Configuring encryption support
Content Manager OnDemand for z/OS® depends on the z/OS Cryptographic Services Integrated Cryptographic Service Facility (ICSF) for cryptographic support. ICSF is an included element of z/OS that provides the following cryptographic services for the operating system:
- Application programming interfaces (APIs) for applications that need to perform cryptographic functions such as encryption and decryption of data, digital signatures, Message Authentication Codes (MACs), and key generation
- Basic key management
- Keystores for cryptographic key material
- Providing access to Hardware Cryptographic Coprocessors, Cryptographic Accelerators, and the CP Assist for Cryptographic Function
- Support for FIPS 140-2 mode
ICSF can interface with the System Authorization Facility (SAF), which is typically backed by RACF or another external security manager, to restrict access to specific key labels in the Cryptographic Key Data Set (CKDS), so that users cannot access keys belonging to other users. SAF can also be used to restrict access to specific ICSF APIs, which prevents unauthorized users from misusing the cryptographic hardware. Detailed instructions for enabling these capabilities are documented in IBM Documentation in the z/OS Cryptographic Services Integrated Cryptographic Service Facility Administrator's Guide.
Because the keystores are shared by all applications that use ICSF, backup and recovery of the Content Manager OnDemand keys is covered by the installation's existing procedures for protecting the keystores.
Content Manager OnDemand for z/OS stores its master key (MK) in the CKDS keystore provided by ICSF. To allow Content Manager OnDemand to store its MK in the CKDS, ICSF requires the CKDS to be in the more recent variable-length format, either LRECL=1024 or LRECL=2048. If the CKDS is currently in the older fixed-length format, ICSF provides instructions for converting it to the variable-length format.
To store the Content Manager OnDemand master key in the CKDS, run the arssockd command with the keystore parameters:
arssockd -I instancename -d "keystore_location=CKDS,keystore_mkl=*"
where instancename is the name of your Content Manager OnDemand instance.
The master key is stored in the CKDS under a key label of the form
ONDEMAND.instancename.dbowner.yyyy.mm.dd.hh.mm.ss.tttttt
where instancename is the name of your Content Manager OnDemand instance and the trailing qualifiers yyyy.mm.dd.hh.mm.ss.tttttt are a timestamp. This allows SAF profiles of the form ONDEMAND.instancename.dbowner.** to be created, restricting each instance to its own set of key labels and preventing other users from accessing those keys.
If SAF is used to control access to ICSF APIs, the user ID under which the Content Manager OnDemand server runs needs READ access to the CSFKRW, CSFKRD, CSFKRC, CSFKRR, and CSFRNGL resources in the CSFSERV class.
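As an added illustration that is not part of the IBM documentation, the following batch job shows how the SAF profiles described above could be defined with RACF commands. ICSF checks key labels against the CSFKEYS class and callable services against the CSFSERV class. The job card, the instance names ARCHIVE and TEST, the database-owner qualifier ARSDBO, and the server user IDs ARSSERVR and ARSTEST are assumptions chosen for the example; substitute your own. Two instances are defined to show how the generic profiles keep each instance's server away from the other instance's key labels.

```jcl
//RACFDEF  JOB (ACCT),'ONDEMAND ICSF PROFILES',CLASS=A,MSGCLASS=X
//* Example only, not from the IBM documentation. Assumed names:
//*   ARCHIVE, TEST    - Content Manager OnDemand instance names
//*   ARSDBO           - database owner qualifier in the key label
//*   ARSSERVR,ARSTEST - user IDs the two instance servers run under
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* Generic profiles must be enabled for the key label class.      */
 SETROPTS GENERIC(CSFKEYS)
 /* Key labels: each instance's server may use only its own labels */
 /* ONDEMAND.instancename.dbowner.** and nothing else in the CKDS.  */
 RDEFINE CSFKEYS ONDEMAND.ARCHIVE.ARSDBO.** UACC(NONE)
 PERMIT ONDEMAND.ARCHIVE.ARSDBO.** CLASS(CSFKEYS) ID(ARSSERVR) -
        ACCESS(READ)
 RDEFINE CSFKEYS ONDEMAND.TEST.ARSDBO.** UACC(NONE)
 PERMIT ONDEMAND.TEST.ARSDBO.** CLASS(CSFKEYS) ID(ARSTEST) -
        ACCESS(READ)
 /* ICSF callable services the server needs, in the CSFSERV class:  */
 /*   CSFKRC  key record create    CSFKRR  key record read          */
 /*   CSFKRW  key record write     CSFKRD  key record delete        */
 /*   CSFRNGL random number generate long                           */
 RDEFINE CSFSERV CSFKRC  UACC(NONE)
 RDEFINE CSFSERV CSFKRR  UACC(NONE)
 RDEFINE CSFSERV CSFKRW  UACC(NONE)
 RDEFINE CSFSERV CSFKRD  UACC(NONE)
 RDEFINE CSFSERV CSFRNGL UACC(NONE)
 PERMIT CSFKRC  CLASS(CSFSERV) ID(ARSSERVR ARSTEST) ACCESS(READ)
 PERMIT CSFKRR  CLASS(CSFSERV) ID(ARSSERVR ARSTEST) ACCESS(READ)
 PERMIT CSFKRW  CLASS(CSFSERV) ID(ARSSERVR ARSTEST) ACCESS(READ)
 PERMIT CSFKRD  CLASS(CSFSERV) ID(ARSSERVR ARSTEST) ACCESS(READ)
 PERMIT CSFRNGL CLASS(CSFSERV) ID(ARSSERVR ARSTEST) ACCESS(READ)
 /* Activate the classes and refresh the in-storage profiles so the */
 /* new definitions take effect without an IPL.                     */
 SETROPTS CLASSACT(CSFKEYS CSFSERV) RACLIST(CSFKEYS CSFSERV)
 SETROPTS RACLIST(CSFKEYS CSFSERV) REFRESH
/*
```

The profiles are defined with UACC(NONE) so that only the server user IDs that are explicitly permitted can touch the instance's key labels or call the key-management services; any other user ID attempting to read an ONDEMAND.* label receives an ICSF return code rather than key material. After the job runs, check the output in SYSTSPRT for ICH messages indicating that each RDEFINE and PERMIT completed, and use RLIST CSFKEYS ONDEMAND.ARCHIVE.ARSDBO.** AUTHUSER to confirm the access list.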
All Content Manager OnDemand servers for a given instance must be using the same CKDS. If running in a sysplex environment, the CKDS must be shared among sysplex members running a Content Manager OnDemand server. See the IBM Documentation topic titled CKDS management in a sysplex in the z/OS Cryptographic Services Integrated Cryptographic Service Facility Administrator's Guide for considerations about sharing the CKDS.
The Cryptographic Services ICSF: System Programmer's Guide in IBM Documentation provides information on how to initialize, customize, operate, and diagnose the z/OS Integrated Cryptographic Service Facility (ICSF).
Perform these steps only on the Content Manager OnDemand library server. Content Manager OnDemand object servers do not need access to the same CKDS, because they communicate with the library server directly.
The steps to configure encryption for an instance are now complete. No encryption is performed until it is enabled in a Content Manager OnDemand application group.