z/OS Security Server RACF Security Administrator's Guide


Steps for enabling a user to sign a program using RACF code-signing certificates

SA23-2289-00

Before you begin:
  • Determine your IRR.PROGRAM.SIGNING profile structure for assigning program-signing key rings to users who are authorized program signers.

    The following steps are based on defining the IRR.PROGRAM.SIGNING.userid profile. Therefore, the following examples define a program-signing key ring for each authorized program signer. For details about other options, see Details about defining IRR.PROGRAM.SIGNING profiles.

    Guideline: If you opt instead to define the IRR.PROGRAM.SIGNING profile to assign the same key ring to all authorized signers, you might use a profile in the RDATALIB class instead of the FACILITY class to authorize users to access the program-signing ring. A profile in the RDATALIB class allows you to authorize users to access a specific key ring. For details, see "RACF® Authorization" for R_datalib (IRRSDL00 or IRRSDL64) in z/OS Security Server RACF Callable Services.

  • If you specify the PKDS or PCICC option (in Step 1) to store the private key in the ICSF PKA key data set (PKDS), and the CSFSERV and CSFKEYS classes are active, you might need additional authority in those classes. For information about these resources, see z/OS Cryptographic Services ICSF Administrator's Guide.

Perform the following steps to enable a user to digitally sign a program using code-signing certificates that you create using RACF.

  1. If not already created, create a certificate-authority (CA) certificate that you can use to issue code-signing certificates for users who need to sign programs.

    Guideline: For added security, specify the PKDS option to generate and store the private key in the ICSF PKDS, if available.

    Example:
    RACDCERT CERTAUTH GENCERT 
      SUBJECTSDN(OU('MyCompany Code Signing CA') O('MyCompany') C('US')) 
      SIZE(2048) RSA(PKDS) WITHLABEL('MyCompany Code Signing CA')

    ______________________________________________________________________

  2. For each user, create a code-signing certificate signed by the CA certificate you created in Step 1.

    Rule: Do not specify the PKDS, PCICC, or ICSF option. The private key of the code-signing certificate must reside in the RACF database.

    Guideline: Specify a key size of at least 2048 bits. A 1024-bit RSA key is no longer considered adequate for a signing key, and a signature made with it is only as trustworthy as the key behind it.

    Example:
    RACDCERT ID(RAMOS) GENCERT 
      SUBJECTSDN(CN('Ramos Code Signing Cert') O('MyCompany') C('US')) 
      SIZE(2048) WITHLABEL('Ramos Code Signing Cert') 
      SIGNWITH(CERTAUTH LABEL('MyCompany Code Signing CA')) 
      KEYUSAGE(HANDSHAKE DOCSIGN)

    ______________________________________________________________________

  3. For each user, create a program-signing key ring to hold the certificates you created in Steps 1 and 2.

    Rule: Use only uppercase characters in the key ring name. The ring name must be repeated, exactly as defined, in the APPLDATA field of the FACILITY profile you create in Step 5, and RACF compares the two names case-sensitively.

    Example:
    RACDCERT ID(RAMOS) ADDRING(RAMOS.CODE.SIGNING.KEYRING)

    ______________________________________________________________________

  4. Add both of the certificates you created in Steps 1 and 2 to the key ring you created in Step 3.

    Rule: The code-signing certificate must be the default certificate in the ring.

    Example:
    RACDCERT ID(RAMOS) CONNECT(CERTAUTH LABEL('MyCompany Code Signing CA')
      RING(RAMOS.CODE.SIGNING.KEYRING))
    RACDCERT ID(RAMOS) CONNECT(ID(RAMOS) LABEL('Ramos Code Signing Cert') DEFAULT
      RING(RAMOS.CODE.SIGNING.KEYRING))

    ______________________________________________________________________

  5. For each user, create a FACILITY class profile named IRR.PROGRAM.SIGNING.userid. Its APPLDATA field specifies the hash algorithm, the ring owner, and the ring name, in the form 'hash-algorithm ring-owner/ring-name', to be used whenever the user digitally signs a program module. The ring owner and ring name must match the key ring you created in Step 3.

    Example:
    RDEFINE FACILITY IRR.PROGRAM.SIGNING.RAMOS
      APPLDATA('SHA256 RAMOS/RAMOS.CODE.SIGNING.KEYRING')

    ______________________________________________________________________

  6. Permit each user, if not already authorized, to access their own key ring by administering a profile in either the FACILITY or the RDATALIB class. READ access is sufficient: it lets the user list the ring and use the private key of their own code-signing certificate, and it does not expose the CA private key, which is never needed to sign a program.
    • When using the FACILITY class:
      RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE) 
      PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(RAMOS) ACCESS(READ)
      • If the FACILITY class is not already active, activate and RACLIST it.
        SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
      • If the FACILITY class is already active and RACLISTed, refresh it.
        SETROPTS RACLIST(FACILITY) REFRESH
    • When using the RDATALIB class, the profile name is ring-owner.ring-name.LST, so for the ring RAMOS.CODE.SIGNING.KEYRING owned by RAMOS the profile is RAMOS.RAMOS.CODE.SIGNING.KEYRING.LST:
      RDEFINE RDATALIB RAMOS.RAMOS.CODE.SIGNING.KEYRING.LST UACC(NONE)
      PERMIT RAMOS.RAMOS.CODE.SIGNING.KEYRING.LST CLASS(RDATALIB) 
          ID(RAMOS) ACCESS(READ)
      • If the RDATALIB class is not already active, activate and RACLIST it.
        SETROPTS CLASSACT(RDATALIB) RACLIST(RDATALIB)
      • If the RDATALIB class is already active and RACLISTed, refresh it.
        SETROPTS RACLIST(RDATALIB) REFRESH

    ______________________________________________________________________

You have now enabled a user to digitally sign a program using code-signing certificates that you created using RACF.
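The per-user part of this procedure (Steps 2 through 6) is repeated for every authorized signer, and its three names (the key ring, the APPLDATA of the IRR.PROGRAM.SIGNING.userid profile, and the RDATALIB profile) must agree exactly. The following Python script is an added example, not part of this guide or of RACF; it derives every name from the user ID once, enforces the rules stated above in code (uppercase ring name, no PKDS/PCICC/ICSF keyword on the signing certificate, signing certificate connected as the ring DEFAULT, RDATALIB profile named ring-owner.ring-name.LST), and emits the RACF commands for a list of users so they can be reviewed before being run in TSO. The CA label, the O= and C= values, the 2048-bit key size, and the USERID.CODE.SIGNING.KEYRING ring pattern are assumptions that mirror the example above; adjust them for your site.

```python
"""Emit the per-user RACF commands for the procedure above (steps 2 through 6).

Added example, not part of the IBM page. Each name is derived from the user ID
once, so the key ring created in step 3, the APPLDATA written in step 5 and the
RDATALIB profile defined in step 6 cannot drift apart, and the page's rules
(uppercase ring name, no ICSF keyword on the signing certificate, signing
certificate as ring DEFAULT) are enforced in code. The CA label, the O= and C=
values and the <USERID>.CODE.SIGNING.KEYRING pattern are assumptions that
mirror the page's example.
"""
import re

CA_LABEL = "MyCompany Code Signing CA"   # CA certificate created once in step 1 (page's example)
ORG = "MyCompany"                        # O= in the subject DN (assumption)
COUNTRY = "US"                           # C= in the subject DN (assumption)
HASH_ALG = "SHA256"                      # hash token shown in the page's APPLDATA
RSA_BITS = 2048                          # assumption: do not issue 1024-bit signing keys

# RACF user IDs: 1 to 8 characters from A-Z, 0-9, #, @ and $.
USERID_RE = re.compile(r"^[A-Z0-9#@$]{1,8}$")


def ring_name(userid: str) -> str:
    """Site ring-name pattern (assumption). Uppercase only, per the step 3 rule."""
    name = f"{userid}.CODE.SIGNING.KEYRING"
    if name != name.upper():
        raise ValueError(f"key ring name must be uppercase: {name!r}")
    return name


def appldata(owner: str, ring: str) -> str:
    """APPLDATA layout used by IRR.PROGRAM.SIGNING profiles: '<hash> <ringowner>/<ringname>'."""
    return f"{HASH_ALG} {owner}/{ring}"


def parse_appldata(value: str) -> tuple[str, str, str]:
    """Inverse of appldata(); handy when auditing RLIST FACILITY IRR.PROGRAM.SIGNING.* output."""
    m = re.fullmatch(r"(\S+)\s+([^/\s]+)/(\S+)", value.strip())
    if not m:
        raise ValueError(f"unrecognised IRR.PROGRAM.SIGNING APPLDATA: {value!r}")
    return m.group(1), m.group(2), m.group(3)


def rdatalib_profile(owner: str, ring: str) -> str:
    """RDATALIB resource that guards listing of one specific ring: <ringowner>.<ringname>.LST."""
    return f"{owner}.{ring}.LST"


def commands_for_user(userid: str, use_rdatalib: bool = True) -> list[str]:
    """Steps 2 to 6 for one user; step 1 (the CA) is done once and is not repeated here."""
    if not USERID_RE.match(userid):
        raise ValueError(f"not a valid RACF user ID: {userid!r}")
    ring = ring_name(userid)
    label = f"{userid} Code Signing Cert"
    cmds = [
        # Step 2: no PKDS/PCICC/ICSF keyword, so the private key stays in the RACF database.
        f"RACDCERT ID({userid}) GENCERT "
        f"SUBJECTSDN(CN('{label}') O('{ORG}') C('{COUNTRY}')) "
        f"SIZE({RSA_BITS}) WITHLABEL('{label}') "
        f"SIGNWITH(CERTAUTH LABEL('{CA_LABEL}')) KEYUSAGE(HANDSHAKE DOCSIGN)",
        # Step 3: the program-signing key ring.
        f"RACDCERT ID({userid}) ADDRING({ring})",
        # Step 4: the CA, then the user's own certificate marked DEFAULT.
        f"RACDCERT ID({userid}) CONNECT(CERTAUTH LABEL('{CA_LABEL}') RING({ring}))",
        f"RACDCERT ID({userid}) CONNECT(ID({userid}) LABEL('{label}') DEFAULT RING({ring}))",
        # Step 5: hash algorithm and ring used whenever this user signs a program.
        f"RDEFINE FACILITY IRR.PROGRAM.SIGNING.{userid} APPLDATA('{appldata(userid, ring)}')",
    ]
    if use_rdatalib:
        # Step 6, RDATALIB variant: READ on exactly this ring.
        prof = rdatalib_profile(userid, ring)
        cmds += [f"RDEFINE RDATALIB {prof} UACC(NONE)",
                 f"PERMIT {prof} CLASS(RDATALIB) ID({userid}) ACCESS(READ)"]
    else:
        # Step 6, FACILITY variant: READ on IRR.DIGTCERT.LISTRING covers every ring the user owns.
        cmds.append(f"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID({userid}) ACCESS(READ)")
    return cmds


def commands_for_users(userids: list[str], use_rdatalib: bool = True) -> list[str]:
    """Batch several users and refresh each RACLISTed class once at the end.

    Assumes FACILITY (and RDATALIB, if used) are already active and RACLISTed;
    otherwise issue SETROPTS CLASSACT(...) RACLIST(...) first, as the page shows.
    """
    cmds = []
    if not use_rdatalib:
        cmds.append("RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)")  # omit if it already exists
    for u in userids:
        cmds.extend(commands_for_user(u, use_rdatalib))
    cmds.append("SETROPTS RACLIST(FACILITY) REFRESH")
    if use_rdatalib:
        cmds.append("SETROPTS RACLIST(RDATALIB) REFRESH")
    return cmds


if __name__ == "__main__":
    print("\n".join(commands_for_users(["RAMOS", "CHEN"])))
```

Run it off-platform, review the generated commands, and paste them into TSO (or feed them to a batch TSO job). parse_appldata() is the piece to reuse when auditing existing IRR.PROGRAM.SIGNING.* profiles: extract each profile's APPLDATA from RLIST FACILITY output and confirm that the ring owner and ring name it carries really exist and belong to the user in the profile name.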





Copyright IBM Corporation 1990, 2014