IBM Security Z Security

  • 1.  Compliance rules for Certificates

    Posted Fri April 22, 2022 06:29 AM
    Hi,

    I'm trying to build some compliance rules for digital certificates held in RACF, using zSecure 2.4.
    I would like to be able to validate the private key size and type, and the certificate signing algorithm. However I can't seem to use the values of these in selection criteria or tests.
    Is there a way to achieve this?

    I've been looking through the Carla manual and the field definitions (types RACF, CERTIFICATE) in IN.D, but I can't see anything to tell me which fields can be used in selections. Is there some obvious information that I'm missing?

    Thanks,
    Pete Buckley
    AXA

    ------------------------------
    Peter Buckley
    ------------------------------


  • 2.  RE: Compliance rules for Certificates

    Posted Fri April 22, 2022 07:32 AM
    Hi Pete,

    You write:
    > I can't seem to use the values of these in selection criteria or tests.

    I am not immediately sure what you experience.

    > the private key size and type, and the certificate signing algorithm

    I think that maps to fields CERTPRVS, CERTPRVT, and CERTIFICATE_SIGNING_ALG in TYPE=CERTIFICATE. (The first two also have longer aliases CERT_PRIVATE_KEY_SIZE and CERT_PRIVATE_KEY_TYPE, resp.)

    In menu option RA.5.1 you can find the selection input fields under "Other fields" (the first two) and "Signing algorithm".

    How can I help you?

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: Compliance rules for Certificates

    Posted Fri April 22, 2022 09:32 AM
    Hi Jeroen,

    Thanks for the swift reply. I should give you some examples of my failing code:

    Example 1: Validate private key type

    RULE_SET DIGTCERT,
    DESC("Certificate checks."),
    CAPTION("Certificate checks") SEV(2)

    DOMAIN CERTS,
    DESC("User Certificates"),
    SELECT(racf(certificate_trusted=(TRUST,HIGHTRUST),
    certificate_id<>(irrcerta,irrsitec)))

    DEFINE type=RACF £keytype_OK TRUE WHERE,
    (class=digtcert segment=certdata certprvt='RSA-CRT')

    RULE CERTS_KEYTYPE DOMAIN(CERTS),
    SET(DIGTCERT),
    DESC("Certificate Keytype."),
    CAPTION("Certificate keytype")
    TEST 1.Keytype,
    /*racf(certprvt='RSA-CRT')*/,
    racf(£keytype_OK),
    DESC("Certificate key type must be in valid list.")
    ENDRULE

    Result:
    CKR0114 12 Value selection for field CERTPRVT not supported at CKR4CRL(UIDX010Z) line 15

    Example 2: Validate certificate signing algorithm

    RULE_SET DIGTCERT,
    DESC("Certificate checks."),
    CAPTION("Certificate checks") SEV(2)

    DOMAIN TRUCERTS,
    DESC("Certificates that are trusted or highly trusted"),
    SELECT(certificate(certificate_trusted=(hightrust,trust)))

    RULE CERTS_Algorithm DOMAIN(TRUCERTS),
    SET(DIGTCERT),
    DESC("Certificate Algorithm."),
    CAPTION("Certificate Algorithm")
    TEST 1.Algorithm certificate(CERTIFICATE_SIGNING_ALG<>'sha256RSA'),
    DESC("Certificate signing algorithm validation.")
    ENDRULE

    Result:
    CKR0432 12 Format X.509-objectid not supported for selection - field
    CERTIFICATE_SIGNING_ALG at CKR4CRL(UIDX010) line 17

    Example 3: Validate keysize

    RULE_SET DIGTCERT,
    DESC("Certificate checks."),
    CAPTION("Certificate checks") SEV(2)

    DOMAIN CERTS,
    DESC("User Certificates"),
    SELECT(racf(certificate_trusted=(TRUST,HIGHTRUST),
    certificate_id<>(irrcerta,irrsitec)))

    DEFINE type=RACF £keysize_OK TRUE WHERE,
    (class=digtcert segment=certdata certprvs>=2048)

    RULE CERTS_KEYSIZE DOMAIN(CERTS),
    SET(DIGTCERT),
    DESC("Certificate Keysize."),
    CAPTION("Certificate keysize")
    TEST 1.Keysize,
    racf(certprvs>=2048),
    /*racf(£keysize_OK)*/,
    DESC("Certificate key size must be at least 2048.")
    ENDRULE

    Result:
    All certificates appear non-compliant. In reality, the keysize for all
    certificates is 2048 or more.
    Actual value of test field is blank.

    Test result
    Test value is compliant: No
    Test is true: No
    Non-compliant audit finding: Yes
    Relative audit priority: 20
    Lookup against: (blank)
    Actual value of test field: (blank)

    Test definition
    Test name: 1.Keysize
    Test lookup base field name: (blank)
    Test field name: CERTPRVS
    Relational operator: >=
    Compliance comparison value: 2048
    Test type: n/a
    (non-)compliant: compliant

    Presumably I've got something basic wrong in each case.

    Pete Buckley,
    AXA

    ------------------------------
    Peter Buckley
    ------------------------------



  • 4.  RE: Compliance rules for Certificates

    Posted Fri April 22, 2022 11:06 AM
    Edited by Jeroen Tiggelman Sat April 23, 2022 03:30 AM

    Hi Pete,

    What I can quickly say is that the selections for the first two examples were not yet supported in zSecure 2.4.0, and that that code has not been back-ported to that level as of today.

    * 210621 2.5.0 JJW J0006846: Selection on &PRVT J0006846

    * 210713 2.5.0 JJW J0007201: Select on &OBJID in CKRINPO J0007201

    I have not run the specific tests, but I suppose these should work in zSecure 2.5.0. Edit: Actually, I think the first query also suffers from the same problem as the third as explained below.

    As to the third example, at first glance that looks like a potential gotcha with using TYPE=RACF: the records are profile segments, not profiles, and you can get issues if you look for a value in a segment that does not contain it.

    My reading is that you select BASE segments because you use CERTIFICATE_TRUSTED, which is based on UACC, which is in the BASE segment. Then you want to test in those records for a field that is in the CERTDATA segment. I would say that that can never work. One reason we made TYPE=CERTIFICATE is to not get caught up with those kinds of issues.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 5.  RE: Compliance rules for Certificates

    Posted Mon April 25, 2022 06:39 AM
    Hi Jeroen,

    Type=certificate is at least partially supported at my current zSecure maintenance level. For example, I can run a simple report in CARLa:

    N n=DIGTCERT type=certificate tt="RACF certs "
    sortlist,
    certlabl,
    certstrt(9) certend(9),
    CERTIFICATE_SIGNING_ALG

    and this produces the desired information.
    I also note that compliance test ICERR020(CKAGDC20) seems to work.
    However the above CARLa also fails if I attempt to select on CERTIFICATE_SIGNING_ALG.

    I'm not sure that my abuse of segments for type=racf is the problem with the other two.
    If I change my Domain selection to: SELECT(racf(certend>=today)), I still see CKR0114.
    This message seems to be telling me that I can only use certprvt and certprvs fields for output, not for selection. Perhaps there's simply no way to do this with type=racf?

    Regards,
    Pete Buckley,
    AXA

    ------------------------------
    Peter Buckley
    ------------------------------



  • 6.  RE: Compliance rules for Certificates
    Best Answer

    Posted Mon April 25, 2022 07:18 AM
    Hi Pete,

    So your level includes the December 2020 Service Stream Enhancement, that's good. :-)

    The selection on CERTIFICATE_SIGNING_ALG fails because there was no code for selection on that format included in that SSE; I wrote that only later in July 2021 and it is not available for 2.4.0 as of today. (I did a compare of the code lines, so I am quite sure.)

    Your abuse of segments has nothing to do with the CKR0114; you are getting the CKR0114 because the code to select on the private key type in the TYPE=RACF parser is not there yet in your level. If you were running 2.5.0 you would not get the CKR0114, but I am predicting the query still will not do what you want because of the abuse of segments.

    > Perhaps there's simply no way to do this with type=racf?

    Not in an easy way in today's zSecure 2.4.0, but this selection code was also added to zSecure 2.5.0. I would say that the fact that the selection code was not added back in 1999 when CERTPRVT was added to TYPE=RACF is APARable in principle, but a faster solution for you would be to upgrade to 2.5.0.

    However, there is a work-around. When you use a hexadecimal selection, then you circumvent the part of the code that wants to interpret the values you specify according to the output format of the field you are selecting on.

    This means that you have to figure out what the hexadecimal values you want to select on are, though.

    If you have data that contains the values you want to select on, then this query can help with that:
    n type=racf
    s exists(certprvt) certprvt<>'00000000'x
    summary certprvt certprvt(hex)

    You select segments here that contain CERTPRVT and where it does not have a value of 0 (which is "No key").

    When I run that on a random database, I get this output:
    ********************************* Top of Data **********************************
    P R O F I L E   L I S T I N G   25 Apr 2022 07:25                               
                                                                                    
    Key type                 Key type                 Count                         
    RSA-CRT                  00000001                       97                      
    RSA-CRT PKDS token       00000003                        1                      
    RSA-ME public PKDS token 00000005                        1                      
    ******************************** Bottom of Data ********************************

    So then, instead of selecting certprvt='RSA-CRT', I could select on certprvt='00000001'x.

    I hope this helps,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
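    Putting the advice in this answer together into one rule for zSecure 2.4.0, as an added illustration that is not code from the thread or from IBM: the domain selects the CERTDATA segments directly, so CERTPRVS and CERTPRVT are present in the records being tested (avoiding the BASE-versus-CERTDATA mismatch described earlier), and the key-type test uses the hexadecimal value from the summary query instead of the formatted name. The class/segment/exists() combination in the DOMAIN selection and the use of two TEST entries in one RULE are assumptions that have not been run against a live database; the value 00000001 for RSA-CRT is the one shown in the summary above and should be confirmed with that query on your own database before the rule is relied on.

```carla
/* Added example (not from the thread): key-size and key-type checks    */
/* against CERTDATA segments in TYPE=RACF, using the hex work-around.   */
RULE_SET DIGTCERT,
DESC("Certificate checks."),
CAPTION("Certificate checks") SEV(2)

/* Select the CERTDATA segments themselves, not BASE segments, so that   */
/* CERTPRVS and CERTPRVT exist in the selected records. Segments with   */
/* key type 0 ("No key") carry no private key and are left out.         */
/* Assumption: class, segment and exists() combine in a DOMAIN select.  */
DOMAIN CERTDATA,
DESC("Certificate private key data"),
SELECT(racf(class=digtcert segment=certdata exists(certprvt),
certprvt<>'00000000'x))

RULE CERTS_KEY DOMAIN(CERTDATA),
SET(DIGTCERT),
DESC("Certificate private key."),
CAPTION("Certificate private key")
TEST 1.Keysize,
racf(certprvs>=2048),
DESC("Certificate key size must be at least 2048.")
TEST 2.Keytype,
/* Hex work-around: 00000001 was RSA-CRT in the summary output above;   */
/* verify the value on your own database with the summary query.        */
racf(certprvt='00000001'x),
DESC("Certificate key type must be RSA-CRT.")
ENDRULE
```

    A finding from 2.Keytype then reports the raw hex value of CERTPRVT rather than the formatted name, so the summary query output is worth keeping next to the rule as the key for reading findings.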



  • 7.  RE: Compliance rules for Certificates

    Posted Thu April 28, 2022 10:06 AM
    Hi Jeroen,

    That's very helpful: I now have a working test for certprvt.

    I've put in an order for zSecure 2.5 so I can install and work with it. Unfortunately, at the moment I need to retain compatibility with zSecure 2.4.0 (Dec 2020 SSE) which is in use across our global estate. So I'll be progressing the remaining tests at a later date.

    Thanks again for all your help.

    Pete Buckley,
    AXA

    ------------------------------
    Peter Buckley
    ------------------------------