z/OS Security Server RACF Security Administrator's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Considerations when using an external CA

z/OS Security Server RACF Security Administrator's Guide
SA23-2289-00

When you must use an external CA, there are two possible approaches. The first approach is to request only an intermediate CA certificate from the external CA and then use it to sign only an individual server certificate for each RRSF node. This approach is similar to the approach described in Using an internal CA to sign a server certificate for each RRSF node.

The second approach when using an external CA is to generate a request for a server certificate for each RRSF node and send those requests to the external CA. When returned, add each server certificate and CA certificate to the key ring for each RRSF node. If the CA is well known, the CA certificate might already reside in the RACF® database. If so, connect it to the key ring of each node and mark it as trusted. Remember that any server presenting a certificate signed by this CA certificate will be accepted as a valid RACF node. Therefore, the following guidelines for increased security apply to the second approach when you lack exclusive use of the signing CA certificate:

Guidelines:
  • Ensure that the SAFCheck level of client authentication is specified in the Communication Server AT-TLS policy for RRSF. This level requires that you map each RRSF server certificate to a RACF user ID. To do this, you can use the hostIdMapping certificate extension if it is available from your external CA or if you use PKI Services. Otherwise, you can add a certificate name filter on each node for every other node or add each server certificate to the RACF database of every other node. If your installation propagates digital certificate information using an existing RRSF APPC connection, the task of adding each server certificate to the RACF database of every other node can be automatically performed for you. (For important RRSF considerations, see Before you begin.) If propagation is not available, using certificate name filters requires the least administrative effort. (For details, see Certificate name filtering.)
  • If your external CA might issue other certificates using the same CA certificate used to issue your server certificates, implement a one-to-one certificate filter for each server certificate. This ensures that no other issued certificate will match your filter's distinguished name (DN). If you are confident that the external CA will not issue other certificates with the same DN, you can reduce administrative effort by implementing a single many-to-one filter on each node based on the naming convention used for the distinguished names of your RRSF servers.
  • Protect a resource named IRR.RRSF.CONNECT in the RRSFDATA class. Be sure to give the mapped user ID at least READ access to it even if the user ID has the TRUSTED or PRIVILEGED attribute. This RRSFDATA profile can also be used to create a RACF audit trail that logs the establishment of inbound RRSF connections to the local system.
Parent topic: Implementing an RRSF trust policy

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014