How do I enable signature validation of the System SSL or ICSF modules in a mode that has been designed to meet the FIPS 140-2 criteria?

Document ID : KB000017925
Last Modified Date : 14/02/2018

Question:  

How do I enable signature validation of the System SSL or ICSF modules in a mode that has been designed to meet the FIPS 140-2 criteria?

 

Answer:  

To enable signature validation of the System SSL modules, additional steps are required before a FIPS-enabled System SSL application is executed. These steps include:

  1. Defining specific ESM profiles and a keyring to enable verification of the System SSL module signature when the module is loaded by the z/OS loader.
  2. Defining specific ESM profiles (ACF2 GSO SIGVER records) and identifying which System SSL modules require signature verification.

The following steps need to be followed by the ACF2 system administrator to enable signature validation of the System SSL modules:

*

* Mark the IBM root CA as TRUSTed if not already TRUSTed
*
* CA ACF2 supplies the STG Code-Signing Certificate Authority so you do not 
* have to define them yourselves. The certificates are added when CA ACF2 
* starts. The certificates are added under the CERTAUTH logonid with a suffix 
* of AUTOxxx. You can use the LIST LIKE(CERTAUTH.AUTO-) command to determine 
* the exact suffix of the certificate you want to use. For example:
* 
ACF
SET PROFILE(USER) DIV(CERTDATA)
list like(certauth.auto-)
*
* CERTDATA / CERTAUTH.AUTO004 LAST CHANGED BY ACF2 ON 06/25/10-16:41           
*                 CERTNSER(0000000000000001) ISSUERDN(CN=STG Code Signing C
*                 A.OU=IBM Code Signing.O=IBM Corporation.C=US)           
*                 LABEL(STG Code Signing CA) SERIAL#(00) SUBJDN(CN=STG Code
*                  Signing CA.OU=IBM Code Signing.O=IBM Corporation.C=US) 
*
* Issue the following command to set the TRUST status:
*
CHANGE certauth.auto00x TRUST
* Create a Keyring and Keyring owner to hold the STG Code Signing CA  
* certificate and connect the certificate to the keyring.
*
ACF
INSERT ACFADM NAME(SECADMIN Code Signer) SECURITY
*
SET PROFILE(USER) DIVISION(KEYRING)
INSERT ACFADM.ring RINGNAME(CODE.SIGNATURE.VERIFICATION.KEYRING) 
CONNECT CERTDATA(certauth.yoursfx) KEYRING(ACFADM.keyring) USAGE(CERTAUTH)
*
* Create the FACILITY class profile that tells security the keyring to use for
* module signature verification if it is not already defined.
*
ACF
set profile(program) division(signver)
PROFILE
INSERT ACFADM RINGNAME(CODE.SIGNATURE.VERIFICATION.KEYRING) USER(ACFADM)
*
* Activate PROGRAM control, if not already active.
*
* Program control is covered in the r15 CA ACF2 for z/OS Administration Guide
* (Seventh Edition) in Chapter 23: Controlling Access to the Hierarchical
* File System section 'Program Control in the UNIX Environment' page 1069.
*
* Create the PROGRAM class profile that protects the program verification
* module IRRPVERS and specify its signature verification options.
*
ACF
Set control(gso)
Insert sigver.IRRPVERS sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
*
ACF
F ACF2,REFRESH(SIGVER)
*
* NOTE:
* Create the PROGRAM class profiles to indicate the System SSL modules must
* be signed. The load should fail if the signature cannot be verified and
* auditing should occur for failure only.
*
ACF
Set control(gso)
Insert sigver.GSKSSL sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSSL64 sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKS31F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKS64F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKCMS31 sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKCMS64 sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKC31F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKC64F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSRVR sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKKYMAN sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSRBRD sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSRBWT sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
*
F ACF2,REFRESH(SIGVER)
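
The following Python script is an added example, not part of the original article or of CA ACF2. It checks a SIGVER command deck before it is run, reporting any module from the list above that has no insert or whose insert lacks one of the options the article uses. The function names and the sample deck are constructed for illustration, and treating every option shown in the article as mandatory is an assumption.

```python
import re

# Module names taken from the SIGVER inserts in the article.
REQUIRED = ["IRRPVERS", "GSKSSL", "GSKSSL64", "GSKS31F", "GSKS64F", "GSKCMS31",
            "GSKCMS64", "GSKC31F", "GSKC64F", "GSKSRVR", "GSKKYMAN",
            "GSKSRBRD", "GSKSRBWT"]
# Options carried by every insert in the article (assumed mandatory here).
EXPECTED = {"SIGREQ", "FAILLOAD(ANYBAD)", "AUDIT(ANYBAD)", "LIB(SYS1.SIEALNKE)"}

def join_continuations(text):
    """Drop '*' comment lines and join lines ending in the '-' continuation."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("-"):
            pending += line[:-1].rstrip() + " "
        else:
            out.append(pending + line)
            pending = ""
    if pending:  # deck ended on a dangling continuation
        out.append(pending.strip())
    return out

def audit_deck(text):
    """Return {module: list of problems} for the required modules."""
    seen = {}
    for cmd in join_continuations(text):
        m = re.match(r"(?i)insert\s+sigver\.(\S+)\s*(.*)", cmd)
        if m:
            seen[m.group(1).upper()] = {t.upper() for t in m.group(2).split()}
    problems = {}
    for mod in REQUIRED:
        if mod not in seen:
            problems[mod] = ["no SIGVER insert"]
        elif EXPECTED - seen[mod]:
            problems[mod] = sorted("missing " + o for o in EXPECTED - seen[mod])
    return problems

# Constructed sample deck: GSKSSL is complete, GSKSSL64 lacks FAILLOAD.
SAMPLE = """\
* constructed sample, not a real site deck
Set control(gso)
Insert sigver.GSKSSL sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSSL64 sigreq audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
"""
```

Calling `audit_deck(SAMPLE)` returns an entry for every module except GSKSSL; an empty result means every listed module has an insert carrying all four options.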

Additional Information: 

Details on the ACF2 SIGVER GSO record can be found in the CA ACF2 for z/OS Administration Guide, Chapter 14: Maintaining Global System Options Records, section 'Signature Verification (SIGVER)'.

Details on the ACF2 SIGNVER Profile Data Record can be found in the CA ACF2 for z/OS Administration Guide, Chapter 16: Maintaining Profile Records, section 'SIGNVER Profile Data Records'.