By performing these steps, you prepare RACF® to verify signatures. However, RACF does not begin verifying the
signatures of your programs until you complete Steps for verifying a signed program.
Before you begin: You will need assistance from your system programmer to complete Step 8.
Perform the following steps to prepare RACF to verify signed programs. Complete these steps one time only.
1. Create a key ring for your installation to use for signature verification. Specify a ring name of your choice.
   Example:
   RACDCERT ID(RACFADM) ADDRING(CODE.SIGNATURE.VERIFICATION.KEYRING)
   Rule: Specify only uppercase characters in the key ring name, because you must specify the ring name in the APPLDATA field of the FACILITY profile you create in Step 4.
   Guideline: Do not skip this step in order to rely on the virtual CERTAUTH key ring instead. For best performance, define a dedicated signature verification ring by issuing a RACDCERT ADDRING command.
2. Add the TRUST attribute to the code-signing CA certificate that is supplied with RACF.
   Example:
   RACDCERT CERTAUTH ALTER(LABEL('STG Code Signing CA')) TRUST
   If the DIGTCERT class is RACLISTed, refresh the in-storage profiles:
   SETR RACLIST(DIGTCERT) REFRESH
3. Add the code-signing CA certificate that is supplied with RACF to the key ring you created in Step 1.
   Example:
   RACDCERT ID(RACFADM) CONNECT(CERTAUTH LABEL('STG Code Signing CA')
            RING(CODE.SIGNATURE.VERIFICATION.KEYRING))
4. Create a FACILITY class profile that specifies the name of the key ring you created in Step 1.
   Example:
   RDEFINE FACILITY IRR.PROGRAM.SIGNATURE.VERIFICATION
           APPLDATA('RACFADM/CODE.SIGNATURE.VERIFICATION.KEYRING')
5. Activate your profile changes in the FACILITY class, as follows.
   - If the FACILITY class is not already active, activate and RACLIST the FACILITY class.
     Example:
     SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
   - If the FACILITY class is already active and RACLISTed, refresh the FACILITY class.
     Example:
     SETROPTS RACLIST(FACILITY) REFRESH
6. Create a PROGRAM class profile to control the program verification module, IRRPVERS, and specify the signature verification options.
   Example:
   RDEFINE PROGRAM IRRPVERS ADDMEM('SYS1.SIEALNKE'//NOPADCHK) UACC(READ)
           SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) SIGAUDIT(ANYBAD))
7. Activate your profile changes in the PROGRAM class, as follows.
   - If the PROGRAM class is not already active, activate the PROGRAM class.
     Example:
     SETROPTS WHEN(PROGRAM)
   - If the PROGRAM class is already active, refresh the PROGRAM class.
     Example:
     SETROPTS WHEN(PROGRAM) REFRESH
8. Contact your system programmer to complete this step.
   - Notify your system programmer to initialize program signature verification by running the IRRVERLD program. IRRVERLD loads and verifies the program verification module (IRRPVERS) and must be run on every system in the sysplex.
     For programming information, see "Initializing RACF verification of signed programs (IRRVERLD)" in z/OS Security Server RACF System Programmer's Guide.
   - Check with your system programmer to ensure that IRRVERLD completed successfully. If it did not, work with your system programmer to resolve the error messages and then rerun it.
   - (Optional) Ensure that your system programmer enables caching for program signature verification using the virtual lookaside facility (VLF) and restarts VLF. This avoids increased load times for signed programs.
     For programming information, see "VLF considerations for program signature verification" in z/OS Security Server RACF System Programmer's Guide.
When the IRRVERLD program successfully executes, you have completed
the one-time setup to prepare RACF to
verify signed programs. To begin verifying one of your own signed
programs, proceed to Steps for verifying a signed program.
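The following batch TSO job is an added example, not part of the RACF documentation above, that lists each object the one-time setup creates so you can confirm the result before handing off to the system programmer. It assumes the same RACFADM user ID, key ring name, and certificate label used in the examples above; the JOB card is a placeholder, and the user running it needs the usual RACF authority for RACDCERT LIST/LISTRING, RLIST, and SETROPTS LIST.

```jcl
//RACFCHK  JOB (ACCT),'CHECK SIGVER SETUP',CLASS=A,MSGCLASS=X
//* Added example: list the signature-verification setup from Steps 1-7.
//* RACFADM, the ring name and the certificate label are assumptions
//* taken from the examples above; the JOB card is a placeholder.
//*
//* LISTRING    - Steps 1 and 3: ring exists, CA certificate connected
//* LIST(LABEL) - Step 2: CA certificate shows TRUST status
//* RLIST FAC   - Step 4: APPLDATA is userid/ringname, ring name uppercase
//* RLIST PROG  - Step 6: SIGVER segment shows SIGREQUIRED/FAILLOAD/SIGAUDIT
//* SETROPTS    - Steps 5 and 7: FACILITY RACLISTed, WHEN(PROGRAM) active
//TSOBATCH EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
 RACDCERT ID(RACFADM) LISTRING(CODE.SIGNATURE.VERIFICATION.KEYRING)
 RACDCERT CERTAUTH LIST(LABEL('STG Code Signing CA'))
 RLIST FACILITY IRR.PROGRAM.SIGNATURE.VERIFICATION ALL
 RLIST PROGRAM IRRPVERS SIGVER
 SETROPTS LIST
/*
```

In the SYSTSPRT output, check that the ring lists the 'STG Code Signing CA' certificate with a CERTAUTH owner and TRUST status, that the FACILITY profile's APPLDATA names that ring exactly (case matters, which is why Step 1 requires uppercase), that the PROGRAM profile's SIGVER segment shows the options you chose in Step 6, and that SETROPTS LIST reports FACILITY among the RACLISTed classes and program control (WHEN(PROGRAM)) active. Any mismatch here should be corrected before the system programmer runs IRRVERLD.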