z/OS Security Server (RACF) support
In addition to holding profiles for digital certificates, the RACF
database distinguishes the following classes of certificate (what the
OCSF Framework calls "semantic information"). A user who has the proper
authority issues a series of RACDCERT commands to generate certificates
and key pairs and to store them in the RACF database:
- User (server) certificates with optional private keys stored under the owning user ID
- Certificate Authorities (no private keys) that are stored at the system level under a unique user ID
- Site certificates (no private keys) that are stored at the system level under another unique user ID
In addition, RACF supports the concept of "user-defined key rings" (in
the OCSF Framework, these are known as "data stores"). A key
ring is stored under the owning user ID and may contain any of the
preceding types of certificates. Entries in a key ring point to certificate
records and contain additional attributes, such as:
- Default certificate/key
- Ring usage for the certificate/key
For example, a certificate stored under a user ID can be connected to a ring with a usage of certificate authority, which marks it as a trusted root. The certificate record still exists at the user level, but it is treated as a certificate authority in this key ring only.
- Private key type
The private key may be held as an Integrated Cryptographic Services Facility (ICSF) key token, in which case the RACF record holds the ICSF key token label, or as a non-ICSF key kept in the RACF database.
- Private key bit size
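The RACDCERT sequence that the preceding paragraphs describe, carried through for one server: a certificate authority certificate, a user certificate signed by it, a key ring, and ring entries that set the default and usage attributes. This is an added example and is not part of the RACF documentation. The user ID WEBSRV, the ring name WEBRING, the certificate labels, the distinguished names and the expiry dates are all assumed, as is that the user running it holds the IRR.DIGTCERT.function authorities it needs in the FACILITY class and that the DIGTCERT class is RACLISTed. The commands are issued from a REXX exec under TSO so that each return code is checked before the next step runs.

```rexx
/* REXX - Added example: build a RACF key ring for a server.            */
/* Illustrative only; not part of the RACF documentation. Assumed       */
/* names: user ID WEBSRV, ring WEBRING, the certificate labels, the     */
/* subject DNs and the NOTAFTER dates. Run from TSO under a user ID     */
/* that has the IRR.DIGTCERT.function FACILITY authorities it needs.    */

address TSO                          /* RACDCERT is a TSO command        */

/* 1. A self-signed certificate authority. CERTAUTH certificates are    */
/*    stored at the system level; SIGNWITH is omitted, so the           */
/*    certificate signs itself.                                         */
call racf "RACDCERT CERTAUTH GENCERT",
  "SUBJECTSDN(CN('Example Root CA') O('Example Corp') C('US'))",
  "WITHLABEL('EXAMPLE ROOT CA')",
  "SIZE(2048) KEYUSAGE(CERTSIGN)",
  "NOTAFTER(DATE(2035-12-31))"

/* 2. The server's own certificate and private key, stored under the    */
/*    owning user ID WEBSRV and signed by the CA above. Without the     */
/*    ICSF keyword the private key is a non-ICSF key in the RACF        */
/*    database; adding ICSF stores it as an ICSF key token and RACF     */
/*    keeps only the token label.                                       */
call racf "RACDCERT ID(WEBSRV) GENCERT",
  "SUBJECTSDN(CN('www.example.com') O('Example Corp') C('US'))",
  "WITHLABEL('WEBSRV CERT')",
  "SIZE(2048)",
  "SIGNWITH(CERTAUTH LABEL('EXAMPLE ROOT CA'))",
  "NOTAFTER(DATE(2026-12-31))"

/* 3. A key ring owned by WEBSRV (the OCSF "data store").               */
call racf "RACDCERT ID(WEBSRV) ADDRING(WEBRING)"

/* 4. Ring entries point at the certificate records and carry the       */
/*    ring-specific attributes: the server certificate is the ring's    */
/*    DEFAULT entry with USAGE(PERSONAL), the CA is connected with      */
/*    USAGE(CERTAUTH). Connecting an ID(...) certificate with           */
/*    USAGE(CERTAUTH) would make it a trusted root for this ring only.  */
call racf "RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) LABEL('WEBSRV CERT')",
  "RING(WEBRING) DEFAULT USAGE(PERSONAL))"
call racf "RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('EXAMPLE ROOT CA')",
  "RING(WEBRING) USAGE(CERTAUTH))"

/* 5. Refresh the RACLISTed DIGTCERT profiles (assumed RACLISTed) and   */
/*    show the ring contents, default flag and usage of each entry.     */
call racf "SETROPTS RACLIST(DIGTCERT) REFRESH"
call racf "RACDCERT ID(WEBSRV) LISTRING(WEBRING)"
exit 0

/* Issue one command and stop on the first non-zero return code, so a   */
/* failed GENCERT is never followed by a CONNECT that points at nothing.*/
racf: procedure
  parse arg cmd
  say '>' cmd
  cmd                                /* expression clause: passed to TSO */
  if rc <> 0 then do
    say 'Command failed, RC=' rc
    exit rc
  end
  return
```

The LISTRING output at the end is the check a practitioner wants after building a ring: it shows each entry's owner, label, whether it is the default, and its usage, which is where a missing DEFAULT or a certificate connected with the wrong usage becomes visible before a server tries to use the ring.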
For more information about RACF's support of digital certificates, see the z/OS Security Server RACF Security Administrator's Guide. For information about the RACDCERT command, see z/OS Security Server RACF Command Language Reference.
For more information about ICSF key tokens, see z/OS Cryptographic Services ICSF Application Programmer's Guide and the z/OS Cryptographic Services ICSF System Programmer's Guide.