Introducing z/OS PKI Services
This chapter gives you a brief overview of what z/OS PKI Services can provide to accommodate the management considerations and shows how flexibly it can accommodate the certificate lifecycle.
This chapter includes the following topics:
3.1 Goals
In this chapter, we have the following goals:
Show how the z/OS PKI Services functions fit into the digital certificate lifecycle.
Clarify the similarities and differences of the administrator and requester (or user).
Provide an overview of the z/OS PKI Services elements.
3.2 z/OS PKI Services functions
The z/OS PKI Services are structured to help you manage your organization and help simplify some of the procedures and processes of the certificate's lifecycle. z/OS PKI Services includes functions for the following roles:
The certificate requester, which can be a person or a server (sometimes referred to as the user).
The administrator or team of administrators.
3.2.1 Certificate templates
z/OS PKI services provides you with default certificate templates within the web application. You can request different kinds of certificates that are based on the intended purpose and other considerations, such as the validity period. These templates can be customized and completed with default values. You also can indicate fields that are mandatory or optional to complete on the certificate request form, as shown in Figure 3-1.
Figure 3-1 Use of the templates
Use of the provided certificate templates can ensure that all certificates that are requested by using your customized templates are aligned with your organization’s IT security policies.
z/OS PKI provides the following services:
Request or renew certificates
Approve certificate requests
Email notification
Generate certificates
Distribute certificates
Revoke certificates
3.2.2 Requesting or renewing certificates
To request or renew digital certificates, z/OS PKI Services provides a user web application. This application guides the user to request and renew certificates through their web browsers. The application includes sample windows that can be easily customized to meet your organization’s requirements, standards, and appearance, as shown in Figure 3-2.
Figure 3-2 User web application sample window
z/OS PKI Services creates certificates both for requesters who generated their own key pair and for requesters who did not. For requesters who did not generate their own key pair, z/OS PKI Services can generate the key pair. However, the Integrated Cryptographic Service Facility (ICSF) must be configured to use this function.
 
3.2.3 Approving certificate requests
z/OS PKI Services provides administrative functions to approve, approve with modifications, or reject requests. It also supports the following tasks:
Review pending certificate requests.
Query pending requests to process those requests that meet certain criteria.
Display detailed information about a certificate or request.
Annotate the reason for an administrative action.
z/OS PKI Services provides fine-grained control over the authorization of PKI administrators. Authorization can be based on the certificate authority (CA) domain, the administrative action that is being performed, or the certificate type, as shown in Figure 3-3.
Figure 3-3 Administration web application sample window
Depending on the IT security policies you have in your enterprise, you might have a team of administrators in place for approving a certificate request. z/OS PKI Services provides the ability to require approvals from multiple administrators before issuing the requested certificate (NxM authorization).
In contrast to certificate requests that require multiple approval steps, you can set up z/OS PKI services to bypass the approval process; for example, the certificate request is automatically approved if the requester authenticated themselves in RACF first.
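The approval rules described in this section can be modeled as a small gate, shown here as an added example that is not z/OS PKI Services code. The policy table, the administrator IDs, the template names, and the no-self-approval rule are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: approvers are scoped per (CA domain, certificate template),
# and "required" is the N in "N of M administrators". All IDs and names are hypothetical.
POLICY = {
    ("Subca1", "server"): {"admins": {"ADMIN1", "ADMIN2", "ADMIN3"}, "required": 2},
    ("Subca1", "browser"): {"admins": {"ADMIN1"}, "required": 1, "auto_approve": True},
}


@dataclass
class CertRequest:
    domain: str
    template: str
    requester: str
    authenticated: bool = False   # requester authenticated to the security manager first
    approvers: set = field(default_factory=set)
    status: str = "pending"


def submit(req: CertRequest) -> str:
    """Apply the bypass only if the template allows it AND the requester authenticated."""
    rule = POLICY.get((req.domain, req.template))
    if rule is None:
        req.status = "rejected"   # no policy for this domain/template: fail closed
    elif rule.get("auto_approve") and req.authenticated:
        req.status = "approved"
    return req.status


def approve(req: CertRequest, admin: str) -> str:
    """Record one administrator's approval; return 'denied' if it must not count."""
    rule = POLICY.get((req.domain, req.template))
    if rule is None or req.status != "pending":
        return "denied"
    if admin not in rule["admins"]:
        return "denied"           # not authorized for this domain and template
    if admin == req.requester:
        return "denied"           # assumption of this model: no self-approval
    req.approvers.add(admin)      # a set, so a repeated approval by one admin counts once
    if len(req.approvers) >= rule["required"]:
        req.status = "approved"
    return req.status
```

The point to carry into a real configuration review is that approvals are counted per distinct administrator identity and that the bypass depends on both the template and the requester's authentication.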
3.2.4 Email notifications
z/OS PKI Services provides the capability to send email notifications to different users in the following circumstances:
Notify users whose certificate request was rejected or is ready for retrieval, as shown in Figure 3-4.
Send renewal notifications to avoid issues arising from expired certificates. This ability helps prevent outages from occurring because of expired certificates, especially certificates owned by servers.
Send email notifications to administrators who have requests pending.
Automatically renew certificates.
Attention - Please do not reply to this message as it was automatically
sent by a service machine.
 
 
Thank you for choosing ITSO SUBCA1 PKI. The certificate you requested for
subject CN=ibm.Redbooks.com,OU=Class 1 Internet Certificate CA,O=The Firm is now ready for pickup.
 
Please visit:
https://wtsc74.itso.ibm.com/Subca1/ssl-cgi-bin/caretrieve.rexx?TransactionId=1k9UcGqjTLuv2Qn17%2B%2B%2B%2B%2B%2B%2B&Template=PKI+Key+Certificate
to retrieve your certificate.
 
If that link does not work, try to go to
http://wtsc74.itso.ibm.com/Subca1/public-cgi/camain.rexx
And enter the transaction ID listed below:
1k9UcGqjTLuv2Qn21+++++++
 
You will need to input your passphrase that you entered when you submitted the
request.
Figure 3-4 Email notification that a requested certificate is available to pick up
3.2.5 Generating certificates
z/OS PKI Services acts as a CA and a Registration Authority (RA). It performs the verification, approval, and issuance processes.
If the certificate requester generated the key pair, the public key is sent with the request. The requester keeps their private key. z/OS PKI Services has no knowledge of the private key, but includes the public key into the certificate.
There is a key issue here that must be considered. Because z/OS PKI Services has no knowledge of the private key, it cannot recover the private key if the requester loses it. In that case, the requester must recover the key themselves or request a new certificate by using a new key pair.
 
However, if the requester asked z/OS PKI Services to generate the key pair (via ICSF), the key pair is stored in the token data set. After the certificate is created, it is packaged with the private key and an email is sent to the requester that contains a link for the requester to retrieve the package.
z/OS PKI services can generate Rivest-Shamir-Adleman (RSA) keys and ECC keys.
 
3.2.6 Distributing certificates
Requesters can obtain their certificates by using the user web application directly from the web browser.
z/OS PKI Services also supports standardized protocols; therefore, client applications can request and obtain certificates autonomously. The support includes the following protocols:
Simple Certificate Enrollment Protocol (SCEP)
By using SCEP, you can securely issue certificates to large numbers of network devices by using an automatic enrollment technique. The network devices (often IPSEC devices, such as Cisco routers) must be SCEP-enabled and preregistered to your CA domain before they can successfully request certificates from you.
You can configure PKI Services to respond automatically to SCEP certificate requests or to submit SCEP certificate requests to the PKI administrator for approval.
Certificate Management Protocol (CMP)
CMP is an Internet Protocol that is used to manage digital certificates within a PKI. A certificate request message object is used within the protocol to convey a request for a certificate to a CA. z/OS PKI Services allows a CMP client to communicate with it to request, revoke, suspend, and resume certificates.
3.2.7 Providing certificate revocation status
A certificate can be revoked by the administrator or the certificate owner. When a certificate is revoked, it is put on a Certificate Revocation List (CRL). If there are high activity levels for the certificates, the CRL can become large, which can result in longer response times for applications processing the CRL. If so, you might consider dividing the single CRL into Distribution Point CRLs (DP CRLs), as shown in Figure 3-5 on page 33.
Figure 3-5 Dividing the CRL into multiple DP CRLs
Each DP CRL contains its own location and this location is contained within the CRLDistributionPoints extension value. The CRLs and the DP CRLs can be saved in a file system or they can be posted to LDAP. You check the revocation status by referring to the CRL or DP CRLs.
z/OS PKI Services provides you with another way to check the certificate revocation status by using the Online Certificate Status Protocol (OCSP). z/OS PKI Services can be enabled as an OCSP responder. In that role, z/OS PKI Services receives requests that contain a certificate serial number, uses the certificate's unique information to check the revocation status of the certificate, and responds to the requester with the appropriate status. The location of the revocation status is contained within the certificate in the AuthorityInfoAccess extension.
 
Note: The status that is retrieved by using OCSP is current, although the CRL option might not reflect the latest content at the time the check was performed.
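The difference between CRL-based and OCSP-based checking described above can be made concrete with a small model, added here as an example that is not z/OS PKI Services code. It assumes that each DP CRL covers a fixed range of serial numbers (DP_SIZE) and that the OCSP responder answers from the live revocation state; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

DP_SIZE = 3  # assumption: each DP CRL covers a fixed range of serial numbers


@dataclass
class ModelCA:
    next_serial: int = 1
    revoked: set = field(default_factory=set)      # live state, what OCSP answers from
    published: dict = field(default_factory=dict)  # DP CRL name -> frozen set of serials

    @staticmethod
    def dp_for(serial: int) -> str:
        """Name of the DP CRL that a certificate's CRLDistributionPoints would point to."""
        return f"CRL{(serial - 1) // DP_SIZE + 1}"

    def issue(self) -> int:
        serial = self.next_serial
        self.next_serial += 1
        return serial

    def revoke(self, serial: int) -> None:
        if not 1 <= serial < self.next_serial:
            raise ValueError(f"serial {serial} was never issued")
        self.revoked.add(serial)

    def publish_crls(self) -> None:
        """Snapshot the live revocation set into one CRL per distribution point."""
        snapshot = {}
        for serial in range(1, self.next_serial):
            snapshot.setdefault(self.dp_for(serial), set())
        for serial in self.revoked:
            snapshot[self.dp_for(serial)].add(serial)
        self.published = {dp: frozenset(s) for dp, s in snapshot.items()}

    def crl_status(self, serial: int) -> str:
        """A relying party reads only the one DP CRL that covers this serial number."""
        crl = self.published.get(self.dp_for(serial))
        if crl is None:
            return "unknown"  # nothing published yet for that distribution point
        return "revoked" if serial in crl else "good"

    def ocsp_status(self, serial: int) -> str:
        if not 1 <= serial < self.next_serial:
            return "unknown"
        return "revoked" if serial in self.revoked else "good"


def revocation_window() -> list:
    """Return (step, CRL answer, OCSP answer) for serial 5 before and after revocation."""
    ca = ModelCA()
    for _ in range(7):            # serials 1..7 land in CRL1, CRL2 and CRL3
        ca.issue()
    ca.publish_crls()
    timeline = [("CRLs published", ca.crl_status(5), ca.ocsp_status(5))]
    ca.revoke(5)
    timeline.append(("revoked, CRL not reissued", ca.crl_status(5), ca.ocsp_status(5)))
    ca.publish_crls()
    timeline.append(("CRL reissued", ca.crl_status(5), ca.ocsp_status(5)))
    return timeline
```

In the middle step the CRL check still reports the revoked certificate as good, which is the window that the publication interval of the CRL determines.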
3.3 z/OS PKI Services elements overview
The elements that make up z/OS PKI Services can be divided into the following topics:
User interfaces
Request handlers
Repositories
Audit data and reporting opportunities
3.3.1 User interfaces
The interfaces can be started by a user or by software on a server. The following interfaces are available:
Certificate Management Protocol (CMP)
Online Certificate Status Protocol (OCSP)
Simple Certificate Enrollment Protocol (SCEP)
Browser interface for the user
Browser interface for the administrator
The interfaces are through the web services provided by the following servers:
z/OS HTTP Server
IBM WebSphere® Application Server
Figure 3-6 shows which interfaces can connect to which server.
Figure 3-6 Interfaces
 
Note: IBM HTTP Server powered by Domino® V5.3 is not supported by z/OS V2R2. Earlier versions of z/OS PKI Services (z/OS 2.1 and lower) support IBM HTTP Server that is powered by Domino. The z/OS V2R2 requires the IBM HTTP Server powered by Apache V9.0, which is shipped with the base z/OS V2R2.
Certificate Management Protocol
CMP is an Internet Protocol that is used to manage X.509 digital certificates within a PKI. Messages can be sent to the CA to request, revoke, suspend, or resume a certificate. The CMP client sends the request directly to the HTTP server (and port number) that handles the client authentication requests. The CMP client must have a certificate installed in RACF (or equivalent) under the client’s ID. The certificate is used by the requester to authenticate itself, and its owner ID is used to access the PKI.
Online Certificate Status Protocol
OCSP is used extensively for determining a certificate's status to see whether it was revoked. For more information, see “Providing certificate revocation status” on page 32.
Simple Certificate Enrollment Protocol
The web application can be used to pre-register as a client to use SCEP. The SCEP provides a simplified way for the z/OS PKI services web application to format the requests for the creation of certificate requests.
Browser interface for users
The user web pages consist of sample screens that you can easily customize to meet your organization's needs for certificate content and standards for appearance. For example, you can display your organization’s logo. It offers several certificate templates that the requester can use to create requests for various certificate types, based on the certificate’s intended purpose and validity period, and supports certificate requests that are automatically approved.
It supports the following tasks:
Request a certificate
Renew a certificate
Revoke or suspend a certificate
Pick up a certificate
Browser interface for administrators
The web application assists authorized administrators to manage certificate requests and issued certificates through their own web browsers. It also supports the following tasks:
Reviewing pending certificate requests
Querying pending requests to approve or reject those requests
Displaying detailed information about a certificate or request
Monitoring certificate information, such as validity period
Annotating the reason for an administrative action
Revoke or suspend a certificate
Delete a certificate request
Delete an issued certificate
Administrator and user actions
We described the z/OS PKI services functions that are available to the administrator and user. Table 3-1 lists the actions, required status of the certificate to take the action, and who can perform the action.
Table 3-1 Administrator and user actions summary
| Action | Required certificate status | Who performs the action |
|---|---|---|
| Renew | Active | User |
| Resume | Suspended | Administrator |
| Revoke | Active or suspended | User or Administrator |
| Suspend | Active | User or Administrator |
| Delete | Active, Expired, Suspended, Revoked, or Revoked Expired | Administrator |
| Enable automatic renewal | Active or Active AutoRenewDisabled | Administrator |
| Disable automatic renewal | Active or Active AutoRenew | Administrator |
| Change requester email | All statuses (applies only to certificates for which z/OS PKI Services generated the key pair) | Administrator |
3.3.2 Query and request handlers
The queries and requests from the user interfaces can be handled by the processes that are shown in Figure 3-7, depending on what actions are required to satisfy the request.
Figure 3-7 Query and request handlers
The queries and requests are captured by the HTTP server or WebSphere Application Server or go directly to the System Authorization Facility (SAF) Services application programming interface (API) R_PKIServ callable service (IRRSPX00). This service allows authorized applications, such as servers, to programmatically request the functions of PKI Services. If the HTTP server is used, the CGI scripts call R_PKIServ through a REXX glue routine. If the WebSphere Application Server is used, the JSPs call R_PKIServ through the JNI layer.
RACF (or equivalent)
Controls who can use the functions of the R_PKIServ callable service and protects the components of your PKI Services system. RACF creates your certificate authority's certificate, key ring, and private key. You can also use it to store the private key if ICSF is not available.
ICSF
Although optional, it is strongly suggested that ICSF is part of your PKI. Because it is not required to be present initially, it can be added later. ICSF is necessary for the following functions:
RACF can optionally use ICSF’s public key data set (PKDS) to securely store the PKI Services CA signing key.
PKI Services can use ICSF PKCS #11 token data set (TKDS) to store key pairs that PKI Services generates for non-CMP certificate requests.
 
Note: If ICSF is not running and the TKDS is not set up, PKI Services cannot generate the key pairs.
Securely store the z/OS PKI Services certificate authority's private signing key and key pairs that PKI Services generates for certificates.
ICSF supports elliptic curve cryptography (ECC) keys. The z/OS PKI Services CMP CGI (see Figure 3-6 on page 34) needs ICSF’s PKCS #11 to generate key pairs.
 
PKI Services daemon
The server daemon performs all the z/OS PKI Services functions.
3.3.3 Repositories
Figure 3-8 shows the repositories that are associated with z/OS PKI Services. Some of the repositories are optional and their existence and use depends on how you choose to configure your environment. For example, if you choose the IBM DB2® database options in preference to the VSAM options, DB2 must be available.
Figure 3-8 z/OS PKI Services associated repositories
The ICSF data sets also are optional. If you are not running ICSF, the only tasks that you cannot perform are the specific tasks that are related to ICSF. You might not need those specific functions.
RACF database
The RACF database contains many aspects that are related to security as a whole. In terms of z/OS PKI Services, it contains the following components:
The CA’s key ring, which contains the CA certificate and its private key
Profiles protecting the PKI Services’ functions and keys
LDAP
The directory that maintains information about the valid and revoked certificates that PKI Services issues in an LDAP-compliant format. You can use an LDAP server, such as the one provided by IBM Tivoli® Directory Server for z/OS.
Object store database
The object store contains all of the certificate requests. This store can be a VSAM file or DB2 database.
Issued certificates list database
This database contains the issued certificates list (ICL) and details about the certificates. This database can be a VSAM file or DB2 database.
Public key data set (optional)
The PKDS is used by RACF through ICSF to securely store the PKI Services CA signing key.
Token key data set (optional)
z/OS PKI Services can use ICSF PKCS #11 token data set (TKDS) to store key pairs that PKI Services generates.
3.3.4 Audit data and reporting opportunities
z/OS PKI services creates SMF type 80 records through the RACF R_PKIServ callable service and through the daemon. Figure 3-9 shows a list of the recorded activities.
Figure 3-9 SMF data capture and possible uses
The SMF record type 80 data can be post-processed in similar ways as other SMF records are used for valuable reporting on activity levels.
Audit trail
The SMF data is an audit trail of the z/OS PKI Services activities. Depending on the audit policies and practices that are deployed in your site, this feature is an effective way to report certificate activities to monitor the policies and practices and to measure their effectiveness. The SMF data can be analyzed and includes the following possibilities for its use:
Identify non-expired obsolete certificates and prevent them from remaining available
Monitor the request activities and identify who is involved with each request
Provide activity level for potential charge back to projects
Analyze activity trends
Explore certificate status for problem determination purposes
3.4 Added value of z/OS PKI Services
The z/OS PKI Services is a full PKI and can support the certificate lifecycle. It also adds value that is inherited from the underlying hardware and operating system.
3.4.1 Scalability
The implementation of your PKI infrastructure can enjoy the scalability of z Systems hardware and software. You can use the amount of capacity you need to fulfil your organization’s requirements.
3.4.2 Availability
z/OS PKI Services benefits from the Qualities of Service for availability. This benefit is provided by the underlying operating system, z/OS, especially when z/OS Sysplex capabilities are used.
The scope of sharing affects your strength of availability. With the Sysplex option offered by z Systems, you can share the repositories across the sysplex; that is, across multiple instances of z/OS. Availability is strengthened because each z/OS system can access z/OS PKI Services and access the shared data.
Figure 3-10 on page 40 shows a scenario in which there is a remote data center that also has a Sysplex. This configuration can take over the certificate work if the first data center becomes unavailable.
Figure 3-10 Availability
When VSAM data sets are used as back-end storage, VSAM record level sharing (RLS) can be used across the Sysplex. When DB2 for z/OS is used, DB2 data sharing can be used to set up highly available back-end storage. IBM HTTP Server and WebSphere Application Server allow setup for failover scenarios.
3.4.3 Security
PKI Services uses SSL/TLS for all the traffic that flows through the z/OS HTTP Server. The WebSphere Application Server can be used as an alternative to the z/OS HTTP Server; the same security mechanisms regarding encrypted traffic and authenticated requests apply.
The Resource Access Control Facility (RACF) or equivalent external security manager can be used to control who can call the PKI Services functions and protect access of the private key of the CA.
RACF provides granular administration authorization control on requests and certificates based on the domain, action, and the certificate template.
RACF creates your CA’s certificate, key pair, and key ring. The private key is stored in the RACF database or in the public key data set (PKDS) if ICSF is available.
 
If the Enterprise PKCS#11 coprocessor is available to your system, it provides the ability for hardware protection for the private key of the PKI Services CA and those it generated for the requesters.
The private signing key of the CA is critical. If this key is compromised, an attacker can issue certificates in the name of the CA. The use of a hardware security module (HSM), such as the IBM Enterprise PKCS#11 coprocessor, ensures that the CA’s private signing key never leaves the secure coprocessor boundary decrypted.
3.4.4 Cost
z/OS PKI Services is not a separately priced product. Rather, it is licensed and integrated within z/OS.
Because z/OS PKI Services provides the capability to issue certificates, it is an alternative to buying certificates from third parties; for example, for the company’s internal IT environment. With costs of $20 - $1,200 USD per SSL certificate per year for x number of entities, the savings can easily add up to millions per year.
3.5 Certificates across the enterprise
Figure 3-11 shows an example for a possible CA hierarchy set up in an enterprise. The root CA has 3 intermediate or sub CAs.
Figure 3-11 Possible setup of enterprise CA hierarchy
The three sub CAs issue certificates for different use cases in the enterprise. You can divide the sub CAs into organizational structures to match your enterprise.
Examples of different use cases are certificates to authenticate mobile devices to the corporate network, SSL certificates for internal servers, VPN certificates for users dialing into the corporate network from home, and certificates to sign or encrypt email.
After the certificate is available, the requesters can download it to their respective areas. This task can be on any platform or in the requester’s cloud.
3.6 What is next?
You now have a high-level understanding of the capabilities of z/OS PKI services and the key role it can play in providing an effective way to create and manage certificates and provide you with important email notification functions and audit trails to help reduce security risks.
The next step for you is to implement a quick and simple structure on a test LPAR so that you can quickly see and get the feel of z/OS PKI services.
This book shows you how to set up and use the web application with the default supplied templates.
For more information, see the IBM Redbooks publication IBM PKI on z/OS: Quick Set up and Explore, SG24-8337, which is planned for publication in March 2016.