
(ZOS) Use writable SAF keyrings

WebSphere Application Server provides a function that lets a WAS administrator perform certificate management operations on System Authorization Facility (SAF) keyrings through the Open Cryptographic Services Facility (OCSF) data library functions for SAF keyrings, that is, the R_datalib (IRRSDL00) callable service.

We must enable support for writable keyrings with the profile management tool before generating the application server profiles. Writable keyring support can be configured only when running z/OS Release 1.9, or z/OS Release 1.8 with APAR OA22287 for Resource Access Control Facility (RACF), or the equivalent APAR for our security product, and APAR OA22295 for SAF.

Define RACF Authority for Clients and Servers

By default, if writable keyring support is enabled during profile management, the generated RACF configuration scripts contain the commands needed to grant write authority. Alternatively, for example when we migrate from an existing installation, we can configure RACF manually with the following procedure.

The control region performs all server certificate management write operations, so the RACF administrator must explicitly grant the RACF ID of the control region authority to update both the control region keyring and the servant region keyring.

The following procedure uses ring-specific profile checking to grant authority. Ring-specific profile checking applies only to a specific keyring and does not allow global access to any keyring.

With ring-specific profile checking, a resource with the format, <ringOwner>.<ringName>.LST is used to provide access control to a specific keyring on the R_datalib READ functions.

A resource with the format <ringOwner>.<ringName>.UPD is used to provide access control to a specific keyring on the UPDATE functions.

The procedure to define RACF authority for clients and servers is as follows:


Tasks

  1. Use ring-specific profile checking for the RDATALIB class. We use the following commands:
    SETR CLASSACT(RDATALIB)
    SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
    

  2. Define a ring-specific LST profile for the control region RACF ID and the servant region RACF ID.
    RDEFINE RDATALIB CRRACFID.**.LST UACC(NONE)
    RDEFINE RDATALIB SRRACFID.**.LST UACC(NONE)
    
  3. Give the control region RACF user ID CONTROL access to both the CRRACFID.**.LST and SRRACFID.**.LST profiles in the RACF RDATALIB class, and give the servant region RACF user ID CONTROL access to its own SRRACFID.**.LST profile. CONTROL on an .LST profile is the level that permits retrieving private keys held in the ring, including those of SITE and CERTAUTH certificates, so grant it only to the region IDs. For example, if the control region RACF user ID is CRRACFID and the servant region RACF user ID is SRRACFID, issue the following commands:
    PERMIT  CRRACFID.**.LST CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    PERMIT  SRRACFID.**.LST CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    PERMIT  SRRACFID.**.LST CLASS(RDATALIB) ID(SRRACFID) ACC(CONTROL)
    

    Also, give READ access, which allows listing the certificates in the ring but not extracting private keys, to all IDs in the WASCFGGROUP for the CRRACFID.**.LST profile.

    PERMIT  CRRACFID.**.LST CLASS(RDATALIB) ID(WASCFGGROUP) ACC(READ)
    

  4. Define a ring-specific UPD profile for the control region RACF ID and the servant region RACF ID.
    RDEFINE RDATALIB CRRACFID.**.UPD UACC(NONE)
    RDEFINE RDATALIB SRRACFID.**.UPD UACC(NONE)
    
  5. Give the control region RACF user ID CONTROL access to the CRRACFID.**.UPD and SRRACFID.**.UPD profiles in the RACF RDATALIB class. The servant region ID gets no access to either .UPD profile, because only the control region performs write operations. For example, if the control region RACF user ID is CRRACFID, issue the following commands:
    PERMIT  CRRACFID.**.UPD CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    PERMIT  SRRACFID.**.UPD CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    
  6. Grant write access to the WAS administrator ID to permit write operations on WAS client keyrings. For example, if the administrator RACF user ID is ADMINRACFID, define and permit the .LST and .UPD profiles for that ID (the same ID must be used consistently in the RDEFINE and PERMIT commands, otherwise the PERMIT fails because the profile does not exist):
    RDEFINE RDATALIB ADMINRACFID.**.LST UACC(NONE)
    PERMIT  ADMINRACFID.**.LST CLASS(RDATALIB) ID(WASCFGGROUP) ACC(READ)
    PERMIT  ADMINRACFID.**.LST CLASS(RDATALIB) ID(ADMINRACFID) ACC(CONTROL)
    RDEFINE RDATALIB ADMINRACFID.**.UPD UACC(NONE)
    PERMIT  ADMINRACFID.**.UPD CLASS(RDATALIB) ID(ADMINRACFID) ACC(CONTROL)
    
  7. Refresh the RDATALIB class.
    SETR RACLIST(RDATALIB) REFRESH
    

    If the required RACF authority has not been granted, we receive the following message when attempting certificate write operations on a keyring:

    Error Message: An error occurred creating the key store: R_datalib (IRRSDL00) error: One or more 
    updates could not be completed. Not RACF authorized to use the requested service. 
    Function code: (7) Return Codes: (8, 8, 8)
    

    If we attempt to create a new keyring or perform a specific certificate write operation on a system that does not have native writable keyring support (the z/OS level or APARs listed above), we receive the following message:

    R_datalib (IRRSDL00) error: One or more updates could not be completed. Requested Function_code not defined. 
    Function code: (7) Return Codes: (8, 8, 20)
    

    Remember: We must be running at z/OS release 1.9, or at 1.8 with APARs OA22287 and OA22295, to use writable keyring support.

    We can link to the following documents in the z/OS Internet Library for more information:

    • Security Server RACF Callable Services (SA22-7691) for a complete guide to RACF Callable Services and the R_Datalib service
    • z/OS Security Server RACF Security Administrator's Guide (SA22-7683) for a complete guide to RACF commands
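
The resource naming described above (<ringOwner>.<ringName>.LST for the R_datalib READ functions, .UPD for the update functions) and the grants issued in steps 2 to 6 can be reviewed before the commands are run on a live system. The following Python model is an added example, not IBM or WebSphere code: it builds the RDEFINE/PERMIT deck from the page's placeholder IDs (CRRACFID, SRRACFID, ADMINRACFID and WASCFGGROUP; connecting the three user IDs to WASCFGGROUP is an assumption), rejects a PERMIT against a profile that was never defined the way RACF does, and simulates ring-specific profile checking so we can see which ID ends up with which access to a given keyring resource. Generic matching covers only the ** qualifier used on this page, and access-list resolution is simplified (a user's own entry, else the best of its groups' entries, else UACC).

```python
"""Model of RACF ring-specific profile checking for the RDATALIB class.

Added example, not IBM or WebSphere code.  Placeholder IDs follow the page
(CRRACFID, SRRACFID, ADMINRACFID, WASCFGGROUP); connecting the three user IDs
to WASCFGGROUP is an assumption.  Generic matching models only the '**'
qualifier, and access-list resolution is simplified: a user's own entry,
else the best of its groups' entries, else UACC.
"""
from dataclasses import dataclass, field
from typing import Dict, List

ACCESS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]   # ascending order


def _rank(level: str) -> int:
    return ACCESS.index(level)


def profile_matches(profile: str, resource: str) -> bool:
    """Qualifier-by-qualifier match of a discrete resource name against a
    profile name; '**' matches zero or more qualifiers, anything else is
    literal ('*' and '%' generics are not modelled)."""
    pq, rq = profile.split("."), resource.split(".")

    def rec(i: int, j: int) -> bool:
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(rq) + 1))
        return j < len(rq) and pq[i] == rq[j] and rec(i + 1, j + 1)

    return rec(0, 0)


def ring_resource(owner: str, ring: str, function: str) -> str:
    """Resource name R_datalib is checked against: READ functions use the
    .LST profile, update functions the .UPD profile."""
    return f"{owner}.{ring}.{'LST' if function == 'READ' else 'UPD'}"


@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)   # ID or group -> level


@dataclass
class RdatalibModel:
    profiles: Dict[str, Profile] = field(default_factory=dict)
    groups: Dict[str, List[str]] = field(default_factory=dict)  # user -> groups
    deck: List[str] = field(default_factory=list)               # commands issued

    def connect(self, user: str, group: str) -> None:
        self.groups.setdefault(user, []).append(group)

    def rdefine(self, name: str, uacc: str = "NONE") -> None:
        self.profiles[name] = Profile(name, uacc)
        self.deck.append(f"RDEFINE RDATALIB {name} UACC({uacc})")

    def permit(self, name: str, ident: str, acc: str) -> None:
        # RACF rejects a PERMIT naming a profile that does not exist; this is
        # what exposes a slip such as ADMINUSERID in place of ADMINRACFID.
        if name not in self.profiles:
            raise KeyError(f"PERMIT {name}: profile not defined in RDATALIB")
        self.profiles[name].acl[ident] = acc
        self.deck.append(f"PERMIT {name} CLASS(RDATALIB) ID({ident}) ACC({acc})")

    def access(self, user: str, resource: str) -> str:
        """Effective access level of `user` to one discrete resource."""
        hits = [p for p in self.profiles.values() if profile_matches(p.name, resource)]
        if not hits:
            return "NONE"          # active class, no covering profile: denied
        prof = min(hits, key=lambda p: p.name.count("**"))  # most specific wins
        if user in prof.acl:
            return prof.acl[user]
        via_groups = [prof.acl[g] for g in self.groups.get(user, []) if g in prof.acl]
        return max(via_groups, key=_rank) if via_groups else prof.uacc

    def allows(self, user: str, resource: str, required: str) -> bool:
        return _rank(self.access(user, resource)) >= _rank(required)


def build_page_deck(cr: str = "CRRACFID", sr: str = "SRRACFID",
                    admin: str = "ADMINRACFID", cfg_group: str = "WASCFGGROUP") -> RdatalibModel:
    """Steps 2 to 6 of the procedure, with one consistent administrator ID."""
    m = RdatalibModel()
    for uid in (cr, sr, admin):
        m.connect(uid, cfg_group)                       # assumed group membership
    m.rdefine(f"{cr}.**.LST")                           # step 2
    m.rdefine(f"{sr}.**.LST")
    m.permit(f"{cr}.**.LST", cr, "CONTROL")             # step 3
    m.permit(f"{sr}.**.LST", cr, "CONTROL")
    m.permit(f"{sr}.**.LST", sr, "CONTROL")
    m.permit(f"{cr}.**.LST", cfg_group, "READ")
    m.rdefine(f"{cr}.**.UPD")                           # step 4
    m.rdefine(f"{sr}.**.UPD")
    m.permit(f"{cr}.**.UPD", cr, "CONTROL")             # step 5
    m.permit(f"{sr}.**.UPD", cr, "CONTROL")
    m.rdefine(f"{admin}.**.LST")                        # step 6
    m.permit(f"{admin}.**.LST", cfg_group, "READ")
    m.permit(f"{admin}.**.LST", admin, "CONTROL")
    m.rdefine(f"{admin}.**.UPD")
    m.permit(f"{admin}.**.UPD", admin, "CONTROL")
    return m


if __name__ == "__main__":
    model = build_page_deck()
    print("\n".join(model.deck))
    for uid in ("CRRACFID", "SRRACFID", "ADMINRACFID"):
        for res in ("CRRACFID.CRRING.LST", "CRRACFID.CRRING.UPD",
                    "SRRACFID.SRRING.LST", "SRRACFID.SRRING.UPD"):
            print(f"{uid:12} {res:22} {model.access(uid, res)}")
```

Running the script prints the deck and an access matrix for the sample rings CRRING, SRRING and ADMRING (constructed names). The expected least-privilege picture is that the servant region has READ on the control region's .LST profile and NONE on every .UPD profile, and the administrator ID has no access to either server ring's .UPD profile. On the real system, RLIST RDATALIB <profile> AUTHUSER shows the actual access list for comparison.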



Related:

  • Secure Sockets Layer security for WAS for z/OS
  • Keystore configurations for SSL
  • WAS security for z/OS
  • Secure communications
  • z/OS Internet Library