I am setting up digital certificates and KEYRINGs with ACF2. What is the FACILITY CLASS resource IRR.DIGTCERT.LISTRING and how should ACF2 resource rules be coded? If access is given to the resource, will the user be allowed to access all KEYRINGs?

Document ID : KB000026248
Last Modified Date : 14/02/2018

Question:  

I am setting up digital certificates and KEYRINGs with ACF2. What is the FACILITY CLASS resource IRR.DIGTCERT.LISTRING and how should ACF2 resource rules be coded? If access is given to the resource, will the user be allowed to access all KEYRINGs?

Answer: 

Access to the FACILITY class resource IRR.DIGTCERT.LISTRING controls whether a user may use their own KEYRING and whether they may use a KEYRING owned by another user. The check is not per ring: if a user is granted access to another user's KEYRING, that access extends to all KEYRINGs.

Ownership of a KEYRING is based on the RECID of the ACF2 PROFILE(USER) DIV(KEYRING) record. In the following example the RECID is "userid.suffix" and the owner of the keyring is "userid":

SET PROFILE(USER) DIV(KEYRING)
INSERT userid.suffix RINGNAME(ringname)

Ownership of a certificate is based on the RECID of the ACF2 PROFILE(USER) DIV(CERTDATA) record. In the following example the RECID is "userid.suffix" and the owner of the certificate is "userid":

SET PROFILE(USER) DIV(CERTDATA)
INSERT userid.suffix  dsn('mycert.dataset')

The user must have IRR.DIGTCERT.LISTRING resource READ access in the FACILITY class when using a KEYRING owned by that user.

The user must have IRR.DIGTCERT.LISTRING resource UPDATE access in the FACILITY class when using a KEYRING owned by another user. If a user has access to another user's KEYRING, access is allowed to all KEYRINGs. Note that even with UPDATE access the user is only allowed access to the private key of a certificate in a KEYRING when they are the owner of that certificate (that is, the certificate's CERTDATA RECID begins with their userid).

For example:


$KEY(IRR.DIGTCERT.LISTRING) TYPE(FAC)
 UID(ring owner uid) SERVICE(READ) ALLOW    <-gives access to the ring owner
 UID(other) SERVICE(UPDATE) ALLOW           <-gives access to another user's ring
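The following is an added, end-to-end illustration of the pieces described in this answer (it is not part of the original document and not CA's own sample). It defines a ring and a certificate under one logonid so that the RECID prefix makes that logonid the owner, connects the two, and then codes the FACILITY rule so that every user gets READ (their own ring only) while a single server logonid gets UPDATE (any user's ring). The logonids PAYSRV and WEBSRV, the RECID suffixes RING1 and CERT1, the ring and certificate labels, the data set name, and the UID masks are all assumed; real UID masks depend on the site's UID string layout.

```text
SET PROFILE(USER) DIV(KEYRING)
INSERT PAYSRV.RING1 RINGNAME(PAYRING)        <-RECID prefix PAYSRV = ring owner
LIST PAYSRV.RING1                            <-verify the record

SET PROFILE(USER) DIV(CERTDATA)
INSERT PAYSRV.CERT1 DSN('PAYSRV.CERT.DATASET') LABEL(PAYCERT)
                                             <-RECID prefix PAYSRV = certificate owner
CONNECT CERTDATA(PAYSRV.CERT1) KEYRING(PAYSRV.RING1) USAGE(PERSONAL) DEFAULT
                                             <-attach the certificate to the ring

SET RESOURCE(FAC)
COMPILE * STORE
 $KEY(IRR.DIGTCERT.LISTRING) TYPE(FAC)
 UID(uid-of-WEBSRV) SERVICE(READ,UPDATE) ALLOW  <-WEBSRV may use any user's ring
 UID(-) SERVICE(READ) ALLOW                     <-everyone else: own ring only

F ACF2,REBUILD(FAC)                          <-operator command: refresh the FAC directory
```

With this rule, PAYSRV can open PAYSRV.RING1 (READ, own ring), WEBSRV can open PAYSRV.RING1 and every other ring on the system (UPDATE, all rings), but WEBSRV still cannot use the private key of PAYCERT, because the certificate's owner is PAYSRV. Any other user attempting to open PAYSRV.RING1 fails the UPDATE check. Because UPDATE is system-wide rather than per ring, grant it only to the specific logonids that must share rings, and review the rule with the same care as any other broad FACILITY permission.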


Additional Information:

Details regarding the creation (INSERT) of digital certificates and keyrings can be found in the CA ACF2 for z/OS Administration Guide, Chapter 3: Maintaining Logonid Records, section 'USER Profile Records', sub-sections 'CERTDATA Profile Data Records' and 'KEYRING Profile Data Records'.