
Transcription
RACDCERT
A Survival Guide
Nigel Pentland - NAG
Monday, 1 February 2010
Acknowledgements
Wai Choi - IBM
Document Search
RACDCERT functions

Certificate generation
‣ RACDCERT GENCERT - generate key pair and certificate
‣ RACDCERT GENREQ - generate a certificate request

Certificate installation
‣ RACDCERT ADD - install a certificate and public/private key
‣ RACDCERT ADDRING - create a key ring

Certificate administration
‣ RACDCERT CONNECT - place a certificate in key ring
‣ RACDCERT REMOVE - remove a certificate from a key ring
‣ RACDCERT LISTRING - display key ring information
‣ RACDCERT DELRING - delete a key ring
‣ RACDCERT LIST - display certificate information from an installed certificate
‣ RACDCERT ALTER - change certificate installation information
RACDCERT functions

Certificate administration (continued)
‣ RACDCERT DELETE - delete certificate and key pair
‣ RACDCERT CHECKCERT - display certificate information from a dataset
‣ RACDCERT EXPORT - export a certificate
‣ RACDCERT MAP - create a certificate filter
‣ RACDCERT ALTMAP - change the certificate filter
‣ RACDCERT DELMAP - delete a certificate filter
‣ RACDCERT LISTMAP - display certificate information
‣ RACDCERT REKEY - renew certificate with new key pair
‣ RACDCERT ROLLOVER - finalize the REKEY process
Control of RACDCERT

Recommended profiles that should be defined as a minimum, with access granted only to approved digital certificate administrators:

SETR CLASSACT(DIGTCERT DIGTCRIT DIGTNMAP DIGTRING)
SETR RACLIST(DIGTCERT DIGTCRIT DIGTNMAP DIGTRING)
RDEFINE FACILITY IRR.DIGTCERT.** UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ALTER UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ALTMAP UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CHECKCERT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.DELETE UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.DELMAP UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.DELRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.EXPORT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.EXPORTKEY UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENREQ UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTMAP UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.MAP UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.REMOVE UACC(NONE)
Control of RACDCERT

To allow your administrators to manage the certificates:

PE IRR.DIGTCERT.** CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.ADD CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.ADDRING CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.ALTER CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.ALTMAP CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.CHECKCERT CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.CONNECT CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.DELETE CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.DELMAP CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.DELRING CL(FACI) ID(SYS1) AC(UP)
PE IRR.DIGTCERT.EXPORT CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.EXPORTKEY CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.GENCERT CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.GENREQ CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.LIST CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.LISTMAP CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.LISTRING CL(FACI) ID(SYS1) AC(CO)
PE IRR.DIGTCERT.MAP CL(FACI) ID(SYS1) AC(UP)
PE IRR.DIGTCERT.REMOVE CL(FACI) ID(SYS1) AC(CO)

To allow users to list, and thereby access, their own certificates and key rings:

PE IRR.DIGTCERT.LIST CL(FACI) ID(*) AC(RE)
PE IRR.DIGTCERT.LISTRING CL(FACI) ID(*) AC(CO)
Control of RACDCERT

The RDATALIB RACF class (v1.9)

In addition to the new function codes, a new RACF class is now provided to allow more granular access control over the users of the R_datalib functions. The new RACF class name is RDATALIB. The format of the profiles in the RDATALIB class is:

    ring-owner.ring-name.function

The new R_datalib functions in z/OS V1R9 are considered update functions. Therefore, their profiles are of the form:

    ring-owner.ring-name.UPD

The older functions, prior to z/OS V1R9, only list the RACF database and therefore their profiles are of the form:

    ring-owner.ring-name.LST

If the new profiles are absent, R_datalib reverts to checking authorization using the old IRR.DIGTCERT.* profiles in the FACILITY class.
RACDCERT basics

Certificates are referenced through the RACDCERT commands using a combination of 'Owner' and 'certificate label'.

ID(certificate-owner) | SITE | CERTAUTH
Specifies that the new certificate is either a user certificate associated with the specified user ID, a site certificate, or a certificate-authority certificate. If you do not specify ID, SITE, or CERTAUTH, the default is ID, and certificate-owner defaults to the user ID of the command issuer.

Hence certificates must be uniquely identifiable by owner and certificate label.
RACDCERT debug

DEBUG keyword (new to Release 10)

Add the DEBUG keyword when you issue the RACDCERT command to obtain additional diagnostic messages for failures related to encryption calls, and RACF-invoked ICHEINTY ALTER, RACROUTE REQUEST EXTRACT, and RACROUTE REQUEST DEFINE calls.

The content of these additional diagnostic messages is not documented in the RACF publication library. If you report a problem to the IBM Support Center, use the DEBUG keyword to gather diagnostic information.
Areas to look at
‣ what is a certificate?
‣ what is a key ring?
‣ who is the ‘owner’?
‣ the connect command!
‣ some gotchas to watch out for.
What is a certificate?

[Diagram: certificate fields - DN, Dates, Issuer, public key, key usage, signature - with the private key held separately from the certificate]
What is a certificate?
GENCERT

RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('root') OU('Technology') O('National Australia Group Europe') L('Glasgow') SP('Scotland') C('GB')) SIZE(1024) NOTBEFORE(DATE(2009-12-16)) NOTAFTER(DATE(2040-11-11)) WITHLABEL('ROOT') KEYUSAGE(CERTSIGN)

Generate new key pair, and create new certificate.
What is a certificate?
GENREQ

RACDCERT ID(CERTOWN) GENREQ(LABEL('VERISIGN CSR')) DSN('HLQ.PKCS10.REQ1')

Creating a CSR, using existing key pair.
What is a certificate?
GENREQ (renew part 1)

RACDCERT ID(ALICE) GENREQ(LABEL('[email protected]')) DSN('HLQ.PKCS10.REQ1')

Creating a CSR is the first step to renewing a certificate without renewing the keys.
What is a certificate?
GENCERT (renew part 2)

RACDCERT GENCERT('HLQ.PKCS10.REQ1') ID(ALICE) NOTBEFORE(DATE(2009-11-30)) NOTAFTER(DATE(2011-01-09)) WITHLABEL('[email protected]') SIGNWITH(CERTAUTH LABEL('RSA-ROOT')) KEYUSAGE(DATAENCRYPT,HANDSHAKE) ALTNAME(EMAIL('[email protected]'))

Create certificate using the CSR from the previous GENREQ.
What is a certificate?
REKEY

RACDCERT REKEY(LABEL('LIVE-MQ-ROOT')) CERTAUTH SIZE(2048) NOTBEFORE(DATE(2009-09-29)) NOTAFTER(DATE(2023-09-29)) WITHLABEL('NEW-ROOT')

Generate new certificate based on details of the existing one, but with a fresh key pair.
What is a certificate?
ROLLOVER

RACDCERT ROLLOVER(LABEL('VERISIGN-CERT')) ID(CERTOWN) NEWLABEL('NEW-VERISIGN-CERT')

Finalise certificate renewal by deleting the old private key and:
PERSONAL - remove old certificate
CERTAUTH / SITE - not removed
What is a key ring?

A key ring is a method of grouping together a collection of certificates, and associating a purpose with each certificate connected to the ring.

Purposes are essentially either:
(a) associated with a private key and used as a 'personal' certificate
(b) used as part of a chain of trust to establish the trustworthiness of a public certificate
What is a key ring?

RACDCERT ID(FTPTASK) LISTRING(FTPRING)

Digital ring information for user FTPTASK:

  Ring: FTPRING
  Certificate Label Name    Cert Owner    USAGE      DEFAULT
  ----------------------    -----------   --------   -------
  FTP SERVER                ID(FTPTASK)   PERSONAL   YES
  ROOT                      CERTAUTH      CERTAUTH   NO
  3RD PARTY ROOT            CERTAUTH      CERTAUTH   NO
What is a key ring?
Properly formed key ring with trusted chain

openssl s_client -connect tn3270-server.net:992 -state -showcerts
Loading 'screen' into random state - done
CONNECTED(00000770)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
What is a key ring?

RACDCERT ID(FTPTASK) LISTRING(FTPRING)

Digital ring information for user FTPTASK:

  Ring: FTPRING
  Certificate Label Name    Cert Owner    USAGE      DEFAULT
  ----------------------    -----------   --------   -------
  FTP SERVER                ID(FTPTASK)   PERSONAL   YES
What is a key ring?
No Trusted CA in key ring

openssl s_client -connect tn3270-server.net:992 -state -showcerts
Loading 'screen' into random state - done
CONNECTED(00000770)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=tn3270-server.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=tn3270-server.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=tn3270-server.net
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
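The two openssl traces above differ only in their verify lines, and that difference is the quickest way to tell a ring with a complete CA chain from one with no trusted CA connected. The following Python is an added example, not code from the presentation; it parses the verify lines of an 'openssl s_client -state' trace (sample lines below are constructed from the two slides) and reports which case it is seeing.

```python
import re

# Lines of interest in 'openssl s_client -state' output (format as on the slides).
DEPTH_RE = re.compile(r"^depth=(\d+) (.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")

# Verify errors reported at depth 0 when the server sends only its own
# certificate, i.e. no trusted CA was connected to the server's key ring.
NO_CHAIN_ERRORS = {20, 21, 27}

# Constructed samples: the verification lines from the two slides above.
CHAIN_OK = """\
depth=1 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
"""
NO_CA_IN_RING = """\
depth=0 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=tn3270-server.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=tn3270-server.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=GB/ST=State/L=Location/O=Organisation/OU=Technology/CN=tn3270-server.net
verify error:num=21:unable to verify the first certificate
verify return:1
"""

def classify_handshake(output):
    """Summarise the verify errors and say whether the ring sent a CA chain."""
    depth, depths, errors = None, set(), []
    for line in output.splitlines():
        m = DEPTH_RE.match(line.strip())
        if m:
            depth = int(m.group(1))
            depths.add(depth)
            continue
        m = ERROR_RE.match(line.strip())
        if m and depth is not None:
            errors.append((depth, int(m.group(1)), m.group(2)))
    if any(d == 0 and n in NO_CHAIN_ERRORS for d, n, _ in errors):
        verdict = "no trusted CA in key ring: server sent only its own certificate"
    elif errors and all(d > 0 and n == 19 for d, n, _ in errors):
        verdict = "chain complete: ends in a self-signed root not yet trusted by the client"
    elif not errors:
        verdict = "chain verified"
    else:
        verdict = "other verification errors"
    return {"chain_depth": max(depths, default=0), "errors": errors, "verdict": verdict}
```

A num=19 at depth 1 or higher is expected when the root is an internal CA the client machine has not imported; a 20/21/27 at depth 0 means the server's ring needs the CA certificate connected with USAGE(CERTAUTH).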
Virtual key rings

Support for Virtual Key Rings

This support is intended to treat the collection of all the certificates owned by one user ID, including the SITE and CERTAUTH reserved IDs, as an independent key ring.

The use of the CERTAUTH virtual key ring is intended to eliminate the need to manually create multiple key rings for SSL enabled applications such as FTP.

Example: in FTP.DATA
KEYRING *AUTH*/*
Who is the ‘owner’?

RACF profiles have owners. Certificate owners are different to RACF profile owners. The RACF profile owner of a certificate profile is not significant; it is purely historical.

Because of the way RACF internally references certificates, they must not only be uniquely identifiable by owner and certificate label, they must also be unique by certificate serial number plus DN.
Who is the ‘owner’?

General resource basic data record (0500)
GRBD_OWNER_ID   Char   282   289   The user ID or group name which owns the profile.

What's the relationship between User and Certificate?

0207   User Certificate Name
0500   General Resource Basic Data
0560   General Resource Certificate Data Record
Who is the ‘owner’?

0207 irrcerta 02.CN=GSEõdemoõroot.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0207 irrcerta 09.CN=GSEõdemoõintermediate.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0207 GSEUSER 07.CN=GSEõdemoõintermediate.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0207 GSEUSER 01.CN=gse.demo.server.com.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0207 GSEUSER 03.CN=GSEõdemoõroot.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0500 01.CN=gse.demo.server.com.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0560 01.CN=gse.demo.server.com.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0500 02.CN=GSEõdemoõroot.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0560 02.CN=GSEõdemoõroot.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0500 03.CN=GSEõdemoõroot.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0560 03.CN=GSEõdemoõroot.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0500 07.CN=GSEõdemoõintermediate.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0560 07.CN=GSEõdemoõintermediate.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0500 09.CN=GSEõdemoõintermediate.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
0560 09.CN=GSEõdemoõintermediate.OU=RACFõGroup.O=GuideõShareõEurope.C=GB
Who is the ‘owner’?

RLIST DIGTCERT *

LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    IBMUSER         NONE            NONE       NO

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
irrcerta
Who is the ‘owner’?

Alternatives to the RLIST command are:
SR CLASS(DIGTCERT)
RACDCERT ID(USER) LIST
RACDCERT CERTAUTH LIST

but this also dumps information for ALL certificates and is very limited as it cannot be ‘filtered’. (use RACF109)
The connect command!

RACDCERT CONNECT is the method of configuring a key ring. It's similar to connecting users to groups, only here we are connecting certificates to key rings.

Just as a group must first be created before a user can be connected, so a key ring must be created before a certificate can be connected.

Just as users are connected with different levels of AUTHORITY to a group, certificates are connected to key rings with different types of USAGE.
The connect command!

RACDCERT ID(FTPTASK) LISTRING(FTPRING)

Digital ring information for user FTPTASK:

  Ring: FTPRING
  Certificate Label Name    Cert Owner    USAGE      DEFAULT
  ----------------------    -----------   --------   -------
  FTP SERVER                ID(FTPTASK)   PERSONAL   YES
  ROOT                      CERTAUTH      CERTAUTH   NO
  3RD PARTY ROOT            CERTAUTH      CERTAUTH   NO
The connect command!

RACDCERT ID(FTPTASK) CONNECT(ID(FTPTASK) LABEL('FTP SERVER') RING(FTPRING) DEFAULT USAGE(PERSONAL))
RACDCERT ID(FTPTASK) CONNECT(CERTAUTH LABEL('ROOT') RING(FTPRING) USAGE(CERTAUTH))
RACDCERT ID(FTPTASK) CONNECT(CERTAUTH LABEL('3RD PARTY ROOT') RING(FTPRING) USAGE(CERTAUTH))
The connect command!

RACDCERT ID(TCPIP) CONNECT(ID(TCPIP) LABEL('TN3270') RING(CONRING) DEFAULT)
RACDCERT ID(TCPIP) CONNECT(CERTAUTH LABEL('ROOT') RING(CONRING))
RACDCERT ID(TCPIP) LISTRING(CONRING)

Digital ring information for user TCPIP:

  Ring: CONRING
  Certificate Label Name    Cert Owner    USAGE      DEFAULT
  ----------------------    -----------   --------   -------
  TN3270                    ID(TCPIP)     PERSONAL   YES
  ROOT                      CERTAUTH      CERTAUTH   NO
The connect command!

RACDCERT ID(Mary) CONNECT(ID(John) LABEL(...) ...)
  Ring owner: Mary, Cert owner: John
RACDCERT ID(Mary) CONNECT(LABEL(...) ...)
  Ring owner: Mary, Cert owner: Mary
RACDCERT CONNECT(ID(John) LABEL(...) ...)
  Ring owner: Issuer of command, Cert owner: John
RACDCERT CONNECT(LABEL(...) ...)
  Ring owner: Issuer of command, Cert owner: Issuer of command

The ring owner can not be CERTAUTH or SITE, while the cert owner can.

The USAGE keyword is used to override the default usage derived from the owner. By default, CERTAUTH's cert has usage CERTAUTH, SITE's cert has usage SITE, and a personal cert (ID(xxx)) has usage PERSONAL.
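The four owner rules and the default-usage rule above are easy to get wrong when reviewing a batch of CONNECT commands before they run. The following Python is an added example, not code from the presentation: given a CONNECT command string and the user ID of the issuer (a parameter assumed here, since the command itself does not carry it), it applies those rules to say who owns the ring, who owns the certificate and what USAGE the connection gets, and rejects a CERTAUTH or SITE ring owner.

```python
import re

# Default usage implied by the certificate owner; anything else is PERSONAL.
DEFAULT_USAGE = {"CERTAUTH": "CERTAUTH", "SITE": "SITE"}

def _split_connect(command):
    """Return (text outside CONNECT(...), text inside it), honouring nested parens."""
    start = command.upper().index("CONNECT(")
    open_at, depth = start + len("CONNECT"), 0
    for j in range(open_at, len(command)):
        depth += {"(": 1, ")": -1}.get(command[j], 0)
        if depth == 0:
            return command[:start] + command[j + 1:], command[open_at + 1:j]
    raise ValueError("unbalanced parentheses in CONNECT operand")

def resolve_connect(command, issuer):
    """Apply the slide's rules to work out ring owner, cert owner and usage."""
    outer, inner = _split_connect(command)
    # Drop quoted strings so a label such as 'SITE CERT' is not read as a keyword.
    outer = re.sub(r"'[^']*'", "''", outer)
    inner = re.sub(r"'[^']*'", "''", inner)
    if re.search(r"\b(CERTAUTH|SITE)\b", outer, re.I):
        raise ValueError("the ring owner can not be CERTAUTH or SITE")
    m = re.search(r"\bID\((\w+)\)", outer, re.I)
    ring_owner = m.group(1) if m else issuer        # no ID(): the issuer owns the ring
    m = re.search(r"\bID\((\w+)\)", inner, re.I)
    if m:
        cert_owner = m.group(1)
    elif re.search(r"\bCERTAUTH\b", inner, re.I):
        cert_owner = "CERTAUTH"
    elif re.search(r"\bSITE\b", inner, re.I):
        cert_owner = "SITE"
    else:
        cert_owner = ring_owner                     # no owner given: same as the ring owner
    m = re.search(r"\bUSAGE\((\w+)\)", inner, re.I)
    usage = m.group(1).upper() if m else DEFAULT_USAGE.get(cert_owner.upper(), "PERSONAL")
    return {"ring_owner": ring_owner, "cert_owner": cert_owner, "usage": usage}
```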
Syntax gotchas

max label length            32 characters
max DN element length       64 characters
input dataset allocation    Must be VB
More gotchas
‣ certificates created with LABEL000000001
‣ deleting a certificate owning ID removes ALL certificates ‘owned’ by said ID
‣ root certificates with 4096 bit key length
Stop Press

Add a certificate with a very long Distinguished Name to RACF

The APARs implementing support in RACF and PKI Services to handle certificates with distinguished names longer than 246 characters are now available.

RACF: OA30560
PKI: OA30952

With the RACF PTF, the problem of adding a certificate requested from a well-known CA which has a very long distinguished name will be solved.
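The label limit and DN element limit from the Syntax gotchas slide, the LABEL000000001 default from the More gotchas slide and the 246-character DN limit from the Stop Press slide can all be checked before a GENCERT is submitted. The following Python is an added example, not code from the presentation; it is a pre-check over the command text only, and the assumption that the 246-character limit is counted over the DN written as CN=...,OU=...,... is the author's (the slide does not say how the length is measured).

```python
import re

MAX_LABEL = 32        # max label length (Syntax gotchas slide)
MAX_DN_ELEMENT = 64   # max DN element length (Syntax gotchas slide)
MAX_DN_TOTAL = 246    # longer DNs need RACF APAR OA30560 (Stop Press slide)
DN_KEYWORDS = ("CN", "OU", "O", "L", "SP", "C")

def _operand(command, keyword):
    """Return the text inside KEYWORD(...), matching nested parentheses, or None."""
    m = re.search(r"\b%s\(" % keyword, command, re.I)
    if not m:
        return None
    open_at, depth = m.end() - 1, 0
    for j in range(open_at, len(command)):
        depth += {"(": 1, ")": -1}.get(command[j], 0)
        if depth == 0:
            return command[open_at + 1:j]
    raise ValueError("unbalanced parentheses after %s(" % keyword)

def check_gencert(command):
    """Return a list of findings for a RACDCERT GENCERT command; empty means clean."""
    findings = []
    label = _operand(command, "WITHLABEL")
    if label is None:
        findings.append("no WITHLABEL: RACF assigns the default label LABEL000000001")
    else:
        label = label.strip().strip("'")
        if len(label) > MAX_LABEL:
            findings.append("label is %d characters, max is %d" % (len(label), MAX_LABEL))
    dn = _operand(command, "SUBJECTSDN")
    if dn is not None:
        parts = []
        pattern = r"\b(%s)\('([^']*)'\)" % "|".join(DN_KEYWORDS)
        for kw, value in re.findall(pattern, dn, re.I):
            if len(value) > MAX_DN_ELEMENT:
                findings.append("%s element is %d characters, max is %d"
                                % (kw.upper(), len(value), MAX_DN_ELEMENT))
            parts.append("%s=%s" % (kw.upper(), value))
        # Assumption: the 246-character limit is counted over the DN written as
        # CN=...,OU=...,... ; treat this as a rough pre-check only.
        total = len(",".join(parts))
        if total > MAX_DN_TOTAL:
            findings.append("DN is %d characters (> %d): needs RACF APAR OA30560"
                            % (total, MAX_DN_TOTAL))
    return findings
```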
The End.