Examples of controlling the use of the RACDCERT command using the RDATALIB class
By using the granular control (enabled by defining the profile IRR.RACDCERT.GRANULAR in the
RDATALIB class), you can enforce a naming convention for the certificates and the key rings in your
system and segregate the administration of them. For example:
- To enforce the rule that the label for a certificate used for tcpip must start with the string
TCPIP,you can use:
RDEFINE RDATALIB IRR.DIGTCERT.*.TCPIP*.UPD.GENCERT UACC(NONE)for all certificate owners with all certificate names that start with the string TCPIP- or
RDEFINE RDATALIB IRR.DIGTCERT.certificate_owner.TCPIP_SYS1.UPD.GENCERT UACC(NONE)for a specific certificate owner with all certificate name TCPIP_SYS1.
- To enforce the rule that the name for a key ring used for servers must start with the string
SERVER, you can use:
RDEFINE RDATALIB.*.SERVER*.UPD.ADDRING UACC(NONE)for all ring owners with all ring names that start with the string SERVER- or
RDEFINE RDATALIB.ring_owner.SERVERABC.UPD.ADDRING UACC(NONE)for a specific ring owner with all ring names that start with the string SERVER.
- To allow system administrators to create certificates with labels that start with
TCPIP and create key rings with names that start with
SERVER:
PERMIT IRR.DIGTCERT.*.TCPIP*.*.GENCERT CLASS(RDATALIB) ID(SYSADMIN) ACCESS(READ)PERMIT *.SERVER*.UPD.ADDRING CLASS(RDATALIB) ID(SYSADMIN) ACCESS(READ)
- To allow web server administrators to connect the TCPIP_TEST certificate to
the SERVERABC key ring:
PERMIT IRR.DIGTCERT.*.TCPIP*.*.CONNECT CLASS(RDATALIB) ID(WEBADMIN) ACCESS(READ)PERMIT *.SERVER*.UPD.CONNECT CLASS(RDATALIB) ID(WEBADMIN) ACCESS(READ)
- To enforce the CA certificate of PKI Services (label LOCAL_PKI_CA) can only
be used by the PKI daemon PKISRVD, but not by any administrators to sign other
certificates:
RDEFINE RDATALIB IRR.DIGTCERT.CERTIFAUTH.LOCAL_PKI_CA.UPD.GENCERT UACC(NONE)PERMIT IRR.DIGTCERT.CERTIFAUTH.LOCAL_PKI_CA.UPD.GENCERT CLASS(RDATALIB) ID(PKISRVD) ACCESS(READ)