z/OS Cryptographic Services PKI Services Guide and Reference


Authorizing end-user functions

SA23-2286-00

The end-user functions are:
EXPORT
Retrieves (exports) a previously requested certificate, or retrieves (exports) the PKI Services registration authority (RA) certificate or the certificate authority (CA) certificate.
GENCERT
Generates an auto-approved certificate.
GENRENEW
Generates an auto-approved renewal certificate. (The request submitted is automatically approved.)
QRECOVER
Lists certificates whose key pairs were generated by PKI Services under a requestor’s e-mail address and passphrase.
REQCERT
Requests a certificate that an administrator must approve before it is created.
REQRENEW
Requests certificate renewal. The administrator needs to approve the request before the certificate is renewed.
RESPOND
Invokes the PKI OCSP responder.
REVOKE
Revokes a certificate that was previously issued.
SCEPREQ
Generates a certificate request using Simple Certificate Enrollment Protocol (SCEP).
VERIFY
Confirms that a given user certificate was issued by this certificate authority and, if so, returns the certificate fields.

For end-user functions, FACILITY class resources protect this interface. Access authority is based on the user ID for the application (the user ID from the ACEE associated with the address space). To determine the user ID for the application, the current TCB is checked for an ACEE. If one is found, the authority of that user is checked. If there is no ACEE associated with the current TCB, the ACEE associated with the address space is used to locate the user ID.

The form for the FACILITY class resources is:
IRR.RPKISERV.function[.ca_domain]
function
Specifies one of the end-user function names in the preceding list.
ca_domain
Optionally specifies the PKI Services certificate authority (CA) domain name. Use this when your installation has established multiple PKI Services CAs and the CA_domain parameter is provided with IRRSPX00.

Restriction: If the name of your initial CA domain is longer than 8 characters, you must truncate it to exactly 8 characters when you define the resource name in the FACILITY class.

Example: For the GENCERT function, when the ca_domain is named Customers and the CA_domain parameter is provided with IRRSPX00, then the FACILITY class resource controlling the function is IRR.RPKISERV.GENCERT.CUSTOMER. (The name Customers was truncated to CUSTOMER. See the restriction for the ca_domain parameter.) When the CA_domain parameter is not provided with IRRSPX00, the FACILITY class resource is IRR.RPKISERV.GENCERT.

The access authorities you can assign for these FACILITY class resources have the following effects:
NONE
Access is denied.
READ
Access is permitted based on subsequent access checks against the caller's user ID.
UPDATE
Access is permitted based on subsequent access checks against the application's user ID.
CONTROL (or user ID has RACF SPECIAL)
Access is permitted, and no subsequent access checks are made.
Example: If you defined the FACILITY class profile IRR.RPKISERV.GENCERT.CUSTOMER to control access to the GENCERT function on the CA domain named Customers, you can prevent the user ID MYAPP from using the GENCERT function on that CA domain by issuing the command:
PERMIT IRR.RPKISERV.GENCERT.CUSTOMER CLASS(FACILITY) ID(MYAPP) ACCESS(NONE)

For SAF GENCERT and EXPORT requests where the application has READ and UPDATE access, subsequent access checks are performed against the IRR.DIGTCERT.function FACILITY resources. These are identical to the checks the RACDCERT TSO command makes. See z/OS Security Server RACF Command Language Reference for more information.

For PKI Services EXPORT, GENCERT, GENRENEW, QRECOVER, REQCERT, REQRENEW, RESPOND, REVOKE, SCEPREQ, and VERIFY requests in which the application has READ and UPDATE access, subsequent access checks are performed against the IRR.DIGTCERT.function FACILITY resources.

The following table summarizes the access requirements for the user ID whose access is checked.
Table 1. Summary of access authorities required for PKI Services requests
Request Access
EXPORT
  • IRR.DIGTCERT.EXPORT
    • READ access if PassPhrase is specified or if CertID is specified as PKICACERT.
    • UPDATE access if the PassPhrase parameter is not specified with IRRSPX00.
    • CONTROL access if you want to export a PKCS #7 certificate.
GENCERT
  • IRR.DIGTCERT.GENCERT — CONTROL access
  • IRR.DIGTCERT.ADD
    • UPDATE access if any hostIdMappings information is specified in the certificate request parameter list, or if the UserId field in the certificate request parameter list indicates that the certificate is being requested for a user other than the caller
    • READ access otherwise
GENRENEW
  • IRR.DIGTCERT.GENRENEW — READ access
  • IRR.DIGTCERT.GENCERT — CONTROL access
Note: It is assumed that the calling application has already verified the input certificate using the VERIFY function.
QRECOVER
  • IRR.DIGTCERT.QRECOVER — READ access
REQCERT
  • IRR.DIGTCERT.REQCERT — READ access
REQRENEW
  • IRR.DIGTCERT.REQRENEW — READ access
Note: It is assumed that the calling application has already verified the input certificate using the VERIFY function.
RESPOND
  • IRR.DIGTCERT.RESPOND — READ access
REVOKE
  • IRR.DIGTCERT.REVOKE — READ access
Note: It is assumed that the calling application has already verified the target certificate using the VERIFY function.
SCEPREQ
  • IRR.DIGTCERT.SCEPREQ — READ access
VERIFY
  • IRR.DIGTCERT.VERIFY — READ access
Note: It is assumed that the calling application has already verified that the end user possesses the private key that correlates to the input certificate.
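
The following sketch is an added example, not code from IBM or PKI Services. It models the two-stage check described above so that an auditor can list which FACILITY profiles and which user ID a given request depends on. The function names and the for_other_user and host_id_mappings parameters are hypothetical, uppercasing the domain follows the Customers to CUSTOMER example, and the conditional EXPORT rules are not modelled.

```python
# Added example: models the two-stage check this page describes; it does not
# call RACF. Function and parameter names below are hypothetical.
FUNCTIONS = ("EXPORT GENCERT GENRENEW QRECOVER REQCERT REQRENEW "
             "RESPOND REVOKE SCEPREQ VERIFY").split()
# Functions whose Table 1 entry is one READ check on IRR.DIGTCERT.<function>.
READ_ONLY = {"QRECOVER", "REQCERT", "REQRENEW", "RESPOND", "REVOKE",
             "SCEPREQ", "VERIFY"}


def rpkiserv_resource(function, ca_domain=None):
    """Build IRR.RPKISERV.function[.ca_domain] for the first-stage check."""
    function = function.upper()
    if function not in FUNCTIONS:
        raise ValueError(f"not an end-user function: {function}")
    name = f"IRR.RPKISERV.{function}"
    if ca_domain:
        # Truncate to 8 characters (the page's restriction); uppercasing
        # follows the page's Customers -> CUSTOMER example.
        name += "." + ca_domain[:8].upper()
    return name


def digtcert_requirements(function, host_id_mappings=False, for_other_user=False):
    """Table 1 rows as (resource, access) pairs; EXPORT is not modelled."""
    function = function.upper()
    if function in READ_ONLY:
        return [(f"IRR.DIGTCERT.{function}", "READ")]
    if function == "GENRENEW":
        return [("IRR.DIGTCERT.GENRENEW", "READ"),
                ("IRR.DIGTCERT.GENCERT", "CONTROL")]
    if function == "GENCERT":
        add = "UPDATE" if (host_id_mappings or for_other_user) else "READ"
        return [("IRR.DIGTCERT.GENCERT", "CONTROL"), ("IRR.DIGTCERT.ADD", add)]
    raise ValueError(f"{function} requirements depend on parameters not modelled")


def plan_checks(function, app_access, ca_domain=None, **request):
    """Map the application's IRR.RPKISERV access to the checks that follow."""
    resource = rpkiserv_resource(function, ca_domain)
    if app_access == "NONE":
        return {"resource": resource, "outcome": "denied", "checked_id": None, "then": []}
    if app_access == "CONTROL":  # permitted, no subsequent checks are made
        return {"resource": resource, "outcome": "permitted", "checked_id": None, "then": []}
    if app_access not in ("READ", "UPDATE"):
        raise ValueError(f"unknown access authority: {app_access}")
    subject = "caller" if app_access == "READ" else "application"
    return {"resource": resource, "outcome": "subject to checks",
            "checked_id": subject, "then": digtcert_requirements(function, **request)}
```

Because CONTROL on an IRR.RPKISERV resource skips every IRR.DIGTCERT check, a review of these profiles should treat each CONTROL permission as full authority for that function.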





Copyright IBM Corporation 1990, 2014