Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
RACDCERT (Manage RACF digital certificates) z/OS Security Server RACF Command Language Reference SA23-2292-00 |
|||||||||||||||||||||||||||||||||||||||
The RACDCERT command has numerous functions. Each function of the RACDCERT command is documented in a separate topic that contains its purpose, authorization required, syntax, and other specific information. For
details about each RACDCERT function, see the following topics:
PurposeUse the RACDCERT command to install and maintain digital certificates, key rings, and digital certificate mappings in RACF®. RACDCERT should be used for all maintenance of profiles in the DIGTCERT, DIGTRING, and DIGTNMAP classes. The RACDCERT command is a RACF TSO command used to:
RACF supports RSA, DSA, and ECC keys. The key value can reside in the RACF database in a DER encoded format, or in the ICSF PKA key data set or ICSF token key data set (TKDS). If the key is in ICSF, its location, not the value, is stored in the RACF database. RACF signs its certificates using a set of secure hash algorithms based on the SHA-1 or SHA-2 hash functions. For increased security and performance of signature verifications, RACF uses an exponent value of 65537 for each key it generates with the RSA algorithm. Authorization requiredTo issue the RACDCERT command, you must have sufficient authority for the specific RACDCERT function. This authority may include one or all of the following, depending on the command function.
For authorization details about each RACDCERT function, see the "Authorization required" topic for the RACDCERT function. Controlling the use of RACDCERT: Effective use of RACDCERT requires that its privileges be carefully controlled. However, end users and application administrators should be allowed some flexibility in defining their security characteristics. Guidelines:
Example: ich2a400-obj2.htm#ich2a400-gen2__rdauth1 lists sample commands to implement one method of controlling RACDCERT access according to these guidelines. In the example shown, the system administrators (who are the only ones to add, alter, or delete certificate-authority certificates or site certificates) are in the WEBADMIN group and the help desk personnel are in the HELPDESK group. SyntaxFor details about syntax and parameters for each RACDCERT function, see the "Syntax" and "Parameters" subtopics of each RACDCERT function. If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored. If you do not specify a RACDCERT function, LIST is the default function. UTF-8 and BMP character restrictionsYou
can include UTF-8 and BMP characters in certificate names with the
following restrictions:
DEBUG keywordAdd the DEBUG keyword when you issue the RACDCERT command to obtain additional diagnostic messages for failures related to encryption calls, and RACF-invoked ICHEINTY ALTER, RACROUTE REQUEST=EXTRACT, and RACROUTE REQUEST=DEFINE calls. The content of these additional diagnostic messages are not documented in the RACF publication library. If you report a problem to the IBM® Support Center, use the DEBUG keyword to gather diagnostic information. ICSF considerationsRACDCERT processing makes use of ICSF services. When your installation controls access to ICSF services and the CSFSERV class is active, issuers of certain RACDCERT command functions might require additional access to CSFSERV resources. For complete details, see the "Authorization required" topic of each RACF command function. Restriction: When
ICSF is operating in FIPS mode, the following RACDCERT functions do
not support Brainpool ECC keys:
If your installation has established access control over
keys stored in ICSF, the issuers of the RACDCERT command must have
READ access authority to ICSF keys by label. Because the specific
label values might be difficult to determine, generic profiles are
suggested according to Table 1, based
on the issued RACDCERT function and the attributes of the ICSF key.
Additionally, the user ID assigned to an application, such as System SSL, that uses certificates stored in RACF key rings also needs READ authority to ICSF keys by label. Because the specific label values might be difficult to determine, generic profiles are suggested according to Table 2, based on the CONNECT attributes of the ICSF key.
Sufficient ICSF authority for the following command
functions is controlled using resources in the CRYPTOZ class. If the
CSFSERV class is active, sufficient ICSF authority for the following
command functions might also be required. For authorization details,
see z/OS Cryptographic Services ICSF Administrator's Guide.
Hardware requirementsThe following
hardware features are required on the system when you issue the ADD,
GENCERT, IMPORT, or REKEY functions to store a key in the ICSF PKA key data set (PKDS) or in the ICSF token data set (TKDS). These features
are also required on any system where a user or SSL application accesses
the key.
PKDS label considerationsWhen you specify the PKDS, ICSF, or PCICC keyword with the ADD, GENCERT, IMPORT, or REKEY function, RACF stores the key in the ICSF PKA key data set (PKDS). Setting a PKDS label for the key is optional. You can specify a label or you can specify an asterisk (*) to use the certificate label from the WITHLABEL keyword as the PKDS label for the key. If you specify an asterisk (*), you must specify the WITHLABEL keyword. Whether specified or taken from the WITHLABEL keyword, the PKDS label must be unique and conform to ICSF syntax requirements. That is, allowed characters are alphanumeric, national (@, #, $), or period (.). Blank characters are not allowed. The first character must be alphabetic or national. The label must be 1 - 64 characters and is translated to uppercase (not case-sensitive). If the specified PKDS label, or the certificate label (when you specify an asterisk), does not conform to ICSF syntax requirements, it cannot be used as the PKDS label and the command fails. When you do
not specify a PKDS label and you do not specify an asterisk (*), RACF generates a default label
in the format IRR.DIGTCERT.certificate-owner.cvtsname.ebcdic-stck-value,
where certificate-owner is the owning user
ID, cvtsname is the system name (taken from
the CVT), and ebcdic-stck-value is an EBCDIC
version of the current store-clock value. RACF does not generate a PKDS label for a public
key.
Note: When the key is associated with a certificate-authority
certificate, the owning user ID is set to CERTIFAUTH. When the key
is associated with a site certificate, then the owning user ID is
set to SITECERTIF.
ExamplesFigure 1. Controlling access to RACDCERT functions
|
Copyright IBM Corporation 1990, 2014
|