On Thu, 26 Mar 2009 16:58:14 -0400, P S <[email protected]> wrote:

> Sure, I've been being unnecessarily cagey -- trying to keep the
> scenario simple, and overdoing it! Sorry 'bout that.

As you've now learned, trying to hide details often results in getting less than useful answers.

> I think it really is an access control issue: we have symmetric
> encryption keys that are managed by a process, but in the
> non-mainframe world, you ask the key server whether you're allowed to
> use one or not (keys have names). So the idea is that if you put the
> key *names* under ESM control, then our process asks RACF/ACF2/TSS,
> "Mother may I use this key?" rather than making the network hop.
>
> I've been told repeatedly, "RACF does not manage symmetric keys". But
> if it can manage an arbitrarily named object -- not the object
> *itself*, but access using the name -- then at least in theory, key
> names could be stored as resources in RACF, and thus access controlled
> by RACF.
>
> Does that make more sense?

Yes, and as Hayim noted that's exactly how standard crypto on z/OS (via ICSF) works. Keys have associated labels, and ICSF controls access to those labels using RACF (or other ESM, presumably).

An application such as ICSF uses RACROUTE REQUEST=AUTH or FASTAUTH to do the access checking. Administrators define profiles in RACF to protect the resource names (e.g., key labels) presented by the application on its RACROUTE requests. Administrators or system programmers define the necessary resource class to RACF, if the application uses a resource class not provided by RACF among the standard classes.

Of course, you would also need to worry about where you store the keys themselves. If your application stores them as UNIX files, with one key per file, then in theory you could also let the system perform access control on those files, if you run the application thread under the client user's security identity. Generally that's a poor way to store encryption keys, in my opinion, but that's a mechanism that could work, depending on exactly how your application runs (which we don't know yet).
--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
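As an added illustration (not part of Walt's message and not taken from IBM documentation), here is the RACF administrator command sequence that carries out the scheme above: define an installation resource class for key names, protect one key label with a profile, and permit only the application's user ID to it, as it would be submitted through a batch TSO job. The class name KEYNAME, the key label PAYROLL.AES.2009, the user ID PAYAPP and the CDTINFO attribute values are assumptions; check them against the RACF Command Language Reference for your release before use.

```tso
/* Step 1: define an installation class for key names in the dynamic   */
/* class descriptor table. Class name and attributes are assumed values. */
RDEFINE CDT KEYNAME UACC(NONE) +
   CDTINFO(DEFAULTUACC(NONE) FIRST(ALPHA) +
           OTHER(ALPHA NUMERIC NATIONAL SPECIAL) +
           MAXLENGTH(64) POSIT(200) GENERIC(ALLOWED) +
           RACLIST(REQUIRED))
SETROPTS RACLIST(CDT) REFRESH

/* Step 2: activate the class and keep its profiles in storage, which   */
/* is what allows the application to use RACROUTE REQUEST=FASTAUTH.     */
SETROPTS CLASSACT(KEYNAME) GENERIC(KEYNAME) RACLIST(KEYNAME)

/* Step 3: protect one key label (assumed name); nobody gets access     */
/* through the universal access, so the default answer is "no".         */
RDEFINE KEYNAME PAYROLL.AES.2009 UACC(NONE)

/* Step 4: allow only the application's user ID (assumed) to use the key. */
PERMIT PAYROLL.AES.2009 CLASS(KEYNAME) ID(PAYAPP) ACCESS(READ)

/* Step 5: refresh the in-storage profiles so FASTAUTH sees the change. */
SETROPTS RACLIST(KEYNAME) REFRESH
```

The application then issues RACROUTE REQUEST=FASTAUTH with CLASS=KEYNAME and ENTITY=PAYROLL.AES.2009 under the requester's ACEE, and RACF's return code is the "Mother may I" answer; every denied request is logged when the profile's AUDIT setting calls for it.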

