The RACF® authorization mechanism
for this callable service varies depending on the type of function
requested (end user versus administrative) and the requested provider
(SAF versus PKI Services).
For the end user functions, this interface is protected by FACILITY
class profiles (resources) of the form IRR.RPKISERV.(function)[.ca-domain],
where (function) is one of the end user
function names described under Function_code below. If the CA_domain
parameter supplied on the R_PKIServ call is not null (has a length
greater than 0), the profile is qualified with the CA domain name.
If the CA_domain parameter supplied on the R_PKIServ call is null,
the qualifier is not used. For example, if the function name is GENCERT
and the CA_domain parameter is “Customers”, the FACILITY class resource
is IRR.RPKISERV.GENCERT.CUSTOMER. However, if the CA_domain parameter
is null, the FACILITY class resource is IRR.RPKISERV.GENCERT.
The user ID (from the ACEE associated with the address space)
for the application is used to determine access:
- NONE: Access is denied.
- READ: Access is permitted based on subsequent access checks against
  the caller's user ID. To determine the caller, the current TCB is
  checked for an ACEE. If one is found, the authority of that user is
  checked. If there is no ACEE associated with the current TCB, the
  ACEE associated with the address space is used to locate the user
  ID.
- UPDATE: Access is permitted based on subsequent access checks against
  the application's user ID.
- ALTER or CONTROL (or user ID is RACF SPECIAL): Access is permitted
  with no subsequent access checks made.
For SAF GENCERT and EXPORT requests where the application has READ
or UPDATE access, subsequent access checks are performed against
the IRR.DIGTCERT.(function) FACILITY profiles. These are identical
to the checks made by the RACDCERT TSO command. See z/OS Security
Server RACF Command Language Reference and z/OS Security Server RACF
Security Administrator's Guide for more information.
For PKI Services GENCERT, REQCERT, EXPORT, VERIFY, REVOKE, GENRENEW,
REQRENEW, RESPOND, SCEPREQ and QRECOVER requests where the application
has READ or UPDATE access, subsequent access checks are performed
against the IRR.DIGTCERT.(function) FACILITY profiles
as follows:
- GENCERT — This function is used to request an auto-approved certificate.
The access check user ID needs to have CONTROL access to IRR.DIGTCERT.GENCERT.
The access check user ID also needs access to IRR.DIGTCERT.ADD:
UPDATE access if any HostIdMapping information is specified in the
certificate request parameter list, or if the Userid field in the certificate
request parameter list indicates that the certificate is being requested
for a user other than the caller; otherwise READ access.
- REQCERT — This function is used to request a certificate that
must be approved by an administrator before being created. The access
check user ID needs to have READ access to IRR.DIGTCERT.REQCERT.
- EXPORT — This function is used to retrieve (export) a certificate
that was requested previously, or the PKI Services RA/CA certificate.
The access check user ID needs access to IRR.DIGTCERT.EXPORT:
UPDATE access if no pass phrase is specified on the call; READ access
if a pass phrase is specified or the Cert ID is "PKICACERT".
- VERIFY — This function is used to confirm that a given user certificate
was issued by this CA and if so, return the certificate fields. The
access check user ID needs to have READ access to IRR.DIGTCERT.VERIFY.
It is assumed that the calling application has already verified that
the end user possesses the private key that correlates to the input
certificate.
- REVOKE — This function is used to revoke a certificate that was
previously issued. The access check user ID needs to have READ access
to IRR.DIGTCERT.REVOKE. It is assumed that the calling application
has already verified the target certificate using the VERIFY function.
- GENRENEW — This function is used to generate a renewal certificate.
The request submitted is automatically approved. The access check
user ID needs to have READ access to IRR.DIGTCERT.GENRENEW and CONTROL
access to IRR.DIGTCERT.GENCERT. It is assumed that the calling application
has already verified the input certificate using the VERIFY function.
- REQRENEW — This function is used to request certificate renewal.
The request submitted needs to be approved by the administrator before
the certificate is renewed. The access check user ID needs to have
READ access to IRR.DIGTCERT.REQRENEW. It is assumed that the calling
application has already verified the input certificate using the VERIFY
function.
- RESPOND — This function is used to get an Online Certificate Status
Protocol (OCSP) response from the PKI Services responder. The access
check user ID needs to have READ access to IRR.RPKISERV.RESPOND and
IRR.DIGTCERT.RESPOND.
- SCEPREQ — This function is used to request a certificate using
SCEP. The access check user ID needs to have READ access to IRR.DIGTCERT.SCEPREQ.
- QRECOVER — This function is used to get a list of certificates
whose key pairs were generated by PKI Services under a particular
email address and pass phrase. The access check user ID needs READ
access to IRR.DIGTCERT.QRECOVER.
For the administrative functions, this interface is protected by
a single FACILITY class profile (resource), IRR.RPKISERV.PKIADMIN[.ca-domain].
If the CA_domain parameter supplied on the R_PKIServ call is not null
(has a length greater than 0), the profile is qualified with the CA
domain name. If the CA_domain parameter supplied on the R_PKIServ
call is null, the qualifier is not used. For example, if the CA_domain
parameter is “Customers”, the FACILITY class resource is IRR.RPKISERV.PKIADMIN.CUSTOMER.
However, if the CA_domain parameter is null, the FACILITY class resource
is IRR.RPKISERV.PKIADMIN.
If the caller is not RACF SPECIAL,
the caller will need READ access to perform read operations (QUERYREQS,
QUERYCERTS, REQDETAILS, and CERTDETAILS) and UPDATE access for the
action operations (PREREGISTER, MODIFYREQS, and MODIFYCERTS).
To determine the caller, the current TCB is checked for an ACEE. If
one is found, the authority of that user is checked. If there is no
ACEE associated with the current TCB, the ACEE associated with the
address space is used to locate the user ID.
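The two-stage decision described above for the PKI Services provider (first-level check on the application's user ID, then the IRR.DIGTCERT checks against either the caller or the application, and the single PKIADMIN profile for administrative functions) can be modelled as follows. This is an added example, not IBM code: RACF lookups are replaced by an in-memory permit table, the ACEE lookup is assumed to have already resolved the user IDs, and the function and parameter names are assumptions.

```python
LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # RACF access hierarchy
ADMIN_LEVELS = {"QUERYREQS": "READ", "QUERYCERTS": "READ", "REQDETAILS": "READ",
                "CERTDETAILS": "READ", "PREREGISTER": "UPDATE", "MODIFYREQS": "UPDATE",
                "MODIFYCERTS": "UPDATE"}

def facility_resource(name, ca_domain=""):
    """IRR.RPKISERV.<name>[.ca-domain]; the qualifier is omitted for a null CA_domain."""
    base = f"IRR.RPKISERV.{name.upper()}"
    return f"{base}.{ca_domain.upper()}" if ca_domain else base

def has_access(permits, user, resource, needed):
    """Stand-in for the RACF check: the user's permit on resource is at least `needed`."""
    return LEVELS.index(permits.get((user, resource), "NONE")) >= LEVELS.index(needed)

def digtcert_checks(fn, other_user=False, host_id_mapping=False, pass_phrase=False, cert_id=""):
    """Profiles and levels checked after a READ or UPDATE first-level result."""
    if fn == "GENCERT":
        add_level = "UPDATE" if (other_user or host_id_mapping) else "READ"
        return [("IRR.DIGTCERT.GENCERT", "CONTROL"), ("IRR.DIGTCERT.ADD", add_level)]
    if fn == "EXPORT":
        level = "READ" if (pass_phrase or cert_id == "PKICACERT") else "UPDATE"
        return [("IRR.DIGTCERT.EXPORT", level)]
    if fn == "GENRENEW":
        return [("IRR.DIGTCERT.GENRENEW", "READ"), ("IRR.DIGTCERT.GENCERT", "CONTROL")]
    if fn == "RESPOND":
        return [("IRR.RPKISERV.RESPOND", "READ"), ("IRR.DIGTCERT.RESPOND", "READ")]
    return [(f"IRR.DIGTCERT.{fn}", "READ")]  # REQCERT, VERIFY, REVOKE, REQRENEW, SCEPREQ, QRECOVER

def authorize_end_user(permits, app_user, caller, fn, ca_domain="", special=(), **call):
    """Return (decision, user ID the IRR.DIGTCERT checks were made against)."""
    res = facility_resource(fn, ca_domain)
    if app_user in special or has_access(permits, app_user, res, "CONTROL"):
        return "PERMIT", None            # ALTER/CONTROL or RACF SPECIAL: no further checks
    if has_access(permits, app_user, res, "UPDATE"):
        subject = app_user               # UPDATE: later checks use the application's ID
    elif has_access(permits, app_user, res, "READ"):
        subject = caller                 # READ: later checks use the caller's ID
    else:
        return "DENY", None              # NONE
    for resource, level in digtcert_checks(fn, **call):
        if not has_access(permits, subject, resource, level):
            return "DENY", subject
    return "PERMIT", subject

def authorize_admin(permits, caller, fn, ca_domain="", special=()):
    """Administrative functions: READ for query operations, UPDATE for actions."""
    if caller in special:
        return "PERMIT"
    res = facility_resource("PKIADMIN", ca_domain)
    return "PERMIT" if has_access(permits, caller, res, ADMIN_LEVELS[fn]) else "DENY"
```

Running it with a permit table for a planned deployment shows which of the two user IDs each IRR.DIGTCERT permit must be granted to before the application is put into service.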