How do I set up EKM TAPE DATA ENCRYPTION DIGITAL CERTIFICATES with CA-ACF2?

Document ID : KB000027269
Last Modified Date : 14/02/2018

Question:

How do I set up EKM TAPE DATA ENCRYPTION DIGITAL CERTIFICATES with CA-ACF2?

Answer: 

This informational solution consists of two sections on setting up digital certificates for EKM Tape Data Encryption: Section A covers a certificate signed by a local certificate authority, and Section B covers a certificate issued by a third-party certificate provider.


Section A.

Setting up EKM Tape Data Encryption using a Local Certificate

This example is for setting up certificates using a local certificate authority certificate.

EKM requires a z/OS user ID that identifies the EKM process as a started task on z/OS. In this example, the LOGONID of EKMSERV is used.

Setting up EKM digital certificates for the data encryption key protection used by EKM tape write operations.

  1. Generate a self-signed certificate to serve as the local certificate authority certificate using the GENCERT command. A sample GENCERT command follows (a trailing "-" continues the command on the next line):
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    GENCERT CERTAUTH.localca SUBJ(CN='MyLocalzOSCA' -
      OU='Auditing Department' O='Company Name' C=US) -
      LABEL(LocalACF CA) SIZE(1024) EXPIRE(12/31/2012)
    Note 1: Parameters specified in lower or mixed case are examples and should be set to meet site standards.

    Note 2: Be sure you specify an EXPIRE date if you are creating your own CA. It should be 5-10 years in the future to ensure it extends beyond the EXPIRE date of any certificate signed by it. The date in the sample command is illustrative only and is already in the past; use a date that is actually in the future when you run it.

  2. Generate an RSA key pair and certificate for the EKM server instance on z/OS using the GENCERT command. A sample GENCERT command follows. The certificate generated is signed with the CERTAUTH certificate generated in step 1.
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    GENCERT EKMSERV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
      LABEL(EKMServer) SIZE(1024) SIGNWITH(CERTAUTH.localca)
    Note 1: Parameters specified in lower or mixed case are examples and should be set to meet site standards. The CERTDATA record id is the EKM logonid followed by a suffix (EKMSERV.CERT here); the CONNECT in step 4 refers to it by exactly this id.

    Note 2: SIZE(1024) reflects the age of this example. A 1024-bit RSA key is below current minimums, so use SIZE(2048) or larger for both the CA and the server certificate unless your EKM level or hardware limits you.

  3. Create a FACILITY class resource rule to allow the EKM server to read from its key ring.
    ACF
    SET RESOURCE(FAC)
    COMPILE * STORE
    $KEY(IRR) TYPE(FAC)
     DIGTCERT.LIST UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
     DIGTCERT.LISTRING UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
    Note 1: Replace "UID for EKMSERV logonid" with the UID string of the EKMSERV logonid, using a mask that matches only that logonid, so no other user inherits read access to the ring and its certificate material.
  4. Create the EKM key ring and connect the CERTAUTH and EKMSERV certificates.
    ACF
    SET PROFILE(USER) DIV(KEYRING)
    INSERT EKMSERV.RING RINGNAME(EKMRing)
    CONNECT CERTDATA(CERTAUTH.LOCALCA) KEYRING(EKMSERV.RING) -
      USAGE(CERTAUTH)
    CONNECT CERTDATA(EKMSERV.CERT) KEYRING(EKMSERV.RING) -
      USAGE(PERSONAL) DEFAULT
    NOTE 1: This example sets the ring name to "EKMRing". The ring name that you assign must match the key ring name specified in the EKM configuration file as shown in step 5 below.

  5. The EKM server logonid (EKMSERV) and the ring name (EKMRing) used in steps 2 and 4 above must appear in the safkeyring URIs of the EKM configuration file:
    Admin.ssl.keystore.name = safkeyring://EKMSERV/EKMRing
    Admin.ssl.truststore.name = safkeyring://EKMSERV/EKMRing
    config.keystore.file = safkeyring://EKMSERV/EKMRing
    TransportListener.ssl.keystore.name = safkeyring://EKMSERV/EKMRing
    TransportListener.ssl.truststore.name = safkeyring://EKMSERV/EKMRing
  6. Before attempting to use the defined KEYRING and CERTDATA records, you will need to issue these operator commands to activate them:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS   or   F ACF2,OMVS(CERTDATA)
    F ACF2,REBUILD(FAC)

Section B.

Setting up EKM Tape Data Encryption using a Third Party Certificate Provider

This example is for setting up certificates using a third party certificate provider.

Setting up EKM digital certificates for the data encryption key protection used by EKM tape write operations.

  1. Generate the certificate for the EKM server on z/OS using the GENCERT command. Then issue the GENREQ command to generate a certificate request to be sent to a Certification Authority. GENREQ extracts the subject's distinguished name and the public key from the certificate and writes them as a request to a data set, from which the request is sent to the Certification Authority:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    GENCERT EKMSERV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
      LABEL(EKMServer) SIZE(1024)
    GENREQ EKMSERV.CERT DSN('hlq.EKMSERV.CERT.REQUEST')
    Note 1: Parameters specified in lower or mixed case are examples and should be set to meet site standards.

  2. Submit the GENREQ request data set (hlq.EKMSERV.CERT.REQUEST) to the third-party Certification Authority, which will return a new certificate with the same distinguished name and public key, issued and signed by that Certification Authority. This example assumes the returned certificate now resides in the data set 'THIRD.PARTY.CERT' on z/OS. Insert it into the ACF2 database under the same record id and label used in step 1, so that the CA-signed certificate replaces the self-signed one:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT EKMSERV.CERT DSN('THIRD.PARTY.CERT') LABEL(EKMServer)
    Note 1: The DSN data set must be physical sequential (DSORG=PS), variable-blocked (RECFM=VB) with LRECL=255, and must be cataloged.

  3. When using certificates signed by a CA, the CA's root certificate must be obtained and inserted as a CERTAUTH CERTDATA profile record.

    If the CA is external you should be able to get its root certificate from the CA's website, put it in a data set, and insert it as follows:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT CERTAUTH.3rdPartyCA DSN('THIRD.PARTY.CA.CERT') TRUST
    Note 1: A CERTAUTH record marked TRUST becomes a trust anchor for every TLS connection EKM accepts over this ring, so verify the downloaded certificate's fingerprint against the value the CA publishes before you insert it with TRUST.
  4. Create a FACILITY class resource rule to allow the EKM server to read from its key ring.
    ACF
    SET RESOURCE(FAC)
    COMPILE * STORE
    $KEY(IRR) TYPE(FAC)
     DIGTCERT.LIST UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
     DIGTCERT.LISTRING UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
    Note 1: Replace "UID for EKMSERV logonid" with the UID string of the EKMSERV logonid, using a mask that matches only that logonid, so no other user inherits read access to the ring and its certificate material.
  5. Create the EKM key ring and connect the CERTAUTH and EKMSERV certificates.
    ACF
    SET PROFILE(USER) DIV(KEYRING)
    INSERT EKMSERV.RING RINGNAME(EKMRing)
    CONNECT CERTDATA(CERTAUTH.3rdPartyCA) KEYRING(EKMSERV.RING) -
      USAGE(CERTAUTH)
    CONNECT CERTDATA(EKMSERV.CERT) KEYRING(EKMSERV.RING) -
      USAGE(PERSONAL) DEFAULT
    NOTE 1: This example sets the ring name to "EKMRing". The ring name that you assign must match the key ring name specified in the EKM configuration file as shown in step 6 below.

  6. The EKM server logonid (EKMSERV) and the ring name (EKMRing) used in steps 1, 2 and 5 above must appear in the safkeyring URIs of the EKM configuration file:
    Admin.ssl.keystore.name = safkeyring://EKMSERV/EKMRing
    Admin.ssl.truststore.name = safkeyring://EKMSERV/EKMRing
    config.keystore.file = safkeyring://EKMSERV/EKMRing
    TransportListener.ssl.keystore.name = safkeyring://EKMSERV/EKMRing
    TransportListener.ssl.truststore.name = safkeyring://EKMSERV/EKMRing
  7. Before attempting to use the defined KEYRING and CERTDATA records, you will need to issue these operator commands to activate them:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS   or   F ACF2,OMVS(CERTDATA)
    F ACF2,REBUILD(FAC)
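Both Section A and Section B end with the same pairing rules: the safkeyring URIs in the EKM configuration must name the ring owner and RINGNAME that were INSERTed, the ring must carry a CERTAUTH entry and a DEFAULT PERSONAL entry, every CONNECT must reference a CERTDATA record that was actually created, and a CA certificate must outlive the certificates it signs. The script below is an added pre-flight check for those rules, written for this page and not part of CA-ACF2 or EKM. It parses the ACF command stream (with the "-" continuation used in the samples) and the EKM properties, and reports inconsistencies before the records are activated. Assumptions: the sample command stream and properties are constructed here from the page's Section A example (with a future EXPIRE date); EXPIRE dates are taken in the mm/dd/yyyy form the page uses; ring names are compared case-sensitively, the strict reading, which you can relax only after confirming how your ACF2 release folds RINGNAME; and the 2048-bit RSA threshold is this example's choice, not a product setting.

```python
import re
from datetime import datetime

PARAM_RE = re.compile(r"(\w+)\(([^()]*)\)")              # NAME(value); these commands nest no parens
SAFKEYRING_RE = re.compile(r"safkeyring://([^/\s]+)/(\S+)")
# Constructed sample: the Section A command sequence from the page, with a future EXPIRE date.
ACF2_COMMANDS = """\
SET PROFILE(USER) DIV(CERTDATA)
GENCERT CERTAUTH.localca SUBJ(CN='MyLocalzOSCA' -
  OU='Auditing Department' O='Company Name' C=US) -
  LABEL(LocalACF CA) SIZE(1024) EXPIRE(12/31/2030)
GENCERT EKMSERV.CERT SUBJ(CN='ITOperations' OU='MyCo' C=US) -
  LABEL(EKMServer) SIZE(2048) SIGNWITH(CERTAUTH.localca)
SET PROFILE(USER) DIV(KEYRING)
INSERT EKMSERV.RING RINGNAME(EKMRing)
CONNECT CERTDATA(CERTAUTH.localca) KEYRING(EKMSERV.RING) USAGE(CERTAUTH)
CONNECT CERTDATA(EKMSERV.CERT) KEYRING(EKMSERV.RING) USAGE(PERSONAL) DEFAULT
"""
# Constructed sample: the EKM properties that must point at that ring.
EKM_CONFIG = """\
Admin.ssl.keystore.name = safkeyring://EKMSERV/EKMRing
Admin.ssl.truststore.name = safkeyring://EKMSERV/EKMRing
config.keystore.file = safkeyring://EKMSERV/EKMRing
TransportListener.ssl.keystore.name = safkeyring://EKMSERV/EKMRing
TransportListener.ssl.truststore.name = safkeyring://EKMSERV/EKMRing
"""

def join_continuations(text):           # lines ending in '-' continue the ACF command on the next line
    commands, buf = [], ""
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("-"):
            buf += line[:-1].rstrip() + " "
        else:
            commands.append(buf + line)
            buf = ""
    return commands

def parse_date(text):                   # EXPIRE(mm/dd/yyyy) as on the page; any other form -> unknown
    try:
        return datetime.strptime(text, "%m/%d/%Y").date() if text else None
    except ValueError:
        return None

def parse_acf2(text):                   # model the CERTDATA and KEYRING records the stream would create
    model, division = {"certs": {}, "rings": {}, "connects": []}, ""
    for cmd in join_continuations(text):
        tokens = cmd.split()
        verb, params = tokens[0].upper(), {k.upper(): v for k, v in PARAM_RE.findall(cmd)}
        if verb == "SET":               # remember which division a later INSERT applies to
            division = params.get("DIV", params.get("DIVISION", division)).upper()
            continue
        recid = tokens[1].upper() if len(tokens) > 1 else ""
        if verb == "GENCERT" or (verb == "INSERT" and division == "CERTDATA"):
            model["certs"][recid] = {"size": int(params["SIZE"]) if "SIZE" in params else None,
                                     "expire": parse_date(params.get("EXPIRE")),
                                     "signwith": params.get("SIGNWITH", "").upper() or None}
        elif verb == "INSERT" and division == "KEYRING":
            model["rings"][recid] = params.get("RINGNAME")
        elif verb == "CONNECT":
            model["connects"].append({"certdata": params.get("CERTDATA", "").upper(),
                                      "keyring": params.get("KEYRING", "").upper(),
                                      "usage": params.get("USAGE", "").upper(),
                                      "default": "DEFAULT" in [t.upper() for t in tokens]})
    return model

def parse_ekm_config(text):             # property name -> (logonid, ring name) for safkeyring:// values
    refs = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        match = SAFKEYRING_RE.search(value)
        if match and not key.lstrip().startswith("#"):
            refs[key.strip()] = (match.group(1).upper(), match.group(2))
    return refs

def lint(acf2_text, ekm_text, today, min_rsa_bits=2048):
    """Return findings as strings; an empty list means ring, certificates and config agree."""
    model, findings = parse_acf2(acf2_text), []
    for key, (user, ring) in parse_ekm_config(ekm_text).items():
        # ring owner is the record-id prefix; ring name compared case-sensitively (assumption, see lead-in)
        owners = {r.split(".", 1)[0] for r, name in model["rings"].items() if name == ring}
        if user not in owners:
            findings.append(f"{key}: safkeyring://{user}/{ring} matches no KEYRING record")
    for recid in model["rings"]:
        conns = [c for c in model["connects"] if c["keyring"] == recid]
        if not any(c["usage"] == "CERTAUTH" for c in conns):
            findings.append(f"{recid}: no USAGE(CERTAUTH) certificate connected")
        if not any(c["usage"] == "PERSONAL" and c["default"] for c in conns):
            findings.append(f"{recid}: no USAGE(PERSONAL) DEFAULT certificate connected")
        findings += [f"{recid}: CONNECT names CERTDATA {c['certdata']} that is never created"
                     for c in conns if c["certdata"] not in model["certs"]]
    for recid, cert in model["certs"].items():
        if cert["size"] is not None and cert["size"] < min_rsa_bits:
            findings.append(f"{recid}: RSA key size {cert['size']} is below {min_rsa_bits} bits")
        if cert["expire"] is not None and cert["expire"] <= today:
            findings.append(f"{recid}: EXPIRE {cert['expire']} is not after {today}")
        signer = model["certs"].get(cert["signwith"]) if cert["signwith"] else None
        if signer and cert["expire"] is None:
            findings.append(f"{recid}: no EXPIRE given, so the GENCERT default applies; "
                            f"confirm it ends before {cert['signwith']} expires")
        elif signer and signer["expire"] and cert["expire"] and signer["expire"] < cert["expire"]:
            findings.append(f"{recid}: expires {cert['expire']} after its signer "
                            f"{cert['signwith']} ({signer['expire']})")
    return findings
```

Run `lint(ACF2_COMMANDS, EKM_CONFIG, parse_date("02/14/2018"))` to see the two findings the page's own sample produces: the 1024-bit CA key, and a server certificate with no EXPIRE whose lifetime therefore depends on the GENCERT default. Feeding it the command stream with the record id mistyped as EKMSRV.CERT in GENCERT but EKMSERV.CERT in CONNECT reports the dangling CONNECT, and a configuration whose ring name differs from RINGNAME only in case is flagged on every property, which is the error that otherwise only shows up when EKM fails to open its keystore.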