
Support all types of keyrings used within the z/OS ecosystem.

Open JirkaAichler opened this issue 2 years ago • 12 comments

Some customers are requesting support for different keyring types that are used in their mainframe security environments. They are interested primarily in the JCECCARACFKS keyring format.

What Zowe components support keyrings? How difficult would it be to implement it?

It should be simple to update Java-based applications:

  • Java 8 docs https://www.ibm.com/docs/en/sdk-java-technology/8?topic=components-java-cryptography-extension-common-cryptographic-architecture-jcecca
  • Java 11 docs (I know it is not supported but it provides better documentation than Java 8) https://www.ibm.com/docs/en/semeru-runtime-ce-z/11?topic=security-guide https://public.dhe.ibm.com/software/Java/Java11/IBMJCECCA/JSSEzOSRefGuide.html

JirkaAichler avatar Feb 14 '23 12:02 JirkaAichler

I'm upvoting this request. We have customers using hardware private keys in RACF/Top Secret (ICSF), and just for ZOWE they have to create soft keys and are not happy about it.

rudatp avatar Mar 08 '23 14:03 rudatp

Some related ICSF details in https://github.com/zowe/zss/issues/597.

Joe-Winchester avatar Aug 30 '23 10:08 Joe-Winchester

We have another customer that would benefit from the ICSF support.

balhar-jakub avatar Oct 05 '23 12:10 balhar-jakub

@MarkAckert Mark, do you think that the Marist system could be set up to support this hardware (ICSF)?

nkocsis avatar Oct 05 '23 15:10 nkocsis

I believe we have CSFSERV configured on the Marist boxes with some access already in place; we can update user permissions on the box and stc permissions through ZWESECUR. Do we have a test case we can run to verify it's working? And is this just an ESM configuration change to get this working, or is it paired with a code change?

MarkAckert avatar Oct 05 '23 15:10 MarkAckert

The best way to validate the configuration is by generating an ICSF key ring.

I could not find any good documentation. This is probably the best that I found:

https://www.ibm.com/docs/en/sklmfz/1.1.0?topic=certificates-example-using-jceracfks-jceccaracfks-keystore-zos

JirkaAichler avatar Oct 06 '23 08:10 JirkaAichler

We have a test installation with private keys in ICSF. Which build/version is needed? Mine is a bit outdated, but I can update it quickly and test it.

rudatp avatar Oct 06 '23 09:10 rudatp

I'm not sure if we have the code ready for this "feature". I'll leave it up to others to reply @1000TurquoisePogs @achmelo @balhar-jakub

nkocsis avatar Oct 06 '23 12:10 nkocsis

Correct, the code is not ready for testing of zlux. I would love to make the code available to @rudatp soon to know where to go next.

1000TurquoisePogs avatar Oct 20 '23 12:10 1000TurquoisePogs

We have another customer looking for a JCECCARACF keyring stored in the ICSF.

balhar-jakub avatar Nov 08 '23 11:11 balhar-jakub

The latest discussion on the topic during the ZAC call discussed that:

  • Sean Grady will reach out to his colleague who could have the environment
  • Joe Winchester will also sync on the environment available for testing the certificates.

balhar-jakub avatar Nov 14 '23 13:11 balhar-jakub