: //rsclweb.com
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of
Radoslaw Skorupka
Sent: 18 January 2024 22:32
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: I hate to be a pain (Cross-Posted)
Is ICSF xKDS file a VSAM? Yes.
So, why to keep the keys in CKDS/PKDS instead of RACFdb?
1. B
U] On
Behalf Of Farley, Peter
Sent: Wednesday, January 17, 2024 1:38 PM
To:IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: I hate to be a pain (Cross-Posted)
On z/OS isn't that the ICSF CKDS VSAM file?
Peter
From: IBM Mainframe Discussion List On Behalf Of
Steve Beaver
Sent: Wednesday, January 17, 20
I gotta plead guilty to this. I know the basickest of basics about Unix
security, mostly from reading "The Cuckoo's Egg" multiple times; I've also hit
the manuals occasionally, but I'm woefully ignorant and I know it.
I guess it helps that I know it, but it'll be better still to learn more.
--
> Files in Unix are pretty unsecure. ...
That's the popular wisdom.
I could argue that the evidence is circumstantial, even coincidental.
(Bad rap because of bad practice by OTHER PEOPLE.)
But I'll back down.
What Itschak said about USS/Unix being unfamiliar to mainframe security
teams is r
My H'penth
Files in Unix are pretty unsecure. I feel that any keystore in Unix is an
exposure.
With ICSF you can define a public/private key pair, and protect them with a
SAF profile such as
RDEFINE CSFKEYS label...
You then give people access to the label, and hence to the key(s).
I think it
Rick,
You blond the messenger. STIGs are developed by DISA. We only automate the
process. This is why I am very familiar with the STIG rules.
Btw, unix file system is less understood and maintained by the mainframe
security teams, so the risk is built in uss security (if you do not use
external se
On 1/18/24 02:53, ITschak Mugzach wrote:
see below the relevant STIG (V8r11)- TSS0-ES-000100:
IBM z/OS for PKI-based authentication must use ICSF or the ESM to store
keys.
Why?
(And I realize that YOU are not making this up, so don't take any
challenge personally.)
Any keys or Certificat
see below the relevant STIG (V8r11)- TSS0-ES-000100:
IBM z/OS for PKI-based authentication must use ICSF or the ESM to store
keys.
Any keys or Certificates must be managed in ICSF or the external security
manager and not in UNIX files.
ITschak Mugzach
*|** IronSphere Platform* *|* *Information S
UA.EDU] On
Behalf Of Phil Smith III
Sent: Wednesday, January 17, 2024 3:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: I hate to be a pain (Cross-Posted)
Itschak Mugzach wrote:
>The STIG does not allow a uss keystore.
Ummmkay? I see no mention of a STIG here. But as I said, I'm even SWAGg
Itschak Mugzach wrote:
>The STIG does not allow a uss keystore.
Ummmkay? I see no mention of a STIG here. But as I said, I'm even SWAGging what
he really wants/needs.
--
For IBM-MAIN subscribe / signoff / archive access instruc
Phil
The STIG does not allow a uss keystore.
ITschak
*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **| *
*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Sky
If you mean certificates for TLS, the USS gskkyman utility is great for
testing/verification. Nothing wrong with it for production, but most sites in
my experience are happier with the certs in SAF (RACF/ACF2/TSS) for production.
The beauty of gskkyman is that it's isolated AND discrete. With SA
Cross-Posted)
On z/OS isn't that the ICSF CKDS VSAM file?
Peter
From: IBM Mainframe Discussion List On Behalf Of
Steve Beaver
Sent: Wednesday, January 17, 2024 1:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: I hate to be a pain (Cross-Posted)
This is not may area of expertise, and I can't fi
On z/OS isn't that the ICSF CKDS VSAM file?
Peter
From: IBM Mainframe Discussion List On Behalf Of
Steve Beaver
Sent: Wednesday, January 17, 2024 1:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: I hate to be a pain (Cross-Posted)
This is not may area of expertise, and I can't find a
equ...@listserv.ua.edu>
Date: Wednesday, January 17, 2024 at 1:32 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: I hate to be a pain (Cross-Posted)
This is not may area of expertise, and I can't find a YOUTUBE or a step by step
checklist How does one create a keystore on zOS? Reg
I use keyrings - but not every product supports these.
I think you can Java programs in USS.
You need to know what your application/server supports
Colin
On Wed, 17 Jan 2024 at 18:32, Steve Beaver <
050e0c375a14-dmarc-requ...@listserv.ua.edu> wrote:
> This is not may area of expertise, and I
This is not may area of expertise, and I can't find a YOUTUBE or a step by
step checklist
How does one create a keystore on zOS?
Regards,
Steve
--
For IBM-MAIN subscribe / signoff / archive access instructio
17 matches
Mail list logo