Digital Certificates Management
2012 Vanguard Integrity Professionals, Inc.

Digital Certificate Topics
- History of Cryptography
- Cryptographic terms you need to know
- What cryptographic services are in z/OS?
- Why do we need cryptography?
- What are digital certificates?
- RACF RACDCERT command
- RACF profiles for digital certificates
- Administrator and digital certificates
- Advisor and digital certificates

History of Cryptography
- Clay tablets dated near 1500 BC found in Mesopotamia were used to encrypt a craftsman's recipe for pottery glaze
- Hebrew scholars used simple substitution ciphers around 500 or 600 BC
- The ancient Greeks and Spartan military used the scytale transposition cipher (a scytale is pictured on the slide)

What is Encryption and Decryption
A simple algorithm, cryptosystem and cryptanalysis:
  Vanguard Provides Our Security   (plaintext)
  Ydqjxdug Surylghv Rxu Vhfxulwb   (ciphertext)
- Simply shifting the letters by X is used as the cryptosystem
- The number 3 is the secret key: A=D, B=E, C=F, and so on
- Cryptography shields the data from casual view

Technology used in Cryptography
- Manual cryptography: religious texts and Egyptian hieroglyphs
- Mechanical cryptography: the Enigma machine (WWII); 3 alphabetic rotors = 17576 keys (26x26x26)
- Computerized cryptography: mainframes and PCs
- How strong is your algorithm?

Cryptographic Terms
Common algorithms:
- Data Encryption Standard (DES): old, don't use
- Triple DES: fading away
- Advanced Encryption Standard (AES)
- Rivest-Shamir-Adleman (RSA)
- Elliptic Curve Digital Signature Algorithm (ECDSA)
- Hashes
Key types:
- Symmetric
- Asymmetric
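Added example, not part of the Vanguard slides: the shift cipher of the "What is Encryption and Decryption" slide in Python, plus a search over its whole key space. It shows what "how strong is your algorithm" comes down to once the algorithm is known: a 26-letter shift has only 25 usable keys, so the secret key falls to a trivial search, whereas the Enigma slide's three rotors multiply to 17576 positions. The function names and the crib word are my own choices.

```python
# Added example, not from the Vanguard slides: the shift cipher of the
# "What is Encryption and Decryption" slide and a search over its key space.

def shift_encrypt(plaintext, key):
    """Shift each ASCII letter by `key` positions (key 3: A=D, B=E, C=F); other characters pass through."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext, key):
    """Decryption is encryption with the negated key."""
    return shift_encrypt(ciphertext, -key)


def brute_force(ciphertext, crib):
    """Cryptanalysis without the key: try all 25 shifts and keep the ones whose
    plaintext contains `crib`. The key space is the whole secret, and it is tiny."""
    return [k for k in range(1, 26) if crib in shift_decrypt(ciphertext, k)]


if __name__ == "__main__":
    ct = shift_encrypt("Vanguard Provides Our Security", 3)
    print(ct)                                # Ydqjxdug Surylghv Rxu Vhfxulwb
    print(brute_force(ct, "Vanguard"))       # [3]
```

Run it and the ciphertext matches the slide's worked example; the brute-force call recovers the key 3 in 25 attempts, which is the whole point of the "how strong is your algorithm" question on the next slide.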
RACF Release History
z/OS Version 1.n cryptographic services:
- Integrated Cryptographic Service Facility (ICSF): hardware
- Open Cryptographic Services Facility (OCSF): software API for PKI
- Public Key Infrastructure (PKI) Services: software environment facilitating encryption and authentication
- System Secure Sockets Layer (SSL): protocol for secure data transmission

Why Do We Need Cryptography?
- Privacy
- Non-repudiation
- Accountability
- Integrity

Security Services Needed for E-Business
- Authentication: identify and verify the user
- Confidentiality: prevent disclosure of the data
- Data integrity: prevent modification of data
- Non-repudiation: proof of participation in a transaction
- Access control: control access to resources

What? Me Learn Cryptography?
TLS and SSL use three cryptographic operations:
- Symmetric key encryption
- Asymmetric key encryption
- Cryptographic hash
(Slide cartoon: "My boss didn't tell me I had to know crypto to do this job... I need a cup of coffee... zzz")
Sending Credentials
(Slide diagram: a user ID and password sent across the Internet)

Symmetric or Secret Key Cryptography
(Slide diagram: Carol encrypts the plaintext "Welcome to Vanguard" with the secret key 10101010101010101 into the ciphertext 110010101011100111011; Sue decrypts it with the same key)
- Symmetric encryption is secure and fast
- AES is now the new standard
- How do we distribute the secret key?

Asymmetric or Public Key Cryptography
(Slide diagram: Carol encrypts the plaintext "Welcome to Vanguard" with Sue's public key through the public key algorithm; Sue decrypts the ciphertext with her private key)
- Asymmetric is secure but slower than symmetric
- Carol needs to know Sue's public key
- How do we find out someone's public key?

Private and Public Keys
- Private and public keys are numerically related
- Data encrypted with one can only be decrypted with the other

Secret Key vs. Public Key
Secret key (symmetric):
- Pro: fast
- Con: how to distribute the key? Must protect the secret key
Public key (asymmetric):
- Pro: freely distribute the public key
- Con: slow; must protect the private key
Trust: is the public key really from whom we think it is, or is it from an imposter?

Public Key Infrastructure (PKI)
(Slide diagram: Carol and Sue, steps 1 to 4 through the public key algorithm)
1. Carol generates a random secret key
2. Carol encrypts the secret key with Sue's public key
3. The secret key is transmitted securely
4. Sue decrypts the encrypted secret key with her private key

Best of Both Worlds
(Slide diagram: steps 5 to 7 through the symmetric key algorithm)
Now both Carol and Sue possess the secret key.
5. Carol encrypts the message with the secret key
6. The encrypted message is sent securely
7. Sue decrypts the message with the secret key

Cryptographic Hash Function
Message: "Once upon a time, in a land far far away, there was a security administrator who eagerly enrolled in a RACF course. Little did that person realize that the subject of cryptography would be taught in the class."
Hashing algorithm -> message digest: d131dd02c5e6eec4693d9a0698aff95c
- One-way algorithm
- Reduces data to a small digest
- Digest is unique to the data

Digital Signature - 1
"I must make sure that this data is not altered during transmission."
(Slide diagram: Joe's message goes through the hashing algorithm to produce a message digest; the digest is encrypted with Joe's private key through the public key algorithm; Joe's message and the encrypted message digest are sent over the network)

Digital Signature - 2
(Slide diagram: the received encrypted message digest is decrypted with Joe's public key through the public key algorithm; the received message is hashed again; the two message digests are compared: equal?)
If both digests are the same, then the message was not altered, and it was signed with Joe's private key.
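Added example, not from the slides: the Carol-and-Sue exchange of the "Public Key Infrastructure" and "Best of Both Worlds" slides and Joe's signature from the two "Digital Signature" slides, in Python, following the same flow the TLS slide later describes. Textbook RSA on two fixed Mersenne primes stands in for the public key algorithm and SHA-256 in counter mode stands in for AES, so it runs with the standard library only; the key material, function names and message are constructed for the demonstration and are not production cryptography.

```python
import hashlib
import os

# Textbook RSA on two fixed Mersenne primes: a demonstration stand-in for a real
# public key algorithm (constructed key material, not production crypto).
P, Q = 2**127 - 1, 2**521 - 1            # n exceeds 2**256, so a SHA-256 digest fits one RSA operation
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: numerically tied to (N, E)
SUE_PUBLIC, SUE_PRIVATE = (N, E), (N, D)


def rsa(key, value):
    """Apply one key of the pair to an integer below N; only the other key undoes it."""
    n, exponent = key
    return pow(value, exponent, n)


def keyst_ream_placeholder():
    pass


def keystream(secret_key, length):
    """SHA-256 in counter mode, standing in for AES so only the standard library is needed."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(secret_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def symmetric(secret_key, data):
    """XOR with the keystream: the same call encrypts and decrypts (fast, one shared key)."""
    return bytes(a ^ b for a, b in zip(data, keystream(secret_key, len(data))))


# PKI / Best of Both Worlds: the secret key travels under the public key, the message under the secret key.
def carol_sends(message, recipient_public):
    secret_key = os.urandom(16)                                               # 1. random secret key
    wrapped_key = rsa(recipient_public, int.from_bytes(secret_key, "big"))   # 2. encrypt it with Sue's public key
    ciphertext = symmetric(secret_key, message)                               # 5. encrypt the message with the secret key
    return wrapped_key, ciphertext                                            # 3 and 6: what crosses the network


def sue_receives(wrapped_key, ciphertext, recipient_private):
    secret_key = rsa(recipient_private, wrapped_key).to_bytes(16, "big")     # 4. unwrap with the private key
    return symmetric(secret_key, ciphertext)                                  # 7. decrypt with the secret key


# Digital Signature 1 and 2: the digest is signed with the private key and checked with the public key.
def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, signer_private):
    return rsa(signer_private, digest_int(message))


def verify(message, signature, signer_public):
    """True only if the digests match: the message was not altered and the signer held the private key."""
    return rsa(signer_public, signature) == digest_int(message)


if __name__ == "__main__":
    msg = b"Welcome to Vanguard"
    wrapped, ct = carol_sends(msg, SUE_PUBLIC)
    print(sue_receives(wrapped, ct, SUE_PRIVATE))                              # b'Welcome to Vanguard'
    sig = sign(msg, SUE_PRIVATE)
    print(verify(msg, sig, SUE_PUBLIC), verify(msg + b"!", sig, SUE_PUBLIC))  # True False
```

The asymmetric operation is used exactly twice per message (once to wrap the 16-byte secret key, once to sign a 32-byte digest) while the bulk data goes through the fast symmetric path, which is the "best of both worlds" trade the slides describe; changing one byte of the message makes verify return False because the recomputed digest no longer matches the one recovered with the public key.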
What Is A Digital Certificate?
(Slide diagram of the certificate contents)
- Serial number of the certificate
- Distinguished name of the issuer (CA)
- Distinguished name of the subject
- Subject's public key info: algorithm, public key
- Expiration date
- SHA-256 signature of the certifying authority: the message digest of the fields above, encrypted with the private key of the certifying authority

Purpose of Digital Certificates
- Trusted validation of parties: by induction, I believe the party is who he claims to be
- Scalability: get public keys only when really needed
- Transmission and storage of public keys can be insecure: replace storing many keys securely with: store (insecurely) many certificates; store securely the root certificate; store securely the private key
- Can provide permissions (authorizations)

X.509 Digital Certificates
A data structure that contains, at minimum, the following fields:
- The distinguished name of the owner of the public key, also called the subject's name
- The distinguished name of the issuer of the certificate, also called the issuer's name
- The subject's public key
- The time period during which the certificate is valid, also called the validity period
- The certificate's serial number as designated by the issuer
- The issuer's digital signature

Types of Digital Certificates
Certificate Authority certificate or root certificate:
- Associated with a Certificate Authority
- Used to verify signatures in other certificates
- The CA is responsible for identifying entities before certificate generation, ensuring the quality of its own key pair, and keeping its private key secret
Intermediate (really just a CA):
- Signed by a trusted Certificate Authority
- Used to verify signatures in other certificates
- Responsible for identifying entities before certificate generation, ensuring the quality of its own key pair, and keeping its private key secret

Types of Digital Certificates
Site certificate (unique to IBM) or server certificate:
- Associated with a server or multiple servers
- Signed by a Certificate Authority (CA or intermediate)
- Used to authenticate a server and enable secure communication
- Allows sharing of private keys
User certificate:
- Associated with a RACF user
- Signed by a Certificate Authority
- Used to authenticate a user

Certificate Validation
(Slide diagram of a three-certificate chain; each box shows the serial number, the names, the subject's public key, the expiration date and the signature of the certifying authority)
- Serial 12bc34567aade3dd43: VeriSign Root CA, VeriSign Root CA: Trusted
- Serial 1ae234788aade343: VeriSign Intermediate CA, VeriSign Root CA: Trusted
- Serial 123245769aade343: VeriSign Intermediate (CA), www.go2vanguard.com: Not Trusted
Which ones do I need stored in my browser so I can view a secure web page?
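Added example, not from the slides: the "Certificate Validation" walk in Python, generalised to a chain of any length. Each certificate carries the X.509 fields of the "X.509 Digital Certificates" slide, the trust store plays the part of the browser's root store (or the RACF *AUTH* ring, where a CA must also be marked TRUST, as the later ALTER slide notes), and the validator answers the slide's question of which certificates the browser needs: the root must be in the store and marked trusted, and the intermediate must be available. Signatures use a textbook RSA stand-in on fixed Mersenne primes; the names, serials, dates and keys are constructed.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

# Textbook RSA on fixed Mersenne primes stands in for the CA's real signature
# algorithm (demonstration only); each key pair uses its own two primes.
E = 65537

def keypair(p, q):
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))      # (public, private)

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data)

@dataclass(frozen=True)
class Cert:
    """The X.509 fields of the slide (key and signature carried as integers)."""
    serial: str
    subject: str
    issuer: str
    public_key: tuple
    not_after: date
    is_ca: bool
    signature: int = 0

    def tbs(self):
        """The 'to be signed' bytes that the issuer's signature covers."""
        return f"{self.serial}|{self.subject}|{self.issuer}|{self.public_key}|{self.not_after}|{self.is_ca}".encode()

def issue(cert, issuer_private):
    """The CA signs the digest of the fields with its private key."""
    return replace(cert, signature=sign(issuer_private, cert.tbs()))

def validate(leaf, supplied_chain, trust_store, today):
    """Walk from the server certificate toward a trust anchor.
    trust_store maps a CA subject name to (certificate, trusted flag), like the
    browser's root store or the RACF *AUTH* ring, where a CA must also carry TRUST.
    Returns (trusted, reason)."""
    cert, seen = leaf, set()
    while True:
        if today > cert.not_after:
            return False, f"{cert.subject}: expired {cert.not_after}"
        if cert.issuer in trust_store:
            anchor, trusted = trust_store[cert.issuer]
            if not verify(anchor.public_key, cert.tbs(), cert.signature):
                return False, f"{cert.subject}: signature does not verify with {anchor.subject}"
            if not trusted:
                return False, f"{anchor.subject}: in the store but not marked TRUST"
            return True, f"{leaf.subject}: chains to trusted root {anchor.subject}"
        if cert.subject in seen:
            return False, f"{cert.subject}: self-signed or looping chain with no trust anchor"
        seen.add(cert.subject)
        parent = next((c for c in supplied_chain if c.subject == cert.issuer and c.is_ca), None)
        if parent is None:
            return False, f"{cert.subject}: issuer {cert.issuer} not available: Not Trusted"
        if not verify(parent.public_key, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature does not verify with {parent.subject}"
        cert = parent

# Constructed sample chain, root -> intermediate -> server, as on the slide.
ROOT_PUB, ROOT_PRIV = keypair(2**127 - 1, 2**521 - 1)
INT_PUB, INT_PRIV = keypair(2**607 - 1, 2**1279 - 1)
SERVER_PUB, _ = keypair(2**2203 - 1, 2**2281 - 1)
ROOT = issue(Cert("01", "Demo Root CA", "Demo Root CA", ROOT_PUB, date(2030, 1, 1), True), ROOT_PRIV)
INTERMEDIATE = issue(Cert("02", "Demo Intermediate CA", "Demo Root CA", INT_PUB, date(2025, 1, 1), True), ROOT_PRIV)
SERVER = issue(Cert("03", "www.go2vanguard.com", "Demo Intermediate CA", SERVER_PUB, date(2014, 1, 1), False), INT_PRIV)
TODAY = date(2013, 6, 1)
TRUSTED_ROOTS = {"Demo Root CA": (ROOT, True)}

if __name__ == "__main__":
    print(validate(SERVER, [INTERMEDIATE], TRUSTED_ROOTS, TODAY))              # root in store, intermediate supplied
    print(validate(SERVER, [], TRUSTED_ROOTS, TODAY))                          # intermediate missing: Not Trusted
    print(validate(SERVER, [INTERMEDIATE], {"Demo Root CA": (ROOT, False)}, TODAY))   # root present but not TRUST
    print(validate(SERVER, [INTERMEDIATE, ROOT], {}, TODAY))                   # a self-signed root sent by the server is no anchor
    print(validate(replace(SERVER, not_after=date(2040, 1, 1)), [INTERMEDIATE], TRUSTED_ROOTS, TODAY))   # altered after signing
```

The five calls at the bottom cover the cases an administrator meets in practice: the happy path, the server that forgets to send its intermediate (the browser shows it as not trusted even though the root is installed), a CA certificate that was imported but never marked trusted, a chain that ends in a root nobody installed, and a certificate whose expiration date was changed after the CA signed it, which fails on the signature rather than on the date.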
Key Rings
- Collection of certificates that are available to the user
- Used to determine the trustworthiness of the client or server
- Virtual key ring: the set of all certificates available for all users
- Predefined: *AUTH* and *SITE*

Certificates, CAs, Browsers
- Many operating systems contain CA certificates available for all users
- RACF has the equivalent, called virtual rings
(Slide screenshot of a browser's certificate store)

Certificates, CAs, RACF
(Slide screenshot of the trusted root store, *AUTH*, in RACF)

TLS for Secure Transaction
Client browser and server:
1. The web browser requests https://www.medserver.org/medicaldata.html
2. The server sends its certificate with its public key
3. The client authenticates the server's certificate (validates the trust tree: all intermediate and CA certificates)
4. The client sends a symmetric key (encrypted with the server's public key; the server decrypts it with its private key)
5. ..Encrypted Data..Encrypted Data..Encrypted Data.. All information is encrypted with the symmetric key
The Life Cycle of a Certificate
Public services:
- Import the CA tree
- Mark as trusted
- Generate certificate
- Generate request
- Send to the CA for signing
- Return and import
- Attach to rings
- Expire
- Rollover
- Rekey
Private services:
- Create a self-signed CA
- Mark as trusted
- Export and deliver
- Generate signed certificates
- Attach to rings
- Expire
- Rollover
- Rekey

RACDCERT Commands for Digital Certificates

The RACDCERT Command
(Slide diagram: RACDCERT -> RACF -> RACF database)
- List information about the certificates for a user
- Add a certificate definition and associate it with a user
- Alter the TRUST status or the LABEL name for a certificate
- Delete a certificate
- List a certificate in a data set and determine if it is associated with a userid
- Create, delete, or list a key ring
- Add or remove a certificate from a key ring
- Generate a public/private key pair and certificate
- Write a certificate to a data set
- Create a certificate request
- Add, list, modify, or delete a userid mapping

Using the RACDCERT Command
  RACDCERT [ID(user) | SITE | CERTAUTH] command-options
- ID(user): directed to a user certificate
- SITE: directed to a site certificate
- CERTAUTH: directed to a CA certificate

Basic Rules for RACDCERT
  Entity              RACDCERT command                                 Issued to ID type
  ------------------  -----------------------------------------------  --------------------------------------
  Certificate         GENCERT GENREQ ADD LIST ALTER DELETE CHECKCERT   RACF ID, CERTAUTH, SITE
                      EXPORT REKEY ROLLOVER
  Key ring            ADDRING LISTRING CONNECT REMOVE                  RACF ID
  Certificate filter  MAP LISTMAP ALTMAP DELMAP                        RACF ID, Multiple Mapping ID (MultiID)

Basic Rules for RACDCERT
- If no ID is specified, the user who issues the command is used.
  List my certificates:
    RACDCERT LIST(LABEL('cert1'))
  List someone else's certificates:
    RACDCERT ID(user2) LIST(LABEL('cert1'))
- Labels are for management purposes only; they are not part of the certificate.
- The control of RACDCERT is managed by FACILITY class profiles.

Access to the RACDCERT Command
FACILITY class profiles:
- IRR.DIGTCERT.ADD: add certificate
- IRR.DIGTCERT.ADDRING: add key ring
- IRR.DIGTCERT.ALTER: alter certificate
- IRR.DIGTCERT.CONNECT: connect certificate to key ring
- IRR.DIGTCERT.EXPORT: write certificate to data set
- IRR.DIGTCERT.GENCERT: generate certificate
- IRR.DIGTCERT.LIST: list certificate
- IRR.DIGTCERT.LISTRING: list key ring

Who Can Issue RACDCERT?
- SPECIAL user: can use all functions of RACDCERT
- FACILITY class profile IRR.DIGTCERT.function:
  - READ: issue RACDCERT for self
  - UPDATE: issue RACDCERT for others
  - CONTROL: issue RACDCERT for SITE and CERTAUTH certificates
Example:
- Trusted admins: add CA certificates and site certificates
- Help desk: list certificates and key rings for anyone
- End users: add, delete, and modify the contents of their own key rings; add, delete, and alter their own certificates
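Added example, not from the slides: a Python model of the authorization rule on the "Who Can Issue RACDCERT?" slide. It reads the top level of a RACDCERT command for the function keyword and the ID(...)/SITE/CERTAUTH target, derives the required access (READ for your own certificates, UPDATE for someone else's, CONTROL for SITE and CERTAUTH) and checks it against constructed FACILITY class profiles that follow the slide's three role examples. It models only the slide's summary, not RACF's full checking (ring owner versus certificate owner inside CONNECT, class activation and RACLIST are not covered); the profiles, user IDs and helper names are assumptions.

```python
import re

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# Constructed FACILITY class profiles following the slide's role examples:
# trusted admins get CONTROL on ADD, the help desk UPDATE on LIST/LISTRING,
# end users READ on the functions that touch their own certificates and rings.
FACILITY = {
    "IRR.DIGTCERT.ADD":      {"UACC": "NONE", "acl": {"CERTADM": "CONTROL", "USER1": "READ"}},
    "IRR.DIGTCERT.DELETE":   {"UACC": "NONE", "acl": {"USER1": "READ"}},
    "IRR.DIGTCERT.ALTER":    {"UACC": "NONE", "acl": {"USER1": "READ"}},
    "IRR.DIGTCERT.ADDRING":  {"UACC": "NONE", "acl": {"USER1": "READ"}},
    "IRR.DIGTCERT.DELRING":  {"UACC": "NONE", "acl": {"USER1": "READ"}},
    "IRR.DIGTCERT.CONNECT":  {"UACC": "NONE", "acl": {"USER1": "READ"}},
    "IRR.DIGTCERT.REMOVE":   {"UACC": "NONE", "acl": {"USER1": "READ"}},
    "IRR.DIGTCERT.LIST":     {"UACC": "NONE", "acl": {"HELPDESK": "UPDATE"}},
    "IRR.DIGTCERT.LISTRING": {"UACC": "NONE", "acl": {"HELPDESK": "UPDATE"}},
}
SPECIAL_USERS = {"SYSADM"}      # SPECIAL attribute: all RACDCERT functions

TOKEN = re.compile(r"[A-Za-z0-9@#$_.]+|[()]")


def parse_racdcert(command, issuer):
    """Return (function, target) from the top level of a RACDCERT command.
    target is ("ID", userid), ("SITE",) or ("CERTAUTH",); with no ID the issuer is the target.
    Tokens inside parentheses (labels, ring names, the nested owner in CONNECT) are skipped."""
    function, target, depth, want_id = None, None, 0, False
    for tok in TOKEN.findall(command):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif want_id:                             # the token right after "ID(" is the user ID
            target, want_id = ("ID", tok.upper()), False
        elif depth == 0:
            word = tok.upper()
            if word == "ID":
                want_id = True
            elif word in ("SITE", "CERTAUTH"):
                target = (word,)
            elif word != "RACDCERT" and function is None:
                function = word
    if function is None:
        raise ValueError("no RACDCERT function keyword found")
    return function, target or ("ID", issuer.upper())


def required_access(issuer, target):
    """The slide's rule: READ for your own certificates, UPDATE for someone else's,
    CONTROL for SITE and CERTAUTH certificates."""
    if target[0] in ("SITE", "CERTAUTH"):
        return "CONTROL"
    return "READ" if target[1] == issuer.upper() else "UPDATE"


def granted_access(user, profile):
    """Access from the profile's access list, else its UACC; no profile at all means NONE."""
    p = FACILITY.get(profile)
    return "NONE" if p is None else p["acl"].get(user, p["UACC"])


def authorize(user, command):
    """Decide whether `user` may issue `command`; returns (allowed, reason)."""
    user = user.upper()
    if user in SPECIAL_USERS:
        return True, "SPECIAL: all RACDCERT functions permitted"
    function, target = parse_racdcert(command, user)
    profile = f"IRR.DIGTCERT.{function}"
    need, have = required_access(user, target), granted_access(user, profile)
    return ACCESS_RANK[have] >= ACCESS_RANK[need], f"{profile}: need {need}, have {have}"


if __name__ == "__main__":
    for who, cmd in [("USER1", "RACDCERT ADD('USER1.MY.CERT') WITHLABEL('mycert')"),
                     ("USER1", "RACDCERT ID(USER2) LIST(LABEL('cert1'))"),
                     ("HELPDESK", "RACDCERT ID(USER2) LIST(LABEL('cert1'))"),
                     ("CERTADM", "RACDCERT CERTAUTH ADD('CA.CERT') WITHLABEL('Local RACF PKI CA')"),
                     ("USER1", "RACDCERT CERTAUTH ADD('CA.CERT')")]:
        print(who, cmd, authorize(who, cmd))
```

The reason string is what you want in a review: it names the profile that decided the outcome and the access level that was needed versus held, which is the same pair of facts an auditor reads off an ICH408I message or a RACF command detail report.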
DIGTCERT Class
CAUTION: the owner of a DIGTCERT profile is not like the owner in other profile classes.
- Ownership does not give access or control in RACF
- OWNER is who issued the command, not the certificate owner
- UACC does not give access
- This causes false audit findings because it is misunderstood

  CLASS      NAME
  -----      ----
  DIGTCERT   0A.OU=SBSVCS DEMO CERTIFICATE AUTHORITY. O=SENERGY BUSINESS SYSTEMS.CUS

  LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
  -----  --------  ----------------  -----------  -------
   00    TSJC00    ALTER             ALTER        NO

Resource Classes for Certificates
- DIGTCERT: contains digital certificates and information related to them
- DIGTRING: contains a profile for each key ring and provides information about the digital certificates that are part of each key ring
- DIGTNMAP: contains the mapping class for certificate name filters
- DIGTCRIT: specifies additional criteria for certificate name filters
Real Life Example
Request to secure our web server www.go2vanguard.com:
- Create a self-signed certificate
- Generate a certificate request to send off to VeriSign
- Receive the signed certificate
- Replace the existing self-signed certificate
- Import any intermediate certificates if required
- Connect to the proper key rings
- Test the service

RACDCERT Command Examples
1. Create the public/private key pair and self-signed certificate:
     RACDCERT ID(WEBSRV) GENCERT SUBJECTSDN(CN('www.go2vanguard.com') OU('Information Technology Dept') O('Vanguard Integrity Professionals') C('USA') L('Las Vegas')) WITHLABEL('www.go2vanguard.com')
2. Create a certificate request:
     RACDCERT ID(WEBSRV) GENREQ(LABEL('www.go2vanguard.com')) DSN('WEB.SERVER.GENREQ')

What a BASE64 Cert Looks Like
3. Send the certificate request to the certifying authority: cut and paste it into an e-mail and send it to the certifying authority.
  ********************************* Top of Data **********************************
  -----BEGIN NEW CERTIFICATE REQUEST-----
  MIIC8TCCAdkCAQAwbDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAm52MQswCQYDVQQH
  EwJ1czENMAsGA1UEChMEaG9tZTEOMAwGA1UECxMFdmVnYXMxETAPBgNVBAwTCGtk
  a2rrzgtkmrewdwydvqqdewh0zxn0mtexmtccasiwdqyjkozihvcnaqebbqadggep
  ADCCAQoCggEBANK27andxtRmilPKXndsUkwI2VCKl9qlqDLYBo3G7OWjkvvyWPYh
  A40/P3smVbmc4+D6rJ8AA+Y4XnMViI68Ky6/WggxeW8y8NpUxM7SdpHoSZFeqiuK
  N+Rkyx4syml0HLzOgycdQd4OPL6qi405M95Ft8no9IZEuQ+zAV7hdrs0lo31wvuX
  jcpdcrgxxfhcjwfqh3ghh8jdxbbjbzwxplek/g+lbfuefd128cycs+hmgiluhpla
  hx2pun7kr8zhsydylozyyp9lkftsfp4mawil9kkprzzc53yeojbphdnj+tebbqgk
  /mtd/62iriq/q6qiggulradbdmspj8c428scaweaaabamd4gcsqgsib3dqejdjex
  MC8wHQYDVR0OBBYEFFOMSraujQu2wX4YZwHw1LM4nlCFMA4GA1UdDwEB/wQEAwIB
  9jANBgkqhkiG9w0BAQUFAAOCAQEAN7vwlvEY3NX9qXEBst3OKQxVVF67X5rYsMZU
  NNgv5uKEkSKGIx3kaN97vO0hC7wmiLRYO9u4ZgJ5m96sk7E9LeZcjvWo48TMPEYf
  WZMVSWGYeXdgNwdAA1/DjTuP4sqBV49qPmY71ASmaC359kr7qlPIgs27J65uAcJI
  jf5ovqjrh/vv/p3uu972hsplafbhvsievdplyykqvgybmttj7/n98xufhwj038yp
  V9YX/3XnDbVmc3xwrEKc7j5P5J3JajTSb5cdkgyNRLQMFjCA+Z+JuQiC+FoCRJ5c
  JF8PPz0yPChiJ2kVcq4ShnKYBBwIWu0qLlYxckU0xOLLXJYSQw==
  -----END NEW CERTIFICATE REQUEST-----
  ******************************** Bottom of Data ********************************

RACDCERT Command Examples
4. The certifying authority validates the request, approves it, signs it, and sends the SIGNED certificate back to the requestor.
5. The requestor receives the certificate into a data set, WWW.SERVER.CERT.
6. Replace the self-signed certificate with the certificate signed by the CA:
     RACDCERT ID(WEBSRV) ADD('WWW.SERVER.CERT') WITHLABEL('www.go2vanguard.com')
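Added example, not from the slides: Python that does what a practitioner does with the "BASE64 cert" listing before pasting it into the e-mail to the CA: pull the PEM block out of the ISPF "Top of Data" / "Bottom of Data" listing, base64-decode it, and walk the DER structure so that the subject name (the fields of the "X.509 Digital Certificates" slide) and the signature algorithm can be checked against what was typed into SUBJECTSDN. Base64 is case-sensitive, and several lines of the request reproduced on the slide have had their letter case altered in extraction, so the example builds its own PKCS#10-shaped sample request (with zero placeholders for the key and signature) instead of using the slide's; the encoder, the sample subject and the helper names are assumptions.

```python
import base64
import re

# --- minimal DER encoder, used only to construct the sample request below ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def der_attr(oid, value):                 # SET { SEQUENCE { type, PrintableString value } }
    return tlv(0x31, tlv(0x30, der_oid(oid) + tlv(0x13, value.encode("ascii"))))

def build_sample_request():
    """Constructed PKCS#10-shaped request; the key and signature are zero placeholders."""
    subject = tlv(0x30, der_attr("2.5.4.6", "US")
                  + der_attr("2.5.4.10", "Vanguard Integrity Professionals")
                  + der_attr("2.5.4.3", "www.go2vanguard.com"))
    rsa = tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" + bytes(8)))
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki)                # version 0
    sha256_rsa = tlv(0x30, der_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    return tlv(0x30, info + sha256_rsa + tlv(0x03, b"\x00" + bytes(8)))

def as_ispf_listing(der, label="NEW CERTIFICATE REQUEST"):
    """Wrap DER the way the GENREQ data set looks when browsed: base64 lines inside ISPF banners."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["***** Top of Data *****", f"-----BEGIN {label}-----", *lines,
                      f"-----END {label}-----", "***** Bottom of Data *****"])

SAMPLE_LISTING = as_ispf_listing(build_sample_request())   # constructed, not the slide's request

# --- the checks a practitioner runs before sending the request to the CA ---
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(listing):
    """Extract the PEM block and decode it. validate=True rejects stray characters; case
    damage survives decoding (base64 is case-sensitive) and shows up as malformed DER."""
    m = PEM_RE.search(listing)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()), validate=True)

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x05: "NULL", 0x06: "OID", 0x0C: "UTF8String",
             0x13: "PrintableString", 0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_walk(data, depth=0):
    """Return [(depth, tag name, value)] for every element; ValueError on malformed input."""
    items, i = [], 0
    try:
        while i < len(data):
            tag, length = data[i], data[i + 1]
            i += 2
            if length & 0x80:                              # long-form length
                n = length & 0x7F
                length = int.from_bytes(data[i:i + n], "big")
                i += n
            content = data[i:i + length]
            if len(content) != length:
                raise ValueError("truncated element")
            i += length
            name = TAG_NAMES.get(tag, f"tag 0x{tag:02X}")
            if tag & 0x20:                                 # constructed: descend
                items.append((depth, name, None))
                items.extend(der_walk(content, depth + 1))
            elif tag == 0x02:
                items.append((depth, name, int.from_bytes(content, "big")))
            elif tag == 0x06:
                items.append((depth, name, decode_oid(content)))
            elif tag in (0x0C, 0x13, 0x17):
                items.append((depth, name, content.decode("ascii")))
            else:
                items.append((depth, name, content.hex()))
    except (IndexError, UnicodeDecodeError) as exc:
        raise ValueError(f"not well-formed DER: {exc}") from None
    return items

ATTR = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.10": "O", "2.5.4.11": "OU"}

def subject_dn(outline):
    """Join attribute type/value pairs in the order they appear, e.g. 'C=US, O=..., CN=...'."""
    parts, pending = [], None
    for _depth, name, value in outline:
        if name == "OID" and value in ATTR:
            pending = ATTR[value]
        elif pending and name in ("PrintableString", "UTF8String"):
            parts.append(f"{pending}={value}")
            pending = None
    return ", ".join(parts)

def check_request(listing):
    """Confirm the listing decodes, is one outer SEQUENCE, and carries the expected subject."""
    label, der = pem_to_der(listing)
    outline = der_walk(der)
    if not outline or outline[0][1] != "SEQUENCE":
        raise ValueError("outer element is not a SEQUENCE")
    oids = [v for _, n, v in outline if n == "OID"]
    return {"label": label, "length": len(der), "subject": subject_dn(outline),
            "signature_algorithm": oids[-1] if oids else None}

if __name__ == "__main__":
    for depth, name, value in der_walk(pem_to_der(SAMPLE_LISTING)[1]):
        print("  " * depth + name, "" if value is None else value)
    print(check_request(SAMPLE_LISTING))
```

Running it prints the indented outline (SEQUENCE, INTEGER 0, the subject SET/SEQUENCE groups with their OIDs and PrintableStrings, then the algorithm identifiers) and a summary dictionary; the same walker can be pointed at the DER form of a certificate returned by the CA to confirm its subject matches the request before RACDCERT ADD.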
RACDCERT Command Examples
7. Define a RACF key ring for the server:
     RACDCERT ID(WEBSRV) ADDRING(WEBRING)
8. Connect the certificate to the server's key ring and mark it as the default certificate:
     RACDCERT ID(WEBSRV) CONNECT(LABEL('www.go2vanguard.com') RING(WEBRING) DEFAULT)
- When in doubt, connect the ID(userid) or SITE certificate as DEFAULT. Some services, such as CICS, do not have the ability to select a certificate by label name and must use the DEFAULT keyword.
- Do not connect CERTAUTH certificates as DEFAULT.

RACF Commands for Digital Certificates
RACDCERT Commands: Working with Certificates
- GENCERT (generate certificate)
- GENREQ (generate request)
- ADD (add certificate)
- ALTER (alter certificate)
- REKEY (rekey certificate)
- ROLLOVER (rollover certificate)
- DELETE (delete certificate)
- CHECKCERT (check certificate)
- EXPORT (export certificate package)
- IMPORT (import certificate)
- LIST (list certificate)

RACDCERT Commands: Working with Rings
- LISTRING (list key ring)
- ADDRING (add key ring)
- DELRING (delete key ring)
- CONNECT (connect a certificate to a key ring)
- REMOVE (remove a certificate from a key ring)
Working with Mapping
- MAP (create mapping)
- ALTMAP (alter mapping)
- DELMAP (delete mapping)
- LISTMAP (list mapping)

RACDCERT GENCERT
  RACDCERT GENCERT [ (request-data-set-name) ]
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ SUBJECTSDN( [ CN('common-name') ] [ T('title') ]
                  [ OU('organizational-unit-name1', 'organizational-unit-name2', ...) ]
                  [ O('organization-name') ] [ L('locality') ] [ SP('state-or-province') ] [ C('country') ] ) ]
    [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ WITHLABEL('label-name') ]
    [ SIGNWITH( [ CERTAUTH | SITE ] LABEL('label-name') ) ]
    [ SIZE(key-size) ]
    [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | DSA | NISTECC | BPECC | FROMICSF(pkds-label) } ]
    [ KEYUSAGE( [ CERTSIGN ] [ DATAENCRYPT ] [ DOCSIGN ] [ HANDSHAKE ] [ KEYAGREE ] ) ]
    [ ALTNAME( [ IP(numeric-IP-address) ] [ DOMAIN('internet-domain-name') ] [ EMAIL('email-address') ] [ URI('universal-resource-identifier') ] ) ]

GENCERT examples
Certificate Authority certificate:
  RACDCERT GENCERT CERTAUTH SUBJECTSDN( -
    OU('Vanguard DEMO CERTIFICATE AUTHORITY') -
    O('Vanguard Demo Systems') C('US')) -
    WITHLABEL('Local RACF PKI CA') -
    NOTAFTER(DATE(2020-01-01))
Server certificate:
  RACDCERT GENCERT ID(FTPD) SUBJECTSDN(CN('172.16.20.121') O('Vanguard Integrity Professionals') C('US')) SIZE(1024) WITHLABEL('FTP_Cert') SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))
Site certificate:
  RACDCERT GENCERT SITE SUBJECTSDN(CN('Vanguard.Demo.Systems.Com') O('Vanguard Integrity Professionals') C('US')) SIZE(1024) WITHLABEL('FTP_Cert') SIGNWITH(CERTAUTH LABEL('Local RACF PKI CA'))
RACDCERT GENREQ
  RACDCERT GENREQ(LABEL('WEBSRV_Server_Cert')) ID(WEBSRV) DSN('WEBSRV.SERVER.GENREQ')
The data set then holds the same kind of BASE64 listing shown under "What a BASE64 Cert Looks Like": the ISPF "Top of Data" banner, the -----BEGIN NEW CERTIFICATE REQUEST----- block, and the "Bottom of Data" banner.

RACDCERT ADD
- The certifying authority validates the request, approves it, signs it, and sends the certificate back to the requestor
- The requestor receives the certificate into a data set, WEBSRV.SERVER.CERT
- Replace the self-signed certificate with the certificate signed by the CA:
    RACDCERT ADD('WEBSRV.SERVER.CERT') ID(WEBSRV) WITHLABEL('WEBSRV_Server_Cert')

RACDCERT LIST examples
  RACDCERT <identifier> LIST <options>
List all certificates owned by USER1:
  RACDCERT ID(USER1) LIST
List all CAs:
  RACDCERT CERTAUTH LIST
List all SITE certificates:
  RACDCERT SITE LIST
List the CA certificate with a given label:
  RACDCERT CERTAUTH LIST(LABEL('RSA Secure Server CA'))
Note: only one identifier (USERID, SITE or CERTAUTH) may be used.

RACDCERT ALTER
  RACDCERT <identifier> ALTER(<options>) option()
Change a CA's trust status:
  RACDCERT CERTAUTH ALTER(LABEL('RSA Secure Server CA')) TRUST
Note: CAs delivered by IBM are not marked as trusted. To allow their use, they must be marked trusted and connected to a key ring.
Change an existing label:
  RACDCERT ID(WEBSERV) ALTER(LABEL('www.go2vanguard.com')) NEWLABEL('label')
Note: labels are for ease of administration.
Note: only one identifier (USERID, SITE or CERTAUTH) may be used.

RACDCERT DELETE
  RACDCERT DELETE [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ (LABEL('label-name')) ]
    [ (SERIALNUMBER(serial-number) [ ISSUERSDN('issuer's-dn') ] ) ]
  RACDCERT CERTAUTH DELETE(LABEL('Verisign Class 3 Primary CA'))
Note: you must specify the ID and may identify the certificate by SERIALNUMBER or LABEL. Everything must match exactly, in case and in numbers.

RACDCERT CHECKCERT
  RACDCERT CHECKCERT(data-set-name) [PASSWORD('pkcs12-password')]
  RACDCERT CHECKCERT('TSJC00.GTE.ROOT')
Note: a password is typically required for certificates that carry keys, or for packages.
Output:
  Start Date: 1998/08/12 16:29:00
  End Date:   2018/08/13 15:59:00
  Serial Number:
       >01A5<
  Issuer's Name:
       >CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
       > Corporation.C=US<
  Subject's Name:
       >CN=GTE CyberTrust Global Root.OU=GTE CyberTrust Solutions, Inc..O=GTE<
       > Corporation.C=US<
  Key Type: RSA
  Key Size: 1024
RACDCERT EXPORT
Export the local CA certificate to a data set:
  RACDCERT EXPORT(LABEL('Local_RACF_CA')) CERTAUTH DSN('TSJC00.Local.RACF.CA')
Caution: if you use passwords you must remember them.
Hint: use the CER/DER format for CERTAUTH certificates.

RACDCERT REKEY
  RACDCERT REKEY(LABEL('existing-label-name'))
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    [ SIZE(key-size) ]
    [ NOTBEFORE( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ NOTAFTER( [ DATE(yyyy-mm-dd) ] [ TIME(hh:mm:ss) ] ) ]
    [ { PCICC [ (pkds-label | *) ] | ICSF [ (pkds-label | *) ] | NISTECC | BPECC } ]
    [ WITHLABEL('to-be-created-label-name') ]
A lot like GENCERT, isn't it?

RACDCERT ROLLOVER
  RACDCERT ROLLOVER(LABEL('old-label-name'))
    [ ID(certificate-owner) | SITE | CERTAUTH ]
    NEWLABEL('new-label-name') [ FORCE ]
  RACDCERT ROLLOVER(LABEL('Local_RACF_CA')) CERTAUTH NEWLABEL('Local.RACF.CA.NEW')
What would you do next?

RACF Commands for Digital Certificates: Rings

RACDCERT ADDRING
Define a RACF key ring for ID TN3270:
  RACDCERT ADDRING(TSORING) ID(TN3270)
- Remember: you must define (add) the ring before using it
- Do not ADDRING for CERTAUTH or SITE
- RACF has two virtual rings that are always available: *AUTH* and *SITE*

RACDCERT CONNECT
  RACDCERT [ID(ring-owner)] CONNECT( [ID(certificate-owner) | SITE | CERTAUTH] LABEL('label-name') RING(ring-name) [DEFAULT] [USAGE(PERSONAL | SITE | CERTAUTH)] )
When in doubt, use DEFAULT for PERSONAL.

RACDCERT LISTRING
  RACDCERT ID(FTPD) LISTRING(RINGNAME)
  RACDCERT ID(FTPD) LISTRING(*)
You cannot LISTRING for SITE or CERTAUTH:
  IRRD120I Incorrect use of SITE. A Site Certificate cannot own a key ring.
Their rings are virtual and always exist.

RACDCERT REMOVE
  RACDCERT REMOVE( [ID(certificate-owner) | SITE | CERTAUTH] LABEL('label-name') RING(ring-name) ) [ ID(ring-owner) ]
  RACDCERT ID(TN3270) REMOVE(LABEL('TN3270_CERT') RING(TSORING))
  RACDCERT ID(TN3270) REMOVE(CERTAUTH LABEL('LOCAL_RACF_PKI_CERT') RING(TSORING))
Vanguard Administrator and Digital Certificates
(The slides in this section are screenshots of Vanguard Administrator panels; the slide titles and the comparable RACF commands are kept below.)

Administrator and Digital Certificates
- Set Defaults
- Default uses VDMOPT00 in VANOPTS
- VDMOPT00 in VANOPTS
- Customized for Individual User
- View Certificates
- View User and Site Certificates: no RACDCERT command parameter is available to get this report
- Use of CMD Column Commands
- List User Profile Certificate Information
- Profile Certificate Information
- View Ring Information
- View Rings with Certificates: no RACDCERT command parameter is available to get this report
- 1 Ring with 2 Certificates
- Switch to Live for Additional Options
- Create a User Certificate
- Create a Keyring for a Server
  Comparable RACF command: RACDCERT ID(itserver) ADDRING(itring)
- Create a Server Certificate
  Comparable RACF command: RACDCERT ID(ITSERVER) GENCERT SUBJECTSDN(CN('go2vanguard.com') OU('Information Technology Dept') O('Vanguard Integrity Professionals') C('USA')) WITHLABEL('IT_Server_Cert')
- Create a Certificate Request
  Comparable RACF command: RACDCERT ID(JOHNC) GENREQ(LABEL('test')) DSN('JOHNC.GENREQ')
- Importing the Signed Cert / Create CA Signed Certificate
  Comparable RACF command (the slide shows no function keyword): RACDCERT ID(ITSERVER) WITHLABEL('IT_Server_Cert') DSN('ITSERVER.GENREQ')
- Connect CA Signed Certificate to Ring
  Comparable RACF command: RACDCERT ID(ITSERVER) CONNECT(LABEL('IT_Server_CA_Cert') RING(itring) DEFAULT)
- Export the non-CA ITSERVER Certificate
  Comparable RACF command: RACDCERT EXPORT(LABEL('IT_Server_Cert')) DSN('ITSERVER.CERT') FORMAT(PKCS12DER)
- Evaluate a Certificate on a Data Set
  Comparable RACF command: RACDCERT CHECKCERT('ITSERVER.CERT') PASSWORD('DANDYDON')
- Delete the non-CA Certificate
  Comparable RACF command: RACDCERT DELETE(LABEL('IT_Server_Cert'))

Vanguard Advisor and Digital Certificates
(Report screenshots; slide titles kept below.)
- Advisor Reporting for Digital Certificates
- RACF Command Summary Report
- RACF Commands by Userid Report
- Advisor RACDCERT Command
- RACF Command Detail Report
- Resource Access Summary Report
- Resource Access Detail Report

Resources
- Security Server RACF Security Administrator's Guide, chapter "RACF and Digital Certificates"
- Security Server RACF Command Language Reference, see the RACDCERT command
- Implementing PKI Services on z/OS (Redbook SG24-6968): http://www.redbooks.ibm.com/abstracts/sg246968.html?open
- RACF Home Page: http://www-03.ibm.com/systems/z/os/zos/features/racf/