A key ring is a collection of certificates that identify a
networking trust relationship (also called a trust policy). In a
client-server network environment, entities identify themselves using
digital certificates. Server applications on z/OS® and OS/390® that want
to establish network connections to other entities can use RACF key rings
and other related services to determine the trustworthiness of the client
or peer entity.
The usage assigned to a certificate when it is connected to a key ring
indicates its intended purpose. Personal certificates are used by the
local server application to identify itself. Certificate-authority
certificates are used to verify the peer entity's certificate. Peers with
certificates issued by certificate authorities connected to the key ring
are considered trusted network entities. Peers possessing certificates
that cannot be verified because the certificate-authority certificate is
not available might also be considered trusted, if their personal
certificates are connected to the key ring as a trusted site certificate.
Note: Use caution when connecting a peer's certificate to a key
ring as a trusted site certificate. The normal certificate verification
tests performed by the server on the peer's certificate are bypassed in
this case; therefore, even expired certificates are considered trusted.
Key rings are associated with specific RACF user IDs. A RACF user ID can
have more than one key ring. Key rings are managed using the RACDCERT
command, and are maintained in the general resource class called DIGTRING.
RACF key rings provide an installation-wide method to share key rings
across multiple servers. You can decentralize responsibility to manage key
rings by granting access to resources in the FACILITY class. (See
"Examples of Controlling the Use of the RACDCERT Command" in topic
20.2.1.1 in the link under Related information at the bottom of
this technote.) However, you can retain sole ability to connect
certificates to key rings at your installation, making it possible for you
to implement and maintain a centralized security or trust policy toward
certificate authorities. For example, you can establish key rings for
servers that contain certificates from only approved certificate
authorities. You can then delegate other key-ring responsibilities to
server administrators who are able to remove certificates from their key
rings, but not add certificates from unapproved sources.
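As an added illustration (not commands from this technote), the RACDCERT and FACILITY-class commands below implement the split of responsibility described above: a central security administrator builds a server's key ring from an approved certificate authority only, and a server-administrator group is permitted to list and remove but not connect. The user IDs WEBSRV and SRVADMIN, the ring name SSLRING, the certificate labels and the data set name are assumed; the access levels granted are likewise an assumption to be checked against the RACDCERT access-requirement tables in the RACF Security Administrator's Guide for your release.

```tso
/* Central security administrator: create the key ring for the server   */
/* user ID WEBSRV. The resulting DIGTRING profile is WEBSRV.SSLRING.    */
RACDCERT ID(WEBSRV) ADDRING(SSLRING)

/* Add the one approved certificate authority (assumed data set and     */
/* label) as a CERTAUTH certificate, marked TRUST.                      */
RACDCERT CERTAUTH ADD('ADMIN.APPROVED.CA.CERT') TRUST WITHLABEL('ApprovedCA')

/* Connect the CA certificate with USAGE(CERTAUTH): peers presenting    */
/* certificates issued by it will be verified and treated as trusted.   */
RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('ApprovedCA') RING(SSLRING) USAGE(CERTAUTH))

/* Connect the server's own certificate (assumed label) as the default  */
/* PERSONAL certificate the server uses to identify itself.             */
RACDCERT ID(WEBSRV) CONNECT(LABEL('WEBSRV Server Cert') RING(SSLRING) DEFAULT USAGE(PERSONAL))

/* Protect the relevant RACDCERT functions in the FACILITY class with   */
/* no default access. No PERMIT is issued for CONNECT, so only the      */
/* central administrator can add certificates to any ring.             */
RDEFINE FACILITY IRR.DIGTCERT.CONNECT  UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.REMOVE   UACC(NONE)
RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)

/* Delegate to the server-administrator group: they may list the ring   */
/* and remove certificates from it (UPDATE assumed sufficient for a     */
/* ring owned by another user ID), but cannot connect anything.         */
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SRVADMIN) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.REMOVE   CLASS(FACILITY) ID(SRVADMIN) ACCESS(UPDATE)
SETROPTS RACLIST(FACILITY) REFRESH

/* Verify the trust policy: the listing shows each connected            */
/* certificate with its usage (PERSONAL or CERTAUTH) and default flag.  */
RACDCERT ID(WEBSRV) LISTRING(SSLRING)
```

Because no SITE connections are made, every peer certificate is subject to normal verification against the single approved CA, which avoids the bypass described in the note above.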
Key rings are identified by ring names that are 1-to-237 characters in
length. Each key-ring profile in the DIGTRING class contains references to
those certificates that are part of that key ring. Profile names are in
the form:
userid.ring-name
When you delete a user ID, DELUSER command processing deletes the user's
key rings by deleting the associated resources in the DIGTRING class. The
certificates referenced in the key ring are not deleted.
Refer to Chapter 20.3, "RACF and key rings", in the link below.