Share Keyrings in Top Secret
Article ID: 188115

Products

Top Secret

Issue/Introduction

How can a keyring be shared by other users with Top Secret?

Right now, there is a 'copy' defined for each person that needs the keyring and certificates on it, but this leads to potential problems and cumbersome changes - especially now that certificates need to be renewed annually. Is there an option for adding to a profile, or some other mechanism so that they can be defined in one place and used by many?

Environment

 

Resolution

- Certificates owned by CERTAUTH and CERTSITE can be shared on a keyring with the following permits given to the acid that owns the keyring:
 
Own the resource:
TSS ADD(dept) IBMFAC(IRR.)   (if not already owned)

Permit the resources:
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)

- Certificates owned by another acid can be shared on a keyring. The above permits need to be given to the owner of the keyring and the acid that is going to use the keyring. 

The following permits in the RDATALIB class also need to be in place. In the scenario below, USER1 needs to use USER2's keyring and the certificates attached to it:

Note:
The RDATALIB Resclass may have to be defined to the RDT:

TSS ADD(RDT) RESCLASS(RDATALIB) ATTR(LONG,MASK) ACLST(NONE=0000,CONTROL=6400,UPDATE=6000,READ=4000,ALL=FFFF)

Own the resource:
TSS ADD(dept) RDATALIB(USER2.USER2RING.LST)

Give USER2 RDATALIB Access to the keyring:
TSS PERMIT(USER2) RDATALIB(USER2.USER2RING.LST) ACCESS(READ)

Give USER1 Access to use USER2's Keyring and the certificates attached:
TSS PERMIT(USER1) RDATALIB(USER2.USER2RING.LST) ACCESS(UPDATE)

Note:
The format for the RDATALIB permit is:
RDATALIB(owner of the keyring.name of the keyring.LST)


- Another option is to use a Virtual Keyring. In order for a virtual keyring to be used, the application must support a keyring name of *. The most common choice is CERTAUTH, in which case CERTAUTH must own all the certificates on the keyring. The keyring parameter for the application would be *AUTH*/*.

      *AUTH* is the owner of the keyring and * is the name of the keyring.

 Anyone using the virtual keyring needs the IBMFAC permits:
Own the resource:
TSS ADD(dept) IBMFAC(IRR.)   (if not already owned)

Permit the resources:
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)
TSS PERMIT(acid) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)

 And a permit for the use of the Virtual Keyring:

Own the resource:
TSS ADD(dept) RDATALIB(CERTAUTH.IRR)   (if not already owned)

Permit the Virtual Keyring to the acids that will be using it:

TSS PERMIT(acid) RDATALIB(CERTAUTH.IRR_VIRTUAL_KEYRING.LST) ACCESS(UPDATE)
 
When using a Virtual Keyring, all certificates owned by CERTAUTH are read.
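The following Python helper is an added example (not Broadcom code) that encodes the permit sets described above for the three sharing scenarios and reports which permits are absent from a TSS PERMIT listing; the listing it checks is constructed, and it assumes every permit line carries an explicit ACCESS() keyword.

```python
# Added example: derive the permits this article lists for a keyring-sharing
# scenario and diff them against an existing TSS PERMIT listing.
import re

# Both IBMFAC resources are needed at UPDATE for any acid that lists a keyring.
IBMFAC_RESOURCES = ("IRR.DIGTCERT.LIST", "IRR.DIGTCERT.LISTRING")
VIRTUAL_KEYRING = "CERTAUTH.IRR_VIRTUAL_KEYRING.LST"


def required_permits(scenario, ring_owner, ring_name, users):
    """Return the set of (acid, class, resource, access) tuples the scenario needs.

    scenario: "site"    - certificates owned by CERTAUTH/CERTSITE on the owner's ring
              "user"    - another acid's keyring shared with 'users'
              "virtual" - the CERTAUTH virtual keyring (*AUTH*/*)
    """
    needed = set()

    def ibmfac(acid):
        for res in IBMFAC_RESOURCES:
            needed.add((acid, "IBMFAC", res, "UPDATE"))

    if scenario == "site":
        ibmfac(ring_owner)
    elif scenario == "user":
        rdatalib = f"{ring_owner}.{ring_name}.LST"  # owner.ringname.LST format
        ibmfac(ring_owner)
        needed.add((ring_owner, "RDATALIB", rdatalib, "READ"))
        for acid in users:  # each sharer needs IBMFAC plus RDATALIB at UPDATE
            ibmfac(acid)
            needed.add((acid, "RDATALIB", rdatalib, "UPDATE"))
    elif scenario == "virtual":
        for acid in users:
            ibmfac(acid)
            needed.add((acid, "RDATALIB", VIRTUAL_KEYRING, "UPDATE"))
    else:
        raise ValueError(f"unknown scenario {scenario!r}")
    return needed


# Matches e.g. TSS PERMIT(USER1) RDATALIB(USER2.USER2RING.LST) ACCESS(UPDATE)
PERMIT_RE = re.compile(
    r"TSS\s+PERMIT\((\w+)\)\s+(\w+)\(([\w.]+)\)\s+ACCESS\((\w+)\)", re.I)


def parse_permits(listing):
    """Parse TSS PERMIT lines into (acid, class, resource, access) tuples."""
    return {tuple(f.upper() for f in m) for m in PERMIT_RE.findall(listing)}


def missing_permits(scenario, ring_owner, ring_name, users, listing):
    """Sorted list of required permits that do not appear in the listing."""
    return sorted(required_permits(scenario, ring_owner, ring_name, users)
                  - parse_permits(listing))


# Constructed listing: USER1 lacks the LISTRING permit and holds only READ on the ring.
CONSTRUCTED_LISTING = """
TSS PERMIT(USER2) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)
TSS PERMIT(USER2) IBMFAC(IRR.DIGTCERT.LISTRING) ACCESS(UPDATE)
TSS PERMIT(USER2) RDATALIB(USER2.USER2RING.LST) ACCESS(READ)
TSS PERMIT(USER1) IBMFAC(IRR.DIGTCERT.LIST) ACCESS(UPDATE)
TSS PERMIT(USER1) RDATALIB(USER2.USER2RING.LST) ACCESS(READ)
"""

if __name__ == "__main__":
    for gap in missing_permits("user", "USER2", "USER2RING", ["USER1"], CONSTRUCTED_LISTING):
        print("missing:", gap)
```

Because the comparison is on the exact access level, a READ permit where the article calls for UPDATE is reported as missing rather than silently accepted.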