The ISPF panels in this chapter are used to build and maintain the SecureZIP for z/OS certificate store. These panels are not part of the separately licensed feature “ISPF”. They are standard with SecureZIP for z/OS.
SecureZIP Main Panel—Access to the Certificate Stores
SecureZIP Version 10.0
Option ===>
C  Config           Modify Run-time Configuration Settings
ZD Zip Defaults     Modify Default ZIP Command Settings
UD Unzip Defaults   Modify Default UNZIP Command Settings
U  Unzip            Decompress, Decrypt, Authenticate File(s) in an Archive
V  View             Display the Contents of a Zip Archive
Z  Zip              Compress, Encrypt, Sign File(s) into a Zip Archive
S  Sysprint         Browse Log of Last Foreground Execution
M  Messages         Message ID lookup
A  Administration   Administration Services and Reference Information
W  Wizard           List
For HELP Press PF1                     Release Date: 09/13/2007 11.47 LVL(Q1)
To access the certificate store administration and configuration, enter “A” in the Option field from the main SecureZIP panel; then enter “CS” from the main SecureZIP Administration panel.
SecureZIP Certificate Store Administration and Configuration
Local certificate store
SecureZIP for z/OS provides access to public and private key certificates through a set of local files, either PDS or PDSE, and VSAM index paths. The composite of these elements is known as recipient database access.
LDAP certificate store
SecureZIP for z/OS also provides access to public key certificates located in an external LDAP (Lightweight Directory Access Protocol) server via a TCP/IP network connection.
x.509 certificate information
SecureZIP for z/OS also provides utilities to identify certificates and to simulate their use prior to including them in your local certificate store. Each certificate store is described in detail below.
Local Certificate Store Administration
This section assists with allocating the components necessary to support the local DB and with administering the certificates within it.
SecureZIP for z/OS provides access to both public and private key certificates through a set of local files, PDS or PDSE, and index paths. The files and VSAM indexing components (Cluster, Alternate Indexes and Paths) must be allocated and synchronized.
The following administration phases should be planned for:
Initial Setup: A one-time initialization of the local certificate store datasets. This is initiated through the SecureZIP ISPF Dialogs and is performed by a generated batch job stream. Certificate store datasets are allocated and initialized for future use. In addition, a set of run-time configuration control records is generated for run-time access by SecureZIP.
Certificate Administration: The addition of new certificates to be used for encryption must be periodically performed as new exchange partners are identified. Installation of the certificates may be performed either through ISPF dialog foreground (manual) processing, or via a batch job stream. The following certificate administration actions must be accounted for:
One or more public-key certificates must be available for use when a RECIPIENT encryption operation is performed (when updating an archive). These digital certificates may either be placed into MVS datasets (or PDS members) on the system that will be used to perform the encryption.
A private-key certificate must be available for use when a decryption operation is performed (either during extract processing, or when accessing an archive that has been protected with Filename Encryption). Corresponding RECIPIENT command instructions with the associated private-key certificate password must also be prepared for run-time access.
In order to complete the above tasks, digital certificate data must be made available to the activating system in the form of sequential files:
o Private-key certificates in PKCS#12 format (.PFX DSN suffix)
PartnerLink SecureZIP Partner: Supplemental administration activities unique to SecureZIP Partner for z/OS are covered in the section “PartnerLink Certificate Store Administration and Configuration” in chapter 6.
A configuration profile is a collection of SecureZIP for z/OS commands that describes the components of the certificate store. At execution time this profile is read to locate the appropriate stores and index.
SecureZIP Certificate Store Administration
Option ===>
Select one of the following options and press Enter:
1 Local Certificate Store Administration
2 LDAP Certificate Store Configuration
3 x.509 Certificate Utilities
4 ICSF CKDS Passphrase Registration Service
To access the local certificate store administration and configuration, enter “1” in the Option field.
SecureZIP Local Certificate Store
SecureZIP Local Certificate Store
Option ===>
Local Certificate Store Administration
1 View Certificate Entries (ISPF Table)
2 List Certificate Entries
3 Add new Certificates
4 Delete a Certificate
5 Synchronize/Verify Local Store Certificates
6 Report Statistics
7 Edit Active Profile
8 Supplemental Administration Utilities
Create  Define and Initialize a New Local Certificate Store
CRL     Work with Certificate Revocation Lists
Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)'
-{CSPUB=4;1;SECZIP.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;SECZIP.CERTSTOR.PRIVATE}
-{CSPUB_DBX=SECZIP.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=SECZIP.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=SECZIP.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=SECZIP.CERTSTOR.PATHPUBK}
This is the main local certificate store panel. It guides you in establishing your local certificate store environment. To create a new local certificate store database, enter “CREATE” in the Option field.
Create a New Local Certificate Store DB
SecureZIP Local Certificate Store
Option ===>
Create and Prime New Local Certificate Store
Fill in the required information below, using the DOWN PFK to complete all fields, including storage management options if necessary. Then press ENTER to generate the create JCL.
Batch Job Card information:
//SECZIP81 JOB 'SEZIP82',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
High-Level Qualifier(s): PKWARE.MVS (up to 20 characters)
A set of PDS/PDSE datasets, VSAM Clusters, Alternate Indexes and PATHs will be allocated by the JOB. All components of the store must be allocated in the form: hlqs...CERTSTOR.type
New Store Configuration Profile: 'PKWARE.MVS.JCL(DBPROF)' For example: 'PKWARE.MVS.PARMLIB(CERTCFG1)'
Specify the PDS and member where the run-time configuration commands are to be placed for SecureZIP.
The PDS dataset and/or member will be allocated if they do not already exist. If the PDS member already exists, it will be overwritten.
This member is to be referenced in SecureZIP runs that request certificates from the Local Certificate Store via -RECIPIENT=DB. This may be achieved in one of the following ways:
1. Use -INCLUDE_CMD=dsname(member) in the command stream for an individual run.
2. Specify this dataset in the DB Profile field of each user's SecureZIP Runtime Configuration panel.
3. Specify this dataset in the SECUREZIP_CONFIG= parameter of the SecureZIP defaults module (ACZDFLT) to make it effective as a default for all users.
Specify SMS/non-SMS allocation parameters
Management class . . .    (Blank for default management class)
Storage class . . . .     (Blank for default storage class)
Data class . . .          (Blank for default data class)
Volume serial . . . .     (Specify for NON sms volume)
Device type . . .         (Specify for NON sms volume)
This panel will set up the job stream to create the public, private, CA and root certificate stores, the data base, all corresponding paths, and the data base profile.
The public, private, CA and root certificate stores, and the DB profile are PDS files. The data base is a VSAM cluster with alternate index paths. The certificate stores are initialized with 1 CA, 1 root, four public and four private certificates in their respective stores. The password for those private certificates is PKWARE.
New Data Base Profile
The profile is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/OS in either ZIP or UNZIP operations. If the data base profile does not exist, one will be dynamically allocated. If it exists you will see the message “Profile Exists” in the upper right corner of the screen.
The data base profile follows the standard PDS dataset name format: datasetname(membername).
High-Level Qualifier
The high-level qualifier (hlq) is used to prefix the certificate stores as well as all components of the database. Multiple nodes are acceptable.
For the certificates, the PDS names are:
hlq.CERTSTOR.PUBLIC
hlq.CERTSTOR.PRIVATE
For the Data Base, the names are:
hlq.CERTSTOR.DBX
hlq.CERTSTOR.DBXCN
hlq.CERTSTOR.DBXEM
hlq.CERTSTOR.DBXPUBK
hlq.CERTSTOR.PATHCN
hlq.CERTSTOR.PATHEM
hlq.CERTSTOR.PATHPUBK
hlq.CERTSTOR.P7CA
hlq.CERTSTOR.P7ROOT
hlq.CERTSTOR.P7CRL
Batch Job Card information
This is the JOB Card to be used for the batch run.
Certificate Validation Options
When you are satisfied with the parameters you have entered, press ENTER and enter Y or N into the associated certificate validation fields.
SECUREZIP CERTSTORE Policy Setup
Command ===>
Specify whether certificate validation should be performed for each phase of processing ( Y or N ). Press PF1 for detailed information.
Encryption:
Y Trusted Y Expired Y Revoked
Signing:
Y Trusted Y Expired Y Revoked
Authentication:
Y Trusted Y Expired Y Revoked Y Tampercheck
The configuration profile for certificate store access also defines default policy settings to be used for certificate validation. Certificates may be validated for use during RECIPIENT selection for Encryption, Signing Certificate selection (SIGN FILES/SIGN ARCHIVE), and Authentication (AUTHCHK) processing.
Generated JCL to Build the Initial Certificate Store
When you are satisfied with the parameters you have entered, press ENTER. An Edit session is opened for you to review the generated JCL and submit it to build the certificate store.
File  Edit  Edit_Settings  Menu  Utilities  Compilers  Test  Help
****** ***************************** Top of Data ******************************
//FPDCS1 JOB 'ACCOUNTING INFO',CLASS=A,REGION=8M,
// MSGCLASS=H,MSGLEVEL=(1,1),NOTIFY=&SYSUID
//*
//******************************************************************
//* PLEASE BE SURE PROCEDURE PKISPF IN INSTLIB HAS BEEN TAILORED   *
//* TO MEET YOUR SITES SPECIFICATIONS.                             *
//******************************************************************
// JCLLIB ORDER=PKWARE.MVS.INSTLIB
//JOBLIB DD DISP=SHR,DSN='PKWARE.MVS.LOAD'
//*
//* GENERATED JCL TO BUILD INITIAL CERTIFICATE STORE
//* DELETE OLD CERTIFICATE STORE
//DELCERT EXEC PGM=IEFBR14
//DPUB DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=PKWARE.MVS.CERTSTOR.PUBLIC
//DPRV DD DISP=(MOD,DELETE,DELETE),SPACE=(TRK,(0)),
// DSN=PKWARE.MVS.CERTSTOR.PRIVATE
//* CREATE PUBLIC CERTIFICATE STORE
//COPYIN EXEC PGM=IEBCOPY
...
After you have SUBmitted the JOB and then pressed PF3 to end the Edit session, the following screen appears.
****************************** Top of Data *******************************
***
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL                         *
* Include this member in SecureZIP runs requiring Local Certificate     *
* Store RECIPIENTS, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK signatories.   *
***
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{CSCRL=1;0;PKWARE.MVS.CERTSTOR.P7CRL}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
****************************** Bottom of Data ****************************
This is the data base profile that will be saved in the dataset and member you specified. It is used to read the configuration commands to allow access to the certificates during execution of SecureZIP for z/OS in either ZIP or UNZIP operations.
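As an added example, not part of this manual or of the SecureZIP product, the following Python check parses a generated profile member like the one above and audits it for the points this chapter makes: every store component follows the hlq.CERTSTOR.type naming convention and shares one high-level qualifier, and a validation policy record exists for each phase (recall that with -{VALENCRYPT=} inactive, the VAL line command always passes). The numeric fields before the dataset name (4;1 and 1;0) are not explained in this chapter, so the check leaves them uninterpreted; the sample member is constructed from the listing above.

```python
import re

# Constructed sample of a generated profile member, modelled on the listing
# in this chapter (the ISPF Top/Bottom of Data rulers are omitted).
SAMPLE_PROFILE = """\
* LOCAL CERTIFICATE STORE CONFIGURATION CONTROL
-{CSPUB=4;1;PKWARE.MVS.CERTSTOR.PUBLIC}
-{CSPRVT=4;1;PKWARE.MVS.CERTSTOR.PRIVATE}
-{CSPUB_DBX=PKWARE.MVS.CERTSTOR.DBX}
-{CSPUB_DBX_PATH_CN=PKWARE.MVS.CERTSTOR.PATHCN}
-{CSPUB_DBX_PATH_EM=PKWARE.MVS.CERTSTOR.PATHEM}
-{CSPUB_DBX_PATH_PUBKEY=PKWARE.MVS.CERTSTOR.PATHPUBK}
-{CSCA=1;0;PKWARE.MVS.CERTSTOR.P7CA}
-{CSROOT=1;0;PKWARE.MVS.CERTSTOR.P7ROOT}
-{CSCRL=1;0;PKWARE.MVS.CERTSTOR.P7CRL}
-{AUTHENTICATE=TRUSTED,EXPIRED,REVOKED,TAMPERCHECK}
-{VALSIGN=TRUSTED,EXPIRED,REVOKED}
-{VALENCRYPT=TRUSTED,EXPIRED,REVOKED}
"""

RECORD = re.compile(r"^-\{([A-Z_]+)=([^}]*)\}$")   # one -{KEY=value} record
# Store keys and the CERTSTOR.type suffix the Create panel allocates for each.
STORE_SUFFIX = {"CSPUB": "PUBLIC", "CSPRVT": "PRIVATE", "CSPUB_DBX": "DBX",
                "CSPUB_DBX_PATH_CN": "PATHCN", "CSPUB_DBX_PATH_EM": "PATHEM",
                "CSPUB_DBX_PATH_PUBKEY": "PATHPUBK", "CSCA": "P7CA",
                "CSROOT": "P7ROOT", "CSCRL": "P7CRL"}
# Policy keys and the checks the Policy Setup panel offers for each phase.
POLICY_CHECKS = {"VALENCRYPT": {"TRUSTED", "EXPIRED", "REVOKED"},
                 "VALSIGN": {"TRUSTED", "EXPIRED", "REVOKED"},
                 "AUTHENTICATE": {"TRUSTED", "EXPIRED", "REVOKED", "TAMPERCHECK"}}

def parse_profile(text):
    """Map KEY -> value for every -{KEY=value} record; '*' lines are comments."""
    records = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            records[m.group(1)] = m.group(2)
    return records

def audit_profile(records):
    """Findings a reviewer would raise before the member is put into use."""
    findings, hlqs = [], set()
    for key, suffix in STORE_SUFFIX.items():
        if key not in records:
            findings.append(f"{key}: store record missing")
            continue
        # Dataset name is the last ';' field; the leading numeric fields are ignored.
        dsn = records[key].split(";")[-1]
        tail = f".CERTSTOR.{suffix}"
        if dsn.endswith(tail):
            hlqs.add(dsn[:-len(tail)])
        else:
            findings.append(f"{key}: {dsn} does not follow hlq{tail}")
    if len(hlqs) > 1:
        findings.append(f"store datasets span several HLQs: {sorted(hlqs)}")
    for key, offered in POLICY_CHECKS.items():
        if key not in records:  # with VALENCRYPT inactive, VAL always passes
            findings.append(f"{key}: absent, no validation for this phase")
            continue
        missing = offered - set(records[key].split(","))
        if missing:
            findings.append(f"{key}: {','.join(sorted(missing))} not enforced")
    return findings
```

Run audit_profile(parse_profile(text)) over a member read from the profile dataset; an empty list means every store record and policy record is present and consistent.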
View Data Base Certificate Entries
You can view details about a certificate.
SecureZIP Local Certificate Store
Option ===>
View Data Base Certificate Entries
Active Store Configuration: 'PKWARE.MVS.JCL(DBPROF)'
Select one or more types for viewing: (Default is all)
  Public   Private   Certificate-Authority   Root
Optional Search Criteria:
Search String:
Search Fields: ALL (CN/EM/ALL)     Case Sensitive: N (Y/N)
Filters:
Exclusion - Do not show certificates with the following characteristics.
  Revoked   Suspended   Expired   Not Trusted
Inclusion - Show certificates only having the specific indicators.
  Encryption   Signing
This panel will create a data base table display using the criteria entered in the fields. The table view will provide an opportunity to select individual entries for various actions.
Active Store Configuration
The data base to be operated upon.
Select Types:
This is a report filter that you can use to select the types of certificates to report on. You may report on all certificates in the store by pressing Enter (Default) or selecting a specific type(s).
Public key (CER) end-entity certificates will be included from the certificate store index.
Private key (PFX) end-entity certificates will be included from the certificate store index.
Certificate-authority (P7B) intermediate issuing certificates will be displayed from the active x.509 CA store data set.
Root (P7B) self-signed issuing certificates will be displayed from the active x.509 root store data set.
Search String
Enter a string of characters to be used as a filter, listing only those certificates containing a match for the string. Leave this field blank if no filtering is desired.
Search Fields
Enter ALL, CN (common name) or EM (Email address).
Case Sensitive
Filters
Filters can be useful in viewing qualified certificates in the local certificate store. The filters may be used in combination with other type and search criteria to further restrict the number of entries returned.
The Exclusion filters will eliminate entries known to have failed the specified characteristic (based on the information held in the index). For example, index entries marked as “Revoked” by the System Administration Validate function will fail the “Revoked” policy test when an attempt is made to use them for signing or encryption. This filter will assist in locating certificate entries that are known to have never failed the Validation test. However, it does not guarantee that the trust chain is currently intact within the certificate store configuration. (The system administrator may not have run the Validate service request against the certificate.)
The Inclusion filters will assist in identifying certificates issued for a specific purpose. However, certificates issued without the designated use flag will be eliminated from the display. Your enterprise must obtain certificates specific to the qualifications from a certificate authority for this filter to be of use.
Be aware that when a certificate validation policy is set for a given SecureZIP action such as Encryption, Signing or Authentication, a dynamic check against the live certificate store is performed in lieu of the database index record settings. This means that multiple certificates identified by a CN= or EMAIL= search may still be identified at run-time and be flagged as unusable based on the policy in force. When records are no longer desired to be referenced at run-time because they are Expired, Revoked, or Not Trusted, the system administrator should mark the entries as Suspended.
PKCSV001              SecureZIP View Certificate Store            Row 1 to 10
Command ===>                                                  SCROLL ===> CSR
Certificate Database: 'SECZIP.NEWDB.CERTSTOR.DBX'
Primary commands: LOCATE, SORT and SAVE. Scroll RIGHT or LEFT for more information. Enter line command or '/' for list of valid line commands.
Cmd  Type  Common Name
---
/_   CER   Al Smith
__   CER   Bill Jones
__   CER   Kevin Johnson
__   CER   Mark Arrow
__   CER   Matt Brewster
__   CER   Michael Stanley
__   CER   PKWARE Test1
__   PFX   PKWARE Test1
__   CER   PKWARE Test2
__   PFX   PKWARE Test2
Valid Line Commands
SecureZIP Certstore Line Commands
Command ==>
Action: I
D    Delete Certificate
I    Detailed Certificate Information
EX   Edit Certificate Index information
VAL  Validate Certificate
RC   Generate -RECIPIENT command based on Common Name
RE   Generate -RECIPIENT command based on Email Address
SAC  Generate -SIGN_ARCHIVE command based on Common Name
SAE  Generate -SIGN_ARCHIVE command based on Email Address
SFC  Generate -SIGN_FILES command based on Common Name
SFE  Generate -SIGN_FILES command based on Email Address
AAC  Generate -AUTHCHK archive command based on Common Name
AAE  Generate -AUTHCHK archive command based on Email Address
AFC  Generate -AUTHCHK files command based on Common Name
AFE  Generate -AUTHCHK files command based on Email Address
SUS  Suspend a certificate from use
The Generate option(s) will place the commands to a memory clipboard for a subsequent SAVE command.
Specifying “D” to delete the certificate will remove the specified certificate from your local store. Please be aware that deleting certificate authority and/or root certificates will prevent authentication processing from completing a TRUST check operation.
Before permanently removing the certificate from the local store, SecureZIP will prompt the user with the following screen:
Confirm Certificate Delete
Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)'
Certificate to be deleted: Location= 1
Name = Class 3 Public Primary Certification Authority
Serial #= 02CDBA356FFDWE4BC54FE22ACBA72A325
Note: Certificates that are issued by the certification authorities or any lower level certification authorities will no longer be trusted.
Press ENTER to continue or PF3 to exit without deleting the certificate.
By requesting “I” for additional information about the certificate, a report will be generated and displayed.
PKSCANCRT 005I scan(0) file is: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
PKSCANCRT 008I Certificate #1 found (924) //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB1CERT)'
--- Certificate 1 --- PKWARE Test1
Subject:  C=US
          CN=PKWARE Test1
          [email protected]
Issuer:   C=US
          OU=Certification Services
          CN=PKWARE Test1
          [email protected]
SerialNumber: 00
NotBefore: Wed Apr 14 13:20:41 2004
NotAfter:  Sat Apr 13 13:20:41 2024
SHA-1 Hash of Certificate(Thumbprint):
DF 31 1E 8D DF 02 BD 0C 7C 4A 75 72 00 CA 03 6D 68 95 49 C9
Public Key Hash:
83 0A 0A E9 DB F0 49 69 54 76 38 62 12 6E CE 7A 34 BB 7A 56
Self Signed
Certificate Authority
The following table explains fields of certificate details in the display.
Heading                    Description
Subject                    Information about the entity to whom the certificate was issued.
Issuer                     Information about the entity that issued the certificate.
Serial Number              Serial number of the certificate.
NotBefore/NotAfter         Date range for which the certificate is valid.
SHA-1 Hash of Certificate  The SHA-1 algorithm hash, or “thumbprint,” of the certificate.
Public Key Hash            The hash, or “thumbprint,” of the public key.
Key Usage                  Key usage flags that determine how the certificate was intended to be used.
The public key hash value is the primary key used in the local certificate store index.
The Issuer fields are composed of several x.509 subfields. The exact set varies; the following table describes some of the most commonly used.
Code  Description
O     Organization
OU    Organizational Unit
CN    Common Name
E     Email address
C     Country
ST    State or Province
L     Locality or City
By entering “EX” from the SecureZIP Line Commands panel, you may edit the certificate index information such as the certificate member name. See resulting screen below:
Edit Certificate Index Information
Active DB Profile: 'PKWARE.MVS.PROFILE(CERTCFG1)'
Certificate Path: //'PKWARE.MVS.CERTSTOR.PUBLIC(PUB4CERT)'
Common Name: PKWARE Test4
Email Address: [email protected]
Certificate PDS member name: PUB4CERT
The member name may be changed here. The Certificate Store index will be updated to reflect the new location.
Press ENTER to process, or END to return.
If you request “VAL” SecureZIP will look to validate the certificate by using the current -{VALENCRYPT=...} setting in the profile. It validates the certificate by generating a -RECIPIENT(...,R,PASSWORD=pppppp) command, and running SecureZIP for both ZIP and TEST. Please be aware that, if -{VALENCRYPT=} is not active, the certificate will always pass the validation check.
You may also generate and save commands for the RECIPIENT, SIGN_ARCHIVE, SIGN_FILES and AUTHCHK (archive and/or file) parameters. For example, by selecting RC, you will see the -RC appear on the far right of the screen (see below):
Command ===>                                                 SCROLL ===> PAGE
Certificate Database: 'PKWARE.MVS.CERTSTOR.DBX'