With ACF2, how can Digital Certificates With ICSF Keys be migrated to another system?

Document ID : KB000126475
Last Modified Date : 11/02/2019
Question:
With ACF2, how can Digital Certificates With ICSF Keys be migrated to another system?
Answer:

This document discusses how to migrate Digital Certificates whose private key is stored in ICSF when using CA ACF2 as the External Security Manager.


Migrating an ICSF private key from one system to another

Private keys generated by ICSF on behalf of CA ACF2 or stored into ICSF's PKA data set (PKDS) by CA ACF2 are always encrypted and cannot be recovered in a clear form. Therefore, certificates with such keys cannot be exported from CA ACF2 in PKCS #12 format. In general, this restricts your ability to migrate certificates and their private keys from one system to another and share them among multiple systems. However, you can migrate a certificate and its ICSF private key when both the source and target systems are z/OS systems configured to use ICSF and both share the same ICSF PKA master key. The systems need not share the same CA ACF2 database nor share the same ICSF PKDS.

Using the following steps, you can generate a new certificate with a private ICSF key on system A (the source system) and replicate the same certificate and key on system B (the target system). In the ACF2 GENCERT command examples shown, the certificate you are migrating is associated with the user ID SYSMAN and has the CA ACF2 certificate label 'SECURE.KEY'. The ICSF private key has the PKDS key label 'SECURE.KEY' and is generated by the PCI cryptographic coprocessor. On the target system, 'MIGRATED.KEY' will be the value used for the CA ACF2 certificate and PKDS key labels. (Note, they could have the same value as the source system if desired.)
Steps for migrating a certificate and its ICSF private key
Before you begin:

  • Both source and target system must be configured to use ICSF and share the same ICSF PKA master key.
  • A PCI-class cryptographic coprocessor must be operational and configured with the PKDS on both the source and target systems when you specify the PCICC keyword. Otherwise, specify the ICSF keyword.
  • To extract ICSF private keys, you will need a non-CA ACF2 utility, such as KEYXFER. To download the KEYXFER utility, go to the following Web page and follow the instructions:

Steps for migrating a certificate and its ICSF private key in the PKDS

Perform the following steps to generate a CA ACF2 certificate and its ICSF public/private key pair on system A (the source system), and migrate them to system B (the target system).
  1. Generate the certificate and its public/private key pair on system A.

    GENCERT SYSMAN.CERT SUBJ(CN='SecureKey' OU='MyCo' C=US)
      LABEL(SECURE.KEY) PCICC

  2. Extract the certificate from CA ACF2 and store it in an MVS data set called 'my.cert.dataset'. (The ICSF private key is not extracted in this step.)

    SET PROFILE(USER) DIV(CERTDATA)
    EXPORT SYSMAN.CERT DSN(my.cert.dataset) FORMAT(CERTDER)

  3. Extract the encrypted private key from ICSF using a non-CA ACF2 utility, such as KEYXFER.
  4. Transmit both the key and certificate data sets to system B. This step completes the work required on system A.
  5. Receive both the key and certificate data sets on system B.
  6. Add the encrypted private key to ICSF using a non-CA ACF2 utility, such as KEYXFER, specifying the desired PKDS label for the key on system B, 'MIGRATED.KEY'.
  7. Add the certificate to CA ACF2 giving it the same CA ACF2 and PKDS label value as in step 6, 'MIGRATED.KEY'.

    SET PROFILE(USER) DIV(CERTDATA)
    INSERT SYSMAN.CERT LABEL(MIGRATED.KEY) DSN(my.cert.dataset) PCICC

  8. List the certificate to verify that CA ACF2 found the private key and assigned it to the certificate.

    SET PROFILE(USER) DIV(CERTDATA)
    LIST(SYSMAN.CERT)

    Private Key Type    should be PCICC
    Label               should be MIGRATED.KEY

You have now generated a certificate and its ICSF public/private key pair on system A and migrated them to system B. System A and system B can now use the same certificate and key pair.
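Step 8 confirms that CA ACF2 on system B found the private key; it does not confirm that the certificate data set exported in step 2 survived the transfer in step 4 unchanged. A DER export is binary, so a text-mode transfer, code-page translation or truncation silently breaks it. The following check is an added example, not part of this knowledge base article or of CA ACF2 or KEYXFER: it verifies that the bytes received on system B have intact DER framing (the outer SEQUENCE length matches the file size) and the same SHA-256 fingerprint as the bytes sent from system A. It assumes you can obtain the raw bytes of 'my.cert.dataset' from both systems (for example by a binary-mode download); the sample bytes in the block are constructed placeholders, not a real certificate.

```python
import hashlib


def der_outer_length(data: bytes):
    """Return the total length claimed by the outer DER SEQUENCE header,
    or None if the bytes do not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                               # short-form length
        return 2 + first
    n = first & 0x7F                               # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def check_der_cert(data: bytes) -> dict:
    """Sanity-check a FORMAT(CERTDER) export: framing plus a fingerprint."""
    claimed = der_outer_length(data)
    return {
        "framing_ok": claimed is not None and claimed == len(data),
        "claimed_len": claimed,
        "actual_len": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def compare_transfer(source: bytes, target: bytes) -> bool:
    """True only when both copies are intact DER and byte-identical."""
    s, t = check_der_cert(source), check_der_cert(target)
    return s["framing_ok"] and t["framing_ok"] and s["sha256"] == t["sha256"]


# Constructed stand-in for the exported 'my.cert.dataset': a DER SEQUENCE
# header with a two-byte length (0x0100 = 256) followed by 256 filler bytes.
# It is NOT a certificate; only the outer framing matters for this check.
SOURCE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(i % 256 for i in range(256))

# Constructed damaged copies of the kind a bad transfer produces: one cut
# short in transit, one that gained a trailing newline from a text-mode copy.
TRUNCATED = SOURCE_DER[:-3]
TEXT_MODE = SOURCE_DER + b"\n"

if __name__ == "__main__":
    print("intact copy  :", compare_transfer(SOURCE_DER, SOURCE_DER))
    print("truncated    :", compare_transfer(SOURCE_DER, TRUNCATED))
    print("text-mode    :", compare_transfer(SOURCE_DER, TEXT_MODE))
    print("fingerprint  :", check_der_cert(SOURCE_DER)["sha256"])
```

Run it against the real data set bytes from both systems; a mismatch means repeat steps 4 and 5 in binary mode before attempting the INSERT in step 7, since CA ACF2 will reject or mis-associate a damaged certificate.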