RACF and key rings
 Technote (troubleshooting)
 
Problem(Abstract)
Information about using RACF® and key rings
 
Resolving the problem
A key ring is a collection of certificates that identify a networking trust relationship (also called a trust policy). In a client-server network environment, entities identify themselves using digital certificates. Server applications on z/OS® and OS/390® that want to establish network connections to other entities can use RACF key rings and other related services to determine the trustworthiness of the client or peer entity.

The usage assigned to a certificate when it is connected to a key ring indicates its intended purpose. Personal certificates are used by the local server application to identify itself. Certificate-authority certificates are used to verify the peer entity's certificate. Peers with certificates issued by certificate authorities connected to the key ring are considered trusted network entities. Peers possessing certificates that cannot be verified because the certificate-authority certificate is not available might also be considered trusted, if their personal certificates are connected to the key ring as a trusted site certificate.

Note: Use caution when connecting a peer's certificate to a key ring as a trusted site certificate. The normal certificate verification tests performed by the server on the peer's certificate are bypassed in this case; therefore, even expired certificates are considered trusted.

Key rings are associated with specific RACF user IDs. A RACF user ID can have more than one key ring. Key rings are managed using the RACDCERT command, and are maintained in the general resource class called DIGTRING.

RACF key rings provide an installation-wide method to share key rings across multiple servers. You can decentralize responsibility for managing key rings by granting access to resources in the FACILITY class. (See "Examples of Controlling the Use of the RACDCERT Command" in topic 20.2.1.1 in the link under Related information at the bottom of this technote.) However, you can retain the sole ability to connect certificates to key rings at your installation, making it possible for you to implement and maintain a centralized security or trust policy toward certificate authorities. For example, you can establish key rings for servers that contain certificates from only approved certificate authorities. You can then delegate other key-ring responsibilities to server administrators, who are able to remove certificates from their key rings but not add certificates from unapproved sources.
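As an added example (not from this technote or from IBM documentation), the following REXX exec issues the TSO commands a security administrator might use to build a server key ring holding only approved certificate-authority certificates and to delegate listing and removal, but not connection, to a server administrator. The user IDs WEBSRV and SRVADMIN, the ring name WASRING, the certificate labels and the FACILITY access levels are assumptions; check the access levels against the RACDCERT authorization tables in the Security Administrator's Guide.

```rexx
/* REXX - added example, not from the technote or IBM documentation.   */
/* Assumed names: WEBSRV owns the ring, SRVADMIN is the delegated      */
/* server administrator, WASRING is the ring name; labels are made up. */
address tso

/* 1. Create the ring under the server's user ID. The resulting        */
/*    DIGTRING profile is WEBSRV.WASRING (userid.ring-name).           */
"RACDCERT ID(WEBSRV) ADDRING(WASRING)"

/* 2. Connect only an approved CA certificate with USAGE(CERTAUTH);    */
/*    peers whose certificates were issued by it are then trusted.     */
"RACDCERT ID(WEBSRV) CONNECT(CERTAUTH LABEL('Approved Root CA')",
                           "RING(WASRING) USAGE(CERTAUTH))"

/* 3. Connect the server's own certificate as its default personal     */
/*    certificate, used to identify the server to its peers.           */
"RACDCERT ID(WEBSRV) CONNECT(ID(WEBSRV) LABEL('WEBSRV Server Cert')",
                           "RING(WASRING) USAGE(PERSONAL) DEFAULT)"

/* USAGE(SITE) is deliberately absent: a peer certificate connected as  */
/* a trusted site certificate bypasses normal verification, including   */
/* the expiry check, so it is kept as a centrally controlled exception. */

/* 4. Delegate through FACILITY profiles IRR.DIGTCERT.<function>.      */
/*    SRVADMIN can list and remove certificates on WEBSRV's ring but   */
/*    gets no access to IRR.DIGTCERT.CONNECT, so cannot add new        */
/*    sources. The access levels below are assumptions; confirm them   */
/*    against the RACDCERT authorization tables before use.            */
"RDEFINE FACILITY IRR.DIGTCERT.LISTRING UACC(NONE)"
"RDEFINE FACILITY IRR.DIGTCERT.REMOVE   UACC(NONE)"
"RDEFINE FACILITY IRR.DIGTCERT.CONNECT  UACC(NONE)"
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(SRVADMIN) ACCESS(UPDATE)"
"PERMIT IRR.DIGTCERT.REMOVE   CLASS(FACILITY) ID(SRVADMIN) ACCESS(UPDATE)"
"SETROPTS RACLIST(FACILITY) REFRESH"

/* 5. Review the ring's contents and the usage of each certificate.    */
"RACDCERT ID(WEBSRV) LISTRING(WASRING)"
if rc <> 0 then say "LISTRING failed, return code" rc
exit rc
```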

Key rings are identified by ring names that are 1 to 237 characters in length. Each key-ring profile in the DIGTRING class contains references to those certificates that are part of that key ring. Profile names are in the form:

userid.ring-name

When you delete a user ID, DELUSER command processing deletes the user's key rings by deleting the associated resources in the DIGTRING class. The certificates referenced in the key ring are not deleted.

Refer to "20.3 RACF and key rings" in the publication listed under Related information below.

 
Related information
z/OS V1R4.0 Security Server RACF Security Administrator
 
Document Information

Current web document: swg21170756.html
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server for z/OS > Security
Operating system(s): z/OS
Software version: 5.0
Software edition:
Reference #: 1170756
IBM Group: Software Group
Modified date: Jun 3, 2004