The simple answer is called ICSF. (Of course only if you have crypto 
cards...) But this is exactly what ICSF is engineered to do. You protect 
the keys using the CSFKEYS RACF (and SAF compatible) class, and 
request them through the ICSF APIs by label.

Of course you can represent your own key managing API using an equivalent 
home-grown RACF class. But that only works well if your API is the only 
vehicle to READ or UPDATE the keys and cannot be bypassed.


Hayim
_____________________________________
Hayim Sokolsky
    Mainframe Security Architect
    DTCC Corporate Information Security
    18301 Bermuda Green Dr, MS 1-CIS
    Tampa FL 33647-1760

    Tel. (813) 470-2177
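The two set-ups described above, an ICSF key governed by the CSFKEYS class and a home-grown RACF class for key names, as an added REXX example that is not code from this thread, from Hayim or from DTCC. The user IDs (CRYPTADM, PAYRBAT), the key labels, the class name APPKEYS and the POSIT value are assumptions chosen for illustration.

```rexx
/* REXX                                                                */
/* Added example for this thread, not code from the original posters.  */
/* Part 1: an ICSF key is reached only by its label, and RACF decides  */
/*         who may use that label through the CSFKEYS class.           */
/* Part 2: the "home-grown class" alternative for key names that do    */
/*         not live in ICSF.                                           */
/* All names (CRYPTADM, PAYRBAT, APP1.PAYROLL.AES256, APPKEYS,         */
/* POSIT 300) are assumptions for illustration only.                   */

ADDRESS TSO

/* --- Part 1: ICSF key protected by the CSFKEYS class --------------- */
/* Profile name = the ICSF key label.  UACC(NONE) means nobody can use */
/* the key unless explicitly permitted; AUDIT(ALL(READ)) logs every    */
/* successful and failed attempt as an SMF type 80 record.            */
call racf "RDEFINE CSFKEYS APP1.PAYROLL.AES256 UACC(NONE)",
          "OWNER(CRYPTADM) AUDIT(ALL(READ))"

/* Only the batch ID that runs the payroll job may use the key.  It    */
/* never sees key material: it calls an ICSF callable service (for     */
/* example CSNBSYE) with the label, and ICSF performs the CSFKEYS      */
/* check itself before touching the key.                               */
call racf "PERMIT APP1.PAYROLL.AES256 CLASS(CSFKEYS) ID(PAYRBAT)",
          "ACCESS(READ)"

/* Activate the class and refresh the in-storage profiles so the new   */
/* definition takes effect immediately.                                */
call racf "SETROPTS CLASSACT(CSFKEYS) RACLIST(CSFKEYS)"
call racf "SETROPTS RACLIST(CSFKEYS) REFRESH"

/* --- Part 2: home-grown class for key names outside ICSF ----------- */
/* A dynamic class added to the class descriptor table (CDT).  As the  */
/* post notes, this only protects the keys if the application's own    */
/* API is the sole path to them.                                       */
call racf "RDEFINE CDT APPKEYS CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA)",
          "OTHER(ALPHA NUMERIC NATIONAL SPECIAL) MAXLENGTH(64)",
          "POSIT(300) RACLIST(REQUIRED))"
call racf "SETROPTS RACLIST(CDT) REFRESH"
call racf "SETROPTS CLASSACT(APPKEYS) RACLIST(APPKEYS)"

/* One profile per key *name*; the key material itself stays in the    */
/* application's own store, never in RACF.                             */
call racf "RDEFINE APPKEYS APP1.SESSION.KEY42 UACC(NONE) AUDIT(ALL(READ))"
call racf "PERMIT APP1.SESSION.KEY42 CLASS(APPKEYS) ID(PAYRBAT)",
          "ACCESS(READ)"
call racf "SETROPTS RACLIST(APPKEYS) REFRESH"

/* At run time the key-serving process answers "may I use this name?"  */
/* with RACROUTE REQUEST=AUTH,CLASS='APPKEYS',ENTITY=name,ATTR=READ    */
/* and releases the key only when the return code is 0.                */
exit 0

/* Issue one RACF command and stop on the first failure, so a partly   */
/* applied set-up is never left behind silently.                       */
racf: procedure
  parse arg cmd
  cmd
  if rc <> 0 then do
    say "Command failed, RC=" rc ":" cmd
    exit rc
  end
return
```

The exec is meant to be run once by a RACF administrator with authority over the classes involved. Note that CSFKEYS only governs which key labels a user may reference; the separate CSFSERV class governs which ICSF callable services the user may invoke at all, and a hardened installation protects both. The AUDIT(ALL(READ)) operand is what turns every key use into a reviewable audit trail, which is the main thing the file-based alternative discussed later in the thread lacks.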


P S <[email protected]>
Sent by: IBM Mainframe Discussion List <[email protected]>
2009.03.26 16:58
Please respond to IBM Mainframe Discussion List <[email protected]>

To: [email protected]
cc:
Subject: Re: "Cost" of RACF vs. small file I/O

Sure, I've been being unnecessarily cagey -- trying to keep the
scenario simple, and overdoing it! Sorry 'bout that.

I think it really is an access control issue: we have symmetric
encryption keys that are managed by a process, but in the
non-mainframe world, you ask the key server whether you're allowed to
use one or not (keys have names). So the idea is that if you put the
key *names* under ESM control, then our process asks RACF/ACF2/TSS,
"Mother may I use this key?" rather than making the network hop.

I've been told repeatedly, "RACF does not manage symmetric keys". But
if it can manage an arbitrarily named object -- not the object
*itself*, but access using the name -- then at least in theory, key
names could be stored as resources in RACF, and thus access controlled
by RACF.

Does that make more sense?

On Thu, Mar 26, 2009 at 12:06 PM, Rick Fochtman <[email protected]> wrote:
>
> ---------------------------<snip>------------------------------------------
> There seems to be a misconception here. RACF is a security mechanism,
> NOT a generalized data-storage mechanism.
>
> No, definition of arbitrary objects in RACF is NOT an option. Storage in
> HFS is fine, or some other small dataset if you like. Whoever told you "They
> should be in RACF" has a faulty understanding of RACF function and
> usage. If you could go into more detail about the application and its usage,
> perhaps we can arrive at an acceptable solution for your issue.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
