Digital Certificates Management
©2012 Vanguard Integrity Professionals, Inc. 1
Digital Certificate Topics
• History of Cryptography
• Cryptographic terms you need to know
• What Cryptographic Services are in z/OS?
• Why do we need Cryptography?
• What are Digital Certificates?
• RACF RACDCERT Command
• RACF Profiles for Digital Certificates
• Administrator and Digital Certificates
• Advisor and Digital Certificates
History of Cryptography
• Clay tablets dated near 1500 BC found in Mesopotamia were used to encrypt a craftsman's recipe for pottery glaze
• Hebrew scholars used simple substitution ciphers around 500 or 600 BC
• The ancient Greeks and Spartan military used the scytale transposition cipher
A Scytale
What is Encryption and Decryption
• A simple algorithm, cryptosystem and cryptanalysis:
  Vanguard Provides Our Security (plaintext)
  Ydpjxdug Surylghv Rxu Vhftulwb (ciphertext)
• Simply shifting each letter by X positions is used as the cryptosystem
  – The number 3 is the secret key: A=D, B=E, C=F, and so on
Technology used in Cryptography
• Manual Cryptography
– Religious text and Egyptian hieroglyphs
• Mechanical Cryptography
– Enigma machine (WWII)
3 alphabetic rotors = 17576 keys (26x26x26)
• Computerized Cryptography
– Mainframes & PCs
How Strong is your Algorithm
Cryptographic Terms
• Common Algorithms
– Data Encryption Standard (DES): old, don't use
– Triple DES (Fading away)
– Advanced Encryption Standard (AES)
– Rivest-Shamir-Adleman (RSA)
– Elliptic Curve Digital Signature Algorithm (ECDSA)
– Hashes
• Key Types
– Symmetric
– Asymmetric
RACF Release History
z/OS Version 1.n
• Cryptographic Services
• Integrated Cryptographic Service Facility (ICSF)
  – Hardware
• Open Cryptographic Services Facility (OCSF)
  – Software API for PKI
• Public Key Infrastructure (PKI) Services
  – Software environment facilitating encryption and authentication
• System Secure Sockets Layer (SSL)
  – Protocol for secure data transmission
Why Do We Need Cryptography?
• Privacy
• Non-repudiation
• Accountability
Security Services Needed for E-Business
• Authentication: identify and verify the user
• Confidentiality: prevent disclosure of the data
• Data Integrity: prevent modification of data
• Non-Repudiation: proof of participation in a transaction
• Access Control: control access to resources
What? Me Learn Cryptography?
TLS and SSL use three cryptographic operations:
• Symmetric Key Encryption
• Asymmetric Key Encryption
• Cryptographic Hash
Sending Credentials
(Diagram: a user ID and password are sent across the Internet.)
Symmetric or Secret Key Cryptography
(Diagram: Carol encrypts the plaintext "Welcome to Vanguard" with the secret encryption/decryption key 10101010101010101, producing the ciphertext 110010101011100111011; Sue decrypts the ciphertext with the same secret key and recovers the plaintext "Welcome to Vanguard".)
• Symmetric encryption is secure and fast
• AES is now the new standard
• How do we distribute the secret key?
Asymmetric or Public Key Cryptography
(Diagram: Carol encrypts the plaintext "Welcome to Vanguard" with Sue's public key using the public key algorithm, producing the ciphertext 110010101011100111011; Sue decrypts it with her private key and recovers the plaintext.)
• Asymmetric is secure but slower than symmetric
• Carol needs to know Sue's public key
• How do we find out someone's public key?
Private and Public Keys
• Private and public keys are numerically related
• Data encrypted with one can only be decrypted with the other
Secret Key vs. Public Key
Secret Key (Symmetric)
  Pro
  – Fast
  Con
  – How to distribute the key?
  – Must protect the secret key
Public Key (Asymmetric)
  Pro
  – Freely distribute the public key
  Con
  – Slow
  – Must protect the private key
  – Trust: is the public key really from whom we think it is, or is it from an imposter?
Public Key Infrastructure (PKI)
1. Carol generates a random secret key
2. Carol encrypts the secret key with Sue's public key
3. The secret key is transmitted securely
4. Sue decrypts the encrypted secret key with her private key
(Diagram: Carol's public key algorithm uses Sue's public key; Sue's public key algorithm uses Sue's private key.)
Best of Both Worlds
Now, both Carol and Sue possess the secret key
5. Carol encrypts the message with the secret key
6. The encrypted message is sent securely
7. Sue decrypts the message with the secret key
(Diagram: the shared secret key drives the symmetric key algorithm on both Carol's and Sue's side; only the encrypted message crosses the network.)
Cryptographic Hash Function
(Diagram: the message "Once upon a time, in a land far far away, there was a security administrator who eagerly enrolled in a RACF course. Little did that person realize that the subject of cryptography would be taught in the class…" is fed into the hashing algorithm, which outputs a message digest.)
• One-way algorithm
• Reduces data to a small digest
• Digest is unique to the data
Digital Signature - 1
(Diagram: Joe runs his message through the hashing algorithm to produce a message digest, then encrypts the digest with his private key using the public key algorithm. Joe's message and the encrypted message digest are sent across the network.)
Joe: "I must make sure that this data is not altered during transmission."
Digital Signature - 2
(Diagram: the recipient decrypts the received encrypted message digest with Joe's public key using the public key algorithm, runs Joe's message through the hashing algorithm to produce a second message digest, and compares the two: Equal?)
If both digests are the same, then the message was not altered, and it was signed with Joe's private key.
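The seven-step key exchange of the PKI slides (Carol and Sue) and the sign-then-verify flow of Digital Signature 1 and 2, worked as one added Python example that is not part of the original deck. Textbook RSA without padding and a SHA-256 keystream XOR stand in for the real public key algorithm and for AES; the function names (carol_sends, sue_receives, sign, verify) are assumptions made for the illustration.

```python
import hashlib
import random
import secrets

# Textbook RSA with no padding, for illustration only: real systems use
# RSA-OAEP / RSA-PSS or ECDSA, and a real block cipher such as AES.

def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit, make odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return (public, private) as (n, e) and (n, d): the two keys are numerically related."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))  # pow(e, -1, m) needs Python 3.8+

def rsa_apply(key, value):
    """Encrypt with one key of the pair; only the other key undoes it."""
    n, exponent = key
    return pow(value, exponent, n)

def symmetric_crypt(secret_key, data):
    """Toy stream cipher: XOR with a SHA-256 keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(secret_key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

# Steps 1-7 of the PKI flow: transport the secret key, then encrypt with it.

def carol_sends(message, sue_public):
    secret_key = secrets.token_bytes(16)                                    # 1. random secret key
    wrapped_key = rsa_apply(sue_public, int.from_bytes(secret_key, "big"))  # 2. encrypt with Sue's public key
    encrypted_message = symmetric_crypt(secret_key, message)                # 5. encrypt with the secret key
    return wrapped_key, encrypted_message                                   # 3./6. both cross the network

def sue_receives(wrapped_key, encrypted_message, sue_private):
    secret_key = rsa_apply(sue_private, wrapped_key).to_bytes(16, "big")    # 4. decrypt with Sue's private key
    return symmetric_crypt(secret_key, encrypted_message)                   # 7. decrypt the message

# Digital signature: hash the message, encrypt the digest with the signer's private key.

def sign(message, joe_private):
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return rsa_apply(joe_private, digest)

def verify(message, signature, joe_public):
    """Decrypt the digest with Joe's public key and compare with a freshly computed digest."""
    recovered = rsa_apply(joe_public, signature)
    return recovered == int.from_bytes(hashlib.sha256(message).digest(), "big")

if __name__ == "__main__":
    sue_public, sue_private = generate_keypair()
    wrapped, ciphertext = carol_sends(b"Welcome to Vanguard", sue_public)
    print(sue_receives(wrapped, ciphertext, sue_private))
    joe_public, joe_private = generate_keypair()
    sig = sign(b"Joe's message", joe_private)
    print(verify(b"Joe's message", sig, joe_public), verify(b"Joe's message (altered)", sig, joe_public))
```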
What Is A Digital Certificate?
(Diagram of the certificate contents:)
• Serial Number of Certificate
• Distinguished Name of Issuer (CA)
• Distinguished Name of Subject
• Subject's Public Key Info
  - Algorithm
  - Public Key
• Expiration Date
• Signature of Certifying Authority: the fields above are hashed (SHA-256) into a message digest, which is encrypted with the private key of the Certifying Authority
Purpose of Digital Certificates
• Trusted validation of parties: by induction, I believe a party is who it claims to be
• Scalability: get public keys only when really needed
• Transmission and storage of public keys can be
insecure: replace storing securely many keys with:
– store (insecurely) many certificates
– store securely the root certificate
– store securely the private key
X.509 Digital Certificates
• A data structure that contains, at minimum, the
following fields:
– The distinguished name of the owner of the public key,
also called the subject's name
– The distinguished name of the issuer of the certificate,
also called the issuer's name
– The subject’s public key
– The time period during which the certificate is valid, also
called the validity period
– The certificate's serial number as designated by the issuer
– The issuer's digital signature
Types of Digital Certificates
• Certificate-Authority Certificate or Root Certificate
– Associated with a Certificate Authority
– Used to verify signatures in other certificates
– The CA is responsible for:
• identifying entities before certificate generation,
• ensuring the quality of its own key pair,
• keeping its private key secret.
• Intermediate (Really just a CA)
– Signed by a trusted Certificate Authority
– Used to verify signatures in other certificates
– Responsible for:
• identifying entities before certificate generation,
• ensuring the quality of its own key pair,
Types of Digital Certificates
• Site Certificate (unique to IBM) or Server Certificate
  – Associated with a server or multiple servers
  – Signed by a Certificate Authority (CA or intermediate)
  – Used to authenticate a server and enable secure communication
  – Allows sharing of private keys
• User Certificate
  – Associated with a RACF user
  – Signed by a Certificate Authority
  – Used to authenticate a user
Certificate Validation
Which ones do I need stored in my browser so I can view a secure web page?
(Diagram of the three-certificate chain; each certificate shows its serial number, issuer, subject, subject's public key, expiration date and the signature of the Certifying Authority:)
• Serial 123245769aade343 – issuer VeriSign Intermediate (CA), subject www.go2vanguard.com
• Serial 1ae234788aade343 – issuer VeriSign Root CA, subject VeriSign Intermediate CA
• Serial 12bc34567aade3dd43 – issuer VeriSign Root CA, subject VeriSign Root CA (self-signed)
(Diagram labels: Trusted, Trusted, Not Trusted)
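An added Python example, not from the deck, that walks the chain above (www.go2vanguard.com, VeriSign Intermediate CA, VeriSign Root CA) from the server certificate to a trust anchor: only the root has to be in the browser's store, the other two arrive with the connection. Certificates are modelled as dicts with the fields listed in the diagram; the serial numbers are the diagram's, while the dates, the toy RSA keys built from Mersenne primes and the function names (issue, validate_chain) are constructed for the illustration.

```python
import hashlib
from datetime import date

E = 65537

def toy_keypair(p, q):
    """Toy RSA pair ((n, e), (n, d)) from two primes; pow(E, -1, m) needs Python 3.8+."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

# Constructed key pairs from Mersenne primes (2**k - 1 is prime for these k); toy sizes only.
ROOT_PUB, ROOT_PRIV = toy_keypair(2**107 - 1, 2**127 - 1)
INTER_PUB, INTER_PRIV = toy_keypair(2**89 - 1, 2**61 - 1)
SERVER_PUB, _server_priv = toy_keypair(2**31 - 1, 2**521 - 1)  # private half used only in TLS

TBS_FIELDS = ("serial", "issuer", "subject", "public_key", "not_after")

def tbs_digest(cert):
    """128-bit truncation of SHA-256 over the to-be-signed fields (smaller than every toy n)."""
    blob = "|".join(str(cert[k]) for k in TBS_FIELDS).encode()
    return int.from_bytes(hashlib.sha256(blob).digest()[:16], "big")

def issue(serial, issuer, subject, subject_pub, not_after, issuer_priv):
    """The issuer signs the digest of the certificate fields with its private key."""
    cert = dict(zip(TBS_FIELDS, (serial, issuer, subject, subject_pub, not_after)))
    n, d = issuer_priv
    cert["signature"] = pow(tbs_digest(cert), d, n)
    return cert

def signature_valid(cert, signer_pub):
    """Decrypt the signature with the issuer's public key and compare with a fresh digest."""
    n, e = signer_pub
    return pow(cert["signature"], e, n) == tbs_digest(cert)

def validate_chain(leaf, intermediates, trusted_roots, today, max_depth=5):
    """Follow issuer names from the leaf until a certificate in the trust store signs the chain."""
    cert = leaf
    for _ in range(max_depth):
        if today > cert["not_after"]:
            return False, "expired: " + cert["subject"]
        anchor = trusted_roots.get(cert["issuer"])
        if anchor is not None:
            if today > anchor["not_after"]:
                return False, "trust anchor expired: " + anchor["subject"]
            if signature_valid(cert, anchor["public_key"]):
                return True, "chains to trusted root " + anchor["subject"]
            return False, "bad signature on " + cert["subject"]
        if cert["issuer"] == cert["subject"]:
            return False, "self-signed certificate is not in the trust store: " + cert["subject"]
        issuer = intermediates.get(cert["issuer"])
        if issuer is None:
            return False, "no certificate available for issuer " + cert["issuer"]
        if not signature_valid(cert, issuer["public_key"]):
            return False, "bad signature on " + cert["subject"]
        cert = issuer
    return False, "chain too long"

def build_demo_chain():
    """Constructed chain matching the diagram; the expiration dates are made up."""
    root = issue("12bc34567aade3dd43", "VeriSign Root CA", "VeriSign Root CA",
                 ROOT_PUB, date(2020, 1, 1), ROOT_PRIV)
    inter = issue("1ae234788aade343", "VeriSign Root CA", "VeriSign Intermediate CA",
                  INTER_PUB, date(2018, 1, 1), ROOT_PRIV)
    server = issue("123245769aade343", "VeriSign Intermediate CA", "www.go2vanguard.com",
                   SERVER_PUB, date(2013, 1, 1), INTER_PRIV)
    return root, inter, server

if __name__ == "__main__":
    root, inter, server = build_demo_chain()
    browser_store = {root["subject"]: root}           # only the root lives in the browser
    sent_with_handshake = {inter["subject"]: inter}   # the server sends the intermediate
    print(validate_chain(server, sent_with_handshake, browser_store, date(2012, 6, 1)))
    print(validate_chain(server, {}, browser_store, date(2012, 6, 1)))
```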
Key Rings
• Collection of certificates that are available to the user
• Used to determine the trustworthiness of the client or server
• Virtual key ring:
  – Set of all certificates available for all users
  – Predefined *AUTH* and *SITE*
Certificates, CAs, Browsers
• Many operating systems contain CAs’ certificates
available for all users.
Certificates, CAs, RACF
Trusted Root store (*AUTH*) in RACF
TLS for Secure Transaction
(Diagram: the client's web browser and the server exchange five numbered messages)
• The client requests https://www.medserver.org/medicaldata.html
• The server sends its certificate with its public key
• The client authenticates the server's certificate (validates the trust tree: all intermediate and CA certificates)
• The client sends a symmetric key (encrypted with the public key; the server decrypts it with its private key)
• …Encrypted Data…Encrypted Data…Encrypted Data…
The Life Cycle of a Certificate
Public Services:
• Import CA tree
• Mark as trusted
• Generate certificate
• Generate request
• Send to CA for signing
• Return and import
• Attach to rings
• Expire
• Rollover
• Rekey
Private Services:
• Create self-signed CA
• Mark as trusted
• Export and deliver
• Generate signed certificates
• Attach to rings
• Expire
• Rollover
• Rekey
RACDCERT Commands for Digital Certificates
(Diagram: RACDCERT commands go through RACF to the RACF database.)
The RACDCERT Command
• List information about the certificates for a user
• Add a certificate definition and associate with a user
• Alter the TRUST or the LABEL name for a certificate
• Delete a certificate
• List a certificate in a data set and determine if it is associated
with a userid
• Create, delete, or list a key ring
• Add or remove a certificate from a key ring
• Generate a public/private key pair and certificate
• Write a certificate to a data set
• Create a certificate request
• Add, list, modify, or delete a userid mapping
Using the RACDCERT Command
RACDCERT [ ID(user) | SITE | CERTAUTH ] command-options
• ID(user) – directed to a user certificate
• SITE – directed to a site certificate
• CERTAUTH – directed to a certificate authority certificate
Basic Rules for RACDCERT
Entity              RACDCERT Command                                    Issued to ID Type
Certificate         GENCERT, GENREQ, ADD, LIST, ALTER, DELETE,          RACF ID, **CERTAUTH, **SITE
                    CHECKCERT, EXPORT, REKEY, ROLLOVER
Key Ring            ADDRING, LISTRING, CONNECT, REMOVE                  RACF ID
Certificate Filter  MAP, LISTMAP, ALTMAP, DELMAP                        RACF ID, Multiple Mapping ID (MultiID)
Basic Rules for RACDCERT
• If no ID is specified, the user who issues the command is used.
  – List my certificates:
    RACDCERT LIST(LABEL('cert1'))
  – List someone else's certificates:
    RACDCERT ID(user2) LIST(LABEL('cert1'))
• Labels are for management purposes only; they are not part of the certificate.
• The control of RACDCERT is managed by FACILITY class profiles.
Access to the RACDCERT Command
IRR.DIGTCERT.ADD        Add certificate
IRR.DIGTCERT.ADDRING    Add key ring
IRR.DIGTCERT.ALTER      Alter certificate
IRR.DIGTCERT.CONNECT    Connect certificate to key ring
IRR.DIGTCERT.EXPORT     Write certificate to data set
IRR.DIGTCERT.GENCERT    Generate certificate
IRR.DIGTCERT.LIST       List certificate
IRR.DIGTCERT.LISTRING   List key ring
FACILITY Class Profiles:
Who Can Issue RACDCERT?
• SPECIAL user - use all functions of RACDCERT
• FACILITY class profile IRR.DIGTCERT.function
– READ – issue RACDCERT for self
– UPDATE – issue RACDCERT for others
– CONTROL – issue RACDCERT for SITE and CERTAUTH
certificates
• Example
– Trusted Admins - Add CA certificates and Site certificates
– Help Desk - List certificates and key rings for anyone
– End Users
• Add, delete, and modify contents of their own key rings
• Add, delete, and alter their own certificates
• CAUTION: OWNER does not behave as it does in other profile classes
  – Ownership does not give access or control in RACF
  – OWNER is who issued the command, not the certificate owner
  – UACC does not give access
  – This causes false audit findings when it is misunderstood.
DIGTCERT CLASS
CLASS      NAME
-----      ----
DIGTCERT   0A.OU=SBSVCS¢DEMO¢CERTIFICATE¢AUTHORITY.O=SENERGY¢BUSINESS¢SYSTEMS.CUS

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    TSJC00    ALTER             ALTER        NO
Resource Classes for Certificates
• DIGTCERT
  Contains digital certificates and information related to them.
• DIGTRING
  Contains a profile for each key ring and provides information about the digital certificates that are part of each key ring.
• DIGTNMAP
  Contains the mapping profiles for certificate name filters.
• DIGTCRIT
  Contains profiles that specify additional criteria for certificate name filters.
Real-life example from before
• Request to secure our web server www.go2vanguard.com
  – Create a self-signed certificate
  – Generate a certificate request to send off to VeriSign
  – Receive the signed certificate
  – Replace the existing self-signed certificate
  – Import any intermediate certificates if required
  – Connect to the proper key rings
  – Test the service
RACDCERT Command Examples
1. Create the public/private key pair and self-signed certificate
RACDCERT ID(WEBSRV) GENCERT -
  SUBJECTSDN(CN('www.go2vanguard.com') -
  OU('Information Technology Dept') -
  O('Vanguard Integrity Professionals') -
  C('USA') L('Las Vegas')) -
  WITHLABEL('www.gowvangaurd.com')
2. Create a certificate request
RACDCERT ID(WEBSRV) GENREQ(LABEL('www.gowvangaurd.com')) -
  DSN('WEB.SERVER.GENREQ')
3. Send the certificate request to the Certifying Authority
Cut and paste it into an email and send it to the Certifying Authority.
What a BASE64 certificate request looks like:
43 ©2012 Vanguard Integrity Professionals, Inc.
RACDCERT Command Examples
4. The Certifying Authority validates the certificate request, approves it, signs it and sends the SIGNED certificate back to the requestor
5. The requestor receives the certificate into a data set 'WWW.SERVER.CERT'
6. Replace the self-signed certificate with the certificate signed by the CA
RACDCERT ID(WEBSRV) ADD('WWW.SERVER.CERT') -
  WITHLABEL('www.gowvangaurd.com')
RACDCERT Command Examples
7. Define a RACF key ring for the server
RACDCERT ID(WEBSRV) ADDRING(WEBRING)
8. Connect the certificate to the server's key ring and mark it as the default certificate
RACDCERT ID(WEBSRV) CONNECT(LABEL('www.gowvangaurd.com') -
  RING(WEBRING) DEFAULT)
When in doubt, connect the ID(USERID) or SITE certificate as DEFAULT. Some services, such as CICS, cannot select a certificate by label name and must use the DEFAULT keyword. Do not connect a CERTAUTH certificate as DEFAULT.
RACF Commands for Digital Certificates
RACDCERT (Commands)
• Working with Certificates
  – GENCERT (Generate certificate)
  – GENREQ (Generate request)
  – ADD (Add certificate)
  – ALTER (Alter certificate)
  – REKEY (Rekey certificate)
  – ROLLOVER (Rollover certificate)
  – DELETE (Delete certificate)
  – CHECKCERT (Check certificate)
  – EXPORT (Export certificate package)
  – IMPORT (Import certificate)
  – LIST (List certificate)
RACDCERT (Commands)
• Working with Rings
– LISTRING (List key ring)
– ADDRING (Add key ring)
– DELRING (Delete key ring)
– CONNECT (Connect a certificate to key ring)
– REMOVE (Remove certificate from key ring)
• Working with Mapping
– MAP (Create mapping)
– ALTMAP (Alter mapping)
– DELMAP (Delete mapping)
– LISTMAP (List mapping)
RACDCERT GENCERT
RACDCERT GENCERT [ (request-data-set-name) ]
  [ ID(certificate-owner) | SITE | CERTAUTH ]
  [ SUBJECTSDN( [ CN('common-name') ] [ T('title') ]
      [ OU('organizational-unit-name1', 'organizational-unit-name2', ...) ]
      [ O('organization-name') ] [ L('locality') ] [ SP('state-or-province') ] [ C('country') ] ) ]
  [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
  [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
  [ WITHLABEL('label-name') ]
  [ SIGNWITH( [ CERTAUTH | SITE ] LABEL('label-name') ) ]
  [ SIZE(key-size) ]
  [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | DSA | NISTECC | BPECC | FROMICSF(pkds-label) } ]
  [ KEYUSAGE( [ CERTSIGN ] [ DATAENCRYPT ] [ DOCSIGN ] [ HANDSHAKE ] [ KEYAGREE ] ) ]
  [ ALTNAME( [ IP(numeric-IP-address) ] [ DOMAIN('internet-domain-name') ]
      [ EMAIL('email-address') ] [ URI('universal-resource-identifier') ] ) ]
GENCERT examples
Certificate Authority certificate:
RACDCERT GENCERT CERTAUTH -
  SUBJECTSDN(OU('Vanguard DEMO CERTIFICATE AUTHORITY') -
  O('Vanguard Demo Systems') C('US')) -
  WITHLABEL('Local RACF PKI CA') -
  NOTAFTER(DATE(2020-01-01))
Server certificate:
RACDCERT GENCERT ID(FTPD) -
  SUBJECTSDN(CN('172.16.20.121') -
  O('Vanguard Integrity Professionals') C('US')) -
  SIZE(1024) -
  WITHLABEL('FTP_Cert') -
  SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))
Site certificate:
RACDCERT GENCERT SITE -
  SUBJECTSDN(CN('Vanguard.Demo.Systems.Com') -
  O('Vanguard Integrity Professionals') C('US')) -
  SIZE(1024) -
  WITHLABEL('FTP_Cert') -
RACDCERT GENREQ
RACDCERT GENREQ(LABEL('WEBSRV_Server_Cert')) -
  ID(WEBSRV) -
  DSN('WEBSRV.SERVER.GENREQ')
RACDCERT ADD
The Certifying Authority validates the certificate request, approves it, signs it and sends the certificate back to the requestor.
The requestor receives the certificate into a data set 'WEBSRV.SERVER.CERT'.
Replace the self-signed certificate with the certificate signed by the CA:
RACDCERT ADD('WEBSRV.SERVER.CERT') ID(WEBSRV) -
  WITHLABEL('WEBSRV_Server_Cert')
RACDCERT LIST examples
• RACDCERT <Identifier> LIST <options>
  – List all certificates owned by USER1
    RACDCERT ID(USER1) LIST
  – List all CAs
    RACDCERT CERTAUTH LIST
  – List all SITE certificates
    RACDCERT SITE LIST
  – List the CA with a given label
    RACDCERT CERTAUTH LIST(LABEL('RSA Secure Server CA'))
Note: Only one identifier (USERID, SITE or CERTAUTH) may be used.
RACDCERT ALTER
• RACDCERT <Identifier> ALTER(<options>) option()
  – Change a CA's trust status
    RACDCERT CERTAUTH ALTER(LABEL('RSA Secure Server CA')) TRUST
    Note: CAs delivered by IBM are not marked as trusted. To allow their use, they must be marked trusted and connected to a KEYRING.
  – Change an existing label
    RACDCERT ID(WEBSERV) ALTER(LABEL('www.go2vanguard.com')) NEWLABEL('label')
    Note: Labels are for ease of administration.
RACDCERT DELETE
• RACDCERT DELETE
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ (LABEL('label-name')) ]
    | [ (SERIALNUMBER(serial-number) [ ISSUERSDN('issuer's-dn') ] ) ]
RACDCERT CERTAUTH DELETE(LABEL('Verisign Class 3 Primary CA'))
Note: The ID must be specified, and either SERIALNUMBER or LABEL can be given. All values must be exact, including case and numbers.
RACDCERT CHECKCERT
• RACDCERT CHECKCERT(data-set-name)
    [ PASSWORD('pkcs12-password') ]
RACDCERT CHECKCERT('TSJC00.GTE.ROOT')
Note: PASSWORD is typically needed for certificates that include keys, or for packages.
Start Date: 1998/08/12 16:29:00
End Date: 2018/08/13 15:59:00
Serial Number:
>01A5<
Issuer's Name:
>CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
> Corporation.C=US<
Subject's Name:
>CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
> Corporation.C=US<
Key Type: RSA
Key Size: 1024
RACDCERT EXPORT
Export the local CA certificate to a data set:
RACDCERT EXPORT(LABEL('Local_RACF_CA')) -
  CERTAUTH -
  DSN('TSJC00.Local.RACF.CA')
• Caution: if you use passwords you must remember them.
• Hint: use CER/DER format for CERTAUTH certificates.
RACDCERT REKEY
• RACDCERT REKEY(LABEL('existing-label-name'))
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ SIZE(key-size) ]
    [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | NISTECC | BPECC } ]
    [ WITHLABEL('to-be-created-label-name') ]
RACDCERT ROLLOVER
• RACDCERT ROLLOVER(LABEL('old-label-name'))
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    NEWLABEL('new-label-name')
    [ FORCE ]
RACDCERT ROLLOVER(LABEL('Local_RACF_CA')) -
  CERTAUTH -
  NEWLABEL('Local.RACF.CA.NEW')
What would you do next??
RACF Commands for Digital Certificate Rings
RACDCERT ADDRING
• Define a RACF key ring for ID TN3270
RACDCERT ADDRING(TSORING) ID(TN3270)
Remember: you must define (ADDRING) the ring before using it.
• Do not ADDRING for CERTAUTH or SITE!
  – RACF has two virtual rings that are always available:
    • *AUTH*
    • *SITE*
RACDCERT CONNECT
• RACDCERT [ ID(ring-owner) ]
    CONNECT(
      [ ID(certificate-owner) | SITE | CERTAUTH ]
      LABEL('label-name')
      RING(ring-name)
      [ DEFAULT ]
      [ USAGE(PERSONAL | SITE | CERTAUTH) ]
    )
RACDCERT LISTRING
• RACDCERT ID(FTPD) LISTRING(RINGNAME)
• RACDCERT ID(FTPD) LISTRING(*)
• Cannot LISTRING SITE or CERTAUTH
  – IRRD120I Incorrect use of SITE. A Site Certificate cannot own a key ring.
  – They are VIRTUAL and always exist.
RACDCERT REMOVE
• RACDCERT REMOVE( [ ID(certificate-owner) | SITE | CERTAUTH ]
    LABEL('label-name')
    RING(ring-name) ) [ ID(ring-owner) ]
RACDCERT ID(TN3270) REMOVE(LABEL('TN370_CERT') RING(TSORING))
RACDCERT ID(TN3270) REMOVE(CERTAUTH LABEL('LOCAL_RACF_PKI_CERT') RING(TSORING))
Vanguard Administrator and Digital Certificates
(Screens from the Vanguard Administrator product; where the deck gives one, the comparable RACF command follows the screen title.)
Set Defaults
VDMOPT00 in VANOPTS
Customized for Individual User
View User and Site Certificates
No RACDCERT command parameter is available to produce this report.
List User Profile Certificate Information
View Ring Information
View Rings with Certificates
1 ring with 2 certificates
Create a User Certificate
Create a Keyring for a Server
Comparable RACF command:
RACDCERT ID(itserver) ADDRING(itring)
Create a Server Certificate
Comparable RACF command:
RACDCERT ID(ITSERVER) GENCERT -
  SUBJECTSDN(CN('go2vanguard.com') -
  OU('Information Technology Dept') -
  O('Vanguard Integrity Professionals') -
  C('USA')) -
Create a Certificate Request
Comparable RACF command:
RACDCERT ID(JOHNC) GENREQ(LABEL('test')) -
Importing the Signed Cert
Create CA Signed Certificate
Comparable RACF command:
RACDCERT ID(ITSERVER) -
  WITHLABEL('IT_Server_Cert') -
  DSN('ITSERVER.GENREQ')
Connect CA Signed Certificate to Ring
Comparable RACF command:
RACDCERT ID(ITSERVER) -
  CONNECT(LABEL('IT_Server_CA_Cert') -
  RING(itring) DEFAULT)
Export the non-CA ITSERVER Certificate
Comparable RACF command:
RACDCERT EXPORT(LABEL('IT_Server_Cert')) -
  DSN('ITSERVER.CERT') FORMAT(PKCS12DER) PASSWORD('DANDYDON')
Evaluate a Certificate on a Data Set
Comparable RACF command:
RACDCERT CHECKCERT('ITSERVER.CERT') -
  PASSWORD('DANDYDON')
Delete the non-CA Certificate
Comparable RACF command:
RACDCERT DELETE(LABEL('IT_Server_Cert'))
Vanguard Advisor and Digital Certificates
Advisor Reporting for Digital Certificates
(Sample Advisor report screens:)
• RACF Commands by Userid Report
• RACF Command Detail Report
• Resource Access Summary Report
• Resource Access Detail Report