The end-user functions are:
- EXPORT: Retrieves (exports) a previously requested certificate, or retrieves (exports) the PKI Services registration authority (RA) certificate or the certificate authority (CA) certificate.
- GENCERT: Generates an auto-approved certificate.
- GENRENEW: Generates an auto-approved renewal certificate. (The request submitted is automatically approved.)
- QRECOVER: Lists certificates whose key pairs were generated by PKI Services under a requestor's e-mail address and passphrase.
- REQCERT: Requests a certificate that an administrator must approve before it is created.
- REQRENEW: Requests certificate renewal. The administrator needs to approve the request before the certificate is renewed.
- RESPOND: Invokes the PKI OCSP responder.
- REVOKE: Revokes a certificate that was previously issued.
- SCEPREQ: Generates a certificate request using Simple Certificate Enrollment Protocol (SCEP).
- VERIFY: Confirms that a given user certificate was issued by this certificate authority and, if so, returns the certificate fields.
For end-user functions, FACILITY class resources protect this interface.
Access authority is based on the user ID for the application (the
user ID from the ACEE associated with the address space). To determine
the user ID for the application, the current TCB is checked for an
ACEE. If one is found, the authority of that user is checked. If there
is no ACEE associated with the current TCB, the ACEE associated with
the address space is used to locate the user ID.
The form for the FACILITY class resources is:
IRR.RPKISERV.function[.ca_domain]
- function: Specifies one of the end-user function names in the preceding list.
- ca_domain: Optionally specifies the PKI Services certificate authority (CA) domain name. Use this when your installation has established multiple PKI Services CAs and the CA_domain parameter is provided with IRRSPX00.
Restriction: If the name of your initial
CA domain is longer than 8 characters, you must truncate it to exactly
8 characters when you define the resource name in the FACILITY class.
Example: For the GENCERT function, when the ca_domain is
named Customers and the CA_domain parameter
is provided with IRRSPX00, then the FACILITY class resource controlling
the function is IRR.RPKISERV.GENCERT.CUSTOMER. (The name Customers was
truncated to CUSTOMER. See the restriction for the ca_domain parameter.)
When the CA_domain parameter is not provided with
IRRSPX00, the FACILITY class resource is IRR.RPKISERV.GENCERT.
The access authorities you can assign for these FACILITY class
resources have the following effects:
- NONE: Access is denied.
- READ: Access is permitted based on subsequent access checks against the caller's user ID.
- UPDATE: Access is permitted based on subsequent access checks against the application's user ID.
- CONTROL (or user ID has RACF SPECIAL): Access is permitted, and no subsequent access checks are made.
Example: If you defined the FACILITY class profile IRR.RPKISERV.GENCERT.CUSTOMER
to control access to the GENCERT function on the CA domain named
Customers,
you can prevent the user ID MYAPP from using the GENCERT function
on that CA domain by issuing the command:
PERMIT IRR.RPKISERV.GENCERT.CUSTOMER CLASS(FACILITY) ID(MYAPP) ACCESS(NONE)
For SAF GENCERT and EXPORT requests where the application has READ
and UPDATE access, subsequent access checks are performed against
the IRR.DIGTCERT.function FACILITY
resources. These are identical to the checks the RACDCERT TSO command
makes. See z/OS Security Server RACF Command Language Reference for
more information.
For PKI Services EXPORT, GENCERT, GENRENEW, QRECOVER, REQCERT,
REQRENEW, RESPOND, REVOKE, SCEPREQ, and VERIFY requests in which the
application has READ and UPDATE access, subsequent access checks are
performed against the IRR.DIGTCERT.function FACILITY
resources.
The following table summarizes the access requirements for the
user ID whose access is checked.
Table 1. Summary of access authorities required for PKI Services requests

| Request | Access |
|---|---|
| EXPORT | IRR.DIGTCERT.EXPORT: READ access if PassPhrase is specified or if CertID is specified as PKICACERT; UPDATE access if the PassPhrase parameter is not specified with IRRSPX00; CONTROL access if you want to export a PKCS #7 certificate. |
| GENCERT | IRR.DIGTCERT.GENCERT: CONTROL access. IRR.DIGTCERT.ADD: UPDATE access if any hostIdMappings information is specified in the certificate request parameter list or the UserId field in the certificate request parameter list indicates the certificate is being requested for another user other than the caller; READ access otherwise. |
| GENRENEW | IRR.DIGTCERT.GENRENEW: READ access. IRR.DIGTCERT.GENCERT: CONTROL access. Note: It is assumed that the calling application has already verified the input certificate using the VERIFY function. |
| QRECOVER | IRR.DIGTCERT.QRECOVER: READ access. |
| REQCERT | IRR.DIGTCERT.REQCERT: READ access. |
| REQRENEW | IRR.DIGTCERT.REQRENEW: READ access. Note: It is assumed that the calling application has already verified the input certificate using the VERIFY function. |
| RESPOND | IRR.DIGTCERT.RESPOND: READ access. |
| REVOKE | IRR.DIGTCERT.REVOKE: READ access. Note: It is assumed that the calling application has already verified the target certificate using the VERIFY function. |
| SCEPREQ | IRR.DIGTCERT.SCEPREQ: READ access. |
| VERIFY | IRR.DIGTCERT.VERIFY: READ access. Note: It is assumed that the calling application has already verified that the end user possesses the private key that correlates to the input certificate. |
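The two-stage check described above (IRR.RPKISERV.function[.ca_domain] first, then the IRR.DIGTCERT resources in Table 1) can be modelled to review a planned set of permissions before defining them. This is an added example, not IBM code and not a RACF interface. Assumptions: all function names are hypothetical, access levels come from constructed dictionaries, a resource missing from a dictionary counts as NONE, and the EXPORT row is left out because its requirement depends on request parameters.

```python
# Added example: a model of the two-stage check on this page. It never calls
# RACF; every access level is supplied by the caller (constructed data).
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}
FIXED_READ = {"QRECOVER", "REQCERT", "REQRENEW", "RESPOND", "REVOKE",
              "SCEPREQ", "VERIFY"}

def rpkiserv_resource(function, ca_domain=None):
    """Build IRR.RPKISERV.function[.ca_domain]."""
    name = "IRR.RPKISERV." + function.upper()
    if ca_domain:
        # Restriction: names longer than 8 characters are cut to exactly 8.
        # Upper-casing follows the page's Customers -> CUSTOMER example.
        name += "." + ca_domain.upper()[:8]
    return name

def digtcert_requirements(function, other_user=False, host_id_mappings=False):
    """Rows of Table 1 (EXPORT omitted) as {resource: minimum access}."""
    function = function.upper()
    if function in FIXED_READ:
        return {"IRR.DIGTCERT." + function: "READ"}
    if function == "GENRENEW":
        return {"IRR.DIGTCERT.GENRENEW": "READ",
                "IRR.DIGTCERT.GENCERT": "CONTROL"}
    if function == "GENCERT":
        add = "UPDATE" if (other_user or host_id_mappings) else "READ"
        return {"IRR.DIGTCERT.GENCERT": "CONTROL", "IRR.DIGTCERT.ADD": add}
    raise ValueError("not modelled: " + function)

def authorize(function, app_access, caller_acl, app_acl, ca_domain=None, **flags):
    """Return (decision, profiles consulted). ACLs map resource -> access."""
    checked = [rpkiserv_resource(function, ca_domain)]
    if app_access == "NONE":
        return "deny", checked
    if app_access == "CONTROL":          # also the RACF SPECIAL case
        return "permit", checked
    # READ -> the caller's user ID is checked; UPDATE -> the application's.
    acl = caller_acl if app_access == "READ" else app_acl
    for resource, needed in digtcert_requirements(function, **flags).items():
        checked.append(resource)
        if LEVELS[acl.get(resource, "NONE")] < LEVELS[needed]:
            return "deny", checked       # assumption: missing entry == NONE
    return "permit", checked
```

The second element of the result lists the profiles in the order they were consulted, which shows which profile produced a denial.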