – Asymmetric
RACF Release History
z/OS Version 1.n
• Cryptographic Services
• Integrated Cryptographic Service Facility (ICSF)
  – Hardware
• Open Cryptographic Services Facility (OCSF)
  – Software API for PKI
• Public Key Infrastructure (PKI) Services
  – Software environment facilitating encryption and authentication
• System Secure Sockets Layer (SSL)
  – Protocol for secure data transmission
Why Do We Need Cryptography?
(Figure: Privacy, Non-repudiation, Accountability, Integrity)
Security Services Needed for E-Business
Authentication – Identify and verify user
Confidentiality – Prevent disclosure of the data
Data Integrity – Prevent modification of data
Non-Repudiation – Proof of participation in transaction
Access Control – Control access to resources
What? Me Learn Cryptography?
TLS and SSL use three cryptographic operations:
• Symmetric Key Encryption
• Asymmetric Key Encryption
• Cryptographic Hash
zzz…
My boss didn’t tell me I had to know crypto to do this job
I need a cup of coffee
Sending Credentials
(Figure: User ID and Password sent across the Internet)
Symmetric or Secret Key Cryptography
(Figure: Carol and Sue share one Secret Key. The plaintext “Welcome to Vanguard” is encrypted with the encryption/decryption key 10101010101010101 into the ciphertext 110010101011100111011, which is decrypted back to the plaintext with the same key.)
• Symmetric encryption is secure and fast
• AES is now the new standard
• How do we distribute the secret key?
Asymmetric or Public Key Cryptography
(Figure: Carol encrypts the plaintext “Welcome to Vanguard” with Sue’s Public Key using the public key algorithm; the ciphertext 110010101011100111011 is sent to Sue, who decrypts it with Sue’s Private Key.)
• Asymmetric encryption is secure but slower than symmetric
• Carol needs to know Sue’s public key
• How do we find out someone's public key?
Private and Public Keys
• Private and Public keys are numerically related
• Data encrypted with one can only be decrypted with the other
Secret Key vs. Public Key
Secret Key (Symmetric)
• Pro
  – Fast
• Con
  – How to distribute the key?
  – Must protect the secret key
Public Key (Asymmetric)
• Pro
  – Freely distribute the public key
• Con
  – Slow
  – Must protect the private key
  – Trust: is the public key really from whom we think it is, or is it from an imposter?
Public Key Infrastructure (PKI)
1. Carol generates a random secret key
2. Carol encrypts the secret key with Sue’s public key
3. The secret key is transmitted securely
4. Sue decrypts the encrypted secret key with her private key
Best of Both Worlds
Now, both Carol and Sue possess the secret key
5. Carol encrypts message with the secret key
6. The encrypted message is sent securely
7. Sue decrypts the message with the secret key
Cryptographic Hash Function
Message: “Once upon a time, in a land far far away, there was a security administrator who eagerly enrolled in a RACF course. Little did that person realize that the subject of cryptography would be taught in the class…”
Hashing Algorithm:
• One-way algorithm
• Reduces data to a small digest
• Digest is unique to the data
Message Digest: d131dd02c5e6eec4693d9a0698aff95c
Digital Signature - 1
(Figure: Joe runs Joe’s Message through the hashing algorithm to get a Message Digest, encrypts that digest with Joe’s Private Key using the public key algorithm, and sends Joe’s Message together with the Encrypted Message Digest over the network.)
Joe: “I must make sure that this data is not altered during transmission.”
Digital Signature - 2
(Figure: the receiver runs Joe’s Message through the hashing algorithm to get a Message Digest, decrypts the Encrypted Message Digest with Joe’s Public Key using the public key algorithm, and compares the two digests: Equal?)
If both digests are the same, then the message was not altered, and it was signed with Joe’s private key.
What Is A Digital Certificate?
• Serial Number of Certificate
• Distinguished Name of Issuer (CA)
• Distinguished Name of Subject
• Subject’s Public Key Info
  - Algorithm
  - Public Key
• Expiration Date
• Signature of Certifying Authority: the SHA-256 message digest of the fields above, encrypted with the private key of the Certifying Authority (checked with its public key)
Purpose of Digital Certificates
• Trusted validation of parties: by induction, I believe party is who he claims to be
• Scalability: get public keys only when really needed
• Transmission and storage of public keys can be insecure: replace storing many keys securely with:
  – store (insecurely) many certificates
  – store securely the root certificate
  – store securely the private key
• Can provide permissions (Authorizations)
X.509 Digital Certificates
• A data structure that contains, at minimum, the following fields:
  – The distinguished name of the owner of the public key, also called the subject's name
  – The distinguished name of the issuer of the certificate, also called the issuer's name
  – The subject’s public key
  – The time period during which the certificate is valid, also called the validity period
  – The certificate's serial number as designated by the issuer
  – The issuer's digital signature
Types of Digital Certificates
• Certificate-Authority Certificate or Root Certificate
  – Associated with a Certificate Authority
  – Used to verify signatures in other certificates
  – The CA is responsible for:
    • identifying entities before certificate generation,
    • ensuring the quality of its own key pair,
    • keeping its private key secret.
• Intermediate (really just a CA)
  – Signed by a trusted Certificate Authority
  – Used to verify signatures in other certificates
  – Responsible for:
    • identifying entities before certificate generation,
    • ensuring the quality of its own key pair,
    • keeping its private key secret.
Types of Digital Certificates
• Site Certificate (unique to IBM) or Server Certificate
  – Associated with a server or multiple servers
  – Signed by a Certificate Authority (CA or intermediate)
  – Used to authenticate a server and enable secure communication
  – Allows sharing of private keys
• User Certificate
  – Associated with a RACF user
  – Signed by a Certificate Authority
  – Used to authenticate a user
Certificate Validation
Which ones do I need stored in my browser so I can view a secure web page?
• Server certificate – Serial Number 123245769aade343; Issuer: VeriSign Intermediate (CA); Subject: www.go2vanguard.com; Subject’s Public Key; Expiration Date; Signature of Certifying Authority
• Intermediate certificate – Serial Number 1ae234788aade343; Issuer: VeriSign Root CA; Subject: VeriSign Intermediate CA; Subject’s Public Key; Expiration Date; Signature of Certifying Authority
• Root certificate – Serial Number 12bc34567aade3dd43; Issuer: VeriSign Root CA; Subject: VeriSign Root CA; Subject’s Public Key; Expiration Date; Signature of Certifying Authority
(Figure labels: Trusted, Trusted, Not Trusted)
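An added example (not from the slides) of the trust-tree walk the figure describes: starting from the server certificate, follow issuer names upward until a certificate in the browser's trust store is reached, checking expiry on the way. The records mirror the three certificates in the figure (serial numbers from the slide; expiry dates are constructed), and signature checking is left out, so only the chaining logic is shown.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """The certificate fields the slide lists; public key and signature are omitted here."""
    serial: str
    subject: str
    issuer: str
    not_after: date

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed records mirroring the figure: serial numbers are the slide's, dates are made up.
SERVER = Cert("123245769aade343", "www.go2vanguard.com", "VeriSign Intermediate CA", date(2013, 6, 30))
INTERMEDIATE = Cert("1ae234788aade343", "VeriSign Intermediate CA", "VeriSign Root CA", date(2016, 12, 31))
ROOT = Cert("12bc34567aade3dd43", "VeriSign Root CA", "VeriSign Root CA", date(2026, 12, 31))


def build_chain(leaf, available, trusted, today, max_depth=8):
    """Follow issuer names from the leaf upward until a certificate in the trust
    store is reached.  Returns (trusted, path, reason).  A real validator also
    verifies each signature with the issuer's public key and checks revocation."""
    path = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current.not_after < today:
            return False, path, f"{current.subject} expired {current.not_after}"
        if current in trusted:
            return True, path, f"anchored at trusted certificate {current.subject}"
        if current.is_self_signed():
            return False, path, f"self-signed {current.subject} is not in the trust store"
        issuer = next((c for c in available if c.subject == current.issuer), None)
        if issuer is None:
            return False, path, f"issuer {current.issuer} not found"
        path.append(issuer)
        current = issuer
    return False, path, "chain too long (possible loop)"


if __name__ == "__main__":
    ok, path, reason = build_chain(SERVER, [SERVER, INTERMEDIATE, ROOT], {ROOT}, date(2013, 1, 1))
    print(ok, [c.subject for c in path], reason)
```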
Key Rings
• Collection of certificates that are available to the user
• Used to determine the trustworthiness of the client or server
• Virtual key ring:
  – Set of all certificates available for all users
  – Predefined *AUTH* and *SITE*
Certificates, CAs, Browsers
• Many operating systems contain CAs’ certificates available for all users.
• RACF has the equivalent, called “virtual rings”.
Certificates, CAs, RACF
Trusted Root store (*AUTH*) in RACF
TLS for Secure Transaction
(Figure: client Web Browser on the left, Server on the right, steps 1–5)
1. Client requests https://www.medserver.org/medicaldata.html
2. Server sends certificate with public key
3. Client authenticates the server’s certificate (validates the trust tree: all intermediate and CA certificates)
4. Client sends symmetric key (encrypted with the public key; the server decrypts it with its private key)
5. …..Encrypted Data…..Encrypted Data…..Encrypted Data ….. – all information encrypted with the symmetric key
The Life Cycle of a Certificate
Public Services
• Import CA tree
• Mark as trusted
• Generate certificate
• Generate request
• Send to CA for signing
• Return and import
• Attach to rings
• Expire / Rollover / Rekey
Private Services
• Create self-signed CA
• Mark as trusted
• Export and deliver
• Generate signed certificates
• Attach to rings
• Expire / Rollover / Rekey
RACDCERT Commands for Digital Certificates
The RACDCERT Command
• List information about the certificates for a user
• Add a certificate definition and associate it with a user
• Alter the TRUST status or the LABEL name for a certificate
• Delete a certificate
• List a certificate in a data set and determine if it is associated with a userid
• Create, delete, or list a key ring
• Add or remove a certificate from a key ring
• Generate a public/private key pair and certificate
• Write a certificate to a data set
• Create a certificate request
• Add, list, modify, or delete a userid mapping
Using the RACDCERT Command
RACDCERT [ID(user) | SITE | CERTAUTH]
command-options
• ID(user) – directed to a User certificate
• SITE – directed to a Site certificate
• CERTAUTH – directed to a CA certificate
Basic Rules for RACDCERT
Entity – RACDCERT Command – Issued to ID Type
Certificate – GENCERT, GENREQ, ADD, LIST, ALTER, DELETE, CHECKCERT, EXPORT, REKEY, ROLLOVER – RACF ID, CERTAUTH, SITE
Key Ring – ADDRING, LISTRING, CONNECT, REMOVE – RACF ID
Certificate Filter – MAP, LISTMAP, ALTMAP, DELMAP – RACF ID, Multiple Mapping ID (MultiID)
Basic Rules for RACDCERT
• If no ID is specified, the user who issues the command is used.
  – List my certificates:
    RACDCERT LIST(LABEL('cert1'))
  – List someone else's certificates:
    RACDCERT ID(user2) LIST(LABEL('cert1'))
• Labels are for management purposes only; they are not part of the certificate.
• The control of RACDCERT is managed by FACILITY class profiles.
Access to the RACDCERT Command
IRR.DIGTCERT.ADD Add certificate
IRR.DIGTCERT.ADDRING Add key ring
IRR.DIGTCERT.ALTER Alter certificate
IRR.DIGTCERT.CONNECT Connect cert to key ring
IRR.DIGTCERT.EXPORT Write cert to data set
IRR.DIGTCERT.GENCERT Generate certificate
IRR.DIGTCERT.LIST List certificate
IRR.DIGTCERT.LISTRING List key ring
FACILITY Class Profiles:
Who Can Issue RACDCERT?
• SPECIAL user – can use all functions of RACDCERT
• FACILITY class profile IRR.DIGTCERT.function
  – READ – issue RACDCERT for self
  – UPDATE – issue RACDCERT for others
  – CONTROL – issue RACDCERT for SITE and CERTAUTH certificates
• Example
  – Trusted Admins – add CA certificates and Site certificates
  – Help Desk – list certificates and key rings for anyone
  – End Users
    • Add, delete, and modify contents of their own key rings
    • Add, delete, and alter their own certificates
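An added example (not from the slides) that models the FACILITY class rules above so an auditor can check who may issue which RACDCERT command against which identifier. It relies on RACF access levels being hierarchical (CONTROL implies UPDATE implies READ); the role grants are constructed, and generic profiles and the DIGTCERT class itself are not modelled.

```python
# RACF access authorities are hierarchical: a higher level includes the lower ones.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def required_access(issuer: str, target: str) -> str:
    """Map the RACDCERT identifier (ID(user) | SITE | CERTAUTH) to the access level
    the slide lists: READ for self, UPDATE for others, CONTROL for SITE and CERTAUTH."""
    if target.upper() in ("SITE", "CERTAUTH"):
        return "CONTROL"
    return "READ" if target.upper() == issuer.upper() else "UPDATE"


def racdcert_allowed(issuer: str, is_special: bool, function: str, target: str, profile_access: dict):
    """Decide whether `issuer` may run RACDCERT <function> against `target`.
    profile_access maps discrete IRR.DIGTCERT.function profile names to this user's
    access; a profile that is absent counts as NONE."""
    if is_special:
        return True, "SPECIAL users may use all RACDCERT functions"
    profile = f"IRR.DIGTCERT.{function.upper()}"
    need = required_access(issuer, target)
    have = profile_access.get(profile, "NONE").upper()
    allowed = ACCESS_ORDER[have] >= ACCESS_ORDER[need]
    return allowed, f"{profile}: have {have}, need {need}"


# Constructed grants following the slide's example roles (not taken from a real system).
ROLE_GRANTS = {
    "TRUSTED_ADMIN": {"IRR.DIGTCERT.ADD": "CONTROL", "IRR.DIGTCERT.GENCERT": "CONTROL",
                      "IRR.DIGTCERT.CONNECT": "CONTROL", "IRR.DIGTCERT.LIST": "CONTROL"},
    "HELP_DESK": {"IRR.DIGTCERT.LIST": "UPDATE", "IRR.DIGTCERT.LISTRING": "UPDATE"},
    "END_USER": {"IRR.DIGTCERT.ADD": "READ", "IRR.DIGTCERT.ALTER": "READ",
                 "IRR.DIGTCERT.ADDRING": "READ", "IRR.DIGTCERT.CONNECT": "READ",
                 "IRR.DIGTCERT.LIST": "READ"},
}


def review_grants(issuer: str, role: str, attempts):
    """Return {(function, target): allowed} for a list of attempted commands, the
    kind of table an auditor builds when reviewing the FACILITY class profiles."""
    grants = ROLE_GRANTS[role]
    return {(f, t): racdcert_allowed(issuer, False, f, t, grants)[0] for f, t in attempts}


if __name__ == "__main__":
    checks = [("ADD", "USER1"), ("ADD", "USER2"), ("CONNECT", "USER1"), ("ADD", "SITE")]
    for key, allowed in review_grants("USER1", "END_USER", checks).items():
        print(key, "allowed" if allowed else "denied")
```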
DIGTCERT CLASS
• CAUTION: OWNER is not like in other profile classes
  – Ownership does not give access or control in RACF
  – OWNER is who issued the command, not the certificate owner
  – UACC does not give access
  – Causes false audit findings because it is misunderstood
CLASS      NAME
-----      ----
DIGTCERT   0A.OU=SBSVCS¢DEMO¢CERTIFICATE¢AUTHORITY.O=SENERGY¢BUSINESS¢SYSTEMS.CUS

LEVEL  OWNER     UNIVERSAL ACCESS   YOUR ACCESS   WARNING
-----  --------  ----------------   -----------   -------
 00    TSJC00    ALTER              ALTER         NO
Resource Classes for Certificates
• DIGTCERT – Contains digital certificates and information related to them.
• DIGTRING – Contains a profile for each key ring and provides information about the digital certificates that are part of each key ring.
• DIGTNMAP – Contains the mapping class for certificate name filters.
• DIGTCRIT – Specifies additional criteria for certificate name filters.
Real life Example from before
• Request to secure our web server www.go2vanguard.com
  – Create self-signed certificate
  – Generate certificate request to send off to VeriSign
  – Receive signed certificate
  – Replace existing self-signed certificate
  – Import any intermediate certificates if required
  – Connect to proper key rings
  – Test service
RACDCERT Command Examples
1. Create the public/private key pair and self-signed certificate
   RACDCERT ID(WEBSRV) GENCERT –
     SUBJECTSDN(CN('www.go2vanguard.com') –
       OU('Information Technology Dept') –
       O('Vanguard Integrity Professionals') –
       C('USA') L('Las Vegas')) –
     WITHLABEL('www.gowvangaurd.com')
2. Create a certificate request
   RACDCERT ID(WEBSRV) GENREQ(LABEL('www.gowvangaurd.com')) –
     DSN('WEB.SERVER.GENREQ')
What a BASE64 cert looks like
3. Send the certificate request to the Certifying Authority: cut and paste it into an email and send it to the certifying authority
********************************* Top of Data **********************************
-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END NEW CERTIFICATE REQUEST-----
******************************** Bottom of Data ********************************
RACDCERT Command Examples
4. Certifying Authority validates the certificate request, approves, signs and sends the SIGNED certificate back to the requestor
5. Requestor receives the certificate into a data set ‘WWW.SERVER.CERT’
6. Replace the self-signed certificate with the certificate signed by the CA
   RACDCERT ID(WEBSRV) ADD('ITSERVER.CERT') –
     WITHLABEL('www.gowvangaurd.com')
RACDCERT Command Examples
7. Define a RACF key ring for a server
   RACDCERT ID(WEBSRV) ADDRING(WEBRING)
8. Connect the certificate to the server’s key ring and mark it as the default certificate
   RACDCERT ID(WEBSRV) CONNECT(LABEL('www.gowvangaurd.com') –
     RING(WEBRING) DEFAULT)
When in doubt, connect ID(USERID) or SITE certificates as DEFAULT. Some services such as CICS do not have the ability to select a certificate by label name and must use the DEFAULT keyword. Do not connect CERTAUTH certificates as DEFAULT.
RACF Commands for Digital Certificates
RACDCERT (Commands)
• Working with Certificates
  – GENCERT (Generate certificate)
  – GENREQ (Generate request)
  – ADD (Add certificate)
  – ALTER (Alter certificate)
  – REKEY (Rekey certificate)
  – ROLLOVER (Rollover certificate)
  – DELETE (Delete certificate)
  – CHECKCERT (Check certificate)
  – EXPORT (Export certificate package)
  – IMPORT (Import certificate)
  – LIST (List certificate)
RACDCERT (Commands)
• Working with Rings
  – LISTRING (List key ring)
  – ADDRING (Add key ring)
  – DELRING (Delete key ring)
  – CONNECT (Connect a certificate to a key ring)
  – REMOVE (Remove a certificate from a key ring)
• Working with Mapping
  – MAP (Create mapping)
  – ALTMAP (Alter mapping)
  – DELMAP (Delete mapping)
  – LISTMAP (List mapping)
RACDCERT GENCERT
RACDCERT GENCERT [ (request-data-set-name) ] [ ID(certificate-owner) | SITE | CERTAUTH ]
  [ SUBJECTSDN( [ CN('common-name') ] [ T('title') ] [ OU('organizational-unit-name1', 'organizational-unit-name2', ...) ]
    [ O('organization-name') ] [ L('locality') ] [ SP('state-or-province') ] [ C('country') ] ) ]
  [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
  [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
  [ WITHLABEL('label-name') ]
  [ SIGNWITH( [ CERTAUTH | SITE ] LABEL('label-name') ) ]
  [ SIZE(key-size) ]
  [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | DSA | NISTECC | BPECC | FROMICSF(pkds-label) } ]
  [ KEYUSAGE( [ CERTSIGN ] [ DATAENCRYPT ] [ DOCSIGN ] [ HANDSHAKE ] [ KEYAGREE ] ) ]
  [ ALTNAME( IP(numeric-IP-address) DOMAIN('internet-domain-name') EMAIL('email-address') URI('universal-resource-identifier') ) ]
GenCert examples
Certificate Authority certificate:
RACDCERT GENCERT CERTAUTH SUBJECTSDN( –
  OU('Vanguard DEMO CERTIFICATE AUTHORITY') –
  O('Vanguard Demo Systems') C('US')) –
  WITHLABEL('Local RACF PKI CA') –
  NOTAFTER(DATE(2020-01-01))
Server certificate:
RACDCERT GENCERT ID(FTPD) –
  SUBJECTSDN(CN('172.16.20.121') –
  O('Vanguard Integrity Professionals') C('US')) –
  SIZE(1024) –
  WITHLABEL('FTP_Cert') –
  SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))
Site certificate:
RACDCERT GENCERT SITE –
  SUBJECTSDN(CN('Vanguard.Demo.Systems.Com') –
  O('Vanguard Integrity Professionals') C('US')) –
  SIZE(1024) –
  WITHLABEL('FTP_Cert') –
  SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))
RACDCERT GENREQ
RACDCERT GENREQ(LABEL('WEBSRV_Server_Cert')) –
  ID(WEBSRV) –
  DSN('WEBSRV.SERVER.GENREQ')
*********************** Top of Data ****************************
-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body omitted)
-----END NEW CERTIFICATE REQUEST-----
************** Bottom of Data ********************************
RACDCERT ADD
Certifying Authority validates the certificate request, approves, signs and sends the certificate back to the requestor.
Requestor receives the certificate into a data set ‘WEBSRV.SERVER.CERT’.
Replace the self-signed certificate with the certificate signed by the CA:
RACDCERT ADD('WEBSRV.SERVER.CERT') ID(WEBSRV) –
  WITHLABEL('WEBSRV_Server_Cert')
RACDCERT LIST examples
• RACDCERT <Identifier> LIST <options>
  – List all certificates owned by USER1
    RACDCERT ID(USER1) LIST
  – List all CAs
    RACDCERT CERTAUTH LIST
  – List all SITE certificates
    RACDCERT SITE LIST
  – List the CA with label 'RSA Secure Server CA'
    RACDCERT CERTAUTH LIST(LABEL('RSA Secure Server CA'))
Note: Only one Identifier USERID, SITE or CERTAUTH may be used.
RACDCERT ALTER
• RACDCERT <Identifier> ALTER(<options>) option()
  – Change a CA's trust status
    RACDCERT CERTAUTH ALTER(LABEL('RSA Secure Server CA')) TRUST
  • Note: CAs delivered by IBM are not marked as trusted. To allow their use, they must be marked trusted and connected to a key ring.
  – Change an existing label
    RACDCERT ID(WEBSERV) ALTER(LABEL('www.go2vanguard.com')) –
      NEWLABEL('label')
Note: Labels are for ease of administration.
Note: Only one Identifier USERID, SITE or CERTAUTH may be used.
RACDCERT DELETE
• RACDCERT DELETE [ ID(certificate-owner) | SITE | CERTAUTH ] [ (LABEL('label-name')) ] | [ (SERIALNUMBER(serial-number) [ ISSUERSDN('issuer's-dn') ]) ]
  RACDCERT CERTAUTH DELETE(LABEL('Verisign Class 3 Primary CA'))
Note: you must specify the ID; you can specify SERIALNUMBER or LABEL. All values must match exactly, including case and numbers.
RACDCERT CHECKCERT
• RACDCERT CHECKCERT(data-set-name) [ PASSWORD('pkcs12-password') ]
  RACDCERT CHECKCERT('TSJC00.GTE.ROOT')
Note: a password is typically needed for certificates with keys, or for packages.
Start Date: 1998/08/12 16:29:00
End Date: 2018/08/13 15:59:00
Serial Number:
>01A5<
Issuer's Name:
>CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
> Corporation.C=US<
Subject's Name:
>CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
> Corporation.C=US<
Key Type: RSA
Key Size: 1024
RACDCERT EXPORT
Export the local CA certificate to a data set:
RACDCERT EXPORT(LABEL('Local_RACF_CA')) –
  CERTAUTH –
  DSN('TSJC00.Local.RACF.CA')
• Caution: if you use passwords you must remember them.
• Hint: use the CER/DER format for CERTAUTH.
RACDCERT REKEY
• RACDCERT REKEY(LABEL('existing-label-name')) [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ SIZE(key-size) ]
    [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | NISTECC | BPECC } ]
    [ WITHLABEL('to-be-created-label-name') ]
A lot like GENCERT, isn’t it?
RACDCERT ROLLOVER
• RACDCERT ROLLOVER(LABEL('old-label-name')) [ ID(certificate-owner) | SITE | CERTAUTH ] NEWLABEL('new-label-name') [ FORCE ]
  RACDCERT ROLLOVER(LABEL('Local_RACF_CA')) –
    CERTAUTH –
    NEWLABEL('Local.RACF.CA.NEW')
What would you do next??
RACF Commands for Digital Certificate Rings
RACDCERT ADDRING
• Define a RACF key ring for ID TN3270
  RACDCERT ADDRING(TSORING) ID(TN3270)
  Remember: you must define (add) the ring prior to using the ring.
• Do not ADDRING for CERTAUTH or SITE!
  – RACF has two virtual rings that are always available
    • *AUTH*
    • *SITE*
RACDCERT CONNECT
• RACDCERT [ ID(ring-owner) ]
    CONNECT(
      [ ID(certificate-owner) | SITE | CERTAUTH ] LABEL('label-name')
      RING(ring-name)
      [ DEFAULT ] [ USAGE(PERSONAL | SITE | CERTAUTH) ]
    )
When in doubt, use DEFAULT for PERSONAL.
RACDCERT LISTRING
• RACDCERT ID(FTPD) LISTRING(RINGNAME)
• RACDCERT ID(FTPD) LISTRING(*)
• Cannot LISTRING SITE or CERTAUTH
  – IRRD120I Incorrect use of SITE. A Site Certificate cannot own a key ring.
  – They are virtual and always exist.
RACDCERT REMOVE
• RACDCERT REMOVE( [ ID(certificate-owner) | SITE | CERTAUTH ] LABEL('label-name') RING(ring-name) ) [ ID(ring-owner) ]
  RACDCERT ID(TN3270) REMOVE(LABEL('TN370_CERT') RING(TSORING))
  RACDCERT ID(TN3270) REMOVE(CERTAUTH LABEL('LOCAL_RACF_PKI_CERT') RING(TSORING))
Vanguard Administrator and Digital Certificates
Administrator and Digital Certificates
Set Defaults
Default uses VDMOPT00 in VANOPTS
VDMOPT00 in VANOPTS
Customized for Individual User
Customized for Individual User
View Certificates
View User and Site Certificates
No RACDCERT Command Parameter available to get this report.
Use of CMD Column Commands
List User Profile Certificate Information
Profile Certificate Information
View Ring Information
View Rings with Certificates
No RACDCERT Command Parameter available to get this report.
1 Ring with 2 Certificates
Switch to Live for Additional Options
Create a User Certificate
Create a User Certificate
Create a User Certificate
Create a User Certificate
Create a Keyring for a Server
Create a Keyring for a Server
Comparable RACF Command
RACDCERT ID(itserver) ADDRING(itring)
Create a Keyring for a Server
Create a Server Certificate
Create a Server Certificate
Create a Server Certificate
Comparable RACF Command
RACDCERT ID(ITSERVER) GENCERT –
  SUBJECTSDN(CN('go2vanguard.com') –
    OU('Information Technology Dept') –
    O('Vanguard Integrity Professionals') –
    C('USA')) –
  WITHLABEL('IT_Server_Cert')
Create a Server Certificate
Create a Certificate Request
Create a Certificate Request
Create a Certificate Request
Create a Certificate Request
Create a Certificate Request
Comparable RACF Command
RACDCERT ID(JOHNC) GENREQ(LABEL('test')) –
  DSN('JOHNC.GENREQ')
Create a Certificate Request
Create a Certificate Request
Importing the Signed Cert
Create CA Signed Certificate
Comparable RACF Command
RACDCERT ID(ITSERVER) –WITHLABEL(‘IT_Server_Cert’) –DSN(‘ITSERVER.GENREQ’)
Connect CA Signed Certificate to Ring
Connect CA Signed Certificate to Ring
Connect CA Signed Certificate to Ring
Connect CA Signed Certificate to Ring
Comparable RACF Command
RACDCERT ID(ITSERVER) –
  CONNECT(LABEL('IT_Server_CA_Cert') –
    RING(itring) DEFAULT)
Export the non-CA ITSERVER Certificate
Export the ITSERVER Certificate
Comparable RACF Command
RACDCERT EXPORT(LABEL('IT_Server_Cert')) –
  DSN('ITSERVER.CERT') FORMAT(PKCS12DER)
Evaluate a Certificate on a Data Set
Evaluate a Certificate on a Data Set
Comparable RACF Command
RACDCERT CHECKCERT('ITSERVER.CERT') –
  PASSWORD('DANDYDON')
Evaluate a Certificate on a Data Set
Delete the non-CA Certificate
Delete the non-CA Certificate
Comparable RACF Command
RACDCERT DELETE(LABEL('IT_Server_Cert'))
Vanguard Advisor and Digital Certificates
Advisor Reporting for Digital Certificates
RACF Command Summary Report
RACF Commands by Userid Report
Advisor RACDCERT Command
RACF Command Detail Report
RACF Command Detail Report
RACF Command Detail Report
RACF Command Detail Report
RACF Command Detail Report
RACF Command Detail Report
Resource Access Summary Report
Resource Access Summary Report
Resource Access Summary Report
Resource Access Summary Report
Resource Access Detail Report
Resource Access Detail Report
Resource Access Summary Report
Resource Access Detail Report
Resource Access Detail Report
Resources
• Security Server RACF Security Administrator’s Guide – chapter titled “RACF and Digital Certificates”
• Security Server RACF Command Language Reference – see the RACDCERT command
• Implementing PKI Services on z/OS (Redbook SG24-6968) – http://www.redbooks.ibm.com/abstracts/sg246968.html?Open
• RACF Home Page – http://www-03.ibm.com/systems/z/os/zos/features/racf/