Problem
This technote includes general information about Secure
Sockets Layer (SSL®) and using key rings in WebSphere® Application Server
for z/OS®.

Solution
A key ring is a collection of certificates that identify a
networking trust relationship (also called a trust policy). In a
client-server network environment, entities identify themselves using
digital certificates. Server applications on z/OS and OS/390® that want to
establish network connections to other entities can use RACF® key rings
and other related services to determine the trustworthiness of the client
or peer entity.

The usage assigned to a certificate when it is connected to a key ring
indicates its intended purpose. Personal certificates are used by the
local server application to identify itself. Certificate-authority
certificates are used to verify the peer entity's certificate. Peers with
certificates issued by certificate authorities connected to the key ring
are considered trusted network entities. Peers possessing certificates
that cannot be verified because the certificate-authority certificate is
not available might also be considered trusted if their personal
certificates are connected to the key ring as a trusted site certificate.

Note: Use caution when connecting a peer's certificate to a key
ring as a trusted site certificate. The normal certificate verification
tests performed by the server on the peer's certificate are bypassed in
this case; therefore, even expired certificates are considered trusted.

Key rings are associated with specific RACF user IDs. A RACF user ID can
have more than one key ring. Key rings are managed using the RACDCERT
command, and are maintained in the general resource class called DIGTRING.

RACF key rings provide an installation-wide method to share key rings
across multiple servers. You can decentralize responsibility for managing key
rings by granting access to resources in the FACILITY class. (See
"Examples of Controlling the Use of the RACDCERT Command" in topic
20.2.1.1 under Related information at the bottom of this technote.)
However, you can retain the sole ability to connect certificates to key rings
at your installation. You can then implement and maintain a centralized
security or trust policy toward certificate authorities. For example, you
can establish key rings for servers that contain certificates from only
approved certificate authorities. You can then delegate other key ring
responsibilities to server administrators, who are able to remove certificates
from their key rings but not add certificates from unapproved sources.

Key rings are identified by ring names that are 1 to 237 characters in
length. Each key ring profile in the DIGTRING class contains references to
those certificates that are part of that key ring. Profile names are in
the form:
userid.ring-name

When you delete a user ID, the DELUSER command deletes the user's key
rings by deleting the associated resources in the DIGTRING class. The
certificates referenced in the key ring are not deleted.
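The centralized trust policy described above (security administrator connects only approved CA certificates; server administrator may list and remove but not connect), as an added example in the form of a TSO REXX exec; it is not from the technote. The user IDs WASSRV and WASADM, the ring name WASKeyring and the certificate labels are assumed values, the CA certificate is assumed to already exist under CERTAUTH, and the FACILITY access levels should be checked against the RACDCERT authorization table for the installed RACF release.

```rexx
/* REXX: build a WebSphere key ring under a centralized trust policy.
   Added example; user IDs, ring name and labels are assumptions,
   not values taken from the technote.                                */
address tso

srv   = 'WASSRV'     /* RACF user ID the WebSphere server runs under */
admin = 'WASADM'     /* server administrator receiving delegation    */
ring  = 'WASKeyring' /* DIGTRING profile becomes WASSRV.WASKeyring   */

/* 1. The security administrator creates the ring owned by the server ID. */
"RACDCERT ID("srv") ADDRING("ring")"

/* 2. Only approved CA certificates are connected, with USAGE(CERTAUTH),
      so a peer is trusted only if its certificate chains to one of them.
      (Assumes the CA certificate was already added under CERTAUTH.)   */
"RACDCERT ID("srv") CONNECT(CERTAUTH LABEL('Approved Corp CA')",
                           "RING("ring") USAGE(CERTAUTH))"

/* 3. The server's own certificate is connected as PERSONAL and DEFAULT,
      so the server presents it when identifying itself.                */
"RACDCERT ID("srv") CONNECT(ID("srv") LABEL('WASSRV Server Cert')",
                           "RING("ring") USAGE(PERSONAL) DEFAULT)"

/* 4. Delegation: WASADM may list and remove entries from rings owned
      by another user ID, but receives NO access to IRR.DIGTCERT.CONNECT,
      so it cannot add certificates from unapproved sources.
      CONTROL on REMOVE also reaches other users' rings; confirm the
      required levels in the RACDCERT authorization table for your
      release before applying them.                                     */
"PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID("admin") ACCESS(UPDATE)"
"PERMIT IRR.DIGTCERT.REMOVE   CLASS(FACILITY) ID("admin") ACCESS(CONTROL)"
"SETROPTS RACLIST(FACILITY) REFRESH"   /* if FACILITY is RACLISTed */

/* 5. Show what the ring now trusts and which entry is the default. */
"RACDCERT ID("srv") LISTRING("ring")"
```

Deleting WASSRV with DELUSER would remove the WASSRV.WASKeyring profile from DIGTRING but leave the connected certificates in place, as the technote states.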