Perform the following steps for each signed program you
want RACF to verify.
- Add the root CA certificate of the code signer to RACF as a trusted CA.
Skip this
step if you created the root CA of the code signer (in Step 1 of Steps for enabling a user to sign a program using RACF code-signing certificates), or if you obtained the root CA of the
code signer from an external CA and added it to RACF (in Step 1 of Steps for enabling a user to sign a program using external code-signing certificates).
- If you obtained the root CA certificate of the code signer from
a software vendor, add it to RACF,
specifying the name of the data set where it is stored.
Example:
RACDCERT CERTAUTH ADD(VENDOR.CA.CERT.DSN)
WITHLABEL('Vendor Code Signing CA')
TRUST
- If the vendor's root CA certificate is already added to RACF, add the TRUST attribute if
it is not already trusted.
Example:
RACDCERT CERTAUTH ALTER(LABEL('Vendor Code Signing CA')) TRUST
______________________________________________________________________
- Add the root CA certificate to the key ring that your installation
uses for signature verification. This is the ring you created in Step 1 of Steps for preparing RACF to verify signed programs (one-time setup).
Examples:
RACDCERT ID(RACFADM) CONNECT(CERTAUTH LABEL('Vendor Code Signing CA')
RING(CODE.SIGNATURE.VERIFICATION.KEYRING))
-or-
RACDCERT ID(RACFADM) CONNECT(CERTAUTH LABEL('MyCompany Code Signing CA')
RING(CODE.SIGNATURE.VERIFICATION.KEYRING))
______________________________________________________________________
- Create or modify the PROGRAM class profile that
controls the signed program and specify the signature verification
options.
The following examples specify that the load of program
MYPROG14 should fail if the signature cannot be verified for any reason
and that only failures should be logged.
Examples:
RDEFINE PROGRAM MYPROG14 ADDMEM('SYS1.TEST.LOADDLL'//NOPADCHK) UACC(READ)
SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) SIGAUDIT(ANYBAD))
-or-
RALTER PROGRAM MYPROG14
SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) SIGAUDIT(ANYBAD))
If
you want to delegate authority to perform this step to a user who
does not have the SPECIAL attribute, see Delegating the authority for specifying signature verification options.
______________________________________________________________________
- Activate your profile changes in the PROGRAM class.
Example:
SETROPTS WHEN(PROGRAM) REFRESH
______________________________________________________________________
You have now enabled RACF to
verify a signed program. If you specified the signature verification
options shown in the example in Step
3,
the program will fail to load if RACF cannot
verify the signature for any reason. If the program is part of a critical
business application, be prepared to invoke a recovery procedure to
minimize the business impact.