Using writable SAF keyrings

WebSphere® Application Server lets a WebSphere Application Server administrator perform certificate management operations on System Authorization Facility (SAF) keyrings by using the Open Cryptographic Services Facility (OCSF) Data Library functions for SAF keyrings.

Before you begin

You must enable support for writable keyrings using the profile management tool before generating the application server profiles. Writable keyring support is configurable only when running z/OS® Release 1.9, or z/OS Release 1.8 with APAR OA22287 for resource access control facility (RACF®) (or the equivalent APAR for your security product) and APAR OA22295 for SAF.

About this task

Defining RACF Authority for Clients and Servers

By default, if writable keyring support is enabled during profile management, the default RACF configuration scripts generate the commands needed to grant write authority. Optionally, when you migrate from an existing installation, you can configure RACF using the procedure below.
Note: The control region performs all server certificate management write operations, so the RACF administrator must explicitly grant the RACF ID of the control region authority to update both the control region keyring and the servant region keyring.

The procedure below uses ring-specific profile checking to grant authority. Ring-specific profile checking applies only to a specific keyring and does not allow global access to any keyring.

With ring-specific profile checking, a resource with the format <ringOwner>.<ringName>.LST is used to provide access control to a specific keyring on the R_datalib READ functions.

A resource with the format <ringOwner>.<ringName>.UPD is used to provide access control to a specific keyring on the UPDATE functions.

The procedure to define RACF authority for clients and servers is as follows:

Procedure

  1. Use ring-specific profile checking for the RDATALIB class. You use the following commands:
    SETR CLASSACT(RDATALIB)
    SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
    
  2. Define a ring-specific LST profile for the control region RACF ID and the servant region RACF ID.
    RDEFINE RDATALIB CRRACFID.**.LST UACC(NONE)
    RDEFINE RDATALIB SRRACFID.**.LST UACC(NONE)
    
  3. Give CONTROL access for the CRRACFID.**.LST and SRRACFID.**.LST profiles in the RACF RDATALIB class to the control region RACF user ID. For example, if the control region RACF user ID is CRRACFID and your servant region RACF user ID is SRRACFID, issue the following commands:
    PERMIT  CRRACFID.**.LST CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    PERMIT  SRRACFID.**.LST CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    PERMIT  SRRACFID.**.LST CLASS(RDATALIB) ID(SRRACFID) ACC(CONTROL)
    
    Also, give READ access to all IDs in the WASCFGGROUP for the CRRACFID.**.LST profile.
    PERMIT  CRRACFID.**.LST CLASS(RDATALIB) ID(WASCFGGROUP) ACC(READ)
  4. Define a ring-specific UPD profile for the control region RACF ID and the servant region RACF ID.
    RDEFINE RDATALIB CRRACFID.**.UPD UACC(NONE)
    RDEFINE RDATALIB SRRACFID.**.UPD UACC(NONE)
    
  5. Give CONTROL access for the CRRACFID.**.UPD and SRRACFID.**.UPD profiles in the RACF RDATALIB class to the control region RACF user ID. For example, if your control region RACF user ID is CRRACFID, issue the following commands:
    PERMIT  CRRACFID.**.UPD CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    PERMIT  SRRACFID.**.UPD CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
    
  6. Grant write access to the WebSphere Application Server administrator ID to permit write operations on WebSphere Application Server client keyrings. For example, if the administrator RACF user ID is ADMINRACFID, define both the LST and the UPD profile and give the administrator ID CONTROL access to each:
    RDEFINE RDATALIB ADMINRACFID.**.LST UACC(NONE)
    PERMIT  ADMINRACFID.**.LST CLASS(RDATALIB) ID(WASCFGGROUP) ACC(READ)
    PERMIT  ADMINRACFID.**.LST CLASS(RDATALIB) ID(ADMINRACFID) ACC(CONTROL)
    RDEFINE RDATALIB ADMINRACFID.**.UPD UACC(NONE)
    PERMIT  ADMINRACFID.**.UPD CLASS(RDATALIB) ID(ADMINRACFID) ACC(CONTROL)
    
  7. Refresh the RDATALIB class.
    SETR RACLIST(RDATALIB) REFRESH
    Note: If RACF authority is not granted you receive the following message when attempting certificate write operations on a keyring:
    Error Message: An error occurred creating the key store: R_datalib (IRRSDL00) error: One or more updates could not be completed. Not RACF authorized to use the requested service. Function code: (7) Return Codes: (8, 8, 8)
    Note: If you attempt to create a new keyring or perform a specific certificate write operation and do not have native writable support, you receive the following message:
    R_datalib (IRRSDL00) error: One or more updates could not be completed. Requested Function_code not defined. Function code: (7) Return Codes: (8, 8, 20)
    Remember: You must be running at z/OS release 1.9, or release 1.8 with APARs OA22287 and OA22295, to use writable keyring support.
    See the following documents in the z/OS Internet library at http://www-03.ibm.com/servers/eserver/zseries/zos/bkserv/ for more information:
    • Security Server RACF Callable Services (SA22-7691) for a complete guide to RACF Callable Services and the R_Datalib service
    • z/OS Security Server RACF Security Administrator's Guide (SA22-7683) for a complete guide to RACF commands
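The following Python script is an added example; it is not part of the IBM documentation and not code the product ships. It models a set of RDATALIB RDEFINE and PERMIT commands in the forms used in steps 1 to 7 and checks them for three mistakes that either leave a region without the authority it needs (the "Not RACF authorized" message above) or quietly widen access to a keyring: a profile defined with a UACC other than NONE, a PERMIT that names a profile no RDEFINE created (typically a mis-typed ID), and a defined profile that no PERMIT ever grants. The parser accepts only the command shapes shown in this procedure. Both command sets are constructed for the example; the second one deliberately spells the administrator ID two different ways and defines its UPD profile with UACC(READ) so that the checks have something to find.

```python
"""Consistency check for RACF RDATALIB ring-specific profile commands.

Added example, not from the IBM page: it models RDEFINE / PERMIT commands
like those in the procedure above and reports the mistakes that most often
leave a keyring unusable or over-exposed.
"""
import re

# RDEFINE RDATALIB <profile> UACC(<access>)
RDEFINE_RE = re.compile(r"^RDEFINE\s+RDATALIB\s+(\S+)\s+UACC\((\w+)\)\s*$", re.I)
# PERMIT <profile> CLASS(RDATALIB) ID(<user or group>) ACC(<access>)
PERMIT_RE = re.compile(
    r"^PERMIT\s+(\S+)\s+CLASS\(RDATALIB\)\s+ID\((\w+)\)\s+ACC\((\w+)\)\s*$", re.I)
# Ring-specific profile form: <ringOwner>.<ringName>.LST or <ringOwner>.<ringName>.UPD
PROFILE_RE = re.compile(r"^[A-Z0-9@#$]+\.\S+\.(LST|UPD)$")


def parse(commands):
    """Return ({profile: UACC}, [(profile, id, access), ...]) from lines of RACF commands."""
    profiles, permits = {}, []
    for raw in commands:
        line = raw.strip()
        if not line or line.upper().startswith("SETR"):
            continue  # class activation / RACLIST refresh carry no access data
        m = RDEFINE_RE.match(line)
        if m:
            profiles[m.group(1).upper()] = m.group(2).upper()
            continue
        m = PERMIT_RE.match(line)
        if m:
            permits.append(tuple(g.upper() for g in m.groups()))
            continue
        raise ValueError(f"unrecognised command: {line}")
    return profiles, permits


def check(commands):
    """Return a list of findings; an empty list means the command set is consistent."""
    profiles, permits = parse(commands)
    findings = []
    for prof, uacc in profiles.items():
        if not PROFILE_RE.match(prof):
            findings.append(f"{prof}: not in <ringOwner>.<ringName>.LST|UPD form")
        if uacc != "NONE":
            # Any UACC other than NONE gives every RACF user that level of access.
            findings.append(f"{prof}: UACC({uacc}) is not UACC(NONE)")
    for prof, who, acc in permits:
        if prof not in profiles:
            # A PERMIT must name a profile that exists; a mis-typed ID shows up here.
            findings.append(f"PERMIT {prof} to {who}: no RDEFINE for this profile")
    granted = {prof for prof, _, _ in permits}
    for prof in profiles:
        if prof not in granted:
            findings.append(f"{prof}: defined but no PERMIT grants access to it")
    return findings


# Constructed sample: the control and servant region commands of steps 1 to 5 and 7.
REGION_COMMANDS = """
SETR CLASSACT(RDATALIB)
SETR RACLIST(RDATALIB) GENERIC(RDATALIB)
RDEFINE RDATALIB CRRACFID.**.LST UACC(NONE)
RDEFINE RDATALIB SRRACFID.**.LST UACC(NONE)
PERMIT  CRRACFID.**.LST CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
PERMIT  SRRACFID.**.LST CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
PERMIT  SRRACFID.**.LST CLASS(RDATALIB) ID(SRRACFID) ACC(CONTROL)
PERMIT  CRRACFID.**.LST CLASS(RDATALIB) ID(WASCFGGROUP) ACC(READ)
RDEFINE RDATALIB CRRACFID.**.UPD UACC(NONE)
RDEFINE RDATALIB SRRACFID.**.UPD UACC(NONE)
PERMIT  CRRACFID.**.UPD CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
PERMIT  SRRACFID.**.UPD CLASS(RDATALIB) ID(CRRACFID) ACC(CONTROL)
SETR RACLIST(RDATALIB) REFRESH
""".splitlines()

# Constructed sample with two deliberate mistakes: the administrator ID is
# spelled two ways (ADMINUSERID vs ADMINRACFID) and the UPD profile uses UACC(READ).
ADMIN_COMMANDS_BAD = """
RDEFINE RDATALIB ADMINUSERID.**.LST UACC(NONE)
PERMIT ADMINRACFID.**.LST CLASS(RDATALIB) ID(WASCFGGROUP) ACC(READ)
PERMIT ADMINRACFID.**.LST CLASS(RDATALIB) ID(ADMINRACFID) ACC(CONTROL)
RDEFINE RDATALIB ADMINRACFID.**.UPD UACC(READ)
PERMIT  ADMINUSERID.**.LST CLASS(RDATALIB) ID(ADMINRACFID) ACC(CONTROL)
""".splitlines()

if __name__ == "__main__":
    for name, cmds in (("region", REGION_COMMANDS), ("admin", ADMIN_COMMANDS_BAD)):
        print(f"== {name} ==")
        for finding in check(cmds) or ["no findings"]:
            print("  " + finding)
```

The profile lookup is an exact match on the profile name, which mirrors how RACF treats PERMIT: the command names an existing profile, so a PERMIT against ADMINRACFID.**.LST does nothing for a profile that was defined as ADMINUSERID.**.LST. Run against the second set, the script reports four findings: the UACC(READ) on the UPD profile, two PERMITs on a profile that was never defined, and a UPD profile with no grant at all.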




Last updated: Oct 22, 2010 12:21:29 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-zos&topic=tsec_7usewriteSAF_keyring
File name: tsec_7usewriteSAF_keyring.html