z/OS Security Server RACF Security Administrator's Guide


Encrypting the secured signon application key

SA23-2289-00

You can encrypt the secured signon application keys when a common cryptographic architecture (CCA) cryptographic product is installed on the systems where the secured signon function is installed.

Using a cryptographic product gives the strongest protection available for the secured signon application keys.

With a cryptographic product, RACF® stores the keys on the RACF database encrypted under the cryptographic product's master key. RACF uses the functions of the cryptographic product so that the keys do not exist in clear-text form in system main storage during RACF processing, except while they are being defined. Therefore, if a system storage dump occurs, the keys are not exposed in the dump.

If you are sharing a RACF database:
  • If you want to encrypt the secured signon application keys when a cryptographic product is installed on some, but not all, of the systems that share the RACF database, you must ensure that the applications requiring the encrypted keys run only on the systems on which the cryptographic product is installed. A system without the cryptographic product cannot recover a key that was encrypted under another system's master key.
  • If there is any possibility that such an application might run on a system that does not have a cryptographic product installed, you must mask the secured signon application keys instead. Masking does not depend on a cryptographic product, but it does not give the protection that encryption under the master key provides.
When using the secured signon facilities with encryption, the following Integrated Cryptographic Service Facility (ICSF) modules must be installed as follows so they can be accessed by RACF.
  • The CSNBENC module must reside in the link pack area (LPA) if not already there. It can be dynamically loaded, or added to PLPA or MLPA with the respective PARMLIB members.
  • The following modules must reside in APF-authorized link-listed data sets:
    • CSNBCKI
    • CSNBDEC
    • CSNBKRC
    • CSNBKRD
    • CSNBKRW
Depending on the release of ICSF, some of these modules might not exist. RACF checks ICSF and uses only existing modules.

To encrypt the secured signon application key when you define or alter it, specify the SSIGNON operand with the KEYENCRYPTED value on the RDEFINE or RALTER command. The clear key value is present only on the command itself; RACF passes it to the cryptographic product and stores the encrypted form.
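The following REXX exec is an added worked example and is not part of this IBM page. It defines a PTKTDATA profile whose key is stored encrypted, refreshes the in-storage profiles, and then lists the profile to confirm how the key is held. The application name MYAPPL and the key value are hypothetical; the exec assumes ICSF (a CCA product) is active on the system where it runs and that the caller has the authority to administer the PTKTDATA class.

```rexx
/* REXX: define and verify an encrypted secured signon key.              */
/* Added example, not from the IBM page. MYAPPL and the key value are     */
/* hypothetical. Requires ICSF active and the CSNB* modules installed as  */
/* described above; the caller needs authority over the PTKTDATA class.  */

appl = 'MYAPPL'                 /* hypothetical PassTicket application name */
key  = 'A1B2C3D4E5F60718'       /* hypothetical 16-hex-digit key value      */

/* The PTKTDATA class must be active and RACLISTed for PassTicket use. */
address TSO "SETROPTS CLASSACT(PTKTDATA) RACLIST(PTKTDATA)"

/* KEYENCRYPTED: the clear key appears only on this command. RACF hands */
/* it to ICSF and stores the copy encrypted under the CCA master key.   */
address TSO "RDEFINE PTKTDATA" appl "SSIGNON(KEYENCRYPTED("key")) UACC(NONE)"
if rc <> 0 then do
  say 'RDEFINE failed, rc='rc '- check that ICSF is active and that'
  say 'CSNBENC is in LPA and the other CSNB* modules are APF link-listed'
  exit rc
end

/* To change the key later, RALTER with the same operand:              */
/*   address TSO "RALTER PTKTDATA" appl "SSIGNON(KEYENCRYPTED("key"))"  */
/* On a shared database where some systems lack ICSF, mask instead:    */
/*   address TSO "RALTER PTKTDATA" appl "SSIGNON(KEYMASKED("key"))"     */

/* Refresh the in-storage copy so the new profile takes effect. */
address TSO "SETROPTS RACLIST(PTKTDATA) REFRESH"

/* RLIST reports whether the key is masked or encrypted; it never */
/* displays the key value itself.                                  */
address TSO "RLIST PTKTDATA" appl "SSIGNON"

/* The clear key is no longer needed once it has been defined. */
drop key
exit 0
```

Before running the exec on a given system, confirm that the encryption module is resident with the MVS operator command D PROG,LPA,MODNAME=CSNBENC; if the module is absent the RDEFINE with KEYENCRYPTED fails and the profile is not created.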





Copyright IBM Corporation 1990, 2014