If your installation needs to operate z/OS PKCS #11 in compliance
with the FIPS 140-2 standard, then the integrity of the cryptographic
functions shipped by IBM must be verified at your installation during
ICSF startup. The load module that contains the software cryptographic
functions is SYS1.SIEALNKE(CSFINPV2), and this load module is digitally
signed when it is shipped from IBM. Using RACF, you can verify that
the module has remained unchanged from the time it was built and installed
on your system. To do this, you create a profile in the PROGRAM class
for the CSFINPV2 module, and use this profile to indicate that signature
verification is required before the module can be loaded.
To require signature verification for ICSF module CSFINPV2:
- Make sure that RACF has been prepared to verify signed programs.
As described in z/OS Security Server RACF Security Administrator’s Guide,
a security administrator prepares RACF to verify signed programs by
creating a key ring for signature verification, and adding the code-signing
CA certificate that is supplied with RACF to the key ring. If RACF
has been prepared to verify signed programs, there will be a key ring
dedicated to signature verification, the code-signing CA certificate
will be attached to the key ring, and the PROGRAM class will be active.
- If RACF has been prepared to verify signed programs, the discrete
profile IRR.PROGRAM.SIGNATURE.VERIFICATION in the FACILITY class will
specify the name of the signature-verification key ring. To determine
if a signature key ring is already active, enter the command:
RLIST FACILITY IRR.PROGRAM.SIGNATURE.VERIFICATION
If there is no discrete profile with this name, have your security administrator
prepare RACF to verify signed programs using the information in z/OS Security Server RACF Security Administrator’s Guide.
- If the signature verification key ring exists, the RLIST command
will display information for the discrete profile IRR.PROGRAM.SIGNATURE.VERIFICATION
in the FACILITY class. The name of the signature verification key
ring and the name of the key ring owner will be included in the APPLICATION
DATA field of the RLIST command output. Using this information, enter
the RACDCERT LISTRING command to make sure the code-signing
CA certificate is attached to the key ring:
RACDCERT ID(key-ring-owner) LISTRING(key-ring-name)
The label of the code-signing CA certificate is 'STG Code Signing CA'. If this label is
not shown in the RACDCERT LISTRING command output, have your security
administrator prepare RACF to verify signed programs using the information
in z/OS Security Server RACF Security Administrator’s Guide.
- Program control must be active in order for RACF to perform signature
verification processing. To make sure the PROGRAM class is active,
enter the SETROPTS LIST command:
SETROPTS LIST
The ACTIVE CLASSES field of the command output should include the PROGRAM class.
If it does not, have your security administrator prepare RACF to verify
signed programs using the information in z/OS Security Server RACF Security Administrator’s Guide.
- Create a profile for the CSFINPV2 program module in the PROGRAM
class, indicating that the program must be signed. The following command
specifies that the program should fail to load if the signature cannot
be verified for any reason. This command also specifies that all signature
verification failures should be logged.
Note:
The RDEFINE command must be entered completely on one line.
RDEFINE PROGRAM CSFINPV2 ADDMEM('SYS1.SIEALNKE'//NOPADCHK) UACC(READ) SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) SIGAUDIT(ANYBAD))
You will need to activate your profile changes in the PROGRAM class:
SETROPTS WHEN(PROGRAM) REFRESH
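The three prerequisite checks in the steps above (the IRR.PROGRAM.SIGNATURE.VERIFICATION profile exists, the 'STG Code Signing CA' certificate is on the ring, and the PROGRAM class is active) can be evaluated mechanically from captured TSO command output before the RDEFINE is issued. The script below is an added example, not IBM's code or part of this procedure; the sample RLIST, RACDCERT LISTRING and SETROPTS LIST outputs embedded in it are constructed approximations of the real output layout (the heading underlines, the ACTIVE CLASSES field wrapping over several lines, the ICH13003I NOT FOUND message) and the ring name SIGVER.KEYRING and owner SYSADM are assumed values, not ones from the page.

```python
"""Check the RACF prerequisites for CSFINPV2 signature verification from
captured TSO command output. Added example, not IBM's code. The sample
outputs below are constructed approximations of RLIST, RACDCERT LISTRING
and SETROPTS LIST output, not text captured from a real system."""

# Label of the code-signing CA certificate that RACF supplies (from the page).
CA_LABEL = "STG Code Signing CA"


def keyring_from_rlist(output):
    """Return the APPLICATION DATA value from RLIST output, or None when the
    profile is missing or carries no application data. RLIST prints each field
    name as a heading underlined with dashes, then the value on the next line.
    The value's internal layout (ring name and owner) is whatever the
    installation defined, so it is returned unparsed."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        if line.strip().upper() == "APPLICATION DATA":
            for candidate in lines[i + 1:]:
                value = candidate.strip()
                if not value or set(value) == {"-"}:
                    continue  # blank line or the dashed underline
                return None if value.upper() == "NONE" else value
    return None


def ca_cert_on_ring(listring_output, label=CA_LABEL):
    """True if a certificate with the given label is listed on the ring."""
    return any(label in line for line in listring_output.splitlines())


def program_class_active(setropts_output):
    """True if PROGRAM appears in the ACTIVE CLASSES field. The field can wrap
    over several lines, so tokens are collected until the next 'NAME = value'
    heading; PROGRAM named in a later field does not count."""
    classes = []
    collecting = False
    for line in setropts_output.splitlines():
        if line.upper().lstrip().startswith("ACTIVE CLASSES"):
            collecting = True
            line = line.split("=", 1)[1]
        elif collecting and "=" in line:
            break
        if collecting:
            classes.extend(line.split())
    return "PROGRAM" in classes


def check_prerequisites(rlist_out, listring_out, setropts_out):
    """Evaluate all three prerequisites; every value must be True before the
    PROGRAM-class profile for CSFINPV2 is defined."""
    return {
        "sigver_profile_defined": keyring_from_rlist(rlist_out) is not None,
        "ca_cert_on_ring": ca_cert_on_ring(listring_out),
        "program_class_active": program_class_active(setropts_out),
    }


# --- constructed sample outputs (approximate layout, not captured output) ---
RLIST_OK = """\
CLASS      NAME
-----      ----
FACILITY   IRR.PROGRAM.SIGNATURE.VERIFICATION

INSTALLATION DATA
-----------------
NONE

APPLICATION DATA
----------------
SIGVER.KEYRING/SYSADM
"""
RLIST_MISSING = "ICH13003I IRR.PROGRAM.SIGNATURE.VERIFICATION NOT FOUND\n"

LISTRING_OK = """\
Digital ring information for user SYSADM:

  Ring:
       >SIGVER.KEYRING<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  STG Code Signing CA                CERTAUTH       CERTAUTH     NO
"""
# Same ring with no certificates connected to it.
LISTRING_EMPTY = LISTRING_OK.split("  Certificate Label Name")[0]

SETROPTS_OK = """\
ACTIVE CLASSES = DATASET USER GROUP FACILITY
                 PROGRAM DIGTCERT DIGTRING
GENERIC PROFILE CLASSES = DATASET FACILITY
"""
# PROGRAM is only named in a later field here, so it must not count as active.
SETROPTS_NO_PROGRAM = """\
ACTIVE CLASSES = DATASET USER GROUP FACILITY
GENERIC PROFILE CLASSES = DATASET PROGRAM
"""

if __name__ == "__main__":
    for name, ok in check_prerequisites(RLIST_OK, LISTRING_OK, SETROPTS_OK).items():
        print(f"{name}: {'OK' if ok else 'MISSING'}")
```

In practice the three strings would be the saved output of the RLIST, RACDCERT LISTRING and SETROPTS LIST commands from the steps above; any False entry in the returned dictionary points at the step the security administrator still has to complete.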