Digital Certificates Support from z/OS PKI Services and ... · GSE Enterprise Systems Security Working Group December 13th 2013 Wai Choi, CISSP IBM Corporation RACF/PKI Development
IBM Systems and Technology Group
Trademarks
• CICS*
• DB2*
• IBM*
• IBM (logo)*
• OS/390*
• RACF*
• Websphere*
• z/OS*
The following are trademarks of the International Business Machines Corporation in the United States and/or other countries.
The following are trademarks or registered trademarks of other companies.
* Registered trademarks of IBM Corporation
* All other products may be trademarks or registered trademarks of their respective companies.
Identrus is a trademark of Identrus, Inc
VeriSign is a trademark of VeriSign, Inc
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Notes:
Performance is in Internal Throughput Rate (ITR) ratio based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput that any user will experience will vary depending upon considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve throughput improvements equivalent to the performance ratios stated here.
IBM hardware products are manufactured from new parts, or new and serviceable used parts. Regardless, our warranty terms apply.
All customer examples cited or described in this presentation are presented as illustrations of the manner in which some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions.
This publication was produced in the United States. IBM may not offer the products, services or features discussed in this document in other countries, and the information may be subject to change without notice. Consult your local IBM business contact for information on the product or services available in your area.
All statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
Information about non-IBM products is obtained from the manufacturers of those products or their published announcements. IBM has not tested those products and cannot confirm the performance, compatibility, or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Prices subject to change without notice. Contact your IBM representative or Business Partner for the most current pricing in your geography.
New Certificate Enhancements on PKI Services for z/OS V2R1
• Support secure key in TKDS
• Create Extended Validation (EV) certificates
• Provide granular administration authorization control
• Ability to restrict a subordinate CA from signing another subordinate CA
• Optionally issue a console message when CRL processing ends
Secure TKDS Support
• In the past, unlike the keys stored in the ICSF Public Key Data Set (PKDS), the keys stored in the Token Key Data Set (TKDS) were clear keys, not secure keys.
• “Secure Key” means that sensitive key material is always wrapped under a master key.
• In Web Deliverable #12, ICSF supports secure key on TKDS.
• To enable the applications to use the secure key in TKDS, RACF, PKI Services and System SSL need to be updated accordingly.
Granular Administration Authorization Control
• Enables multiple PKI Services administrators to perform different actions on different types of certificates within a domain.
• E.g. an administrator can be authorized to approve a server digital certificate, but not be authorized to approve a SCEP digital certificate.
• Authorization is based on the domain, action and the template:
• A switch is provided to turn on this granular check
• A new class PKISERV is created for resources used by different types of administration functions
• If granular checking is on, these resources will be checked, in addition to the existing authority check on the administrative functions
• Example: READ access to MYDOMAIN.QUERYREQS.1YBSSL and MYDOMAIN.QUERYCERTS.1YBSSL allows the administrator to perform QUERYREQS and QUERYCERTS, respectively, on the requests and certificates created with the '1-Year PKI SSL Browser Certificate' template in the domain named MYDOMAIN.
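The two-level check described above, as an added model that is not PKI Services or RACF code: the existing function-level authority always applies, and the PKISERV resource named DOMAIN.ACTION.TEMPLATE is consulted only when the granular switch is on. The profile store, the user ID PKIADM1, the function-authority table, the APPROVE action and the OTHERTMPL nickname are constructed stand-ins; real RACF profile matching (generic profiles, UACC, PROTECTALL) is not modelled.

```python
"""Model of PKI Services granular administration authorization (added
illustration; not IBM code). Shape of the check only: function-level
authority, then a PKISERV resource check when the granular switch is on."""

# RACF access levels in ascending order of authority
ACCESS_LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


class ProfileStore:
    """Tiny stand-in for RACF general resource profiles:
    (class, resource) -> {userid: access}. Exact-name matching only."""

    def __init__(self):
        self._profiles = {}

    def rdefine(self, class_name, resource):
        self._profiles.setdefault((class_name, resource), {})

    def permit(self, class_name, resource, userid, access):
        self.rdefine(class_name, resource)
        self._profiles[(class_name, resource)][userid] = access

    def check(self, class_name, resource, userid, needed="READ"):
        acl = self._profiles.get((class_name, resource))
        if acl is None:
            return False  # no profile defined: treat as not authorized (simplification)
        return ACCESS_LEVELS[acl.get(userid, "NONE")] >= ACCESS_LEVELS[needed]


def pkiserv_resource(domain, action, template_nickname):
    """Build the PKISERV resource name the slide shows, e.g. MYDOMAIN.QUERYREQS.1YBSSL."""
    return f"{domain}.{action}.{template_nickname}".upper()


def admin_allowed(store, function_authority, userid, domain, action,
                  template_nickname, granular_on):
    """True if userid may perform `action` on requests/certificates created
    from `template_nickname` in `domain`.

    function_authority ({userid: set(actions)}) stands in for the existing
    authority check on the administrative function itself."""
    if action not in function_authority.get(userid, set()):
        return False  # the existing function-level check always applies
    if not granular_on:
        return True  # switch off: behave as before
    resource = pkiserv_resource(domain, action, template_nickname)
    return store.check("PKISERV", resource, userid, "READ")


# Constructed scenario following the slide's example (APPROVE and OTHERTMPL are illustrative names)
STORE = ProfileStore()
STORE.permit("PKISERV", "MYDOMAIN.QUERYREQS.1YBSSL", "PKIADM1", "READ")
STORE.permit("PKISERV", "MYDOMAIN.QUERYCERTS.1YBSSL", "PKIADM1", "READ")
FUNCTION_AUTHORITY = {"PKIADM1": {"QUERYREQS", "QUERYCERTS", "APPROVE"}}


def scenario(granular_on):
    """Evaluate the same three requests with the granular switch on or off."""
    args = (STORE, FUNCTION_AUTHORITY, "PKIADM1", "MYDOMAIN")
    return {
        "query_reqs_1ybssl": admin_allowed(*args, "QUERYREQS", "1YBSSL", granular_on),
        "query_reqs_other": admin_allowed(*args, "QUERYREQS", "OTHERTMPL", granular_on),
        "approve_1ybssl": admin_allowed(*args, "APPROVE", "1YBSSL", granular_on),
    }


if __name__ == "__main__":
    print("granular off:", scenario(False))
    print("granular on: ", scenario(True))
```

With the switch off the administrator's existing function authority decides everything; with it on, the same administrator keeps QUERYREQS on 1YBSSL requests but loses it on any other template and loses APPROVE entirely, because no matching PKISERV resource grants it.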
PKI Services CA Path Length Enforcement
• PKI Services can issue intermediate Certificate Authority certificates. All CA Certificates must contain the Basic Constraints extension, which identifies:
• Whether the certificate is a CA (required)
• The maximum depth of the certification path (optional)
• Previously, PKI Services created only the CA indication field, not the path length value. Although it is optional, many customers want that value set to limit the number of CAs that can follow in the certification path.
• Starting in V2R1, PKI Services can optionally create the path length value in the Basic Constraints extension.
• This allows a CA to restrict a subordinate CA from signing another subordinate CA.
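What enforcing that value looks like in a path validator, as an added example that is not PKI Services code. Certificates are small records carrying the two Basic Constraints fields, and the rule applied is the RFC 5280 one: a CA's pathLenConstraint is the maximum number of non-self-issued intermediate CA certificates that may follow it in the path, so a value of 0 means the CA may sign end-entity certificates only. The chain names are constructed.

```python
"""Basic Constraints path-length enforcement (added illustration; not
PKI Services code). Chains are ordered root -> intermediates -> end entity."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool                      # Basic Constraints cA flag
    path_len: Optional[int] = None   # pathLenConstraint; None = absent (unlimited)

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def validate_chain(chain: List[Cert]) -> Tuple[bool, str]:
    """Check that every signer asserts cA=TRUE, that each certificate names
    the previous one as issuer, and that no CA's pathLenConstraint is exceeded."""
    if not chain:
        return False, "empty chain"
    for signer, signed in zip(chain, chain[1:]):
        if not signer.is_ca:
            return False, f"{signer.subject} signed {signed.subject} but is not a CA"
        if signed.issuer != signer.subject:
            return False, f"{signed.subject} was not issued by {signer.subject}"
    # For each CA, count the intermediate CA certificates between it and the
    # end entity, ignoring self-issued ones (RFC 5280 rule).
    for idx, ca in enumerate(chain[:-1]):
        if ca.path_len is None:
            continue
        following = [c for c in chain[idx + 1:-1] if not c.self_issued]
        if len(following) > ca.path_len:
            names = ", ".join(c.subject for c in following)
            return False, (f"{ca.subject} has pathLenConstraint={ca.path_len} "
                           f"but {len(following)} subordinate CA(s) follow: {names}")
    return True, "ok"


# Constructed chains (names are illustrative)
ROOT = Cert("CN=Root CA", "CN=Root CA", is_ca=True)
SUB1_LEN0 = Cert("CN=Sub CA 1", "CN=Root CA", is_ca=True, path_len=0)
SUB1_OPEN = Cert("CN=Sub CA 1", "CN=Root CA", is_ca=True)  # no path length set
SUB2 = Cert("CN=Sub CA 2", "CN=Sub CA 1", is_ca=True)
SERVER = Cert("CN=server1", "CN=Sub CA 1", is_ca=False)
SERVER_VIA_SUB2 = Cert("CN=server2", "CN=Sub CA 2", is_ca=False)

ALLOWED = [ROOT, SUB1_LEN0, SERVER]                      # Sub CA 1 signs an end entity: fine
BLOCKED = [ROOT, SUB1_LEN0, SUB2, SERVER_VIA_SUB2]       # Sub CA 1 signed another CA: rejected
UNRESTRICTED = [ROOT, SUB1_OPEN, SUB2, SERVER_VIA_SUB2]  # without the value nothing stops it

if __name__ == "__main__":
    for name, chain in (("allowed", ALLOWED), ("blocked", BLOCKED),
                        ("unrestricted", UNRESTRICTED)):
        print(name, validate_chain(chain))
```

The UNRESTRICTED chain is the pre-V2R1 situation the slide describes: with cA=TRUE but no path length in Sub CA 1's Basic Constraints, a relying party has no basis to reject Sub CA 2.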
New Certificate Enhancements on RACF for z/OS V2R1
• Support secure key in TKDS from RACDCERT and R_datalib
• RACDCERT ADD, CHECKCERT enhancement
• New RACDCERT LISTCHAIN
• Prevent the accidental deletion of a certificate that is the base of a request
• DBUnload more certificate details
• New Health check for expiring certificates
• For the existing private key type X'00000002' - ICSF key token label, if the first character is an '=' sign, it is a key token from the TKDS, otherwise it is from the PKDS.
• New private key types will be handled by functions DataGetFirst and DataGetNext
IRRDBU00: Additional Certificate Information
• The RACF Database Unload Utility (IRRDBU00) unloads basic information about digital certificates into the General Resource Certificate Data Record which contains:
• The record type (“0560”)
• The name of the general resource profile which contains the certificate
• The class (“DIGTCERT”)
• The date and time from which the certificate is valid
• The date and time after which the certificate is no longer valid
• The type of key associated with the certificate
• The key size
• The last eight bytes of the last certificate signed with this key
• A sequence number for certificates within a ring
• What's missing? The issuer's distinguished name (IDN) and the subject's DN (SDN) of the certificate!
• This information is encoded within the certificate
• It maps to the profile name, but given the profile name, you can't derive the IDN or SDN
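Where those two names actually live, as an added example that is not RACF or IRRDBU00 code: the block builds a constructed, minimal X.509 Certificate structure in DER (dummy key and signature bytes, so it is not a real certificate) and then walks the ASN.1 to pull the issuer DN and subject DN out of tbsCertificate. The sample names are constructed; only the C, O and CN attribute types are mapped, and multi-byte ASN.1 tags are not handled.

```python
"""Recovering the issuer DN and subject DN from a DER certificate (added
illustration; not RACF code). Includes a small DER encoder so the sample
certificate can be built inline."""


def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """DER tag-length-value for single-byte tags."""
    return bytes([tag]) + _length(len(value)) + value


def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


ATTR_OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}
OID_NAMES = {v: k for k, v in ATTR_OIDS.items()}


def encode_name(rdns):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one per RDN here)."""
    parts = []
    for attr, value in rdns:
        atv = tlv(0x30, oid(ATTR_OIDS[attr]) + tlv(0x0C, value.encode("utf-8")))
        parts.append(tlv(0x31, atv))
    return tlv(0x30, b"".join(parts))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def decode_name(name_bytes: bytes) -> str:
    """Render a DER Name as 'C=US,O=...,CN=...' in encoded order."""
    tag, body, _ = read_tlv(name_bytes, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    pos, pieces = 0, []
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)        # SET
        _, atv, _ = read_tlv(rdn, 0)             # SEQUENCE { type, value }
        _, oid_bytes, p2 = read_tlv(atv, 0)
        _, val, _ = read_tlv(atv, p2)
        dotted = decode_oid(oid_bytes)
        pieces.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode('utf-8')}")
    return ",".join(pieces)


def build_stub_certificate(issuer, subject, serial=1) -> bytes:
    """Constructed Certificate with real structure but dummy key/signature bytes."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                 # [0] EXPLICIT Version v3
    serial_no = tlv(0x02, bytes([serial]))
    sig_alg = tlv(0x30, oid("1.2.840.113549.1.1.11"))       # sha256WithRSAEncryption (no params)
    validity = tlv(0x30, tlv(0x17, b"140101000000Z") + tlv(0x17, b"150101000000Z"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1")) + tlv(0x03, b"\x00\x00"))
    tbs = tlv(0x30, version + serial_no + sig_alg + encode_name(issuer)
              + validity + encode_name(subject) + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00\x00"))


def extract_dns(cert: bytes):
    """Walk Certificate -> tbsCertificate and return (issuer_dn, subject_dn)."""
    _, cert_body, _ = read_tlv(cert, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                       # optional [0] version
        pos = nxt
    _, _, pos = read_tlv(tbs, pos)        # serialNumber
    _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier
    start, (_, _, pos) = pos, read_tlv(tbs, pos)    # issuer
    issuer = decode_name(tbs[start:pos])
    _, _, pos = read_tlv(tbs, pos)        # validity
    start, (_, _, pos) = pos, read_tlv(tbs, pos)    # subject
    return issuer, decode_name(tbs[start:pos])


# Constructed sample names
SAMPLE_ISSUER = [("C", "US"), ("O", "Example Org"), ("CN", "Example Root CA")]
SAMPLE_SUBJECT = [("C", "US"), ("O", "Example Org"), ("CN", "server1")]
SAMPLE_CERT = build_stub_certificate(SAMPLE_ISSUER, SAMPLE_SUBJECT)

if __name__ == "__main__":
    print(extract_dns(SAMPLE_CERT))
```

The point for an auditor is that the 0560 record carries none of this: to report on issuers and subjects from an unload taken before the V2R1 enhancement, the certificate itself has to be retrieved and decoded.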