Protecting end-user functions
z/OS Cryptographic Services PKI Services Guide and Reference (SA23-2286-00)
You must first determine who your end-users are and how they will be using their certificates. In general there are two categories of end-users:
When PKI Services is called, the unit of work has some identity (user ID) associated with it. For external customers, a surrogate user ID is necessary.

Guideline: Although under certain circumstances it might be beneficial for internal clients to access PKI Services under their own identities, your implementation will be simpler if you use surrogate user IDs for internal clients as well.

Use the RACF® ADDUSER command to create the surrogate user ID (PKISERV). Give it an OMVS segment because it needs access to z/OS UNIX.

Guideline: Define the surrogate user ID with the PROTECTED and RESTRICTED attributes.

The R_PKIServ SAF callable service is protected by FACILITY class resources of the form IRR.RPKISERV.function[.ca_domain], where function is one of the following and ca_domain is an optional CA domain name. (Specify ca_domain when your installation has established multiple PKI Services CAs.) The R_PKIServ functions are:
Create these resources and give the PKISERV user ID either READ or CONTROL access to them. CONTROL access bypasses the subsequent resource checks described next.

Additional FACILITY class resources of the form IRR.DIGTCERT.function protect the actual certificate generation and retrieval functions. If the subsequent resource checks are not being bypassed (that is, PKISERV has only READ access to the IRR.RPKISERV resources), define these resources and grant access to them as well.

There are two ways to handle certificate approval:
Finally, because the Web server will be switching identities to PKISERV, you must give it surrogate permission. This is done by creating another resource in the SURROGAT class (BPX.SRV.PKISERV) and giving the Web server daemon user ID READ access to it.
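The steps above, put together as one RACF command sequence. This is an added example, not taken from the guide: the web server daemon user ID WEBSRV, the UID, default group and home directory are assumptions, and the IRR.RPKISERV and IRR.DIGTCERT function names shown are a subset chosen from the service's documented functions, not the guide's full list. PKISERV gets READ rather than CONTROL on the IRR.RPKISERV resources, so the IRR.DIGTCERT checks still apply.

```tso
/* Added example, not from the guide. Assumed names: WEBSRV (web server */
/* daemon user ID), UID 12345, default group SYS1, home /var/pkiserv.   */

/* 1. Surrogate user ID with an OMVS segment. NOPASSWORD (with the      */
/*    default NOOIDCARD/NOPHRASE) makes it PROTECTED: it cannot be used  */
/*    to log on. RESTRICTED keeps it from picking up UACC or ID(*)       */
/*    access it was never explicitly granted.                            */
ADDUSER PKISERV NOPASSWORD RESTRICTED DFLTGRP(SYS1)                     +
   NAME('PKI SERVICES SURROGATE')                                       +
   OMVS(UID(12345) HOME('/var/pkiserv') PROGRAM('/bin/sh'))

/* 2. R_PKIServ function resources (single CA, so no .ca_domain suffix). */
/*    UACC(NONE): no one reaches the service without an explicit permit. */
RDEFINE FACILITY IRR.RPKISERV.REQCERT UACC(NONE)
RDEFINE FACILITY IRR.RPKISERV.GENCERT UACC(NONE)
RDEFINE FACILITY IRR.RPKISERV.EXPORT  UACC(NONE)

/*    READ, not CONTROL, so the IRR.DIGTCERT checks in step 3 still run. */
PERMIT IRR.RPKISERV.REQCERT CLASS(FACILITY) ID(PKISERV) ACCESS(READ)
PERMIT IRR.RPKISERV.GENCERT CLASS(FACILITY) ID(PKISERV) ACCESS(READ)
PERMIT IRR.RPKISERV.EXPORT  CLASS(FACILITY) ID(PKISERV) ACCESS(READ)

/* 3. Because CONTROL was not granted, the certificate generation and    */
/*    retrieval resources are checked as well; define and permit them.   */
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.EXPORT  UACC(NONE)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(PKISERV) ACCESS(READ)
PERMIT IRR.DIGTCERT.EXPORT  CLASS(FACILITY) ID(PKISERV) ACCESS(READ)

/* 4. Let the web server daemon switch identity to PKISERV, and only     */
/*    to PKISERV: the SURROGAT profile names the target user ID.         */
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
RDEFINE SURROGAT BPX.SRV.PKISERV UACC(NONE)
PERMIT BPX.SRV.PKISERV CLASS(SURROGAT) ID(WEBSRV) ACCESS(READ)

/* 5. Make the in-storage (RACLISTed) profiles reflect the changes.      */
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(SURROGAT) REFRESH
```

Run the commands from a user ID with SPECIAL or the appropriate class authority, and add one IRR.RPKISERV and IRR.DIGTCERT profile per function your installation actually exposes.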
Copyright IBM Corporation 1990, 2014