Sharing a user certificate among multiple user IDs
SMP/E for z/OS User's Guide (SA23-2277-01)
It is possible for multiple users to share a single user certificate
obtained from ShopzSeries. To do so, you must first create a key ring,
enable the CA certificate, and add the user certificate to your RACF® database as explained in
the preceding topics. Assume that user ID USER1 is associated with
the key ring and is the owner of the user certificate. To allow user ID
USER2 to share the user certificate, you must give USER2 permission to
read other users' key rings and certificates. You can
use the following RACF commands:
Permitting USER2 UPDATE access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class is not a security exposure. It is true that USER2 will then be able to read anyone's key ring. However, that only allows USER2 to extract and use the certificates in those key rings; it does not allow use of the private keys associated with those certificates. Therefore, USER2 cannot masquerade as another user ID.

After USER2 has the appropriate permission, in order for USER2
to use the certificate for the SMP/E RECEIVE ORDER command, you must
ensure SMP/E finds the certificate in the correct key ring when running
the command. To do this, USER2 must specify not only the key ring
name, but also the user ID associated with the key ring, USER1, on
the keyring attribute in the ORDERSERVER
data set for the RECEIVE ORDER command as follows:
See "Defining the ORDERSERVER input for RECEIVE ORDER" for further information about the keyring attribute and the ORDERSERVER data set.
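The two steps of this topic (the RACF permission and the keyring attribute that points SMP/E at USER1's ring) as one worked example. This is added illustration JCL, not part of the original page and not one of IBM's sample jobs. The profile name IRR.DIGTCERT.LISTRING, the access level UPDATE and the user IDs USER1 and USER2 are taken from the text; the key ring name SMPEKEYRING, the certificate label, the global CSI data set name, the SMPNTS path, the order server URL and the userid/ringname form of the keyring attribute are assumptions for illustration, so check each against your site and against the ORDERSERVER topic referenced above.

```jcl
//*-------------------------------------------------------------------
//* JOB 1: run once by the RACF security administrator.
//* Gives USER2 UPDATE access to IRR.DIGTCERT.LISTRING, which lets
//* USER2 read other users' key rings (certificates, not private keys).
//* RDEFINE fails if the profile already exists; check first with
//*   RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
//* UPDATE is the minimum that covers this task; do not grant CONTROL.
//*-------------------------------------------------------------------
//RACFPERM JOB (ACCT),'SHARE SMPE CERT',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)
 PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(USER2) ACCESS(UPDATE)
 SETROPTS RACLIST(FACILITY) REFRESH
/*
//*-------------------------------------------------------------------
//* JOB 2: run by USER2.
//* Step CHKRING lists USER1's ring; this needs the UPDATE access
//* granted above, so a non-zero return code here means the PERMIT is
//* not effective yet and the RECEIVE step is skipped (COND).
//* IKJEFT1B is used rather than IKJEFT01 so that the command's return
//* code becomes the step return code.
//* Step RECEIVE runs RECEIVE ORDER with the keyring attribute written
//* as userid/ringname (assumed syntax), so SMP/E opens USER1's ring
//* instead of looking for a ring named SMPEKEYRING under USER2.
//* CONTENT(HOLDDATA) keeps the first run small. Other SMP/E data
//* sets (SMPLOG and so on) are assumed to come from DDDEF entries in
//* the global zone; a CLIENT DD (proxy settings) is omitted and must
//* be added if your site needs one.
//*-------------------------------------------------------------------
//SMPERCV  JOB (ACCT),'RECEIVE ORDER',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//CHKRING  EXEC PGM=IKJEFT1B
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT ID(USER1) LISTRING(SMPEKEYRING)
/*
//RECEIVE  EXEC PGM=GIMSMP,COND=(0,NE)
//SMPCSI   DD DSN=SMPE.GLOBAL.CSI,DISP=SHR
//SMPNTS   DD PATH='/u/smpe/smpnts/',PATHDISP=KEEP
//SMPOUT   DD SYSOUT=*
//SMPRPT   DD SYSOUT=*
//SMPLIST  DD SYSOUT=*
//ORDERSERVER DD *
<ORDERSERVER
  url="https://eccgw01.boulder.ibm.com/services/projects/ecc/ws/"
  keyring="USER1/SMPEKEYRING"
  certificate="ShopzSeries Certificate">
</ORDERSERVER>
/*
//SMPCNTL  DD *
  SET BOUNDARY(GLOBAL).
  RECEIVE ORDER(CONTENT(HOLDDATA)).
/*
```

The RACDCERT LISTRING step is the quickest way to confirm the grant before involving SMP/E: if USER2 can list USER1's ring, the FACILITY permission is in place and any remaining RECEIVE ORDER failure is a keyring attribute or network problem rather than a RACF one. Because UPDATE on IRR.DIGTCERT.LISTRING applies to every key ring on the system, a site that wants USER2 limited to USER1's ring alone can look at ring-specific profiles in the RDATALIB class (named ringowner.ringname.LST); that option is outside this page and depends on your RACF level, so check your RACF Security Administrator's Guide before relying on it.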
Copyright IBM Corporation 1990, 2014