Authorizing administrative functions
z/OS Cryptographic Services PKI Services Guide and Reference SA23-2286-00
The administrative functions are:
There are two ways that you can control access to these
functions:
Using the FACILITY class to control access to administrative functions
For all the administrative functions, the following single FACILITY class
resource protects this interface.
Example: For administrative
functions, when the ca_domain is named Customers and
the CA_domain parameter is provided with IRRSPX00,
the FACILITY class resource controlling this interface is IRR.RPKISERV.PKIADMIN.CUSTOMER.
(The name Customers was truncated to CUSTOMER. See
the restriction for the ca_domain value.)
When the CA_domain parameter is not provided with
IRRSPX00, IRR.RPKISERV.PKIADMIN is the name of the FACILITY class
resource.
To determine the appropriate access level of the caller, the current TCB is checked for an ACEE. If one is found, the authority of that user is checked. If there is no ACEE associated with the current TCB, the ACEE associated with the address space is used to locate the user ID.
Attention: UPDATE access to the IRR.RPKISERV.PKIADMIN[.ca_domain]
resource also controls who can act as PKI Services administrators.
PKI Services administrators play a very powerful role in your organization.
The decisions they make when managing certificates and certificate
requests determine who will access your computer systems and what
privileges they will have when doing so.
Guideline: Give UPDATE authority to only highly
trusted individuals, but avoid allowing these same individuals to
have direct access to the end-user functions of the R_PKIServ callable
service described in Authorizing end-user functions. This
helps to maintain a secure separation of duties.
Using the PKISERV class to control access to administrative functions
You can use profiles in the PKISERV class to control access to R_PKIServ administrative functions on a more granular level than you can with profiles in the FACILITY class. If the AdminGranularControl switch in the pkiserv.conf configuration file is set to T, profiles in the PKISERV class are checked in addition to profiles in the FACILITY class to determine authorization to these functions. If no profile is found protecting a function, authorization to the function fails. In order to use the PKISERV class,
you need to take the following steps:
For
the query functions (QUERYREQS, QUERYCERTS, REQDETAILS, and CERTDETAILS),
the resources in the PKISERV class are of the form:
where
Example: An
administrator has either READ or UPDATE access to the FACILITY class
profile IRR.RPKISERV.PKIADMIN.MYDOMAIN and also has
READ access to the PKISERV class profiles MYDOMAIN.QUERYREQS.1YBSSL and MYDOMAIN.QUERYCERTS.1YBSSL.
That administrator can perform QUERYREQS and QUERYCERTS functions
on the requests and certificates created with the template '1-Year
PKI SSL Browser Certificate' in the domain MYDOMAIN. If that same
administrator does not have READ or UPDATE access to the PKISERV class
profile MYDOMAIN.QUERYREQS.5YSSSL, that administrator
would not be able to perform QUERYREQS functions on requests created
with the template '5-Year PKI SSL Server Certificate' in the same
domain.
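The MYDOMAIN example above, modelled in Python as an added illustration (not IBM code and not part of the original page) that can be used to reason about a planned set of profiles before defining them. Assumptions: the user ID ADMIN1 and the profile dictionaries are constructed, the domain qualifier is the 8-character uppercase form inferred from the Customers example, a missing FACILITY profile is treated as no access, and only discrete profile names are modelled.

```python
# Added illustration of the checks this page describes; not IBM code.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2}
QUERY_FUNCTIONS = {"QUERYREQS", "QUERYCERTS", "REQDETAILS", "CERTDETAILS"}

def domain_qualifier(ca_domain):
    # Assumption: 8-character uppercase form, inferred from the page's
    # example in which Customers becomes CUSTOMER.
    return ca_domain[:8].upper()

def facility_resource(ca_domain=None):
    """FACILITY class resource that guards the administrative interface."""
    base = "IRR.RPKISERV.PKIADMIN"
    return f"{base}.{domain_qualifier(ca_domain)}" if ca_domain else base

def may_query(user, function, ca_domain, nickname, facility, pkiserv,
              admin_granular_control):
    """Return (allowed, reason) for one query function on one template.

    facility and pkiserv map a discrete resource name to {user: access};
    a missing name means no profile protects that resource.
    """
    if function not in QUERY_FUNCTIONS:
        raise ValueError(f"{function} is not a query function")
    fac_name = facility_resource(ca_domain)
    # Assumption: a missing FACILITY profile is treated as no access.
    fac_access = facility.get(fac_name, {}).get(user, "NONE")
    if LEVELS[fac_access] < LEVELS["READ"]:
        return False, f"no READ or UPDATE access to FACILITY {fac_name}"
    if not admin_granular_control:
        return True, "FACILITY check only (AdminGranularControl not T)"
    # Name shape taken from the page's example: MYDOMAIN.QUERYREQS.1YBSSL
    pki_name = f"{domain_qualifier(ca_domain)}.{function}.{nickname}"
    if pki_name not in pkiserv:
        return False, f"no PKISERV profile protects {pki_name}"
    if LEVELS[pkiserv[pki_name].get(user, "NONE")] < LEVELS["READ"]:
        return False, f"no READ access to PKISERV {pki_name}"
    return True, f"FACILITY {fac_name} and PKISERV {pki_name} both allow"

# Constructed profile data mirroring the page's MYDOMAIN example.
FACILITY = {"IRR.RPKISERV.PKIADMIN.MYDOMAIN": {"ADMIN1": "READ"}}
PKISERV = {
    "MYDOMAIN.QUERYREQS.1YBSSL": {"ADMIN1": "READ"},
    "MYDOMAIN.QUERYCERTS.1YBSSL": {"ADMIN1": "READ"},
}

if __name__ == "__main__":
    for nick in ("1YBSSL", "5YSSSL"):
        print(nick, may_query("ADMIN1", "QUERYREQS", "MyDomain", nick,
                              FACILITY, PKISERV, True))
```

With the granular switch on, the 5YSSSL query is refused because no PKISERV profile covers it; with the switch off, the same query passes on the FACILITY check alone, which shows how much the switch narrows an administrator's reach.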
For the update functions (MODIFYREQS, MODIFYCERTS,
and PREREGISTER), the resources in the PKISERV class are of the form:
where
Examples:
Copyright IBM Corporation 1990, 2014