Setup EKM Tape Data Encryption digital certificates with ACF2

Article ID: 27269

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

This document outlines how to setup EKM Tape Data Encryption digital certificates in ACF2.

Resolution

This informational solution has two sections covering the setup of digital certificates for EKM Tape Data Encryption: Section A for a local Certificate Authority certificate and Section B for a third party certificate provider.

Section A.

Setting up EKM Tape Data Encryption using a Local Certificate

This example is for setting up certificates using a local certificate authority certificate.

EKM requires a z/OS user ID that identifies the EKM process as a started task on z/OS. In this example, the LOGONID of EKMSERV is used.

Setting up EKM digital certificates for the data encryption key protection used by EKM tape write operations.

  1. Generate a self-signed certificate as a local certificate authority certificate using the GENCERT command. A sample GENCERT command follows.
    ACF
    GENCERT CERTAUTH.localca SUBJ(CN='MyLocalCA' OU='deptName' O='Company Name' C=xx) -
    LABEL(Local CA) SIZE(1024) EXPIRE(12/31/2030)
    Note 1: Parameters specified in lower or mixed case are examples and should be set to meet site standards.

    Note 2: Be sure to specify an EXPIRE date if you are creating your own CA. It should be 5-10 years in the future to ensure it extends beyond the EXPIRE date of any certificates signed by it.

  2. Generate an RSA key pair and certificate for the EKM server instance on z/OS using the GENCERT command. A sample GENCERT command follows. The certificate generated is signed with the CERTAUTH certificate generated in step 1.
    ACF
    GENCERT EKMSERV.CERT SUBJ(CN='cnName' OU='MyCo' C=xx) -
    LABEL(EKM Server Label) SIZE(1024) SIGNWITH(CERTAUTH.localca)
    Note 1: Parameters specified in lower or mixed case are examples and should be set to meet site standards.

  3. Create a FACILITY class resource rule to allow the EKM server to read from its key ring.
    ACF
    SET RESOURCE(FAC)
    COMPILE *
    $KEY(IRR) TYPE(FAC)
    DIGTCERT.LIST UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
    DIGTCERT.LISTRING UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
  4. Create the EKM Keyring and connect the CERTAUTH and EKMSERV certificates.
    ACF
    SET PROFILE(USER) DIV(KEYRING)
    INSERT EKMSERV.RING RINGNAME(ringName)
    CONNECT CERTDATA(CERTAUTH.LOCALCA) KEYRING(EKMSERV.RING) USAGE(CERTAUTH)
    CONNECT CERTDATA(EKMSERV.CERT) KEYRING(EKMSERV.RING) USAGE(PERSONAL) DEFAULT
    NOTE 1: This example sets the ring name to "ringName". The ring name that you assign must match the Keyring name specified in the EKM configuration file as shown in step 5 below.

  5. The EKM server name and the KEYRING name used in steps 1, 2 and 4 above should correspond to the EKM configuration file:
    Admin.ssl.keystore.name = safkeyring://EKMSERV/ringName
    Admin.ssl.truststore.name = safkeyring://EKMSERV/ringName
    config.keystore.file = safkeyring://EKMSERV/ringName
    TransportListener.ssl.keystore.name = safkeyring://EKMSERV/ringName
    TransportListener.ssl.truststore.name = safkeyring://EKMSERV/ringName
  6. Before attempting to use the defined KEYRING and CERTDATA records, you will need to issue these operator commands to activate them:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS or F ACF2,OMVS(CERTDATA)
    F ACF2,REBUILD(FAC)

Section B.

Setting up EKM Tape Data Encryption using a Third Party Certificate Provider

This example is for setting up certificates using a third party certificate provider.

Setting up EKM digital certificates for the data encryption key protection used by EKM tape write operations.

  1. Generate the certificate for the EKM server on z/OS using the GENCERT command. Then issue the GENREQ command to generate a certificate request to be sent to a Certification Authority. GENREQ extracts the subject's distinguished name and the public key from the certificate and puts them in a dataset from which the request is sent to the Certification Authority:
    ACF
    GENCERT EKMSERV.CERT SUBJ(CN='cnName' OU='MyCo' C=xx) -
    LABEL(EKM Server Label) SIZE(1024)
    GENREQ EKMSERV.CERT DSN('hlq.EKMSERV.CERT.REQUEST')
    Note 1: Parameters specified in lower or mixed case are examples and should be set to meet site standards.

  2. Submit the GENREQ request dataset (hlq.EKMSERV.CERT.REQUEST) to a Third Party Certification Authority, which will create a new certificate with the same distinguished name and public key, but issued and signed by the Third Party Certification Authority. This example assumes the returned certificate that you have received from the Third Party Certification Authority now resides in the dataset 'THIRD.PARTY.CERT' on z/OS. This dataset will be INSERTed into the ACF2 database.
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT EKMSERV.CERT DSN('THIRD.PARTY.CERT') LABEL(EKM Server Label)
    Note 1: The DSN (data set) must be defined as physical sequential (DSORG=PS), variable-blocked (RECFM=VB) with LRECL=255, and must be catalogued.

  3. When using certificates signed by a CA, the CA's root certificate must be obtained and inserted as a CERTAUTH CERTDATA profile record.

    If the CA is external you should be able to get its root certificate from the CA's website, put it in a dataset, and insert it as follows:
    ACF
    SET PROFILE(USER) DIV(CERTDATA)
    INSERT CERTAUTH.3rdPartyCA DSN('THIRD.PARTY.CA.CERT') TRUST
  4. Create a FACILITY class resource rule to allow the EKM server to read from its key ring.
    ACF
    SET RESOURCE(FAC)
    COMPILE *
    $KEY(IRR) TYPE(FAC)
    DIGTCERT.LIST UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
    DIGTCERT.LISTRING UID(UID for EKMSERV logonid) SERVICE(READ) ALLOW
  5. Create the EKM Keyring and connect the CERTAUTH and EKMSERV certificates.
    ACF
    SET PROFILE(USER) DIV(KEYRING)
    INSERT EKMSERV.RING RINGNAME(ringName)
    CONNECT CERTDATA(CERTAUTH.3rdPartyCA) KEYRING(EKMSERV.RING) USAGE(CERTAUTH)
    CONNECT CERTDATA(EKMSERV.CERT) KEYRING(EKMSERV.RING) USAGE(PERSONAL) DEFAULT
    NOTE 1: This example sets the ring name to "ringName". The ring name that you assign must match the Keyring name specified in the EKM configuration file as shown in step 6 below.

  6. The EKM server name and the KEYRING name used in steps 1, 2 and 5 above should correspond to the EKM configuration file:
    Admin.ssl.keystore.name = safkeyring://EKMSERV/ringName
    Admin.ssl.truststore.name = safkeyring://EKMSERV/ringName
    config.keystore.file = safkeyring://EKMSERV/ringName
    TransportListener.ssl.keystore.name = safkeyring://EKMSERV/ringName
    TransportListener.ssl.truststore.name = safkeyring://EKMSERV/ringName
  7. Before attempting to use the defined KEYRING and CERTDATA records, you will need to issue these operator commands to activate them:
    F ACF2,REBUILD(USR),CLASS(P)
    F ACF2,OMVS or F ACF2,OMVS(CERTDATA)
    F ACF2,REBUILD(FAC)
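As an added consistency check for the step that ties the ACF2 KEYRING record to the EKM configuration file (Section A steps 4-5, Section B steps 5-6), the following Python script parses an EKM configuration file and verifies that all five keystore/truststore properties point at the keyring owned by the EKM logonid with the RINGNAME given on the INSERT command. This is example code written for this article, not part of ACF2 or EKM; the property names are the ones listed above, and the sample configuration text is constructed.

```python
import re

# The five keystore/truststore properties the article lists in the EKM
# configuration file (Section A step 5, Section B step 6).
KEYSTORE_KEYS = ("Admin.ssl.keystore.name", "Admin.ssl.truststore.name",
                 "config.keystore.file", "TransportListener.ssl.keystore.name",
                 "TransportListener.ssl.truststore.name")
# safkeyring://<logonid>/<ringname>; a z/OS logonid is 1-8 characters.
SAFKEYRING = re.compile(r"^safkeyring://([A-Za-z0-9@#$]{1,8})/([^/\s]+)$")

def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in (l.strip() for l in text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and not line.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def check_keyring_refs(config_text, owner, ringname):
    """Return a list of mismatches (empty when consistent) between the EKM config
    and the KEYRING record: owner is the LOGONID that owns EKMSERV.RING, ringname
    is its RINGNAME() value. Ring names are compared exactly (case matters)."""
    props = parse_properties(config_text)
    problems = []
    for key in KEYSTORE_KEYS:
        value = props.get(key)
        if value is None:
            problems.append(f"{key}: missing")
            continue
        m = SAFKEYRING.match(value)
        if not m:
            problems.append(f"{key}: not a safkeyring:// URI ({value})")
            continue
        uid, ring = m.groups()
        if uid.upper() != owner.upper():
            problems.append(f"{key}: user ID {uid} is not the ring owner {owner.upper()}")
        if ring != ringname:
            problems.append(f"{key}: ring name {ring!r} does not match RINGNAME({ringname})")
    return problems

# Constructed sample configurations, not from a real EKM installation.
GOOD_CONFIG = "\n".join(f"{k} = safkeyring://EKMSERV/ringName" for k in KEYSTORE_KEYS)
BAD_CONFIG = """
Admin.ssl.keystore.name = safkeyring://EKMSRV/ringName
Admin.ssl.truststore.name = safkeyring://EKMSERV/ringname
config.keystore.file = /u/ekmserv/keystore.jks
TransportListener.ssl.keystore.name = safkeyring://EKMSERV/ringName
"""
```

Run `check_keyring_refs(BAD_CONFIG, "EKMSERV", "ringName")` to see the four kinds of mismatch the script reports: wrong user ID, wrong ring name case, a non-SAF keystore path, and a missing property.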