search cancel

Virtual keyring for existing Root Certificates

book

Article ID: 253001

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

How to use KEYRINGs and Virtual KEYRINGs concurrently with the same Root Certificates/Certificate Authority (CA)?

The Root Certificates are currently being used on KEYRINGs.

Environment

Release : 16.0

Cause

https://ca-broadcomcsm.wolkenservicedesk.com/wolken/esd/knowledgebase_search?articleId=113193

Resolution

1. The Root Certificates/Certificate Authority(CA) must be owned by acid CERTAUTH and be authorized to use Virtual Keyrings.

    Issue a TSS LIST(CERTAUTH) DIGICERT(digicertname). If the certificate is not found, then it is not owned by CERTAUTH and needs to be moved to CERTAUTH.

    Please see the following knowledge document on moving certificate ownership. The examples move ownership to CERTSITE but also appy to CERTAUTH.

2. Issue a TSS WHOOWNS RDATALIB(CERTAUTH.IRR_VIRTUAL) to determine if Virtual Keyrings have been defined as a protected resource in Top Secret. 

   If yes, then the user must be PERMITted to the Virtual Keyring via:

             TSS PER(acid) RDATALIB(CERTAUTH.IRR_VIRTUAL_KEYRING.LST) ACC(READ) 

   If no, then the above PERMIT is not needed.

3. Users must be authorized to access certificates.

   Issue a TSS WHOOWNS IBMFAC(IRR.DIGTCERT) to determine if certificate access is defined as a protected resource in Top Secret. 

   If yes, then the user must be PERMITted to use certificates via:

       TSS PER(acid) IBMFAC(IRR.DIGTCERT) ACC(CONTROL)

   If no, then the above PERMIT is not needed.