Protecting end-user functions
Two kinds of clients use the PKI Services end-user functions:
- Internal clients, such as employees who have SAF user IDs on the host system and who might be using their certificates to access resources on the host
- External clients, who have no access to the host system.
When PKI Services is called, the unit of work has some identity (user ID) associated with it. For external clients, a surrogate user ID is necessary.
Guideline: Although under certain circumstances it might be beneficial for internal clients to access PKI Services under their own identities, your implementation is simpler if you use surrogate user IDs for internal clients also.
Use the RACF® ADDUSER command to create the surrogate user ID (PKISERV). Give it an OMVS segment because it needs access to z/OS® UNIX. Guideline: Define the surrogate user ID with the PROTECTED and RESTRICTED attributes. PROTECTED means the ID has no password and cannot be used to log on (nor be revoked by failed logon attempts); RESTRICTED means it receives no access through UACC, ID(*) access list entries, or global access checking, so it can use only what is explicitly permitted to it.
The R_PKIServ SAF callable service is protected by FACILITY class resources of the form IRR.RPKISERV.function[.ca_domain], where function is one of the following and ca_domain specifies an optional CA domain name. (Specify ca_domain when your installation has established multiple PKI Services CAs.)
- EXPORT: Retrieves (exports) a previously requested certificate, or retrieves (exports) the PKI Services registration authority (RA) certificate or the certificate authority (CA) certificate.
- GENCERT: Generates an auto-approved certificate.
- GENRENEW: Generates an auto-approved renewal certificate. (The request submitted is automatically approved.)
- QRECOVER: Lists certificates whose key pairs were generated by PKI Services under a requestor's email address and passphrase.
- REQCERT: Requests a certificate that an administrator must approve before it is created.
- REQRENEW: Requests certificate renewal. The administrator needs to approve the request before the certificate is renewed.
- RESPOND: Invokes the PKI OCSP responder.
- REVOKE: Revokes a certificate that was previously issued.
- SCEPREQ: Generates a certificate request using Simple Certificate Enrollment Protocol (SCEP).
- VERIFY: Confirms that a given user certificate was issued by this certificate authority and, if so, returns the certificate fields.
Create these resources and give the PKISERV user ID either READ or CONTROL access to them. CONTROL bypasses subsequent resource checks.
Additional FACILITY class resources of the form IRR.DIGTCERT.function protect the actual certificate generation and retrieval functions. If subsequent resource checks are not being bypassed (that is, PKISERV has READ rather than CONTROL access to the IRR.RPKISERV resources), define these resources and their access. The access required depends on which of the following applies:
- An administrator can review certificate requests
- Requests can be auto-approved without administrator action (this should probably be reserved for internal clients only).

If an administrator reviews certificate requests:

| Resource | Access |
|---|---|
| IRR.DIGTCERT.REQCERT | READ |
| IRR.DIGTCERT.REQRENEW | READ |

If requests are auto-approved without administrator action:

| Resource | Access |
|---|---|
| IRR.DIGTCERT.ADD | UPDATE |
| IRR.DIGTCERT.GENCERT | CONTROL |
| IRR.DIGTCERT.GENRENEW | READ |
Finally, because the web server is switching identities to PKISERV, you must give it surrogate permission. This is done by creating another resource in the SURROGAT class (BPX.SRV.PKISERV) and giving the web server daemon user ID READ access to it.
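The RACF definitions described above, collected into one REXX exec as an added example (this is not code from the IBM documentation). The group PKIGRP, UID 555, home directory /var/pkiserv and web server daemon ID WEBSRV are assumed placeholders, and the FACILITY and SURROGAT classes are assumed to be already active and RACLISTed.

```rexx
/* REXX exec (added example): RACF definitions for the PKISERV      */
/* surrogate ID and the FACILITY/SURROGAT resources named above.    */
/* Assumed placeholders: group PKIGRP, UID 555, home /var/pkiserv,  */
/* web server daemon ID WEBSRV. FACILITY and SURROGAT are assumed   */
/* active and RACLISTed; the exec only refreshes them.              */
address tso

/* Surrogate ID: NOPASSWORD/NOOIDCARD make it PROTECTED (cannot be  */
/* used to log on); RESTRICTED keeps it off UACC/ID(*)/global access */
"ADDUSER PKISERV NAME('PKI SERVICES SURROGATE') DFLTGRP(PKIGRP)",
  "NOPASSWORD NOOIDCARD RESTRICTED",
  "OMVS(UID(555) HOME('/var/pkiserv') PROGRAM('/bin/sh'))"

/* One IRR.RPKISERV.function resource per end-user function. READ,  */
/* not CONTROL, so the IRR.DIGTCERT.* checks below stay in force.   */
funcs = 'EXPORT GENCERT GENRENEW QRECOVER REQCERT REQRENEW',
        'RESPOND REVOKE SCEPREQ VERIFY'
do i = 1 to words(funcs)
  res = 'IRR.RPKISERV.'word(funcs, i)
  "RDEFINE FACILITY" res "UACC(NONE)"
  "PERMIT" res "CLASS(FACILITY) ID(PKISERV) ACCESS(READ)"
end

/* IRR.DIGTCERT.* access depends on the approval model: 'ADMIN'     */
/* (an administrator reviews requests) or 'AUTO' (auto-approved,    */
/* intended for internal clients only).                             */
mode = 'ADMIN'
if mode = 'ADMIN' then
  digtcert = 'REQCERT:READ REQRENEW:READ'
else
  digtcert = 'ADD:UPDATE GENCERT:CONTROL GENRENEW:READ'
do i = 1 to words(digtcert)
  parse value word(digtcert, i) with fn ':' acc
  res = 'IRR.DIGTCERT.'fn
  "RDEFINE FACILITY" res "UACC(NONE)"
  "PERMIT" res "CLASS(FACILITY) ID(PKISERV) ACCESS("acc")"
end

/* Let the web server daemon switch identity to PKISERV.            */
"RDEFINE SURROGAT BPX.SRV.PKISERV UACC(NONE)"
"PERMIT BPX.SRV.PKISERV CLASS(SURROGAT) ID(WEBSRV) ACCESS(READ)"

/* Make the new profiles effective in the in-storage RACLIST copy.  */
"SETROPTS RACLIST(FACILITY SURROGAT) REFRESH"
exit 0
```

Run it under TSO with RACF SPECIAL authority; RDEFINE returns a non-zero code for a profile that already exists, which is harmless here because the following PERMIT still applies.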