Before network security services can be provided, authorization to several resources must be defined to the external security manager.
Perform the following steps to authorize access to the appropriate resources:
Issue the following commands:
ADDUSER NSSD DFLTGRP(OMVSGRP) NOPASSWORD OMVS(UID(0) HOME('/'))
RDEFINE STARTED NSSD.* STDATA(USER(NSSD))
SETROPTS RACLIST(STARTED) REFRESH
SETROPTS GENERIC(STARTED) REFRESH
Issue the following command:
PERMIT SYS1.PARMLIB ID(NSSD) ACCESS(READ)
RDEFINE FACILITY IRR.DIGTCERT.ADD UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.ADDRING UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.CONNECT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENCERT UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.GENREQ UACC(NONE)
For details about these controls, see z/OS Security Server RACF Command Language Reference.
PERMIT IRR.DIGTCERT.ADD CLASS(FACILITY) ID(userid) ACC(CONTROL)
PERMIT IRR.DIGTCERT.ADDRING CLASS(FACILITY) ID(userid) ACC(UPDATE)
PERMIT IRR.DIGTCERT.CONNECT CLASS(FACILITY) ID(userid) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENCERT CLASS(FACILITY) ID(userid) ACC(CONTROL)
PERMIT IRR.DIGTCERT.GENREQ CLASS(FACILITY) ID(userid) ACC(CONTROL)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACC(CONTROL)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACC(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(NSSD) ACC(READ)
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(NSSD) ACC(READ)
After you permit access to the various IRR.DIGTCERT resources, update the FACILITY class as follows:
SETROPTS RACLIST(FACILITY) REFRESH
If you decide to use this profile, permit the NSS server user ID to this profile using the following command, where the userid value is the user ID under which the NSS server runs:
PERMIT BPX.DAEMON CLASS(FACILITY) ID(userid) ACCESS(READ)
The secured signon function of RACF is enabled by activating the PTKTDATA class as follows:
SETROPTS CLASSACT(PTKTDATA)
SETROPTS RACLIST(PTKTDATA) REFRESH
Profiles in the PTKTDATA class control the use of the secured signon function by an application. A secured signon application key is associated with each profile. This key is stored in the external security manager's database. When RACF is used as the external security manager, this key is stored in a masked or encrypted state.
With RACF, you can use a secured signon application key that is controlled at the following levels:
The application name NSSD must be used when defining the secured signon keys for the NSS server. The following example shows a RACF command that you can issue to assign a secured signon key that can be used by all NSS clients that are authenticating to the NSS server:
RDEFINE PTKTDATA NSSD SSIGNON(KEYMASKED(E001193519561977)) UACC(NONE)
For specific information about enabling the secured signon function and defining profiles to be used by the single signon function, see z/OS Security Server RACF Security Administrator's Guide.
For details about how to define the IKE daemon as an NSS client, see Using network security services.
Perform the following steps to authorize NSS clients:
An NSS client must present valid credentials to the NSS server before accessing any services. Valid credentials include a user ID and password, or a user ID and PassTicket if secured signon is enabled. A SAF user ID representing an NSS client must be defined to the external security manager.
Issue the following command:
ADDUSER userid DFLTGRP(OMVSGRP) OMVS(UID(x))
PERMIT NSSD CLASS(APPL) ID(userid) ACC(READ)
SETROPTS RACLIST(APPL) REFRESH
To authorize an NSS client to use a network security service, you must create a SERVAUTH resource profile for that service that represents the NSS client. The user ID associated with the NSS client must be permitted READ access to that profile. Table 1 shows the name of the SERVAUTH profile for each service, where sysname is the name of the z/OS system running the NSS server and clientname is the name by which the NSS server knows the NSS client.
Service | SERVAUTH profile name |
---|---|
IPSec certificate service | EZB.NSS.sysname.clientname.IPSEC.CERT |
IPSec remote management service | EZB.NSS.sysname.clientname.IPSEC.NETMGMT |
XMLAppliance certificate service | EZB.NSS.sysname.clientname.XMLAPPLIANCE.CERT |
XMLAppliance private key service | EZB.NSS.sysname.clientname.XMLAPPLIANCE.PRIVKEY |
XMLAppliance SAF access service | EZB.NSS.sysname.clientname.XMLAPPLIANCE.SAFACCESS |
You can authorize the NSS client to a SERVAUTH profile using the following commands:
RDEFINE SERVAUTH profile_name UACC(NONE)
PERMIT profile_name (SERVAUTH) ID(nssclient) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
The name of such a resource profile is EZB.NSSCERT.sysname.mappedlabelname.HOST, where sysname is the name of the z/OS system running the NSS server and mappedlabelname is the mapped name of the certificate's label in the key ring. For details about determining a certificate label's mapped name, see NSS server certificate label naming considerations.
This can be accomplished with the following commands:
RDEFINE SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.HOST UACC(NONE)
PERMIT EZB.NSSCERT.sysname.mappedlabelname.HOST CLASS(SERVAUTH) ID(userid) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
When the digital signature mode of authentication is used, an NSS IPSec client can provide a remote security endpoint with information about certificate authorities that are trusted by the NSS client. The remote security endpoint should use this information as a hint to decide which of its certificates to use when creating its signature.
By default, an NSS IPSec client sends a remote security endpoint information about all the certificate authorities that the NSS IPSec client is authorized to advertise. This can result in an NSS IPSec client sending a large amount of data to a remote security endpoint. Use the CaLabel parameter on the RemoteSecurityEndpoint statement to reduce the amount of data sent to specific remote security endpoints. For details about the RemoteSecurityEndpoint statement, see z/OS Communications Server: IP Configuration Reference.
A SERVAUTH resource profile is used to authorize NSS IPSec clients to use a CA. A SERVAUTH resource profile must be created for each CA certificate that could be used by an NSS IPSec client. The name of such a resource profile is EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH, where sysname is the name of the z/OS system running the NSS server and mappedlabelname is the mapped name of the certificate's label in the key ring. For details about determining a certificate label's mapped name, see NSS server certificate label naming considerations. An NSS IPSec client's user ID must be given access to this profile before it can use the corresponding CA certificate.
This can be accomplished with the following commands:
RDEFINE SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH UACC(NONE)
PERMIT EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH CLASS(SERVAUTH) ID(userid) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
In contrast to the IPSec discipline, the XMLAppliance discipline does not distinguish between host, site, or certificate authority certificates. For any given certificate request, the NSS server first checks the EZB.NSSCERT.sysname.mappedlabelname.HOST profile. If that check fails, the server then checks the EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH profile. If the NSS XMLAppliance client has read access to either profile, the server permits access to the certificate resource. It is up to the NSS server administrator to allow or deny access to each certificate, and it is up to the XML appliance administrator to determine how each certificate should be used. The user ID of an NSS XMLAppliance client must be given access to one of these profiles before it can use the corresponding certificate. For examples on how to define the required profiles and permit access, see step 7.d and step 7.e, under Steps for authorizing resources for NSS. For details about determining the mapped name of a certificate label, see NSS server certificate label naming considerations.
Use the SERVAUTH resource profile to authorize NSS XMLAppliance clients to retrieve the private key from a certificate, and to locally perform any RSA operations that are based on the private key or to make ICSF calls requesting RSA operations on System z® for ICSF-protected keys. You must create a SERVAUTH resource profile for each private key against which the XMLAppliance client needs to perform operations. The name of such a resource profile is EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY, where sysname is the name of the z/OS system running the NSS server and mappedlabelname is the mapped name of the certificate label in the key ring. Ensure that the user ID of an NSS XMLAppliance client has appropriate access to this profile so that it can retrieve the private key or perform any RSA operations that are based on the private key. This can be accomplished with the following commands:
RDEFINE SERVAUTH EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY UACC(NONE)
PERMIT EZB.NSSCERT.sysname.mappedlabelname.PRIVKEY CLASS(SERVAUTH) ID(userid) ACCESS(READ)
SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH
For details about determining the mapped name of a certificate label, see NSS server certificate label naming considerations.
For more information, see the information about the -z option of the ipsec command in NSS client authorization example. For more details about managing network security, see z/OS Communications Server: IP System Administrator's Commands. For details about the network management interface, see z/OS Communications Server: IP Programmer's Guide and Reference.
ICSF provides cryptography support through various cryptographic hardware features. The cryptographic features that are available to your applications depend on your processor or server model. For information about which features are available on your hardware, see the information about callable service support by hardware configuration in z/OS Cryptographic Services ICSF Overview. For details about configuring ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.
When using a cryptographic coprocessor, the callable ICSF service names that are used by the XMLAppliance certificate service are as follows:
RDEFINE service-name CLASS(CSFSERV) UACC(NONE)
PERMIT service-name CLASS(CSFSERV) ID(server-name) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH
SETOPS CLASSACT(DIGTNMAP)
SETROPTS RACLIST(DIGTNMAP) REFRESH
Create a certificate name filter for each mapping of an X.500 distinguished name to a RACF ID using the following commands:
RACDCERT ID(userid) MAP SDNFILTER('x500dn')
SETROPTS RACLIST(DIGTNMAP) REFRESH
For specific details on enabling RACF certificate name filtering, see z/OS Security Server RACF Security Administrator's Guide.
PERMIT CSF1PKS CLASS(CSFSERV) ID(NSSD) ACCESS(READ)
PERMIT CSF1PKV CLASS(CSFSERV) ID(NSSD) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH
See z/OS Cryptographic Services ICSF Administrator's Guide for more information about the CSFSERV general resource.