As digital certificates become increasingly important in securing transactions on the Internet, offering capabilities far beyond those of password protection alone, large enterprises are looking for a complete and scalable solution for managing these certificates. Public key infrastructure (PKI) is the standard framework for public-key cryptographic security and is used to secure digital certificates. With a PKI in place, digital certificates can provide the trusted infrastructure for security-rich transactions over the Internet. PKI Services for z/OS, a base component of the Security Server element of z/OS, provides this same trusted infrastructure for security-rich, Web-based transactions. It combines PKI encryption technology with the z/OS qualities of service, including availability and scalability.
What is PKI Services?
PKI Services allows you to establish a PKI and serve as a certificate authority for your internal and external users, issuing and administering digital certificates in accordance with your own organization’s policies. Your users can use a PKI Services application to request and obtain certificates through their own Web browsers, while your authorized PKI administrators approve, modify, or reject these requests through theirs. The Web applications provided with PKI Services are highly customizable, and a programming exit is also included for advanced customization. You can allow automatic approval for certificate requests from certain users and add host IDs, such as RACF user IDs, to certificates you issue for certain users to provide additional authentication. You can also issue your own certificates for browsers, servers, and other purposes, such as virtual private network (VPN) devices, smart cards, and secure e-mail. PKI Services supports the Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture (CDSA) cryptographic standards. It also supports the following:
What is a certificate authority?
The certificate authority, commonly called a CA, acts as a trusted third party to ensure that users who engage in e-business can trust each other. A CA vouches for the identity of each party through the certificates it issues. In addition to proving the identity of the user, each certificate includes a public key that enables the user to verify and encrypt communications.
The trustworthiness of the parties depends on the trust that is placed in the CA that issued the certificates. To ensure the integrity of a certificate, the CA digitally signs the certificate as part of creating it, using its signing private key. Any alteration of a certificate after it is signed invalidates the signature and renders the certificate unusable.
The protection of the CA’s signing private key is critical to the integrity of the CA. For this reason, you should consider using ICSF to securely store your PKI Services CA’s private key.
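As an added illustration of the signing step described above (example code written for this page, not part of PKI Services or of the original text), the following Go program uses only the standard library to create a self-signed CA, has the CA issue a user certificate with its private key, verifies that certificate against the CA, and then shows that a copy altered after signing no longer verifies. The CA name and the user name are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal X.509 template; the names used are constructed placeholders.
func template(serial int64, cn string, isCA bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
}
// issue has parent sign tmpl with signer (self-signed when parent == tmpl) and returns the signed DER.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	return der
}
// verifies reports whether der parses and chains to a CA in roots; chain building checks the CA's signature.
func verifies(der []byte, roots *x509.CertPool) bool {
	cert, err := x509.ParseCertificate(der)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
	}
	return err == nil
}
// IssueAndVerify reports whether the CA-issued user certificate verifies and whether a copy altered after signing does.
func IssueAndVerify() (cleanOK, tamperedOK bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := template(1, "Example Internal CA", true, x509.KeyUsageCertSign)
	ca, _ := x509.ParseCertificate(issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)) // the CA signs its own certificate
	userDER := issue(template(2, "user01", false, x509.KeyUsageDigitalSignature), ca, &userKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Same-length edit of the subject inside the signed DER: it still parses, but the signature no longer matches.
	tampered := bytes.Replace(userDER, []byte("user01"), []byte("user99"), 1)
	return verifies(userDER, roots), verifies(tampered, roots)
}
```

Go's chain builder rejects the altered copy because the CA signature over the TBSCertificate no longer matches its bytes, which is the property the CA's signing key provides.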
As a CA using PKI Services, you can do the following:
What is PKI?
The public key infrastructure (PKI) provides applications with a framework for performing the following types of security-related activities:
The PKIX standard evolved from PKI to support the interoperability of applications that engage in e-business. Its main advantage is that it lets organizations conduct secure electronic transactions without regard for operating platform or application software package.
The PKIX implementation in PKI Services is based on the Common Data Security Architecture (CDSA) from Intel Corporation. CDSA supports multiple trust models, certificate formats, cryptographic algorithms, and certificate repositories. Its primary advantage is that it enables organizations to write PKI-compliant applications that support their business policies.