Exploit z/OS LDAP RemoteCryptoPKCS#11
HuiWang 270006B74X Visits (2342)
The remote crypto plug-in in the z/OS LDAP server provides access to PKCS#11 and CCA services for applications on open platform via tcp/ip protocal. PKCS #11 is one of the cryptographic standards of Public Key Cryptographic Standards (PKCS) that defines a set of plat
To exploit this function, an exploiter providing crypto API to client application in distributed system is required. It acts as a channel between client application and LDAP server in z/OS. We have a test programs which provides a command-line interface to users to exploit the RemoteCryptoPKCS#11 functions. The following examples demonstrate how we tested RemoteCryptoPKCS#11 through the test program.
To enable Remo
# Plug-in specific CONFIGURATION SETTINGS
plugin clientOperation NULL/GLDRCP64 rcrypto_init
We then modified the LDAP server started procedure in system PROCLIB as below to make it run in 64 bit mode because this plugin supports 64bit.
//GO EXEC PGM=
We then started the LDAP server and it started successfully with the following message displayed:
GLD9112I The remote crypto plug-in is enabled. CCA enabled: yes. PKCS#11 enabled: yes
We then asked our ICSF administrators to grant READ access to LDAP group LDAPGRP for all ICSF PKCS#11 services profiles in CSFSERV class so the users in group LDAPGRP would have access to the ICSF callable services.
We also needed to grant access to the token profile in CRYPTOZ class. We created a token used specially for our test whose name is LDAP
RDEFINE CRYPTOZ USER
Once the setup steps were completed, we tested the RemoteCryptoPKCS#11 functions using the test program installed on our zBX windows server:
1. We tested the function of listing all the objects in the TOKEN LDAP
It listed all the objects in the token. The test program does not support DSA type so the DSA type keys show as No label.
2. Then we tested the function of listing a specified object which is an RSA key pair with label TLS12CLIENT in the TOKEN LDAP
3. The test program provided a test suite which tested most of encr
4. Then we tested the function of importing keys into the token. We tested 4 key types (DES, AES, RSA, GEN).
5. At last we ran the test suite using existing keys imported above. A test report is generated to show the result of different combinations of Mechanism and function. The results are expected. The only results not expected were a result of the program not supporting the function. Following example is the result for key type AES.