In this scenario, you create a certificate and key ring for use by the z/OSMF server. The certificate is signed by the local CA.
Follow these steps:
- Update the parameter KEYRING_NAME in the IZUPRMxx parmlib member.
KEYRING_NAME('IZUKeyring.IZUDFLT')
- Grant the z/OSMF started task user ID READ access to the key ring and the certificate. By default, the server user ID is IZUSVR.
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(IZUSVR) ACCESS(READ)
- Add the key ring to your external security manager, such as RACF.
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
- Add the CA and the certificate. This example shows the use of the local CA. If you want to use a certificate that is signed by another CA, see the topic "Scenario 1: Secure server with a certificate signed by a certificate authority" in z/OS Security Server RACF Security Administrator's Guide.
/* Create the local CA certificate for the z/OSMF server */
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
OU('IZUDFLT')) WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2023/05/17))
/* Create the server certificate for the z/OSMF server */
/* Change HOST NAME in CN field into real local host name */
/* Usually the format of the host name is 'XXXX.XXX.XXX.XXX' */
RACDCERT ID(IZUSVR) GENCERT SUBJECTSDN(CN('HOST NAME') O('IBM') OU('IZUDFLT')) +
WITHLABEL('DefaultzOSMFCert.IZUDFLT') SIGNWITH(CERTAUTH LABEL('zOSMFCA')) +
NOTAFTER(DATE(2023/05/17))
RACDCERT ALTER(LABEL('DefaultzOSMFCert.IZUDFLT')) ID(IZUSVR) TRUST
- Connect the certificate to the keyring.
RACDCERT ID(IZUSVR) CONNECT (LABEL('DefaultzOSMFCert.IZUDFLT') +
RING(IZUKeyring.IZUDFLT) DEFAULT)
RACDCERT ID(IZUSVR) CONNECT (LABEL('zOSMFCA') +
RING(IZUKeyring.IZUDFLT) CERTAUTH)
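Before starting the server, confirm from RACDCERT output that the ring really is in the state the steps above are meant to produce. The following Python script is an added example, not part of the z/OSMF documentation or of IBM's tooling: it parses the output of RACDCERT LIST and RACDCERT LISTRING and reports a server certificate that is not TRUST, is expired or within 30 days of expiry at a given date, still carries the 'HOST NAME' placeholder from the GENCERT above, was not issued by the local CA, or is not connected as the ring's DEFAULT certificate with the CA certificate also present. The RACDCERT output embedded in it is constructed and its layout only approximates what RACDCERT prints; the expected host name WTSC80.ITSO.IBM.COM is an assumption taken from the later examples on this page.

```python
"""Audit the z/OSMF server certificate and key ring from RACDCERT output.
Added example, not part of the z/OSMF documentation; the LIST and LISTRING
output below is constructed and approximate, so adjust the patterns to your system."""
import re
from datetime import datetime, timedelta

# Constructed output of: RACDCERT ID(IZUSVR) LIST(LABEL('DefaultzOSMFCert.IZUDFLT'))
SAMPLE_LIST = """\
Digital certificate information for user IZUSVR:

  Label: DefaultzOSMFCert.IZUDFLT
  Status: TRUST
  End Date:   2023/05/17 23:59:59
  Issuer's Name:
       >CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT<
  Subject's Name:
       >CN=HOST NAME.O=IBM.OU=IZUDFLT<
  Ring Associations:
    Ring:
       >IZUKeyring.IZUDFLT<
"""
# Constructed output of: RACDCERT ID(IZUSVR) LISTRING(IZUKeyring.IZUDFLT)
SAMPLE_LISTRING = """\
Digital ring information for user IZUSVR:

  Ring:
       >IZUKeyring.IZUDFLT<
  Certificate Label Name             Cert Owner     USAGE      DEFAULT
  --------------------------------   ------------   --------   -------
  DefaultzOSMFCert.IZUDFLT           ID(IZUSVR)     PERSONAL     YES
  zOSMFCA                            CERTAUTH       CERTAUTH     NO
"""
# Subject of the local CA from the GENCERT above, in the form RACDCERT lists it
CA_DN = "CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT"
PLACEHOLDER_CN = "HOST NAME"   # the value the GENCERT comment tells you to replace


def parse_list(text):
    """Extract label, status, end date, issuer, subject and ring names from LIST output."""
    def field(name):                 # single-line field: "Name: value"
        m = re.search(rf"^\s*{re.escape(name)}:[ \t]*(.*)$", text, re.M)
        return m.group(1).strip() if m else None

    def bracketed(name):             # multi-line field: value on the next line between > and <
        m = re.search(rf"{re.escape(name)}:\s*\n\s*>(.*?)<", text)
        return m.group(1) if m else None

    end = field("End Date")
    return {
        "label": field("Label"),
        "status": field("Status"),
        "end_date": datetime.strptime(end, "%Y/%m/%d %H:%M:%S").date() if end else None,
        "issuer": bracketed("Issuer's Name"),
        "subject": bracketed("Subject's Name"),
        "rings": re.findall(r"Ring:\s*\n\s*>(.*?)<", text),
    }


def parse_listring(text):
    """Return {label: (owner, usage, default)} from the LISTRING table."""
    row = re.compile(r"^\s*(\S+)\s+(ID\(\S+\)|CERTAUTH|SITE)\s+(\S+)\s+(YES|NO)\s*$", re.M)
    return {m.group(1): (m.group(2), m.group(3), m.group(4)) for m in row.finditer(text)}


def cn_of(dn):
    """Pull the CN out of a RACF-style DN such as CN=host.O=IBM.OU=IZUDFLT."""
    m = re.search(r"CN=(.*?)(?:\.[A-Z]+=|$)", dn)
    return m.group(1) if m else None


def audit(list_text, listring_text, expected_host, ca_dn, ring_name, as_of):
    """Return the findings for the ring; an empty list means the server can use it."""
    if isinstance(as_of, str):                       # accept 'YYYY/MM/DD' as well as a date
        as_of = datetime.strptime(as_of, "%Y/%m/%d").date()
    cert, ring, findings = parse_list(list_text), parse_listring(listring_text), []

    if cert["status"] != "TRUST":
        findings.append(f"certificate {cert['label']} has status {cert['status']}, not TRUST")
    if cert["end_date"] is None:
        findings.append("End Date not found in LIST output")
    elif cert["end_date"] < as_of:
        findings.append(f"certificate expired on {cert['end_date']:%Y/%m/%d}")
    elif cert["end_date"] - as_of < timedelta(days=30):
        findings.append(f"certificate expires within 30 days, on {cert['end_date']:%Y/%m/%d}")

    cn = cn_of(cert["subject"] or "")
    if cn == PLACEHOLDER_CN:
        findings.append("subject CN is still the placeholder 'HOST NAME'")
    elif cn != expected_host:
        findings.append(f"subject CN {cn!r} does not match host {expected_host!r}")
    if cert["issuer"] != ca_dn:
        findings.append(f"issuer {cert['issuer']!r} is not the expected local CA")

    if ring_name not in cert["rings"]:
        findings.append(f"certificate is not connected to ring {ring_name}")
    server = ring.get(cert["label"])
    if server is None or server[2] != "YES":
        findings.append("server certificate is not the DEFAULT certificate in the ring")
    if not any(usage == "CERTAUTH" for _owner, usage, _default in ring.values()):
        findings.append("no CERTAUTH certificate is connected, so clients cannot build the chain")
    return findings
```

Run `audit()` against output captured from the real LIST and LISTRING commands on your system, passing the host name you put in the CN and the date you intend to start the server. On the constructed sample it reports exactly one finding, the placeholder CN, which is the defect the comment in the GENCERT above warns about.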
Scenario 2: Use an existing CA, Certificate and Keyring
In this scenario:
- Certificate is signed by an external CA.
- Key ring name is RING01.
- Certificate and key ring are owned by BBGSRV, which is the Liberty server user ID.
For information about obtaining this certificate and keyring, see the topic "Scenario 7: Sharing one certificate among multiple servers" in z/OS Security Server RACF System Programmer's Guide.
To permit the z/OSMF server ID to access the key ring, certificate, and private key, you can use either the FACILITY class or the RDATALIB class.
To configure the shared key ring for the z/OSMF server, specify it on the KEYRING_NAME parameter in the IZUPRMxx parmlib member. Because the owner is not the z/OSMF started task user ID, you must create an override file that is named local_override.cfg in the user configuration directory, which is /global/zosmf/configuration/ by default. In the override file, add the following option:
BOOTSTRAP_OPT=izu.ssl.key.store.owner.userid=BBGSRV
Configuring more than one z/OSMF instance
This topic describes two scenarios for sharing CA certificates between multiple instances: You might choose to use one common CA certificate for all of the instances, or a different CA certificate for each instance.
Scenario 3: SSL connections using the same CA certificate
In this scenario, you use the primary system CA to generate a common CA certificate, and distribute this CA certificate to the secondary systems. This approach is recommended if the secondary instances do not already exist.
Complete the following steps:
1. In the primary instance, specify IZU_DEFAULT_CERTAUTH=Y to generate the CA zOSMFCA as part of the configuration process.
2. In the primary instance, generate and sign certificates with the CA for all other instances, as shown below.
- SSL certificate for instance SC74 created in SC80
RACDCERT ID(IZUSVR) GENCERT SUBJECTSDN(CN('WTSC74.ITSO.IBM.COM') +
O('IBM') OU('ARNDFLT')) WITHLABEL('DefaultzOSMFCert.ARNDFLT.SC74') +
SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2021/06/17))
3. For each instance, export the CA certificate and the SSL certificate (with its private key) for the instance, as shown below.
- Export the CA certificate
RACDCERT EXPORT(LABEL('zOSMFCA')) DSN('ARUN.CERTD.ZOSMFCA1') +
FORMAT(CERTDER) CERTAUTH
- Export the SSL certificate for instance SC74
RACDCERT EXPORT(LABEL('DefaultzOSMFCert.ARNDFLT.SC74')) +
DSN('ARUN.PCKS12.SSL74') +
FORMAT(PKCS12DER) PASSWORD('Guess what') ID(IZUSVR)
4. In binary mode, move the CA certificate and the SSL certificates to the other systems where they are to be imported.
5. Add the CA certificate and SSL certificate to the other systems' RACF database, as shown below.
- Add the CA into the SC74 RACF database
RACDCERT ADD('ARUN.CERTD.ZOSMFCA1') CERTAUTH TRUST +
WITHLABEL('zOSMFCA')
- Add SSL certificate for instance in SC74 to RACF database
RACDCERT ADD('ARUN.PCKS12.SSL74') ID(ARNSVR) TRUST +
WITHLABEL('DefaultzOSMFCert.ARNDFLT') PASSWORD('Guess what')
6. In the secondary instances, set the configuration variable IZU_DEFAULT_CERTAUTH to N in the configuration process, so that no CA is created for the secondary instance.
7. When you get to the stage of running izuconfig1.cfg.rexx (the name depends on the configuration file name that you decided to use), comment out the statements that create an SSL certificate for the secondary instance (shown in the izuconfig1.cfg.rexx excerpt below) before running the REXX exec. The key rings are then created when the REXX exec is run, and the CA certificate and the SSL certificates are connected to the key ring for the instance.
/* Create the server certificate for the z/OSMF server */
/* Call RacfCmd "RACDCERT ID(ARNSVR) GENCERT
SUBJECTSDN(CN('WTSC74.ITSO.IBM.COM') O('IBM') OU('ARNDFLT'))
WITHLABEL('DefaultzOSMFCert.ARNDFLT')"
"SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2021/06/19))" */
Call RacfCmd "RACDCERT ALTER(LABEL('DefaultzOSMFCert.ARNDFLT')) ID("ARNSVR") TRUST"
Call RacfCmd "RACDCERT ID(ARNSVR) CONNECT (LABEL('DefaultzOSMFCert.ARNDFLT') RING(IZUKeyring.ARNDFLT) DEFAULT)"
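Steps 3 to 5 carry the exported CA certificate and the PKCS#12 file from the primary system to the secondaries, and step 4 requires the transfer to be done in binary mode: a data set that went through text-mode translation, fixed-record padding or truncation is silently no longer a certificate, and RACDCERT ADD on the target system will reject it with little explanation. The following Python script is an added example, not part of the z/OSMF documentation: it checks that a received file is still one well-formed DER SEQUENCE whose declared length accounts for exactly the whole file, which is true of both FORMAT(CERTDER) and FORMAT(PKCS12DER) output. The sample bytes are a constructed stand-in rather than a real certificate, and the text-mode simulation uses Python's cp037 codec to model an EBCDIC-to-ASCII translation.

```python
"""Check exported RACDCERT files before adding them on another system.

Added example, not part of the z/OSMF documentation. FORMAT(CERTDER) and
FORMAT(PKCS12DER) each produce one DER SEQUENCE, so the outer tag and length
must account for exactly the whole file. A data set moved in text mode
(EBCDIC/ASCII translation, record padding or truncation) fails this check.
"""


def der_length(data, pos):
    """Decode the DER length starting at data[pos]; return (length, body_start) or None."""
    if pos >= len(data):
        return None
    first = data[pos]
    if first < 0x80:                         # short form: the byte is the length
        return first, pos + 1
    count = first & 0x7F                     # long form: number of length bytes that follow
    if count == 0 or count > 4 or pos + 1 + count > len(data):
        return None                          # indefinite or oversized length is not DER
    length = int.from_bytes(data[pos + 1:pos + 1 + count], "big")
    if length < 0x80 or (count > 1 and length < (1 << (8 * (count - 1)))):
        return None                          # DER demands the minimal length encoding
    return length, pos + 1 + count


def check_der_envelope(data):
    """Return (ok, reason) for a file that must be a single DER SEQUENCE."""
    if not data:
        return False, "empty file"
    if data[0] != 0x30:
        return False, f"first byte 0x{data[0]:02X} is not a SEQUENCE tag"
    decoded = der_length(data, 1)
    if decoded is None:
        return False, "malformed length field"
    length, body = decoded
    if body + length != len(data):
        return False, f"declared {length} body bytes but the file holds {len(data) - body}"
    return True, "outer SEQUENCE is consistent with the file size"


def simulate_text_mode_transfer(data):
    """Model a transfer that treated the data set as EBCDIC text and translated it to ASCII."""
    return data.decode("cp037").encode("latin-1")


# Constructed stand-in for an exported file: a SEQUENCE with a 260-byte body, not a real certificate
SAMPLE_DER = b"\x30\x82\x01\x04" + bytes(260)


if __name__ == "__main__":
    cases = {
        "binary copy": SAMPLE_DER,
        "padded to record length": SAMPLE_DER + b"\x40" * 20,
        "truncated": SAMPLE_DER[:-5],
        "text-mode transfer": simulate_text_mode_transfer(SAMPLE_DER),
    }
    for name, blob in cases.items():
        ok, reason = check_der_envelope(blob)
        print(f"{name:26} {'OK ' if ok else 'BAD'} {reason}")
```

Run `check_der_envelope()` over the bytes of each received data set before the RACDCERT ADD in step 5; only the untouched binary copy passes, while the padded, truncated and translated variants are each rejected with a reason that points at the transfer rather than at RACF.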
Scenario 4: SSL connections using different CA certificates
In this scenario, each secondary instance of z/OSMF uses its own certificate authority and CA certificate to sign its server certificates. To enable SSL connections in this scenario, you must add each secondary system CA certificate to the primary system security database. This approach is recommended if the secondary instances already exist, and were created to use uniquely named CA certificates. Complete the following steps.
1. Using a unique IZU_SAF_PROFILE_PREFIX and specifying yes to the installation prompt to generate a CA certificate during the installation process results in uniquely named CA certificates. Make the CA certificates of each instance available to the other instances to enable secure communication.
2. When IZU_SAF_PROFILE_PREFIX=ARNDFLT and IZU_DEFAULT_CERTAUTH=Y, the CA certificate that is generated is shown below.
- CA certificate for IZU_SAF_PROFILE_PREFIX=ARNDFLT
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
OU('ARNDFLT')) WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2021/06/17))
3. When IZU_SAF_PROFILE_PREFIX=IZUDFLT and IZU_DEFAULT_CERTAUTH=Y, the CA certificate that is generated is shown below.
- CA certificate for IZU_SAF_PROFILE_PREFIX=IZUDFLT
RACDCERT CERTAUTH GENCERT SUBJECTSDN(CN('z/OSMF CertAuth for Security Domain') +
OU('IZUDFLT')) WITHLABEL('zOSMFCA') TRUST NOTAFTER(DATE(2021/05/31))
4. When you compare the example in step 2 with the example in step 3, the value that is specified for IZU_SAF_PROFILE_PREFIX makes the SUBJECTSDN unique, which also makes the CA unique.
5. When IZU_SAF_PROFILE_PREFIX=ARNDFLT, the SSL certificate and key ring that are created for the instance are shown below.
- SSL certificate and key ring for IZU_SAF_PROFILE_PREFIX=ARNDFLT
/* SSL Certificate for the z/OSMF instance */
RACDCERT ID(IZUSVR) GENCERT SUBJECTSDN(CN('WTSC80.ITSO.IBM.COM') O('IBM') +
OU('ARNDFLT')) WITHLABEL('DefaultzOSMFCert.ARNDFLT') +
SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2021/06/17))
/* key ring for the z/OSMF instance */
RACDCERT ADDRING(IZUKeyring.ARNDFLT) ID(IZUSVR)
6. When IZU_SAF_PROFILE_PREFIX=IZUDFLT, the SSL certificate and key ring that are created for the instance are shown below.
- SSL certificate and key ring for IZU_SAF_PROFILE_PREFIX=IZUDFLT
/* SSL Certificate for the z/OSMF instance */
RACDCERT ID(IZUSVR) GENCERT SUBJECTSDN(CN('WTSC74.ITSO.IBM.COM') O('IBM') +
OU('IZUDFLT')) WITHLABEL('DefaultzOSMFCert.IZUDFLT') +
SIGNWITH(CERTAUTH LABEL('zOSMFCA')) NOTAFTER(DATE(2021/05/31))
/* key ring for the z/OSMF instance */
RACDCERT ADDRING(IZUKeyring.IZUDFLT) ID(IZUSVR)
7. The prefixes ARNDFLT and IZUDFLT make the SSL certificate label and the key ring name unique, as shown in step 5 and step 6.
Recommendations
To access all the z/OSMF instances in your installation from your web browser, and to let the z/OSMF instances communicate with each other, use a unique SSL certificate label for each instance by specifying a unique IZU_SAF_PROFILE_PREFIX for each instance. To simplify certificate management across instances, use a common CA for all of them.