z/OS Security Server RACF Security Administrator's Guide


Steps for preparing RACF to verify signed programs (one-time setup)

SA23-2289-00

By performing these steps, you prepare RACF® to verify signatures. However, RACF does not begin verifying the signatures of your programs until you complete Steps for verifying a signed program.

Before you begin: You will need assistance from your system programmer to complete Step 8.

Perform the following steps to prepare RACF to verify signed programs. Complete these steps one time only.

  1. Create a key ring for your installation to use for signature verification. Specify the ring name of your choice.
    Example:
    RACDCERT ID(RACFADM) ADDRING(CODE.SIGNATURE.VERIFICATION.KEYRING)

    Rule: Specify only uppercase characters in the key ring name. This is because you must specify the ring name in the APPLDATA field of the FACILITY profile you create in Step 4.

    Guideline: Do not skip this step in order to use the virtual CERTAUTH key ring instead. For best performance, define your signature verification ring by issuing a RACDCERT ADDRING command.

    ______________________________________________________________________

  2. Add the TRUST attribute to the code-signing CA certificate that is supplied with RACF.
    Example:
    RACDCERT CERTAUTH ALTER(LABEL('STG Code Signing CA')) TRUST
    If the DIGTCERT class is RACLISTed, refresh the in-storage profiles:
    SETR RACLIST(DIGTCERT) REFRESH

    ______________________________________________________________________

  3. Add the code-signing CA certificate that is supplied with RACF to the key ring you created in Step 1.
    Example:
    RACDCERT ID(RACFADM) CONNECT(CERTAUTH LABEL('STG Code Signing CA')
      RING(CODE.SIGNATURE.VERIFICATION.KEYRING))

    ______________________________________________________________________

  4. Create a FACILITY class profile that specifies the name of the key ring you created in Step 1.
    Example:
    RDEFINE FACILITY IRR.PROGRAM.SIGNATURE.VERIFICATION
      APPLDATA('RACFADM/CODE.SIGNATURE.VERIFICATION.KEYRING')

    ______________________________________________________________________

  5. Activate your profile changes in the FACILITY class, as follows.
    • If the FACILITY class is not already active, activate and RACLIST the FACILITY class.
      Example:
      SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
    • If the FACILITY class is already active and RACLISTed, refresh the FACILITY class.
      Example:
      SETROPTS RACLIST(FACILITY) REFRESH

    ______________________________________________________________________

  6. Create a PROGRAM class profile to control the program verification module called IRRPVERS and specify the signature verification options.
    Example:
    RDEFINE PROGRAM IRRPVERS ADDMEM('SYS1.SIEALNKE'//NOPADCHK) UACC(READ)
      SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) SIGAUDIT(ANYBAD))

    ______________________________________________________________________

  7. Activate your profile changes in the PROGRAM class, as follows.
    • If the PROGRAM class is not already active, activate the PROGRAM class.
      Example:
      SETROPTS WHEN(PROGRAM)
    • If the PROGRAM class is already active, refresh the PROGRAM class.
      Example:
      SETROPTS WHEN(PROGRAM) REFRESH

    ______________________________________________________________________

  8. Contact your system programmer to complete this step.
    1. Notify your system programmer to initialize program signature verification by running the IRRVERLD program. The IRRVERLD program loads and verifies the program verification module (IRRPVERS) and must be run on all systems in a sysplex.

      For programming information, see "Initializing RACF verification of signed programs (IRRVERLD)" in z/OS Security Server RACF System Programmer's Guide.

    2. Check with your system programmer to ensure that IRRVERLD successfully completed. If it did not, work with your system programmer to resolve error messages and then rerun.
    3. (Optional) Ensure that your system programmer enables caching for program signature verification using the virtual lookaside facility (VLF) and restarts VLF. This avoids increased load times for signed programs.

      For programming information, see "VLF considerations for program signature verification" in z/OS Security Server RACF System Programmer's Guide.

    ______________________________________________________________________

When the IRRVERLD program successfully executes, you have completed the one-time setup to prepare RACF to verify signed programs. To begin verifying one of your own signed programs, proceed to Steps for verifying a signed program.
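One way to confirm what Steps 1 through 7 left in place before handing off Step 8, as an added example that is not part of this guide: a batch TSO job that issues read-only listings for each object the steps create. The ring owner RACFADM, the ring name and the profile names are taken from the examples above; the job card values are placeholders for your installation's standards.

```jcl
//RACFVRFY JOB (ACCT),'CHECK SIGVER SETUP',CLASS=A,MSGCLASS=X
//* Added example, not from the IBM page: read-only listings that
//* confirm the one-time setup. Assumes ring owner RACFADM and the
//* ring and profile names used in the steps; the job card values
//* are placeholders.
//*
//* LISTRING       - Steps 1 and 3: ring exists, CA cert connected
//* LIST           - Step 2: CA certificate carries the TRUST status
//* RLIST FACILITY - Steps 4 and 5: APPLDATA names owner/ring
//* RLIST PROGRAM  - Steps 6 and 7: SIGVER options are recorded
//* SETROPTS LIST  - FACILITY active and RACLISTed, WHEN(PROGRAM) on
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RACDCERT ID(RACFADM) LISTRING(CODE.SIGNATURE.VERIFICATION.KEYRING)
 RACDCERT CERTAUTH LIST(LABEL('STG Code Signing CA'))
 RLIST FACILITY IRR.PROGRAM.SIGNATURE.VERIFICATION ALL
 RLIST PROGRAM IRRPVERS ALL
 SETROPTS LIST
/*
```

Review SYSTSPRT for the TRUST status on the certificate, the owner/ring string in APPLDATA, and the SIGVER options on IRRPVERS; a missing or refreshed-but-stale entry points back to the corresponding step.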

Copyright IBM Corporation 1990, 2014