eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
Digital Certificate Support

LABLCERT—Specifies an optional and case-sensitive label to be associated with the certificate being added to the user. Up to 32 characters can be specified for the label name. Spaces are allowed if you use single quotes. This label is used as a handle instead of the serial number and issuer's distinguished name, and must be unique for the individual user. If a label is not specified, the label field defaults to the value specified within the DIGICERT keyword.

PKCSPASS—The PKCS password can be up to 255 characters, is case sensitive, and can contain blanks.

Important!

■ The password associated with a PKCS#12 certificate is not viewable. It is the eTrust CA-Top Secret administrator's responsibility to keep track of the PKCS#12 password that is assigned to the digital certificate.

■ If the certificate's private key resides in an ICSF storage facility and the format of PKCS12DER or PKCS12B64 is specified in the TSS EXPORT command, the command is rejected and a TSS0533E message is issued. You cannot export a digital certificate with ICSF.

Sharing Certificates on Key Rings

A key ring is a collection of digital certificates for an individual user. Key rings provide an installation-wide method to share digital certificates across multiple servers. A user can have more than one key ring.

Creating a Key Ring

Use the following syntax to add a key ring to a user's acid record:

TSS ADD(acid) KEYRING(8-byte key ring name) [LABLRING(237-byte ring name)]

KEYRING—Specifies the key ring being added to the user's acid. An individual acid can be a member of more than one key ring.

LABLRING—Specifies the label to be associated with the key ring being added to the user. Up to 237 characters can be specified for the LABLRING name. This label is used as an identifier of the digital certificate code and must be unique for the key ring.

You can add digital certificates that were issued by a certificate authority to one user to another user's key ring. This allows the administrator to further define the access that a user has to certain resources. Before a digital certificate can be added to a key ring, it must have been added to the owner's acid record through the TSS ADD DIGICERT command.

Note: You cannot add a KEYRING to predefined ACIDs (CERTAUTH or CERTSITE).

1–66 Cookbook

Adding a Certificate to a Key Ring

The following syntax shows how to add a digital certificate to a key ring:

TSS ADD(acid) KEYRING(8-byte key ring name)
    [LABLRING(237-byte ring name)]
    {RINGDATA(acid,digicert)}
    {RINGDATA(CERTAUTH,digicert)}
    {RINGDATA(CERTSITE,digicert)}
    [DEFAULT]
    [USAGE(PERSONAL|CERTAUTH|CERTSITE)]

The sub-keywords of the KEYRING function specify more detailed information that can be added along with KEYRING.

KEYRING—The ring name is unique within the user; the name you specify in KEYRING identifies the key ring for a user.

LABLRING—Provides the ability to add a 237-character label name to the key ring; it can be used as a key to locate a certificate key ring. If not specified, the 8-byte KEYRING name is automatically added to the LABLRING.

RINGDATA—Specifies the acid and certificate label name (as specified by DIGICERT) of the certificate being added to the user.

DEFAULT—Specifies that the certificate is the default certificate for the key ring. This parameter is optional. Only one certificate within the key ring can be the default. If a default already exists, its DEFAULT status is removed, and the specified certificate becomes the default certificate.

USAGE—Specifies how this certificate is used with the specified key ring. The default usage is the same as the certificate that is being connected.

■ PERSONAL—Demotes a certificate to ensure that it is not used as a certificate authority in this key ring.

■ CERTAUTH—Promotes an ordinary user certificate to that of a certificate authority within this key ring.

■ CERTSITE—Promotes an ordinary user certificate to that of a site certificate.

Removing a Key Ring from an acid

To remove a key ring, use the TSS REMOVE command with the following syntax:

TSS REMOVE(acid) {KEYRING(8-byte name)|LABLRING(237-byte ring name)}

This command also removes all key ring cross references from all acids that have certificates that were attached to the key ring that is being removed.

Implementing eTrust CA-Top Secret in a z/OS or OS/390 Environment 1–67
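The following is an added example, not code from the manual or from CA: a small Python model of the key-ring rules documented in this section (label and name length limits, no KEYRING on CERTAUTH/CERTSITE, certificate must exist on the owner's acid, a single DEFAULT per ring, cross references dropped on REMOVE), which an administrator can use to pre-validate a planned change before issuing the TSS commands. KeyRingModel, its methods and the acid/label values are hypothetical, and deriving the default USAGE from the certificate's owner acid is an assumption.

```python
PREDEFINED = {"CERTAUTH", "CERTSITE"}  # predefined acids: cannot own a KEYRING
USAGES = {"PERSONAL", "CERTAUTH", "CERTSITE"}

class KeyRingModel:  # hypothetical model of the TSS key-ring rules
    def __init__(self):
        self.certs = {}  # acid -> labels added with TSS ADD DIGICERT
        self.rings = {}  # (acid, keyring) -> list of ring entries
        self.xref = {}   # (owner, label) -> rings the certificate is on

    def add_digicert(self, acid, lablcert):
        if len(lablcert) > 32:
            raise ValueError("LABLCERT is limited to 32 characters")
        self.certs.setdefault(acid, set()).add(lablcert)

    def add_keyring(self, acid, keyring, lablring=None):
        if acid in PREDEFINED:
            raise ValueError("KEYRING cannot be added to CERTAUTH or CERTSITE")
        if len(keyring) > 8:
            raise ValueError("KEYRING name is limited to 8 bytes")
        lablring = lablring or keyring  # LABLRING defaults to the KEYRING name
        if len(lablring) > 237:
            raise ValueError("LABLRING is limited to 237 characters")
        self.rings.setdefault((acid, keyring), [])
        return lablring

    def connect(self, acid, keyring, owner, label, default=False, usage=None):
        ring = self.rings.get((acid, keyring))
        if ring is None:
            raise ValueError("key ring does not exist")
        if label not in self.certs.get(owner, ()):
            raise ValueError("add the certificate with TSS ADD DIGICERT first")
        if usage is None:  # assumption: default USAGE follows the owner acid
            usage = owner if owner in PREDEFINED else "PERSONAL"
        if usage not in USAGES:
            raise ValueError("USAGE must be PERSONAL, CERTAUTH or CERTSITE")
        if default:  # only one DEFAULT per ring: the old one loses its status
            for entry in ring:
                entry["default"] = False
        ring.append({"owner": owner, "label": label, "usage": usage, "default": default})
        self.xref.setdefault((owner, label), set()).add((acid, keyring))

    def remove_keyring(self, acid, keyring):
        del self.rings[(acid, keyring)]  # drops every cross reference too
        for refs in self.xref.values():
            refs.discard((acid, keyring))

    def default_label(self, acid, keyring):
        entries = self.rings[(acid, keyring)]
        return next((e["label"] for e in entries if e["default"]), None)
```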