Before you begin:
- Determine your IRR.PROGRAM.SIGNING profile structure for assigning
program-signing key rings to users who are authorized program signers.
The following steps are based on defining the IRR.PROGRAM.SIGNING.userid profile.
Therefore, the following examples define a program-signing key ring
for each authorized program signer. For details about other options,
see Details about defining IRR.PROGRAM.SIGNING profiles.
Guideline: If you opt instead to define the IRR.PROGRAM.SIGNING profile to assign
the same key ring to all authorized signers, you might use a profile
in the RDATALIB class instead of the FACILITY class to authorize users
to access the program-signing ring. A profile in the RDATALIB class
allows you to authorize users to access a specific key ring. For details,
see "RACF® Authorization" for R_datalib (IRRSDL00
or IRRSDL64) in z/OS Security Server RACF Callable Services.
- If you specify the PKDS or PCICC option (in Step 1) to store the private key in the ICSF PKA key data set (PKDS), and the
CSFSERV and CSFKEYS classes are active, you might need additional
authority in those classes. For information about these resources,
see z/OS Cryptographic Services ICSF Administrator's Guide.
Perform the following steps to enable a user to digitally sign
a program using code-signing certificates that you create using RACF.
- If not already created, create a certificate-authority
(CA) certificate that you can use to issue code-signing certificates
for users who need to sign programs.
Guideline: For added
security, specify the PKDS option to generate and store the private
key in the ICSF PKDS, if available.
Example:
RACDCERT CERTAUTH GENCERT
SUBJECTSDN(OU('MyCompany Code Signing CA') O('MyCompany') C('US'))
SIZE(2048) RSA(PKDS) WITHLABEL('MyCompany Code Signing CA')
______________________________________________________________________
- For each user, create a code-signing certificate signed
by the CA certificate you created in Step 1.
Rule: Do not specify the PKDS, PCICC, or ICSF option. The private key of the
code-signing certificate must reside in the RACF database.
Guideline: Use a key size of at least 2048 bits. 1024-bit RSA keys are
no longer considered adequate for generating signatures, so the example
below uses SIZE(2048).
Example:
RACDCERT ID(RAMOS) GENCERT
SUBJECTSDN(CN('Ramos Code Signing Cert') O('MyCompany') C('US'))
SIZE(2048) WITHLABEL('Ramos Code Signing Cert')
SIGNWITH(CERTAUTH LABEL('MyCompany Code Signing CA'))
KEYUSAGE(HANDSHAKE DOCSIGN)
______________________________________________________________________
- For each user, create a program-signing key ring to
hold the certificates you created in Steps 1 and 2.
Rule: Specify only uppercase
characters in the key ring name. This is because you must specify
the ring name in the APPLDATA field of the FACILITY profile you create
in Step 5.
Example:
RACDCERT ID(RAMOS) ADDRING(RAMOS.CODE.SIGNING.KEYRING)
______________________________________________________________________
- Add both of the certificates you created in Steps 1 and 2 to
the key ring you created in Step 3.
Rule: The
code-signing certificate must be the default certificate in the ring.
Example:
RACDCERT ID(RAMOS) CONNECT(CERTAUTH LABEL('MyCompany Code Signing CA')
RING(RAMOS.CODE.SIGNING.KEYRING))
RACDCERT ID(RAMOS) CONNECT(ID(RAMOS) LABEL('Ramos Code Signing Cert') DEFAULT
RING(RAMOS.CODE.SIGNING.KEYRING))
______________________________________________________________________
- For each user, create a FACILITY class profile that
specifies the hash algorithm and the name of the key ring to be used
whenever the user digitally signs a program module.
Example:
RDEFINE FACILITY IRR.PROGRAM.SIGNING.RAMOS
APPLDATA('SHA256 RAMOS/RAMOS.CODE.SIGNING.KEYRING')
______________________________________________________________________
- Permit each user, if not already authorized, to read their own
key ring by defining a profile in either the FACILITY class (which
covers all of the user's own rings) or the RDATALIB class (which covers
one specific ring).
- When using the FACILITY class:
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RAMOS) ACCESS(READ)
- When using the RDATALIB class (the profile name has the form ringowner.ringname.LST):
RDEFINE RDATALIB RAMOS.CODE.SIGNING.KEYRING.LST UACC(NONE)
PERMIT RAMOS.CODE.SIGNING.KEYRING.LST CLASS(RDATALIB)
ID(RAMOS) ACCESS(READ)
______________________________________________________________________
You have now enabled a user to digitally sign a program using
code-signing certificates that you created using RACF.
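The following verification commands are an added example and are not part of the original procedure. They confirm that the objects created in Steps 1 through 6 are in place for user RAMOS, using the ring, label, and profile names from the examples above, and they refresh the in-storage copies of the FACILITY and RDATALIB profiles, which is required before new or changed profiles take effect whenever those classes are RACLISTed (the steps above do not mention this refresh). The commands are written as CLIST input so that comment lines can be included; they assume a RACF administrator with authority to list the profiles and ring and to issue SETROPTS.

```tso
/* Added example: verify the program-signing setup for user RAMOS.    */
/* Names are the ones used in the examples above.                     */

/* 1. Ring contents. In the LISTRING output, expect the CA             */
/*    certificate with USAGE CERTAUTH and the code-signing             */
/*    certificate (owner ID(RAMOS)) with DEFAULT YES.                  */
RACDCERT ID(RAMOS) LISTRING(RAMOS.CODE.SIGNING.KEYRING)

/* 2. Code-signing certificate. Expect Status TRUST, a private key     */
/*    type that is not ICSF/PKDS (the key must be in the RACF          */
/*    database), Key Usage including DOCSIGN, and the code-signing CA  */
/*    as issuer.                                                       */
RACDCERT ID(RAMOS) LIST(LABEL('Ramos Code Signing Cert'))

/* 3. CA certificate is present and trusted.                           */
RACDCERT CERTAUTH LIST(LABEL('MyCompany Code Signing CA'))

/* 4. Per-user signing profile. APPLDATA must read exactly             */
/*    'SHA256 RAMOS/RAMOS.CODE.SIGNING.KEYRING' (algorithm, then       */
/*    ringowner/ringname in uppercase).                                */
RLIST FACILITY IRR.PROGRAM.SIGNING.RAMOS ALL

/* 5. Ring access authorization, whichever class was used in Step 6.   */
/*    RAMOS must appear in the access list with READ.                  */
RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
RLIST RDATALIB RAMOS.CODE.SIGNING.KEYRING.LST AUTHUSER

/* 6. Make the profiles effective. FACILITY is normally RACLISTed and  */
/*    must be refreshed after RDEFINE/PERMIT. If the RDATALIB class is */
/*    used, activate and RACLIST it if that has not been done, then    */
/*    refresh it after each change.                                    */
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
SETROPTS RACLIST(RDATALIB) REFRESH
```

Run the listing commands again after any change to the ring or profiles; a signing attempt that fails with an authorization error is most often a missing refresh, a ring name in APPLDATA that does not match the ring exactly, or a code-signing certificate that is not the ring's default.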