Digital Certificates Management


Vanguard Integrity Professionals, Inc.

Digital Certificate Topics
- History of cryptography
- Cryptographic terms you need to know
- What cryptographic services are in z/OS?
- Why do we need cryptography?
- What are digital certificates?
- RACF RACDCERT command
- RACF profiles for digital certificates
- Administrator and digital certificates
- Advisor and digital certificates

History of Cryptography
- Clay tablets dated near 1500 BC found in Mesopotamia were used to encrypt a craftsman's recipe for pottery glaze
- Hebrew scholars used simple substitution ciphers around 500 or 600 BC
- The ancient Greeks and the Spartan military used the scytale transposition cipher (a scytale is pictured on the slide)

What is Encryption and Decryption?
A simple algorithm, cryptosystem and cryptanalysis:
   Vanguard Provides Our Security   (plaintext)
   Ydpjxdug Surylghv Rxu Vhftulwb   (ciphertext)
- Simply shifting the letters by X is used as the cryptosystem
- The number 3 is the secret key: A=D, B=E, C=F, and so on
- Cryptography shields the data from casual view

Technology Used in Cryptography
- Manual cryptography: religious texts and Egyptian hieroglyphs
- Mechanical cryptography: Enigma machine (WWII), 3 alphabetic rotors = keys (26x26x26)
- Computerized cryptography: mainframes & PCs
- How strong is your algorithm?

Cryptographic Terms
Common algorithms:
- Data Encryption Standard (DES): OLD, DON'T USE
- Triple DES (fading away)
- Advanced Encryption Standard (AES)
- Rivest-Shamir-Adleman (RSA)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Hashes
Key types:
- Symmetric
- Asymmetric

RACF Release History
z/OS Version 1.n cryptographic services:
- Integrated Cryptographic Service Facility (ICSF): hardware
- Open Cryptographic Services Facility (OCSF): software API for PKI
- Public Key Infrastructure (PKI) Services: software environment facilitating encryption and authentication
- System Secure Sockets Layer (SSL): protocol for secure data transmission

Why Do We Need Cryptography?
- Privacy
- Non-repudiation
- Accountability
- Integrity

Security Services Needed for E-Business
- Authentication: identify and verify the user
- Confidentiality: prevent disclosure of the data
- Data integrity: prevent modification of the data
- Non-repudiation: proof of participation in a transaction
- Access control: control access to resources

What? Me Learn Cryptography?
TLS and SSL use three cryptographic operations:
- Symmetric key encryption
- Asymmetric key encryption
- Cryptographic hash
"My boss didn't tell me I had to know crypto to do this job... I need a cup of coffee... zzz"

Sending Credentials
User ID and password sent across the Internet.

Symmetric or Secret Key Cryptography
Carol encrypts the plaintext "Welcome to Vanguard" with the secret key; the ciphertext travels to Sue, who decrypts it with the same secret key (the encryption key and the decryption key are the same).
- Symmetric encryption is secure and fast
- AES is now the new standard
- How do we distribute the secret key?

Asymmetric or Public Key Cryptography
Carol encrypts the plaintext "Welcome to Vanguard" with Sue's public key using a public key algorithm; Sue decrypts the result with Sue's private key.
- Asymmetric is secure but slower than symmetric
- Carol needs to know Sue's public key
- How do we find out someone's public key?

Private and Public Keys
- Private and public keys are numerically related
- Data encrypted with one can only be decrypted with the other

Secret Key vs. Public Key
Secret key (symmetric):
- Pro: fast
- Con: how to distribute the key? Must protect the secret key
Public key (asymmetric):
- Pro: freely distribute the public key
- Con: slow; must protect the private key
Trust: is the public key really from whom we think it is, or is it from an imposter?

Public Key Infrastructure (PKI)
1. Carol generates a random secret key
2. Carol encrypts the secret key with Sue's public key
3. The secret key is transmitted securely
4. Sue decrypts the encrypted secret key with her private key

Best of Both Worlds
Now both Carol and Sue possess the shared secret key:
5. Carol encrypts the message with the secret key (symmetric key algorithm)
6. The encrypted message is sent securely
7. Sue decrypts the message with the secret key

Cryptographic Hash Function
Message: "Once upon a time, in a land far far away, there was a security administrator who eagerly enrolled in a RACF course. Little did that person realize that the subject of cryptography would be taught in the class."
Hashing algorithm -> message digest: d131dd02c5e6eec4693d9a0698aff95c
- One-way algorithm
- Reduces data to a small digest
- Digest is unique to the data
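Steps 1 through 7 of the Carol and Sue exchange, plus the hash function, as an added example that is not part of the original deck. It uses a toy RSA key pair for Sue built from two Mersenne primes and a toy symmetric cipher made from SHA-256 keystream blocks; both are constructed stand-ins for the real RSA-with-padding and AES that a TLS handshake (step 4 of the later TLS slide follows the same pattern) would use, and are far too small to protect anything real.

```python
import hashlib
import secrets

# Toy RSA key pair for Sue, built from two Mersenne primes (constructed for this example;
# a 196-bit modulus is hopelessly small for real use, where 2048+ bits and OAEP padding are the norm).
P, Q = (1 << 89) - 1, (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
SUE_PUBLIC_KEY = (E, N)
SUE_PRIVATE_KEY = (D, N)

def public_key_encrypt(value: int, public_key) -> int:
    """Public key algorithm, encryption direction: only the matching private key undoes it."""
    e, n = public_key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, e, n)

def private_key_decrypt(value: int, private_key) -> int:
    d, n = private_key
    return pow(value, d, n)

def keystream(secret_key: int, length: int) -> bytes:
    """Toy symmetric cipher (stand-in for AES): SHA-256(key || counter) blocks XORed onto the data."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(secret_key.to_bytes(16, "big") + counter.to_bytes(8, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]

def symmetric_crypt(data: bytes, secret_key: int) -> bytes:
    """XOR is its own inverse, so the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(secret_key, len(data))))

def carol_sends(message: bytes, sue_public_key):
    secret_key = secrets.randbits(128)                             # 1. random secret key
    wrapped_key = public_key_encrypt(secret_key, sue_public_key)   # 2. encrypt it with Sue's public key
    ciphertext = symmetric_crypt(message, secret_key)              # 5. encrypt the message with the secret key
    return wrapped_key, ciphertext                                 # 3 and 6. both travel over the network

def sue_receives(wrapped_key: int, ciphertext: bytes, sue_private_key) -> bytes:
    secret_key = private_key_decrypt(wrapped_key, sue_private_key)  # 4. recover the secret key
    return symmetric_crypt(ciphertext, secret_key)                  # 7. decrypt the message

def round_trip(message: bytes) -> bytes:
    wrapped_key, ciphertext = carol_sends(message, SUE_PUBLIC_KEY)
    return sue_receives(wrapped_key, ciphertext, SUE_PRIVATE_KEY)

def message_digest(data: bytes) -> str:
    """Cryptographic hash: fixed-size, one-way digest of data of any length."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    print(round_trip(b"Welcome to Vanguard"))
    print(message_digest(b"Welcome to Vanguard"))
```

The slow public key operation is used exactly once, on a 128-bit key; everything that follows uses the fast symmetric cipher, which is the "best of both worlds" the slide describes. Sue's private key never leaves her side, and the only thing an observer sees is the wrapped key and the ciphertext.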

Digital Signature - 1
"I must make sure that this data is not altered during transmission."
Joe runs his message through the hashing algorithm to produce a message digest, encrypts that digest with Joe's private key (public key algorithm), and sends the message together with the encrypted message digest over the network.

Digital Signature - 2
The receiver decrypts the encrypted message digest with Joe's public key, runs the received message through the same hashing algorithm, and compares the two digests. If both digests are the same, then the message was not altered, and it was signed with Joe's private key.

What Is a Digital Certificate?
- Serial number of certificate
- Distinguished name of issuer (CA)
- Distinguished name of subject
- Subject's public key info: algorithm, public key
- Expiration date
- Signature of certifying authority: SHA-256 message digest of the fields above, encrypted with the private key of the certifying authority

Purpose of Digital Certificates
- Trusted validation of parties: by induction, I believe the party is who he claims to be
- Scalability: get public keys only when really needed
- Transmission and storage of public keys can be insecure: replace storing many keys securely with: store (insecurely) many certificates; store securely the root certificate; store securely the private key
- Can provide permissions (authorizations)

X.509 Digital Certificates
A data structure that contains, at minimum, the following fields:
- The distinguished name of the owner of the public key, also called the subject's name
- The distinguished name of the issuer of the certificate, also called the issuer's name
- The subject's public key
- The time period during which the certificate is valid, also called the validity period
- The certificate's serial number as designated by the issuer
- The issuer's digital signature

Types of Digital Certificates
Certificate-authority certificate or root certificate:
- Associated with a certificate authority
- Used to verify signatures in other certificates
- The CA is responsible for: identifying entities before certificate generation, ensuring the quality of its own key pair, keeping its private key secret
Intermediate (really just a CA):
- Signed by a trusted certificate authority
- Used to verify signatures in other certificates
- Responsible for: identifying entities before certificate generation, ensuring the quality of its own key pair, keeping its private key secret

Types of Digital Certificates
Site certificate (unique to IBM) or server certificate:
- Associated with a server or multiple servers
- Signed by a certificate authority (CA or intermediate)
- Used to authenticate a server and enable secure communication
- Allows sharing of private keys
User certificate:
- Associated with a RACF user
- Signed by a certificate authority
- Used to authenticate a user

Certificate Validation
Three certificates pictured on the slide, each with the subject's public key, expiration date and signature of the certifying authority:
- Serial 12bc34567aade3dd43, issuer VeriSign Root CA, subject VeriSign Root CA: Trusted
- Serial 1ae234788aade343, issuer VeriSign Root CA, subject VeriSign Intermediate CA: Trusted
- Serial aade343, issuer VeriSign Intermediate (CA): Not Trusted
Which ones do I need stored in my browser so I can view a secure web page?

Key Rings
- Collection of certificates that are available to the user
- Used to determine the trustworthiness of the client or server
- Virtual key ring: the set of all certificates available for all users; predefined *AUTH* and *SITE*

Certificates, CAs, Browsers
- Many operating systems contain CA certificates available for all users
- RACF has the equivalent, called virtual rings

Certificates, CAs, RACF
Trusted root store (*AUTH*) in RACF.

TLS for Secure Transaction
Client (web browser) and server:
1. Web browser (client)
2. Server sends its certificate with its public key
3. Client authenticates the server's certificate (validates the trust tree: all intermediate and CA certificates)
4. Client sends a symmetric key (encrypted with the server's public key; the server decrypts it with its private key)
5. ..Encrypted Data..Encrypted Data..Encrypted Data.. All information is encrypted with the symmetric key

The Life Cycle of a Certificate
Public services:
- Import CA tree
- Mark as trusted
- Generate certificate
- Generate request
- Send to CA for signing
- Return and import
- Attach to rings
- Expire / rollover / rekey
Private services:
- Create self-signed CA
- Mark as trusted
- Export and deliver
- Generate signed certificates
- Attach to rings
- Expire / rollover / rekey

RACDCERT Commands for Digital Certificates

The RACDCERT Command
- List information about the certificates for a user
- Add a certificate definition and associate it with a user
- Alter the TRUST status or the LABEL name for a certificate
- Delete a certificate
- List a certificate in a data set and determine if it is associated with a user ID
- Create, delete, or list a key ring
- Add or remove a certificate from a key ring
- Generate a public/private key pair and certificate
- Write a certificate to a data set
- Create a certificate request
- Add, list, modify, or delete a user ID mapping
Diagram: RACDCERT -> RACF -> RACF database

Using the RACDCERT Command
RACDCERT [ ID(user) | SITE | CERTAUTH ] command-options
- ID(user): directed to a user certificate
- SITE: directed to a site certificate
- CERTAUTH: directed to a CA certificate

Basic Rules for RACDCERT
Entity              RACDCERT command issued                                               Issued to ID type
Certificate         GENCERT GENREQ ADD LIST ALTER DELETE CHECKCERT EXPORT REKEY ROLLOVER  RACF ID, CERTAUTH, SITE
Key ring            ADDRING LISTRING CONNECT REMOVE                                       RACF ID
Certificate filter  MAP LISTMAP ALTMAP DELMAP                                             RACF ID, multiple mapping ID (MultiID)

Basic Rules for RACDCERT
- If no ID is specified, the user who issues the command is used.
  List my certificates:
     RACDCERT LIST(LABEL('cert1'))
  List someone else's certificates:
     RACDCERT ID(user2) LIST(LABEL('cert1'))
- Labels are for management purposes only; they are not part of the certificate.
- The control of RACDCERT is managed by FACILITY class profiles.

Access to the RACDCERT Command
FACILITY class profiles:
- IRR.DIGTCERT.ADD: add certificate
- IRR.DIGTCERT.ADDRING: add key ring
- IRR.DIGTCERT.ALTER: alter certificate
- IRR.DIGTCERT.CONNECT: connect certificate to key ring
- IRR.DIGTCERT.EXPORT: write certificate to data set
- IRR.DIGTCERT.GENCERT: generate certificate
- IRR.DIGTCERT.LIST: list certificate
- IRR.DIGTCERT.LISTRING: list key ring

Who Can Issue RACDCERT?
- SPECIAL user: can use all functions of RACDCERT
- FACILITY class profile IRR.DIGTCERT.function:
  READ: issue RACDCERT for self
  UPDATE: issue RACDCERT for others
  CONTROL: issue RACDCERT for SITE and CERTAUTH certificates
Example:
- Trusted admins: add CA certificates and site certificates
- Help desk: list certificates and key rings for anyone
- End users: add, delete, and modify the contents of their own key rings; add, delete, and alter their own certificates
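The authorization rules on these two slides, as an added example that models them in code (this is a simplified model written for the deck's rules, not RACF's own implementation). Access to the FACILITY profile IRR.DIGTCERT.function decides everything: READ covers your own certificates, UPDATE someone else's, CONTROL the SITE and CERTAUTH certificates, and a SPECIAL user bypasses the check. The user IDs and the grants in `FACILITY_ACCESS` are constructed to match the slide's three roles.

```python
# RACF access levels are ordered; holding a higher level satisfies a lower requirement.
ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

def required_access(issuer: str, target: str) -> str:
    """Per the slide: READ to work on your own certificates, UPDATE for another user's,
    CONTROL for SITE and CERTAUTH certificates."""
    if target in ("SITE", "CERTAUTH"):
        return "CONTROL"
    return "READ" if target == issuer else "UPDATE"

def may_issue(issuer: str, function: str, target: str, special_users: set, facility_access: dict) -> bool:
    """facility_access maps (user, FACILITY profile) -> access granted. The DIGTCERT profile's
    OWNER and UACC deliberately play no part, which is the point of the later CAUTION slide."""
    if issuer in special_users:
        return True
    held = facility_access.get((issuer, f"IRR.DIGTCERT.{function.upper()}"), "NONE")
    return ACCESS_RANK[held] >= ACCESS_RANK[required_access(issuer, target)]

# Constructed permissions modelled on the slide's three roles (user IDs are made up).
SPECIAL_USERS = {"SECADM"}
FACILITY_ACCESS = {
    ("CERTADM", "IRR.DIGTCERT.ADD"): "CONTROL",      # trusted admin: CA and site certificates
    ("CERTADM", "IRR.DIGTCERT.ALTER"): "CONTROL",
    ("HELPDSK", "IRR.DIGTCERT.LIST"): "UPDATE",      # help desk: list for anyone
    ("HELPDSK", "IRR.DIGTCERT.LISTRING"): "UPDATE",
    ("USER1", "IRR.DIGTCERT.ADD"): "READ",           # end user: own certificates and rings only
    ("USER1", "IRR.DIGTCERT.DELETE"): "READ",
    ("USER1", "IRR.DIGTCERT.ALTER"): "READ",
    ("USER1", "IRR.DIGTCERT.ADDRING"): "READ",
    ("USER1", "IRR.DIGTCERT.CONNECT"): "READ",
    ("USER1", "IRR.DIGTCERT.REMOVE"): "READ",
}

def decide(issuer: str, function: str, target: str) -> bool:
    return may_issue(issuer, function, target, SPECIAL_USERS, FACILITY_ACCESS)

def audit_examples() -> dict:
    """A handful of decisions a reviewer would want to confirm against the role design."""
    return {
        "CERTADM adds a CA certificate":        decide("CERTADM", "ADD", "CERTAUTH"),
        "HELPDSK lists USER1's certificates":   decide("HELPDSK", "LIST", "USER1"),
        "HELPDSK adds a certificate for USER1": decide("HELPDSK", "ADD", "USER1"),
        "USER1 adds own certificate":           decide("USER1", "ADD", "USER1"),
        "USER1 adds certificate for USER2":     decide("USER1", "ADD", "USER2"),
        "USER1 adds a SITE certificate":        decide("USER1", "ADD", "SITE"),
        "SECADM (SPECIAL) exports a CA cert":   decide("SECADM", "EXPORT", "CERTAUTH"),
    }

if __name__ == "__main__":
    for case, allowed in audit_examples().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

Reading the table in `audit_examples` against the slide is the useful part: the help desk holds UPDATE on LIST and LISTRING only, so it can look at anyone's certificates but cannot add, alter or connect anything; an end user with READ is confined to targets equal to their own ID.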

DIGTCERT Class
CAUTION: ownership is not like other profile classes.
- Ownership does not give access or control in RACF
- OWNER is who issued the command, not the certificate owner
- UACC does not give access
- Causes false audit findings because this is misunderstood
Example profile listing:
CLASS     NAME
DIGTCERT  0A.OU=SBSVCS DEMO CERTIFICATE AUTHORITY. O=SENERGY BUSINESS SYSTEMS.CUS
LEVEL  OWNER   UNIVERSAL ACCESS  YOUR ACCESS  WARNING
00     TSJC00  ALTER             ALTER        NO

Resource Classes for Certificates
- DIGTCERT: contains digital certificates and information related to them
- DIGTRING: contains a profile for each key ring and provides information about the digital certificates that are part of each key ring
- DIGTNMAP: contains the mapping class for certificate name filters
- DIGTCRIT: specifies additional criteria for certificate name filters

Real-Life Example from Before
Request to secure our web server:
- Create a self-signed certificate
- Generate a certificate request to send off to VeriSign
- Receive the signed certificate
- Replace the existing self-signed certificate
- Import any intermediate certificates if required
- Connect to the proper key rings
- Test the service

RACDCERT Command Examples
1. Create the public/private key pair and self-signed certificate:
   RACDCERT ID(WEBSRV) GENCERT SUBJECTSDN(CN( ) OU('Information Technology Dept') O('Vanguard Integrity Professionals') C('USA') L('Las Vegas')) WITHLABEL( )
2. Create a certificate request:
   RACDCERT ID(WEBSRV) GENREQ(LABEL( )) DSN('WEB.SERVER.GENREQ')

What a BASE64 Certificate Request Looks Like
3. Send the certificate request to the certifying authority: cut and paste it into an e-mail and send it to the certifying authority.
********************************* Top of Data **********************************
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC8TCCAdkCAQAwbDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAm52MQswCQYDVQQH
EwJ1czENMAsGA1UEChMEaG9tZTEOMAwGA1UECxMFdmVnYXMxETAPBgNVBAwTCGtk
a2rrzgtkmrewdwydvqqdewh0zxn0mtexmtccasiwdqyjkozihvcnaqebbqadggep
ADCCAQoCggEBANK27andxtRmilPKXndsUkwI2VCKl9qlqDLYBo3G7OWjkvvyWPYh
A40/P3smVbmc4+D6rJ8AA+Y4XnMViI68Ky6/WggxeW8y8NpUxM7SdpHoSZFeqiuK
N+Rkyx4syml0HLzOgycdQd4OPL6qi405M95Ft8no9IZEuQ+zAV7hdrs0lo31wvuX
jcpdcrgxxfhcjwfqh3ghh8jdxbbjbzwxplek/g+lbfuefd128cycs+hmgiluhpla
hx2pun7kr8zhsydylozyyp9lkftsfp4mawil9kkprzzc53yeojbphdnj+tebbqgk
/mtd/62iriq/q6qiggulradbdmspj8c428scaweaaabamd4gcsqgsib3dqejdjex
MC8wHQYDVR0OBBYEFFOMSraujQu2wX4YZwHw1LM4nlCFMA4GA1UdDwEB/wQEAwIB
9jANBgkqhkiG9w0BAQUFAAOCAQEAN7vwlvEY3NX9qXEBst3OKQxVVF67X5rYsMZU
NNgv5uKEkSKGIx3kaN97vO0hC7wmiLRYO9u4ZgJ5m96sk7E9LeZcjvWo48TMPEYf
WZMVSWGYeXdgNwdAA1/DjTuP4sqBV49qPmY71ASmaC359kr7qlPIgs27J65uAcJI
jf5ovqjrh/vv/p3uu972hsplafbhvsievdplyykqvgybmttj7/n98xufhwj038yp
V9YX/3XnDbVmc3xwrEKc7j5P5J3JajTSb5cdkgyNRLQMFjCA+Z+JuQiC+FoCRJ5c
JF8PPz0yPChiJ2kVcq4ShnKYBBwIWu0qLlYxckU0xOLLXJYSQw==
-----END NEW CERTIFICATE REQUEST-----
******************************** Bottom of Data ********************************

RACDCERT Command Examples
4. The certifying authority validates the certificate request, approves it, signs it and sends the SIGNED certificate back to the requestor
5. The requestor receives the certificate into a data set
6. Replace the self-signed certificate with the certificate signed by the CA:
   RACDCERT ID(WEBSRV) ADD('ITSERVER.CERT') WITHLABEL( )

RACDCERT Command Examples
7. Define a RACF key ring for a server:
   RACDCERT ID(WEBSRV) ADDRING(WEBRING)
8. Connect the certificate to the server's key ring and mark it as the default certificate:
   RACDCERT ID(WEBSRV) CONNECT(LABEL( ) RING(WEBRING) DEFAULT)
- When in doubt, connect ID(userid) or SITE certificates as DEFAULT. Some services such as CICS do not have the ability to select a certificate by label name and must use the DEFAULT keyword.
- Do not connect CERTAUTH as DEFAULT.

RACF Commands for Digital Certificates

RACDCERT Commands: Working with Certificates
- GENCERT (generate certificate)
- GENREQ (generate request)
- ADD (add certificate)
- ALTER (alter certificate)
- REKEY (rekey certificate)
- ROLLOVER (roll over certificate)
- DELETE (delete certificate)
- CHECKCERT (check certificate)
- EXPORT (export certificate package)
- IMPORT (import certificate)
- LIST (list certificate)

RACDCERT Commands: Working with Rings
- LISTRING (list key ring)
- ADDRING (add key ring)
- DELRING (delete key ring)
- CONNECT (connect a certificate to a key ring)
- REMOVE (remove a certificate from a key ring)
Working with mapping:
- MAP (create mapping)
- ALTMAP (alter mapping)
- DELMAP (delete mapping)
- LISTMAP (list mapping)

RACDCERT GENCERT
RACDCERT GENCERT [ (request-data-set-name) ]
   [ ID(certificate-owner) | SITE | CERTAUTH ]
   [ SUBJECTSDN( [ CN('common-name') ] [ T('title') ]
                 [ OU('organizational-unit-name1', 'organizational-unit-name2', ...) ]
                 [ O('organization-name') ] [ L('locality') ]
                 [ SP('state-or-province') ] [ C('country') ] ) ]
   [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
   [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
   [ WITHLABEL('label-name') ]
   [ SIGNWITH( [ CERTAUTH | SITE ] LABEL('label-name') ) ]
   [ SIZE(key-size) ]
   [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | DSA | NISTECC | BPECC | FROMICSF(pkds-label) } ]
   [ KEYUSAGE( [ CERTSIGN ] [ DATAENCRYPT ] [ DOCSIGN ] [ HANDSHAKE ] [ KEYAGREE ] ) ]
   [ ALTNAME( IP(numeric-IP-address) DOMAIN('internet-domain-name') EMAIL('e-mail-address') URI('universal-resource-identifier') ) ]

GENCERT Examples
Certificate authority certificate:
   RACDCERT GENCERT CERTAUTH SUBJECTSDN(OU('Vanguard DEMO CERTIFICATE AUTHORITY') O('Vanguard Demo Systems') C('US')) WITHLABEL('Local RACF PKI CA') NOTAFTER(DATE(2020/01/01))
Server certificate:
   RACDCERT GENCERT ID(FTPD) SUBJECTSDN(CN( ) O('Vanguard Integrity Professionals') C('US')) SIZE(1024) WITHLABEL('FTP_Cert') SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))
Site certificate:
   RACDCERT GENCERT SITE SUBJECTSDN(CN('Vanguard.Demo.Systems.Com') O('Vanguard Integrity Professionals') C('US')) SIZE(1024) WITHLABEL('FTP_Cert') SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))

RACDCERT GENREQ
RACDCERT GENREQ(LABEL('WEBSRV_Server_Cert')) ID(WEBSRV) DSN('WEBSRV.SERVER.GENREQ')
*********************** Top of Data ****************************
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIC8TCCAdkCAQAwbDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAm52MQswCQYDVQQH
EwJ1czENMAsGA1UEChMEaG9tZTEOMAwGA1UECxMFdmVnYXMxETAPBgNVBAwTCGtk
a2rrzgtkmrewdwydvqqdewh0zxn0mtexmtccasiwdqyjkozihvcnaqebbqadggep
ADCCAQoCggEBANK27andxtRmilPKXndsUkwI2VCKl9qlqDLYBo3G7OWjkvvyWPYh
A40/P3smVbmc4+D6rJ8AA+Y4XnMViI68Ky6/WggxeW8y8NpUxM7SdpHoSZFeqiuK
N+Rkyx4syml0HLzOgycdQd4OPL6qi405M95Ft8no9IZEuQ+zAV7hdrs0lo31wvuX
jcpdcrgxxfhcjwfqh3ghh8jdxbbjbzwxplek/g+lbfuefd128cycs+hmgiluhpla
hx2pun7kr8zhsydylozyyp9lkftsfp4mawil9kkprzzc53yeojbphdnj+tebbqgk
/mtd/62iriq/q6qiggulradbdmspj8c428scaweaaabamd4gcsqgsib3dqejdjex
MC8wHQYDVR0OBBYEFFOMSraujQu2wX4YZwHw1LM4nlCFMA4GA1UdDwEB/wQEAwIB
9jANBgkqhkiG9w0BAQUFAAOCAQEAN7vwlvEY3NX9qXEBst3OKQxVVF67X5rYsMZU
NNgv5uKEkSKGIx3kaN97vO0hC7wmiLRYO9u4ZgJ5m96sk7E9LeZcjvWo48TMPEYf
WZMVSWGYeXdgNwdAA1/DjTuP4sqBV49qPmY71ASmaC359kr7qlPIgs27J65uAcJI
jf5ovqjrh/vv/p3uu972hsplafbhvsievdplyykqvgybmttj7/n98xufhwj038yp
V9YX/3XnDbVmc3xwrEKc7j5P5J3JajTSb5cdkgyNRLQMFjCA+Z+JuQiC+FoCRJ5c
JF8PPz0yPChiJ2kVcq4ShnKYBBwIWu0qLlYxckU0xOLLXJYSQw==
-----END NEW CERTIFICATE REQUEST-----
************** Bottom of Data ********************************

RACDCERT ADD
- The certifying authority validates the certificate request, approves it, signs it and sends the certificate back to the requestor
- The requestor receives the certificate into a data set, WEBSRV.SERVER.CERT
- Replace the self-signed certificate with the certificate signed by the CA:
   RACDCERT ADD('WEBSRV.SERVER.CERT') ID(WEBSRV) WITHLABEL('WEBSRV_Server_Cert')

RACDCERT LIST Examples
RACDCERT <identifier> LIST <options>
- List all certificates owned by USER1:
     RACDCERT ID(USER1) LIST
- List all CAs:
     RACDCERT CERTAUTH LIST
- List all SITE certificates:
     RACDCERT SITE LIST
- List the CA certificate with a given label:
     RACDCERT CERTAUTH LIST(LABEL('RSA Secure Server CA'))
Note: only one identifier (user ID, SITE or CERTAUTH) may be used.

RACDCERT ALTER
RACDCERT <identifier> ALTER(<options>) option
- Change a CA's trust status:
     RACDCERT CERTAUTH ALTER(LABEL('RSA Secure Server CA')) TRUST
  Note: CAs delivered by IBM are not marked as trusted. To be used, they must be marked trusted and connected to a key ring.
- Change an existing label:
     RACDCERT ID(WEBSERV) ALTER(LABEL('label-name')) NEWLABEL('new-label-name')
  Note: labels are for ease of administration.
Note: only one identifier (user ID, SITE or CERTAUTH) may be used.

RACDCERT DELETE
RACDCERT DELETE [ ID(certificate-owner) | SITE | CERTAUTH ]
   [ (LABEL('label-name')) ]
   [ (SERIALNUMBER(serial-number) [ ISSUERSDN('issuer's-dn') ]) ]
Example:
   RACDCERT CERTAUTH DELETE(LABEL('Verisign Class 3 Primary CA'))
Note: you must specify the ID, and can specify SERIALNUMBER or LABEL. All of it must be exactly correct, including case and numbers.

RACDCERT CHECKCERT
RACDCERT CHECKCERT(data-set-name) [ PASSWORD('pkcs12-password') ]
Example:
   RACDCERT CHECKCERT('TSJC00.GTE.ROOT')
Note: the password is typically needed for certificates with keys, or for packages.
Sample output:
Start Date: 1998/08/12 16:29:00
End Date:   2018/08/13 15:59:00
Serial Number:
     >01A5<
Issuer's Name:
     >CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
     > Corporation.C=US<
Subject's Name:
     >CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
     > Corporation.C=US<
Key Type: RSA
Key Size:
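CHECKCERT output is something an administrator reads one certificate at a time; the "Expire / Rollover / Rekey" stage of the life-cycle slide is easier to manage when it is parsed and checked mechanically. The following is an added example, not part of the deck or of RACF: it parses a CHECKCERT listing laid out like the one above (the sample is constructed from the slide's GTE root values; the "Key Size: 1024" line is made up, since the slide leaves the value blank) and reports the findings a reviewer wants before the certificate is connected to a ring.

```python
from datetime import datetime

# Constructed sample of RACDCERT CHECKCERT output, laid out like the slide's listing for the GTE root.
# The "Key Size" value (1024) is made up; the slide leaves it blank.
SAMPLE_OUTPUT = """\
Start Date: 1998/08/12 16:29:00
End Date:   2018/08/13 15:59:00
Serial Number:
     >01A5<
Issuer's Name:
     >CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
     > Corporation.C=US<
Subject's Name:
     >CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
     > Corporation.C=US<
Key Type: RSA
Key Size: 1024
"""

def parse_checkcert(text: str) -> dict:
    """Turn the 'Field: value' lines into a dict. Long values continue on '>...<' lines, which are
    concatenated in order so the wrapped distinguished names are reassembled."""
    cert, field = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(">"):
            cert[field] = cert.get(field, "") + line.strip("<>")
            continue
        name, _, value = line.partition(":")
        field = name.strip().lower().replace("'s", "").replace(" ", "_")
        cert[field] = value.strip()
    return cert

def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")

def assess(cert: dict, today: datetime, warn_days: int = 90, min_rsa_bits: int = 2048) -> list:
    """Findings an administrator wants before the certificate is connected to a ring: expired or
    about to expire (time to REKEY/ROLLOVER), a weak key, and self-signed (issuer == subject)."""
    findings = []
    end = parse_ts(cert["end_date"])
    if end < today:
        findings.append("expired")
    elif (end - today).days <= warn_days:
        findings.append(f"expires within {warn_days} days")
    if cert.get("key_type") == "RSA" and int(cert.get("key_size") or 0) < min_rsa_bits:
        findings.append("weak RSA key")
    if cert.get("issuer_name") == cert.get("subject_name"):
        findings.append("self-signed")
    return findings

if __name__ == "__main__":
    parsed = parse_checkcert(SAMPLE_OUTPUT)
    print(parsed["serial_number"], parsed["issuer_name"])
    print(assess(parsed, datetime.now()))
```

The same parser can be fed the saved output of CHECKCERT for every data set you receive from a CA, which turns "all must be exactly correct, including case" into something you can compare field by field rather than by eye.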

RACDCERT EXPORT
Export the local CA certificate to a data set:
   RACDCERT EXPORT(LABEL('Local_RACF_CA')) CERTAUTH DSN('TSJC00.Local.RACF.CA')
Caution: if you use passwords, you must remember them.
Hint: use CER/DER format for CERTAUTH.

RACDCERT REKEY
RACDCERT REKEY(LABEL('existing-label-name'))
   [ ID(certificate-owner) | SITE | CERTAUTH ]
   [ SIZE(key-size) ]
   [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
   [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
   [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | NISTECC | BPECC } ]
   [ WITHLABEL('to-be-created-label-name') ]
A lot like GENCERT, isn't it?

RACDCERT ROLLOVER
RACDCERT ROLLOVER(LABEL('old-label-name'))
   [ ID(certificate-owner) | SITE | CERTAUTH ]
   NEWLABEL('new-label-name') [ FORCE ]
Example:
   RACDCERT ROLLOVER(LABEL('Local_RACF_CA')) CERTAUTH NEWLABEL('Local.RACF.CA.NEW')
What would you do next?

RACF Commands for Digital Certificates: Rings

RACDCERT ADDRING
Define a RACF key ring for ID TN3270:
   RACDCERT ADDRING(TSORING) ID(TN3270)
- Remember: you must define (add) the ring prior to using it
- Do not ADDRING for CERTAUTH or SITE! RACF has two virtual rings that are always available: *AUTH* and *SITE*

RACDCERT CONNECT
RACDCERT [ ID(ring-owner) ] CONNECT( [ ID(certificate-owner) | SITE | CERTAUTH ] LABEL('label-name') RING(ring-name) [ DEFAULT ] [ USAGE(PERSONAL | SITE | CERTAUTH) ] )
When in doubt, use DEFAULT for PERSONAL.

RACDCERT LISTRING
   RACDCERT ID(FTPD) LISTRING(RINGNAME)
   RACDCERT ID(FTPD) LISTRING(*)
You cannot LISTRING SITE or CERTAUTH:
   IRRD120I Incorrect use of SITE. A Site Certificate cannot own a key ring.
They are virtual and always exist.

RACDCERT REMOVE
RACDCERT REMOVE( [ ID(certificate-owner) | SITE | CERTAUTH ] LABEL('label-name') RING(ring-name) ) [ ID(ring-owner) ]
   RACDCERT ID(TN3270) REMOVE(LABEL('TN370_CERT') RING(TSORING))
   RACDCERT ID(TN3270) REMOVE(CERTAUTH LABEL('LOCAL_RACF_PKI_CERT') RING(TSORING))

Vanguard Administrator and Digital Certificates
(These slides are screen captures of the Vanguard Administrator panels; only their titles survive in the transcription.)
- Administrator and Digital Certificates
- Set Defaults
- Default uses VDMOPT00 in VANOPTS
- VDMOPT00 in VANOPTS
- Customized for Individual User
- View Certificates
- View User and Site Certificates (no RACDCERT command parameter is available to get this report)
- Use of CMD Column Commands
- List User Profile Certificate Information
- Profile Certificate Information
- View Ring Information
- View Rings with Certificates (no RACDCERT command parameter is available to get this report)
- 1 Ring with 2 Certificates
- Switch to Live for Additional Options
- Create a User Certificate

Create a Keyring for a Server
Comparable RACF command:
   RACDCERT ID(itserver) ADDRING(itring)

Create a Server Certificate
Comparable RACF command:
   RACDCERT ID(ITSERVER) GENCERT SUBJECTSDN(CN('go2vanguard.com') OU('Information Technology Dept') O('Vanguard Integrity Professionals') C('USA')) WITHLABEL('IT_Server_Cert')

Create a Certificate Request
Comparable RACF command:
   RACDCERT ID(JOHNC) GENREQ(LABEL('test')) DSN('JOHNC.GENREQ')

Importing the Signed Cert / Create CA Signed Certificate
Comparable RACF command:
   RACDCERT ID(ITSERVER) WITHLABEL('IT_Server_Cert') DSN('ITSERVER.GENREQ')

Connect CA Signed Certificate to Ring
Comparable RACF command:
   RACDCERT ID(ITSERVER) CONNECT(LABEL('IT_Server_CA_Cert') RING(itring) DEFAULT)

Export the non-CA ITSERVER Certificate
Comparable RACF command:
   RACDCERT EXPORT(LABEL('IT_Server_Cert')) DSN('ITSERVER.CERT') FORMAT(PKCS12DER)

Evaluate a Certificate on a Data Set
Comparable RACF command:
   RACDCERT CHECKCERT('ITSERVER.CERT') PASSWORD('DANDYDON')

Delete the non-CA Certificate
Comparable RACF command:
   RACDCERT DELETE(LABEL('IT_Server_Cert'))

Vanguard Advisor and Digital Certificates
Advisor Reporting for Digital Certificates (these slides are screen captures of the reports; only their titles survive in the transcription):
- RACF Command Summary Report
- RACF Commands by Userid Report
- Advisor RACDCERT Command
- RACF Command Detail Report
- Resource Access Summary Report
- Resource Access Detail Report

Resources
- Security Server RACF Security Administrator's Guide, chapter titled "RACF and Digital Certificates"
- Security Server RACF Command Language Reference, see the RACDCERT command
- Implementing PKI Services on z/OS (Redbook SG )
- RACF Home Page


More information

Implementing SSL Security on a PowerExchange 9.1.0 Network

Implementing SSL Security on a PowerExchange 9.1.0 Network Implementing SSL Security on a PowerExchange 9.1.0 Network 2012 Informatica Abstract This article describes how to implement SSL security on a PowerExchange network. To implement SSL security, configure

More information

How To Encrypt Data With Encryption

How To Encrypt Data With Encryption USING ENCRYPTION TO PROTECT SENSITIVE INFORMATION Commonwealth Office of Technology Security Month Seminars Alternate Title? Boy, am I surprised. The Entrust guy who has mentioned PKI during every Security

More information

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173 Security & Privacy on the WWW Briefing for CS4173 Topic Outline 1. Information Security Relationship to safety Definition of important terms Where breaches can occur Web techniques Components of security

More information

Security Digital Certificate Manager

Security Digital Certificate Manager System i Security Digital Certificate Manager Version 5 Release 4 System i Security Digital Certificate Manager Version 5 Release 4 Note Before using this information and the product it supports, be sure

More information

Savitribai Phule Pune University

Savitribai Phule Pune University Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

More information

CRYPTOGRAPHY IN NETWORK SECURITY

CRYPTOGRAPHY IN NETWORK SECURITY ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can

More information

Secure Managed File Transfer with Connect:Direct

Secure Managed File Transfer with Connect:Direct Secure Managed File Transfer with Connect:Direct Mike Watley Advisory Software Engineer IBM Software Group Industry Solutions August 16, 2013 Session 13423 Agenda What is Secure Plus? What are the components

More information

Security Digital Certificate Manager

Security Digital Certificate Manager IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,

More information

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Understanding Digital Certificates and Secure Sockets Layer (SSL) Understanding Digital Certificates and Secure Sockets Layer (SSL) Author: Peter Robinson January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What are they?

More information

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213 UNCLASSIFIED Example http ://www. greatstuf f. com Wants credit card number ^ Look at lock on browser Use https

More information

Implementing Secure Sockets Layer on iseries

Implementing Secure Sockets Layer on iseries Implementing Secure Sockets Layer on iseries Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts Digital Certificate Manager Local Certificate Authority Server Certificates

More information

Internet Programming. Security

Internet Programming. Security Internet Programming Security Introduction Security Issues in Internet Applications A distributed application can run inside a LAN Only a few users have access to the application Network infrastructures

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

More information

Cryptography & Digital Signatures

Cryptography & Digital Signatures Cryptography & Digital Signatures CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration Prof. Sloan s Slides, 2007, 2008 Robert H.

More information

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

More information

SBClient SSL. Ehab AbuShmais

SBClient SSL. Ehab AbuShmais SBClient SSL Ehab AbuShmais Agenda SSL Background U2 SSL Support SBClient SSL 2 What Is SSL SSL (Secure Sockets Layer) Provides a secured channel between two communication endpoints Addresses all three

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

IBM i Version 7.3. Security Digital Certificate Manager IBM

IBM i Version 7.3. Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information

More information

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key Friends and Enemies Security Outline Encryption lgorithms Protocols Message Integrity Protocols Key Distribution Firewalls Figure 7.1 goes here ob, lice want to communicate securely Trudy, the intruder

More information

INTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003

INTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003 INTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003 History of Cryptography The concept of securing messages through cryptography has a long history.

More information

An Introduction to Cryptography as Applied to the Smart Grid

An Introduction to Cryptography as Applied to the Smart Grid An Introduction to Cryptography as Applied to the Smart Grid Jacques Benoit, Cooper Power Systems Western Power Delivery Automation Conference Spokane, Washington March 2011 Agenda > Introduction > Symmetric

More information

Information Security

Information Security Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

Content Teaching Academy at James Madison University

Content Teaching Academy at James Madison University Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect

More information

Securing your Online Data Transfer with SSL

Securing your Online Data Transfer with SSL Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4. What does

More information

2014 IBM Corporation

2014 IBM Corporation 2014 IBM Corporation This is the 27 th Q&A event prepared by the IBM License Metric Tool Central Team (ICT) Currently we focus on version 9.x of IBM License Metric Tool (ILMT) The content of today s session

More information

SSL/TLS: The Ugly Truth

SSL/TLS: The Ugly Truth SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography

More information

Chapter 17. Transport-Level Security

Chapter 17. Transport-Level Security Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

More information

Securing your Online Data Transfer with SSL A GUIDE TO UNDERSTANDING SSL CERTIFICATES, how they operate and their application INDEX 1. Overview 2. What is SSL? 3. How to tell if a Website is Secure 4.

More information

WiMAX Public Key Infrastructure (PKI) Users Overview

WiMAX Public Key Infrastructure (PKI) Users Overview WiMAX Public Key Infrastructure (PKI) Users Overview WiMAX, Mobile WiMAX, Fixed WiMAX, WiMAX Forum, WiMAX Certified, WiMAX Forum Certified, the WiMAX Forum logo and the WiMAX Forum Certified logo are trademarks

More information

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C Cunsheng Ding, HKUST Lecture 06: Public-Key Infrastructure Main Topics of this Lecture 1. Digital certificate 2. Certificate authority (CA) 3. Public key infrastructure (PKI) Page 1 Part I: Digital Certificates

More information

Lecture 9 - Network Security TDTS41-2006 (ht1)

Lecture 9 - Network Security TDTS41-2006 (ht1) Lecture 9 - Network Security TDTS41-2006 (ht1) Prof. Dr. Christoph Schuba Linköpings University/IDA Schuba@IDA.LiU.SE Reading: Office hours: [Hal05] 10.1-10.2.3; 10.2.5-10.7.1; 10.8.1 9-10am on Oct. 4+5,

More information

Chapter 8. Network Security

Chapter 8. Network Security Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who

More information

SSL Overview for Resellers

SSL Overview for Resellers Web Security Enterprise Security Identity Verification Services Signing Services SSL Overview for Resellers What We ll Cover Understanding SSL SSL Handshake 101 Market Opportunity for SSL Obtaining an

More information

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For

Secure Socket Layer. Introduction Overview of SSL What SSL is Useful For Secure Socket Layer Secure Socket Layer Introduction Overview of SSL What SSL is Useful For Introduction Secure Socket Layer (SSL) Industry-standard method for protecting web communications. - Data encryption

More information

mod_ssl Cryptographic Techniques

mod_ssl Cryptographic Techniques mod_ssl Overview Reference The nice thing about standards is that there are so many to choose from. And if you really don t like all the standards you just have to wait another year until the one arises

More information

Chapter 10. Network Security

Chapter 10. Network Security Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

More information

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon 1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly

More information

Understanding digital certificates

Understanding digital certificates Understanding digital certificates Mick O Brien and George R S Weir Department of Computer and Information Sciences, University of Strathclyde Glasgow G1 1XH mickobrien137@hotmail.co.uk, george.weir@cis.strath.ac.uk

More information

Certificate Management. PAN-OS Administrator s Guide. Version 7.0

Certificate Management. PAN-OS Administrator s Guide. Version 7.0 Certificate Management PAN-OS Administrator s Guide Version 7.0 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us

More information

Network Security Protocols

Network Security Protocols Network Security Protocols EE657 Parallel Processing Fall 2000 Peachawat Peachavanish Level of Implementation Internet Layer Security Ex. IP Security Protocol (IPSEC) Host-to-Host Basis, No Packets Discrimination

More information

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

More information

Web Security: Encryption & Authentication

Web Security: Encryption & Authentication Web Security: Encryption & Authentication Arnon Rungsawang fenganr@ku.ac.th Massive Information & Knowledge Engineering Department of Computer Engineering Faculty of Engineering Kasetsart University, Bangkok,

More information

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005

Lecture 31 SSL. SSL: Secure Socket Layer. History SSL SSL. Security April 13, 2005 Lecture 31 Security April 13, 2005 Secure Sockets Layer (Netscape 1994) A Platform independent, application independent protocol to secure TCP based applications Currently the most popular internet crypto-protocol

More information

SSL Protect your users, start with yourself

SSL Protect your users, start with yourself SSL Protect your users, start with yourself Kulsysmn 14 december 2006 Philip Brusten Overview Introduction Cryptographic algorithms Secure Socket Layer Certificate signing service

More information

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1 PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication

More information

Cryptography & Network Security

Cryptography & Network Security Cryptography & Network Security Lecture 1: Introduction & Overview 2002. 3. 27 chlim@sejong.ac.kr Common Terms(1) Cryptography: The study of mathematical techniques related to aspects of information security

More information

Properties of Secure Network Communication

Properties of Secure Network Communication Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able to understand the contents of the transmitted message. Because eavesdroppers may intercept the message,

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

WIRELESS LAN SECURITY FUNDAMENTALS

WIRELESS LAN SECURITY FUNDAMENTALS WIRELESS LAN SECURITY FUNDAMENTALS Jone Ostebo November 2015 #ATM15ANZ @ArubaANZ Learning Goals Authentication with 802.1X But first: We need to understand some PKI And before that, we need a cryptography

More information

Domino Certification Authority and SSL Certificates

Domino Certification Authority and SSL Certificates Domino Certification Authority and SSL Certificates Setup Domino as Certification Authority Process Client Certificate Requests Mike Bartlett ibm.com/redbooks Redpaper Redpaper International Technical

More information

GT 6.0 GSI C Security: Key Concepts

GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts GT 6.0 GSI C Security: Key Concepts Overview GSI uses public key cryptography (also known as asymmetric cryptography) as the basis for its functionality. Many of the

More information

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST Safeguarding Data Using Encryption Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST What is Cryptography? Cryptography: The discipline that embodies principles, means, and methods

More information

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler Certificates Noah Zani, Tim Strasser, Andrés Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate

More information

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release 2.12.9 - corrections. ADYTON Release 2.12.

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release 2.12.9 - corrections. ADYTON Release 2.12. Table of Contents Scope of the Document... 1 [Latest Official] ADYTON Release 2.12.9... 1 ADYTON Release 2.12.4... 1 ADYTON Release 2.9.3... 3 ADYTON Release 2.7.7... 3 ADYTON Release 2.6.2... 4 ADYTON

More information

Sharing Secrets Using Encryption Facility

Sharing Secrets Using Encryption Facility Sharing Secrets Using Encryption Facility Eysha S. Powers IBM Corporation Insert Custom Session QR if Desired Tuesday, August 11, 2015: 6:00pm 7:00pm Session Number 17624 Cryptography is used in a variety

More information

7 Key Management and PKIs

7 Key Management and PKIs CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Key Management and PKIs 7.1 Key Management Key Management For any use of cryptography, keys must be handled correctly. Symmetric keys must be kept secret.

More information

Encrypted Connections

Encrypted Connections EMu Documentation Encrypted Connections Document Version 1 EMu Version 4.0.03 www.kesoftware.com 2010 KE Software. All rights reserved. Contents SECTION 1 Encrypted Connections 1 How it works 2 Requirements

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

Security Goals Services

Security Goals Services 1 2 Lecture #8 2008 Freedom from danger, risk, etc.; safety. Something that secures or makes safe; protection; defense. Precautions taken to guard against crime, attack, sabotage, espionage, etc. An assurance;

More information

, ) I Transport Layer Security

, ) I Transport Layer Security Secure Sockets Layer (SSL, ) I Transport Layer Security _ + (TLS) Network Security Products S31213 UNCLASSIFIED Location of SSL -L Protocols TCP Ethernet IP SSL Header Encrypted SSL data= HTTP " Independent

More information

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information

Public Key Infrastructure. A Brief Overview by Tim Sigmon

Public Key Infrastructure. A Brief Overview by Tim Sigmon Public Key Infrastructure A Brief Overview by Tim Sigmon May, 2000 Fundamental Security Requirements (all addressed by PKI) X Authentication - verify identity of communicating parties X Access Control

More information

Archived NIST Technical Series Publication

Archived NIST Technical Series Publication Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated

More information

B U S I N E S S G U I D E

B U S I N E S S G U I D E VeriSign Microsoft Office/Visual Basic for Applications (VBA) Code Signing Digital Certificates Realizing the Possibilities of Internet Software Distribution CONTENTS + What Is Developer Code Signing?

More information

Is your data safe out there? -A white Paper on Online Security

Is your data safe out there? -A white Paper on Online Security Is your data safe out there? -A white Paper on Online Security Introduction: People should be concerned of sending critical data over the internet, because the internet is a whole new world that connects

More information

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. Cryptosystems Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K. C= E(M, K), Bob sends C Alice receives C, M=D(C,K) Use the same key to decrypt. Public

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

Complying with PCI Data Security

Complying with PCI Data Security Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring

More information

IBM Sterling Connect:Direct Secure Plus for UNIX. Implementation Guide. Version 4.1

IBM Sterling Connect:Direct Secure Plus for UNIX. Implementation Guide. Version 4.1 IBM Sterling Connect:Direct Secure Plus for UNIX Implementation Guide Version 4.1 IBM Sterling Connect:Direct Secure Plus for UNIX Implementation Guide Version 4.1 Note Before using this information and

More information

CS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay

CS 348: Computer Networks. - Security; 30 th - 31 st Oct 2012. Instructor: Sridhar Iyer IIT Bombay CS 348: Computer Networks - Security; 30 th - 31 st Oct 2012 Instructor: Sridhar Iyer IIT Bombay Network security Security Plan (RFC 2196) Identify assets Determine threats Perform risk analysis Implement

More information

Lecture 9: Application of Cryptography

Lecture 9: Application of Cryptography Lecture topics Cryptography basics Using SSL to secure communication links in J2EE programs Programmatic use of cryptography in Java Cryptography basics Encryption Transformation of data into a form that

More information

Implementing Secure Sockets Layer (SSL) on i

Implementing Secure Sockets Layer (SSL) on i Implementing Secure Sockets Layer (SSL) on i Presented by Barbara Brown Alliance Systems & Programming, Inc. Agenda SSL Concepts History of SSL Digital Certificate Manager Local Certificate Authority Server

More information

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014

Domino and Internet. Security. IBM Collaboration Solutions. Ask the Experts 12/16/2014 Domino and Internet Ask the Experts 12/16/2014 Security IBM Collaboration Solutions Agenda Overview of internet encryption technology Domino's implementation of encryption Demonstration of enabling an

More information

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1 Encryption, Data Integrity, Digital Certificates, and SSL Developed by Jerry Scott 2002 SSL Primer-1-1 Ideas Behind Encryption When information is transmitted across intranets or the Internet, others can

More information

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES

understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES understanding SSL certificates THAWTE IS A LEADING GLOBAL PROVIDER OF SSL CERTIFICATES contents UNDERSTANDING SSL CERTIFICATES...1 What Is SSL and What Are SSL Certificates?...1 Features of SSL...1 Encryption...1

More information

As enterprises conduct more and more

As enterprises conduct more and more Efficiently handling SSL transactions is one cornerstone of your IT security infrastructure. Do you know how the protocol actually works? Wesley Chou Inside SSL: The Secure Sockets Layer Protocol Inside

More information

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure) Cryptelo Drive Cryptelo Drive is a virtual drive, where your most sensitive data can be stored. Protect documents, contracts, business know-how, or photographs - in short, anything that must be kept safe.

More information

The Digital Certificate Journey from RACF to PKI Services Part 2 Session J10 May 11th 2005

The Digital Certificate Journey from RACF to PKI Services Part 2 Session J10 May 11th 2005 IBM eserver The Digital Certificate Journey from RACF to PKI Services Part 2 Session J10 May 11th 2005 Wai Choi IBM Corporation RACF Development Poughkeepsie, NY Phone: (845) 435-7623 e-mail: wchoi@us.ibm.com

More information

7! Cryptographic Techniques! A Brief Introduction

7! Cryptographic Techniques! A Brief Introduction 7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures

More information

McAfee Firewall Enterprise 8.2.1

McAfee Firewall Enterprise 8.2.1 Configuration Guide FIPS 140 2 Revision A McAfee Firewall Enterprise 8.2.1 The McAfee Firewall Enterprise FIPS 140 2 Configuration Guide, version 8.2.1, provides instructions for setting up McAfee Firewall

More information

PKI Services: The Best Kept Secret in z/os

PKI Services: The Best Kept Secret in z/os PKI Services: The Best Kept Secret in z/os Wai Choi, CISSP IBM Corporation August 7th, 2014 Session: 15773 Trademarks The following are trademarks of the International Business Machines Corporation in

More information

Outline. Digital signature. Symmetric-key Cryptography. Caesar cipher. Cryptography basics Digital signature

Outline. Digital signature. Symmetric-key Cryptography. Caesar cipher. Cryptography basics Digital signature Outline Digital signature Cryptography basics Digital signature Dr. László Daragó, Ph.D. Associate professor Cryptography Cryptography encryption decryption Symmetric-key Cryptography Encryption with a

More information

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to

More information

ERserver. iseries. Securing applications with SSL

ERserver. iseries. Securing applications with SSL ERserver iseries Securing applications with SSL ERserver iseries Securing applications with SSL Copyright International Business Machines Corporation 2000, 2001. All rights reserved. US Government Users

More information

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS) Understanding Digital Certificates and Wireless Transport Layer Security (WTLS) Author: Allan Macphee January 2001 Version 1.1 Copyright 2001-2003 Entrust. All rights reserved. Digital Certificates What

More information

Secure Electronic Report Submission

Secure Electronic Report Submission Secure Electronic Report Submission Marsibil Ingibjörg Hjaltalín M.Sc. Thesis No. 18 2005 Computer systems engineering Informatics and Mathematical Modelling Technical University of Denmark Technical University

More information