Certificate Authority (CA) validation

Part of the certificate validation process is checking that the certificate was signed by a Certificate Authority (CA) you trust. To do so, the RSE daemon must have access to a certificate that identifies the CA.

When using a SAF key ring, you must add the CA certificate to your security database as a CERTAUTH certificate with the TRUST or HIGHTRUST attribute, as shown in this sample RACF® command:

RACDCERT CERTAUTH ADD(dsn) HIGHTRUST WITHLABEL('label')
Note that most security products already have the certificates of well-known CAs in their database with a NOTRUST status. Use the following sample RACF commands to list the existing CA certificates and to mark one as trusted, based on the label assigned to it:
RACDCERT CERTAUTH LIST
RACDCERT CERTAUTH ALTER(LABEL('HighTrust CA')) HIGHTRUST
Note: The HIGHTRUST status is required if you rely on RACF to authenticate the user based on the HostIdMappings extension in the certificate. Refer to Authentication by your security software for more information.

Once the CA certificate is added to your security database, it must be connected to the RSE key ring, as shown in this sample RACF command:

RACDCERT ID(stcrse) CONNECT(CERTAUTH LABEL('HighTrust CA') RING(keyring.racf))
Note: RSE cannot access the virtual CA keyring (*AUTH*/*). You must add the CA certificates to the RSE keyring.

Refer to Security Server RACF Command Language Reference (SA22-7687) for more information on the RACDCERT command.

Attention: If you rely on the RSE daemon instead of your security software to authenticate a user, you must be careful not to mix CAs with TRUST and HIGHTRUST status in your SAF key ring. The RSE daemon cannot differentiate between the two, so certificates signed by a CA with TRUST status will also be accepted for user ID authentication purposes.
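As an added check (not part of this documentation), the following Python script audits saved RACDCERT CERTAUTH LIST output and flags every CA connected to the RSE key ring whose status is not HIGHTRUST, which is exactly the mix the attention note warns about. The sample output is constructed, and the record layout (Label, Status, Ring Owner, ring name in >...< delimiters) is an approximation of RACF's format, not a real capture.

```python
"""Flag CAs in the RSE key ring whose RACF status is TRUST or NOTRUST instead of HIGHTRUST."""
import re

# Constructed sample of RACDCERT CERTAUTH LIST output; layout is an assumption.
SAMPLE_LIST_OUTPUT = """\
Digital certificate information for CERTAUTH:

  Label: HighTrust CA
  Status: HIGHTRUST
  Ring Associations:
    Ring Owner: STCRSE
    Ring:
       >keyring.racf<

  Label: Partner CA
  Status: TRUST
  Ring Associations:
    Ring Owner: STCRSE
    Ring:
       >keyring.racf<

  Label: Vendor Root CA
  Status: NOTRUST
  Ring Associations:
    *** No rings associated ***
"""

def parse_certauth_list(text):
    """Return one dict per certificate: label, status and [(ring_owner, ring_name), ...]."""
    records, current, owner = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Label:"):
            current = {"label": s[len("Label:"):].strip(), "status": None, "rings": []}
            records.append(current)
            owner = None                      # ring owner is per certificate record
        elif current is not None and s.startswith("Status:"):
            current["status"] = s[len("Status:"):].strip()
        elif current is not None and s.startswith("Ring Owner:"):
            owner = s[len("Ring Owner:"):].strip()
        elif current is not None and owner is not None:
            m = re.match(r">(.*)<$", s)       # ring names are shown as >name<
            if m:
                current["rings"].append((owner, m.group(1)))
    return records

def find_mixed_trust(text, ring_owner, ring_name):
    """Labels of CAs connected to the given ring that are not HIGHTRUST (accepted alike by RSE)."""
    target = (ring_owner.upper(), ring_name)
    return [r["label"] for r in parse_certauth_list(text)
            if any((o.upper(), n) == target for o, n in r["rings"])
            and r["status"] != "HIGHTRUST"]
```

Run it against the output of RACDCERT CERTAUTH LIST saved to a file; any label it returns should be promoted with RACDCERT CERTAUTH ALTER ... HIGHTRUST or removed from the RSE ring.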

RSE uses the configuration file /etc/zexpl/ssl.properties to determine the key ring used to access the CA certificate, even if the communication is encrypted with AT-TLS. For X.509 authentication, the ssl.properties variables daemon_keydb_file and server_keystore_type must be configured.

Certificates with the HostIdMappings extension have the user ID and target host name embedded in the certificate itself. To use this feature, you must mark the CA certificate as HIGHTRUST, and the RSE daemon user ID must have READ access to the IRR.HOST.hostname profile in the SERVAUTH class, as shown in these sample RACF commands. Refer to Authentication by your security software for more information.

RDEFINE SERVAUTH IRR.HOST.CDFMVS08.RALEIGH.IBM.COM UACC(NONE)
PERMIT IRR.HOST.CDFMVS08.RALEIGH.IBM.COM CLASS(SERVAUTH) ACCESS(READ) ID(stcrse)
SETROPTS CLASSACT(SERVAUTH) RACLIST(SERVAUTH)
SETROPTS RACLIST(SERVAUTH) REFRESH