Top Secret

  • 1.  Digital Certificates

    Posted Nov 05, 2019 06:20 PM
    We are starting to use digital certificates and I have a few questions concerning the upload of the certificates from the PC to the mainframe.  
    We use FTP line commands to FTP the Digicerts from the PC to the mainframe. 

    1. How is it that the binary digicerts must use an LRECL of 256, whereas the BER-encoded, PKCS-7 BER-encoded and PEM-encoded digicerts use an LRECL of 84?
    The documentation for Top Secret only specifies the following information for the DCDSN that the Digicerts will be FTP'd into:
    physical sequential data set (DSORG=PS), variable blocked data set (RECFM=VB) and fully qualified name without enclosed quotes (LRECL=84), BER-encoded, PKCS-7 BER-encoded, or PEM-encoded. PEM certificates must be transported to MVS as TEXT and other forms transported as binary.

    2.  Are there any resources out there that would explain the differences between the digicerts, such as private/public key pairs and root CAs that need to be added to the CERTAUTH in Top Secret?

    Just asking.  In the process of configuring SSL/TLS for a new application to ensure the Mainframe is properly secured.

    Thanks.


  • 2.  RE: Digital Certificates
    Best Answer

    Posted Nov 06, 2019 08:46 AM
    Michael,

    I have never seen that binary files should use a different LRECL. It has been my experience that all datasets should use RECFM=VB and LRECL=84. My rule of thumb is that if the TSS command does not allocate the dataset, then you should always pre-allocate any datasets that will receive your certificate material from FTP. If you are unsure that your certificate material in the dataset is viable then run a CHKCERT command against it.

    If you let FTP allocate the output dataset for you then that almost never works out in your favor.

    There are a number of IBM publications (for RACF) that explain the certificate components and processing as they pretty much mimic each other. When you list an ACID and view the DIGICERT data you need to look for the Private Key Type and Size information to know which it is. If you generate the Private key in TSS, generate a CSR (signing request) and then import back the signed certificate (from your CA - Certificate Authority) you will find 2 entries (and will need a different DIGICERT name for each). If you import into TSS just a Private/Public key pair (PKCS12 package) then there will only be one DIGICERT.

    For CERTAUTH (root and Intermediate certificates) you will only ever import public keys that you have obtained from a known source and you set usage as CERTAUTH. If you are using self-signed certificate issuers that you build on your mainframe then you are in control of those. (We do not use any self-signed issuers here.)

    Hope this helps.

    Paul

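    The upload procedure Paul describes (pre-allocate a RECFM=VB LRECL=84 data set, send PEM as TEXT and the BER/PKCS-7 forms as binary, then verify with CHKCERT), as an added example that is not from the thread: a POSIX shell helper that picks the transfer mode by checking the file for a PEM header and emits the ftp(1) command script. The z/OS FTP SITE keywords RECFM and LRECL are the documented ones; the data set names, sample certificate files and host login are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Picks the FTP transfer mode for a
# certificate file per the Top Secret doc quoted above (PEM as TEXT,
# BER/DER and PKCS-7 as BINARY) and emits the ftp(1) command script that
# uploads it into the pre-allocated RECFM=VB LRECL=84 data set.
# Data set names and the sample files below are constructed placeholders.

# PEM is base64 text framed by "-----BEGIN ...-----"; anything else
# (DER/BER, PKCS-7 BER, PKCS-12) is sent as binary. The "--" keeps grep
# from reading the leading dashes of the pattern as options.
cert_transfer_mode() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null; then
        echo ascii
    else
        echo binary
    fi
}

# Commands for an already logged-in session (ftp -n host, then user/pass).
# The SITE parameters restate the documented allocation so the data set
# attributes are right even if FTP has to allocate it; the thread's advice
# is still to pre-allocate the data set on the host first.
build_ftp_script() {
    file="$1"; dsn="$2"
    printf 'quote site recfm=vb lrecl=84\n'
    printf '%s\n' "$(cert_transfer_mode "$file")"
    printf "put %s '%s'\n" "$file" "$dsn"
    printf 'quit\n'
}

# Constructed sample inputs: a PEM-framed file and a DER-like binary file
# (0x30 0x82 is the SEQUENCE header that opens a DER certificate).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedBase64' \
    '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
printf '\060\202\001\000' > "$demo_dir/ca.der"

build_ftp_script "$demo_dir/ca.pem" 'HLQ.CERT.CA.PEM'
build_ftp_script "$demo_dir/ca.der" 'HLQ.CERT.CA.DER'
# After the upload, verify the data set on the host before adding the
# certificate, e.g.  TSS CHKCERT DCDSN(HLQ.CERT.CA.PEM)
```

Pipe the emitted commands into `ftp -n` after logging in; the mode line (ascii or binary) is what changes between the PEM and the binary forms.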

  • 3.  RE: Digital Certificates

    Posted Nov 06, 2019 10:33 AM
    Paul,

    Your reply simplifies other documentation explanations that I have read and it does help.

    Thank you.

    Mike.