Implementing z/OSMF Security Looks Unclear About Digital Certification And Keyring Definition.

Document ID : KB000048103
Last Modified Date : 14/02/2018

Description:

z/OSMF security is implemented through a REXX exec that contains RACF commands.

Some of these commands, in particular those that define the digital certificates and the keyring, need to be clarified for CA Top Secret.

Solution:

Here are the RACF commands from the REXX, each followed by the equivalent CA Top Secret commands:

===========================================================================
/* Define the FACILITY profile for working with digital certificates */
RDEFINE FACILITY IRR.DIGTCERT.LIST UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

TSS ADD(#dept) IBMFAC(IRR.)

/* started task USERID access */
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)

TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LIST)
TSS PER(IZUSVR) IBMFAC(IRR.DIGTCERT.LISTRING)

/* CA certificate for the z/OSMF server */
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') OU('IZUDFLT')) WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2021/10/10))
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)

TSS GENCERT(CERTAUTH) DIGICERT(ZOSMFCA)
   SUBJECTN('CN="z/OSMF CertAuth for Security Domain"
   OU="IZUDFLT"')
   KEYUSAGE(CERTSIGN) KEYSIZE(2048)
   LABLCERT('zOSMFCA')
   NADATE(10/10/21)

TSS ADD(IZUSVR) KEYRING(KIZUSVR)
   LABLRING('IZUKeyring.IZUDFLT')

/* server certificate for the z/OSMF server */
RACDCERT ID(IZUSVR) GENCERT SUBJECTSDN(CN('sysz3.dcs.citicorp.com') O('IBM') OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT') SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2021/10/10))
RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
RACDCERT ID(IZUSVR) CONNECT(LABEL('DefaultzOSMFCert.IZUDFLT') RING(IZUKeyring.IZUDFLT) DEFAULT)
RACDCERT ID(IZUSVR) CONNECT(LABEL('zOSMFCA') RING(IZUKeyring.IZUDFLT) CERTAUTH)

TSS GENCERT(IZUSVR) DIGICERT(DCIZUSVR)
   SUBJECTN('CN="sysz3.dcs.citicorp.com"
   O="IBM" OU="IZUDFLT"')
   LABLCERT('DefaultzOSMFCert.IZUDFLT')
   SIGNWITH(CERTAUTH,ZOSMFCA)
   NADATE(10/10/21)

TSS REP(IZUSVR) DIGICERT(DCIZUSVR) TRUST

TSS ADD(IZUSVR) KEYRING(KIZUSVR)
   RINGDATA(IZUSVR,DCIZUSVR) DEFAULT USAGE(PERSONAL)

TSS ADD(IZUSVR) KEYRING(KIZUSVR)
   RINGDATA(CERTAUTH,ZOSMFCA) USAGE(CERTAUTH)
===========================================================================

The ACID IZUSVR must exist before these commands are issued.

#dept is an existing or new department at the customer site.

The TSS ADD(#dept) IBMFAC(IRR.) may already have been done. If it has, this command fails, but that is acceptable: the IRR. prefix only needs to be owned once.
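Added here as a verification step, not part of the original article: once the commands above have run, the following CA Top Secret commands (with the RACF equivalents for comparison) list what was created, so the certificates and the keyring contents can be checked before the z/OSMF server is started. The ACID, ring and certificate names are the ones used above; the expected contents are described in the comments and are not quoted product output.

```text
/* --- CA Top Secret: verify the certificates and the keyring --- */

/* The CA certificate should be listed as trusted with KEYUSAGE CERTSIGN */
TSS LIST(CERTAUTH) DIGICERT(ZOSMFCA)

/* The server certificate should be listed as trusted and signed by ZOSMFCA */
TSS LIST(IZUSVR) DIGICERT(DCIZUSVR)

/* The keyring should contain exactly two entries:                   */
/*   DCIZUSVR - USAGE(PERSONAL), flagged as the DEFAULT certificate  */
/*   ZOSMFCA  - USAGE(CERTAUTH)                                      */
TSS LIST(IZUSVR) KEYRING(KIZUSVR)

/* Confirm that IZUSVR (and nobody unexpected) holds the FACILITY */
/* permissions the server needs to read certificates and rings    */
TSS WHOHAS IBMFAC(IRR.DIGTCERT.LIST)
TSS WHOHAS IBMFAC(IRR.DIGTCERT.LISTRING)

/* --- RACF equivalents, for sites that kept the REXX as shipped --- */
RACDCERT CERTAUTH LIST(LABEL('zOSMFCA'))
RACDCERT ID(IZUSVR) LIST(LABEL('DefaultzOSMFCert.IZUDFLT'))
RACDCERT ID(IZUSVR) LISTRING(IZUKeyring.IZUDFLT)
RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER
RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
```

The keyring listing is the one to read most carefully: a certificate that was generated but never connected with TSS ADD ... RINGDATA, or connected without DEFAULT, is exactly the kind of omission this listing makes visible, and the WHOHAS output is the quick way to confirm that READ access to the IRR.DIGTCERT resources has not been granted more widely than the started task ACID.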