PKI Authorization / RACF to Top Secret

Document ID : KB000012251
Last Modified Date : 14/02/2018
Show Technical Document Details
Question:

What are the PKI Authorization RACF to Top Secret commands?

Answer:

PKI Authorization / RACF to Top Secret: 

Creating users and groups ...
ADDUSER  PKISRVD name('PKI Srvs Daemon')  nopassword  omvs(uid(554)  assize(256000000)  threads(512)) 

TSS CREATE(PKISRVD) TYPE(USER) NAME('PKI Srvs DAEMON') DEPT(dept) - 
PASS(password,0)
TSS ADD(PKISRVD) UID(554) ASSIZE(256000000) THREADS(512) 

ADDUSER  PKISERV nopassword   omvs(uid(555))  name('PKI Srvs Surrogate') 

TSS CREATE(PKISERV) TYPE(USER) NAME(''PKI Srvs Surrogate') PASS(passoword,0)
TSS ADD(PKISERV) UID(555) 

ADDGROUP  PKIGRP OMVS(GID(655)) 

TSS CREATE(PKIGRP) TYPE(GROUP) NAME('PKI GROUP') GID(655)
TSS ADD(PKISRVD) GROUP(PKIGRP) DFLTGRP(PKIGRP)
TSS ADD(PKISERV) GROUP(PKIGRP) DFLTGRP(PKIGRP) 

SETROPTS EGN GENERIC(DATASET)
ADDSD 'PKISRVD.**' UACC(NONE)
PERMIT 'PKISRVD.**' ID(PKISRVD) ACCESS(ALTER)
Allowing administrators to access PKI VSAM databases ...
PERMIT 'PKISRVD.**' ID(PKIGRP) ACCESS(CONTROL)
SETROPTS GENERIC(DATASET) REFRESH 

TSS ADD(dept) DSN(PKISRVD.)
TSS PERMIT(PKISRVD) DSN(PKISRVD) ACCESS(ALL)
TSS PERMIT(PKISERV) DSN(PKISRVD) ACCESS(CONTROL) 

Creating the CA certificate ...
RACDCERT GENCERT CERTAUTH SUBJECTSDN(OU('ROOTCA ITSO PKI Red Book') O('IBM') C('US'))  WITHLABEL('ROOTCA PKI CA') NOTAFTER(DATE(2035/11/17))  SIZE(2048) 

TSS GENCERT(CERTAUTH) DIGICERT(PKIROOT) - 
SUBJECTN('O="IBM" OU="ROOTCA ITSO PKI Red Book" - C="US" ') -
LABLCERT('ROOTCA PKI CA') NADATE(11/17/35) KEYSIZE(2048) HITRUST 

Backing up the CA certificate ...
RACDCERT CERTAUTH EXPORT(LABEL('ROOTCA PKI CA'))  DSN('PKISRVD.ROOTCA.KEY.BACKUP.P12BIN') FORMAT(PKCS12DER)  PASSWORD('******') 

TSS EXPORT(CERTAUTH) DIGICERT(PKIROOT) DCDSN(datset.name) FORMAT(PKCS12DER) -
PKCSPASS(password) 

Marking CA certificate as HIGHTRUST ...
RACDCERT CERTAUTH ALTER(LABEL('ROOTCA PKI CA')) HIGHTRUST

**Done** 

Saving the CA certificate to a data set ...
RACDCERT CERTAUTH EXPORT(LABEL('ROOTCA PKI CA'))  DSN('PKISRVD.ROOTCA.CACERT.DERBIN') FORMAT(CERTDER)

**This is the same as Backing Up the certificate.** 

Creating the RA certificate ...
RACDCERT ID(PKISRVD) GENCERT SUBJECTSDN(CN('Registration Authority') OU('ROOTCA ITSO PKI Red Book') O('IBM') C('US')) KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH LABEL('ROOTCA PKI CA'))  NOTAFTER(DATE(2035/11/17)) WITHLABEL('ROOTCA PKI RA') 

TSS GENCERT(PKISRVD) DIGICERT(PKIRA) - 
SUBJECTN('CN="Registration Authority" O="IBM" OU="ROOTCA ITSO PKI Red Book" - 
C="US" ') LABLCERT('ROOTCA PKI RA') NADATE(11/17/35) KEYSIZE(2048) -
KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH,PKIROOT) TRUST 

Backing up RA certificate ...
RACDCERT ID(PKISRVD) EXPORT(LABEL('ROOTCA PKI RA'))  DSN('PKISRVD.ROOTCA.RAKEY.BACKUP.P12BIN') FORMAT(PKCS12DER) PASSWORD('******') 

TSS EXPORT(PKISRVD) DIGICERT(PKIRA) DCDSN(dataset.name) FORMAT(PKCS12DER) -
PKCSPASS(password)

Creating the PKI Services keyring ...
RACDCERT ADDRING(CAring.ROOTCA) ID(PKISRVD)
RACDCERT ID(PKISRVD) CONNECT(CERTAUTH  LABEL('ROOTCA PKI CA')  RING(CAring.ROOTCA) USAGE(PERSONAL) DEFAULT)
RACDCERT ID(PKISRVD) CONNECT(LABEL('ROOTCA PKI RA')  RING(CAring.ROOTCA) USAGE(PERSONAL)) 

TSS ADD(PKISRVD) KEYRING(PKIRING) LABLRING('CAring.ROOTCA')
TSS ADD(PKISRVD) KEYRING(PKIRING) RINGDATA(CERTAUTH,PKIROOT) -
USAGE(PERSONAL) DEFAULT
TSS ADD(PKISRVD) KEYRING(PKIRING) RINGDATA(PKISRVD,PKIRA) USAGE(PERSONAL)

**Note: The CA certificate PKIROOT is marked with Usage(Personal) and Default.**
**This is not what is normally done.  The CA certificate would be marked **
**Usage(Certauth) and would not have default.  The personal certificate **
**PKIRA would normally be the Default**
**Add the IBMFAC permits to allow the acid to read the certificates on the keyring**

TSS ADD(department) IBMFAC(IRR.) 
TSS PER(PKISRVD) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
TSS PER(PKISRVD) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)   

Creating the Webserver SSL certificate and keyring ...
RACDCERT GENCERT ID(WEBSRV) SIGNWITH(CERTAUTH  LABEL('ROOTCA PKI CA'))  WITHLABEL('SSL Cert') SUBJECTSDN(CN('wtscnet.itso.ibm.com') O('IBM') L('Poughkeepsie') SP('New York') C('US'))  NOTAFTER(DATE(2020/11/17))

**This assumes that you already have an acid WEBSRV.   If not you need to create one.** 

TSS GENCERT(WEBSRV) DIGICERT(SSLCERT) - 
SUBJECTN('CN="wtscnet.itso.ibm.com" O="IBM" L="Poughkeepsie" C="US"  -
SP="New York" ') LABLCERT('SSL Cert') NADATE(11/17/20) KEYSIZE(2048) -
KEYUSAGE(HANDSHAKE) SIGNWITH(CERTAUTH,PKIROOT) TRUST 

RACDCERT ADDRING(SSLring) ID(WEBSRV)
RACDCERT  ID(WEBSRV) CONNECT(ID(WEBSRV)  LABEL('SSL Cert') RING(SSLring) USAGE(PERSONAL) DEFAULT)
RACDCERT  ID(WEBSRV) CONNECT(CERTAUTH  LABEL('ROOTCA PKI CA') RING(SSLring))

TSS ADD(WEBSRV) KEYRING(SSLring) LABLRING('SSLring')
TSS ADD(WEBSRV) KEYRING(SSLring) RINGDATA(WEBSRV,SSLCERT) - 
USAGE(PERSONAL) DEFAULT
TSS ADD(WEBSRV) KEYRING(SSLring) RINGDATA(CERTAUTH,PKIROOT) -
USAGE(CERTAUTH)

**Add the IBMFAC permits to allow the acid to read the certificates on the keyring**
TSS PER(WEBSRV) IBMFAC(IRR.DIGTCERT.LISTRING) ACC(UPDATE)
TSS PER(WEBSRV) IBMFAC(IRR.DIGTCERT.LIST) ACC(UPDATE)   

Saving the webserver's root CA certificate to a  data set for OPUT ...
RACDCERT CERTAUTH EXPORT(LABEL('ROOTCA PKI CA'))  DSN('PKISRVD.ROOTCA.WEBROOT.DERBIN') FORMAT(CERTDER)

**This certificate is already in a dataset.** 

Giving PKISRVD access to BPX.SERVER ...
RDEFINE FACILITY BPX.SERVER
PERMIT BPX.SERVER CLASS(FACILITY)  ID(PKISRVD) ACCESS(READ) 

TSS ADD(dept) IBMFAC(BPX.)
TSS PERMIT(PKISRVD) IBMFAC(BPX.SERVER) ACCESS(READ) 

Allowing the PKI Services daemon to act as a CA ...
RDEFINE FACILITY IRR.DIGTCERT.GENCERT
RDEFINE FACILITY IRR.DIGTCERT.LISTRING
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY)  ID(PKISRVD) ACCESS(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)  ID(PKISRVD) ACCESS(READ)

**Some commands are already done.**
TSS PERMIT(PKISRVD) IBMFAC(IRR.DIGTCERT.GENCERT) ACCESS(CONTROL) 

Allowing the Webserver to access its keyring ...
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY)  ID(WEBSRV) ACCESS(READ)

**DONE** 

Allowing the Webserver to switch identity to PKISERV ...
SETROPTS CLASSACT(SURROGAT)
RDEFINE SURROGAT BPX.SRV.PKISERV
PERMIT BPX.SRV.PKISERV CLASS(SURROGAT)  ID(WEBSRV) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH 

TSS ADD(Dept) SURROGAT(BPX.)
TSS PERMIT(WEBSRV) SURROGAT(BPX.SRV.PKISERV) ACCESS(READ) 

Allowing the PKI Services daemon to use ICSF ...
SETROPTS  GENERIC(CSFKEYS CSFSERV)
SETROPTS  GENERIC(CSFKEYS CSFSERV) REFRESH
RDEFINE CSFKEYS IRR.DIGTCERT.CERTIFAUTH.* UACC(NONE)
PERMIT IRR.DIGTCERT.CERTIFAUTH.* CLASS(CSFKEYS)  ID(PKISRVD) ACCESS(READ)
SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)
SETROPTS RACLIST(CSFKEYS) REFRESH 

TSS ADD(dept) CSFKEYS(IRR.)
TSS PERMIT(PKISRVD) CSFKEYS(IRR.DIGTCERT.CERTIFAUTH.) ACCESS(READ) 

Creating the STARTED class profile for the daemon ...
RDEFINE STARTED PKISERVD.* STDATA(USER(PKISRVD))
SETROPTS CLASSACT(STARTED) RACLIST(STARTED)
SETROPTS RACLIST(STARTED) REFRESH 

TSS ADD(STC) PROCNAME(PKISERVD) ACID(PKISRVD) 

Allowing PKISERV to request certificate functions ...
SETR GENERIC(FACILITY)
RDEFINE FACILITY IRR.RPKISERV.*.ROOTCA
PERMIT IRR.RPKISERV.*.ROOTCA CLASS(FACILITY)  ID(PKISERV) ACCESS(CONTROL) 

TSS PERMIT(PKISERV) IBMFAC(IRR.RPKISERV.) ACCESS(CONTROL) 

Creating the profile to protect PKI Admin functions ...
RDEFINE FACILITY IRR.RPKISERV.PKIADMIN.ROOTCA
PERMIT IRR.RPKISERV.PKIADMIN.ROOTCA CLASS(FACILITY)  ID(PKIGRP) ACCESS(UPDATE)
PERMIT IRR.RPKISERV.PKIADMIN.ROOTCA CLASS(FACILITY)  ID(PKISERV) ACCESS(NONE)
SETROPTS RACLIST(FACILITY) REFRESH 

TSS PERMIT(PKISRVD) IBMFAC(IRR.RPKISERV.PKIADMIN.ROOTCA) ACCESS(UPDATE)

**Notes:  IBMFAC Does not allow masking.**
**You cannot permit resources to IBM Groups.  Any resource permits to a Group can **
**either be put in a profile and given to all acids that have that group, or as in this **
**case where there were only a few resource permits, the permits were given to each **
**acid's user record. **