OCEP trust policy
In the OCSF Framework, a trust policy (TP) service provider module implements policies that are defined by Certificate Authorities (CAs) and institutions. These policies define the level of trust that is required before certain actions can be performed. When a TP function has determined the trustworthiness of performing an action, the TP function may invoke other functions in a certificate library and a data storage library service provider module to carry out the mechanics of the approved action.
The OCEP Trust Policy service provider module implements the trust policy that is defined by a specific RACF key ring. (The OCEP Trust Policy service provider module, however, does not provide Certificate Revocation List support, as defined by OCSF.) It determines the validity of a certificate group (also called a "chain") by checking whether the chain originated from a trusted certificate authority or whether the first entity in the chain is connected to the key ring as a SITE certificate. A SITE certificate is one that the RACF administrator has explicitly defined and added as a trusted certificate.
For each digital certificate in the chain, the OCEP Trust Policy service provider module checks the signature and ensures that the certificate has not been marked as not trusted by RACF. When a certificate is defined, it is marked as trusted or not trusted by specifying the TRUST or NOTRUST operand, respectively, on the RACDCERT command. Marking a certificate as trusted indicates that it is valid for the user, site, or issuing certificate authority, and that the private key for the certificate has not been compromised.
The chain must originate from a certificate authority that is trusted. You do not have to use the RACDCERT command to add each digital certificate in that chain to RACF. However, if an individual certificate has been added to RACF, it must be marked as trusted; if not, the verification will fail and RACF will not use it to map to a user ID.
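The chain rules described above, as a runnable model added here (not IBM's code and not the OCSF API): key-ring entries carry the RACDCERT certificate type and TRUST/NOTRUST flag, the certificate chain and signing secrets are constructed, and signatures are simulated with HMAC so the block runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed signing secrets standing in for each issuer's key pair; HMAC is a
# stand-in so the block runs offline. Real OCSF verifies with the issuer's public key.
ISSUER_SECRETS = {"CN=RootCA": b"root-key", "CN=SubCA": b"sub-key", "CN=Server": b"site-key"}

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    signature: bytes

def make_cert(subject, issuer):  # build a constructed certificate 'signed' by the named issuer
    tbs = f"{subject}|{issuer}".encode()
    return Cert(subject, issuer, hmac.new(ISSUER_SECRETS[issuer], tbs, hashlib.sha256).digest())

def signature_ok(cert):
    secret = ISSUER_SECRETS.get(cert.issuer)
    if secret is None:
        return False
    expected = hmac.new(secret, f"{cert.subject}|{cert.issuer}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(cert.signature, expected)

@dataclass(frozen=True)
class RingEntry:
    kind: str      # certificate type connected to the ring: CERTAUTH, SITE or personal
    trusted: bool  # TRUST (True) or NOTRUST (False) operand on RACDCERT

def verify_chain(chain, keyring):
    """chain[0] is the first entity, chain[-1] the root; keyring maps subject -> RingEntry."""
    for i, cert in enumerate(chain):
        issuer = chain[i + 1] if i + 1 < len(chain) else cert  # root is self-signed
        entry = keyring.get(cert.subject)
        # A certificate RACF knows about must be TRUST; one never added to RACF is allowed
        if entry is not None and not entry.trusted:
            return False, f"{cert.subject} is defined to RACF as NOTRUST"
        if cert.issuer != issuer.subject or not signature_ok(cert):
            return False, f"signature on {cert.subject} does not verify against {cert.issuer}"
    root = keyring.get(chain[-1].subject)
    if root is not None and root.kind == "CERTAUTH" and root.trusted:
        return True, "chain originates from a trusted certificate authority"
    first = keyring.get(chain[0].subject)
    if first is not None and first.kind == "SITE" and first.trusted:
        return True, "first entity is connected to the key ring as a SITE certificate"
    return False, "no trusted anchor: root is not a trusted CA and first entity is not SITE"

# Constructed chain Alice <- SubCA <- RootCA (RootCA self-signed)
CHAIN = [make_cert("CN=Alice", "CN=SubCA"), make_cert("CN=SubCA", "CN=RootCA"), make_cert("CN=RootCA", "CN=RootCA")]
```

With only RootCA connected as a trusted CERTAUTH the chain verifies even though Alice and SubCA were never added to RACF; adding SubCA with NOTRUST, or tampering with any signature, fails it.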
The following OCSF cryptographic service provider modules are supported:
- IBM Software Cryptographic Service Provider, Version 1
- IBM Software Cryptographic Service Provider 2, Version 1
- IBM Weak Software Cryptographic Service Provider, Version 1
- IBM Weak Software Cryptographic Service Provider 2, Version 1
For more information about the OCEP Trust Policy service provider module and the supported API, see Using the Trust Policy services. For information about the certificate library and cryptographic service provider modules that are provided in OCSF, see z/OS Open Cryptographic Services Facility Application Programming.