As digital certificates become increasingly important in securing transactions on the Internet, with capabilities far beyond those of password protection alone, large enterprises are looking for a complete and scalable solution for managing these certificates. A public key infrastructure (PKI) is the standard framework for public-key cryptographic security and is what establishes trust in digital certificates. With a PKI, digital certificates provide the trusted infrastructure for security-rich transactions over the Internet. PKI Services for z/OS, a base component of the Security Server element of z/OS, provides this same trusted infrastructure for security-rich, Web-based transactions. PKI Services for z/OS combines PKI encryption technology with the z/OS qualities of service, including availability and scalability.
PKI Services allows you to establish a PKI and act as a certificate authority (CA) for your internal and external users, issuing and administering digital certificates in accordance with your own organization’s policies. Your users can use a PKI Services application to request and obtain certificates through their own Web browsers, while your authorized PKI administrators approve, modify, or reject these requests through their own Web browsers. The Web applications provided with PKI Services are highly customizable, and a programming exit is also included for advanced customization. You can allow automatic approval of certificate requests from certain users and add host IDs, such as RACF user IDs, to the certificates you issue for certain users to provide additional authentication. You can also issue your own certificates for browsers, servers, and other purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail. PKI Services supports the Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) cryptographic standards. It also supports the following:
- The delivery of certificates through the Secure Sockets Layer (SSL) for use with applications that are accessed from a Web browser or Web server.
- The delivery of certificates that support the Internet Protocol Security standard (IPSEC) for use with secure VPN applications or IPSEC-enabled devices.
- The delivery of certificates that support Secure Multipurpose Internet Mail Extensions (S/MIME), for use with secure e-mail applications.
- The delivery of certificates through the Simple Certificate Enrollment Protocol (SCEP), which enables devices to request and renew certificates automatically.
The certificate authority, commonly called a CA, acts as a trusted third party to ensure that users who engage in e-business can trust each other. A CA vouches for the identity of each party through the certificates it issues. In addition to proving the identity of the user, each certificate includes a public key that enables the user to verify and encrypt communications.
The trustworthiness of the parties depends on the trust that is placed in the CA that issued the certificates. To ensure the integrity of a certificate, the CA digitally signs the certificate as part of creating it, using its signing private key. Trying to alter a certificate invalidates the signature and renders it unusable.
The protection of the CA’s signing private key is critical to the integrity of the CA. For this reason, you should consider using ICSF (Integrated Cryptographic Service Facility) to store your PKI Services CA’s private key securely.
As a CA using PKI Services, you can do the following:
- Track the certificates you issue with an issued certificate list (ICL) that contains a copy of each certificate, indexed by serial number.
- Track revoked certificates using certificate revocation lists (CRLs). When a certificate is revoked, PKI Services adds it to the CRL at the next periodic update. Just as it signs certificates, the CA digitally signs all CRLs to vouch for their integrity.
- Track revoked certificates using the Online Certificate Status Protocol (OCSP), which returns the current status of a certificate to the requestor, the OCSP client.
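The CA operations described above, as an added example written with Go's standard library (it is not PKI Services code): the CA signs certificates with its private key, publishes a signed CRL of revoked serial numbers, and a relying party refuses any CRL whose CA signature does not verify. The names NewCA, Issue, SignCRL and IsRevoked are hypothetical, Ed25519 is used only for brevity, the CRL number is fixed, and the ICL and OCSP responder are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // demo only: a production CA reports errors rather than panicking
	if err != nil {
		panic(err)
	}
	return v
}
// NewCA creates a hypothetical self-signed CA whose private key may sign both certificates and CRLs.
func NewCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // the CA's signing private key; its protection is critical
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, t, pub, key)))), key
}
// Issue signs an end-entity certificate for pub with the CA's private key.
func Issue(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, serial int64, pub ed25519.PublicKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, ca, pub, caKey))))
}
// SignCRL lists the revoked serials in a CRL signed with the CA's key, as each periodic update would.
func SignCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, revoked ...int64) *x509.RevocationList {
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, t, ca, caKey))))
}
// IsRevoked trusts a CRL only after verifying the CA's signature on it, then looks for the serial.
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList, ca *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // not signed by this CA: a forged or foreign CRL proves nothing
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

A relying party checks an issued certificate with cert.CheckSignatureFrom(ca); flipping any byte of the signed portion makes that check fail, which is the integrity property the CA signature provides.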
The public key infrastructure (PKI) provides applications with a framework for performing the following types of security-related activities:
- Authenticate all parties that engage in electronic transactions
- Authorize access to sensitive systems and repositories
- Verify the author of each message through its digital signature
- Encrypt the content of all communications
The PKIX standard evolved from PKI to support the interoperability of applications that engage in e-business. Its main advantage is that it lets organizations conduct secure electronic transactions regardless of operating platform or application software package.
The PKIX implementation in PKI Services is based on the Common Data Security Architecture (CDSA) from Intel Corporation. CDSA supports multiple trust models, certificate formats, cryptographic algorithms, and certificate repositories. Its primary advantage is that it enables organizations to write PKI-compliant applications that support their business policies.