How do I enable signature validation of the System SSL or ICSF modules in a mode that has been designed to meet the FIPS 140-2 criteria?

Article ID: 17925


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction



How do you enable signature validation of the System SSL or ICSF modules in a mode that has been designed to meet the FIPS 140-2 criteria?

 

Environment

Release: ACF2..001AO-15-ACF2
Component:

Resolution

To enable signature validation of the System SSL modules, additional steps are required before a FIPS-enabled System SSL application is executed. These steps include:

  1. Defining specific ESM profiles and a keyring so that the System SSL module signature can be verified when the module is loaded by the z/OS loader.
  2. Defining specific ESM profiles (ACF2 GSO SIGVER records) and identifying which System SSL modules require signature verification.

The following steps need to be followed by the ACF2 system administrator to enable signature validation of the System SSL modules:

*
* Mark the IBM root CA as TRUSTed if not already TRUSTed
*
* CA ACF2 supplies the STG Code-Signing Certificate Authority so you do not 
* have to define them yourselves. The certificates are added when CA ACF2 
* starts. The certificates are added under the CERTAUTH logonid with a suffix 
* of AUTOxxx. You can use the LIST LIKE(CERTAUTH.AUTO-) command to determine 
* the exact suffix of the certificate you want to use. For example:
* 
ACF
SET PROFILE(USER) DIV(CERTDATA)
list like(certauth.auto-)
*
* CERTDATA / CERTAUTH.AUTO004 LAST CHANGED BY ACF2 ON 06/25/10-16:41           
*                 CERTNSER(0000000000000001) ISSUERDN(CN=STG Code Signing C
*                 A.OU=IBM Code Signing.O=IBM Corporation.C=US)           
*                 LABEL(STG Code Signing CA) SERIAL#(00) SUBJDN(CN=STG Code
*                  Signing CA.OU=IBM Code Signing.O=IBM Corporation.C=US) 
*
* Issue the following command to set the TRUST status:
*
CHANGE certauth.auto00x TRUST
*
* Create a Keyring and Keyring owner to hold the STG Code Signing CA
* certificate and connect the certificate to the keyring.
*
ACF
INSERT ACFADM NAME(SECADMIN Code Signer) SECURITY
*
SET PROFILE(USER) DIVISION(KEYRING)
INSERT ACFADM.ring RINGNAME(CODE.SIGNATURE.VERIFICATION.KEYRING) 
CONNECT CERTDATA(certauth.yoursfx) KEYRING(ACFADM.ring) USAGE(CERTAUTH)
*
* Create the FACILITY class profile that tells security the keyring to use for 
* module signature verification if it is not already defined.
*
ACF
set profile(program) division(signver)
PROFILE
INSERT VERIFY RINGNAME(CODE.SIGNATURE.VERIFICATION.KEYRING) USER(ACFADM)
*
* Activate PROGRAM control, if not already active.
*
* Program control is covered in the r15 CA ACF2 for z/OS Administration Guide
* (Seventh Edition) in Chapter 23: Controlling Access to the Hierarchical 
* File System section 'Program Control in the UNIX Environment' page 1069.
*
* Create the PROGRAM class profile that protects the program verification 
*  module IRRPVERS and specify its signature verification options.
*
ACF
Set control(gso)
Insert sigver.IRRPVERS sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
*
ACF
F ACF2,REFRESH(SIGVER)
*
* NOTE: 
* Create the PROGRAM class profiles to indicate the System SSL modules must 
* be signed. The load should fail if the signature cannot be verified and 
* auditing should occur for failure only. 
*
ACF 
Set control(gso)
Insert sigver.GSKSSL sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSSL64 sigreq failload(anybad) audit(anybad) - 
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKS31F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKS64F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKCMS31 sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKCMS64 sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKC31F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKC64F sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSRVR sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKKYMAN sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSRBRD sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSRBWT sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
*
F ACF2,REFRESH(SIGVER)
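
A pre-submission check for the SIGVER command deck above, as an added example that is not part of the original article or of CA ACF2: it parses the INSERT syntax exactly as shown on this page and reports any listed module that has no record, lacks sigreq or failload(anybad), or names a different library, and whether a REFRESH(SIGVER) follows the last insert. The function names and the sample deck are constructed for illustration.

```python
import re

# Modules the article defines SIGVER records for: IRRPVERS plus System SSL.
REQUIRED = {"IRRPVERS", "GSKSSL", "GSKSSL64", "GSKS31F", "GSKS64F",
            "GSKCMS31", "GSKCMS64", "GSKC31F", "GSKC64F", "GSKSRVR",
            "GSKKYMAN", "GSKSRBRD", "GSKSRBWT"}

# Constructed sample: a partial deck with a weakened GSKSSL record.
SAMPLE = """\
Set control(gso)
Insert sigver.IRRPVERS sigreq failload(anybad) audit(anybad) -
Lib(SYS1.SIEALNKE) SIGREQ
Insert sigver.GSKSSL audit(anybad) -
Lib(SYS1.SIEALNKE)
"""

def join_lines(deck):
    """Drop '*' comment lines and join lines ending in '-' with the next."""
    out, buf = [], ""
    for raw in deck.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        if line.endswith("-"):
            buf += line[:-1].rstrip() + " "
        else:
            out.append(buf + line)
            buf = ""
    return out + ([buf.strip()] if buf else [])

def audit_deck(deck, library="SYS1.SIEALNKE"):
    """Return sorted findings; an empty list means the deck is complete."""
    wanted = {"sigreq": r"\bsigreq\b", "failload(anybad)": r"failload\(anybad\)",
              f"lib({library})": re.escape(f"lib({library.lower()})")}
    findings, seen, last_insert, last_refresh = [], set(), -1, -1
    for i, low in enumerate(map(str.lower, join_lines(deck))):
        m = re.match(r"insert\s+sigver\.(\w+)\s+(.*)", low)
        if m:
            mod, opts = m.group(1).upper(), m.group(2)
            seen.add(mod)
            last_insert = i
            findings += [f"{mod}: {name} missing" for name, pat
                         in wanted.items() if not re.search(pat, opts)]
        elif re.match(r"f\s+acf2,refresh\(sigver\)", low):
            last_refresh = i
    findings += [f"{mod}: no sigver record" for mod in REQUIRED - seen]
    if last_insert > last_refresh:
        findings.append("no REFRESH(SIGVER) after the last insert")
    return sorted(findings)
```

Calling `audit_deck(SAMPLE)` lists the two missing options on GSKSSL, the eleven modules with no record, and the missing refresh.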

 

Additional Information

Details on the ACF2 SIGVER GSO record can be found in the CA ACF2 for z/OS Administration Guide, Chapter 14: Maintaining Global System Options Records, section 'Signature Verification (SIGVER)'.

Details on the ACF2 SIGNVER Profile Data Record can be found in the CA ACF2 for z/OS Administration Guide, Chapter 16: Maintaining Profile Records, section 'SIGNVER Profile Data Records'.