zowe / community

Zowe Community - Sub-projects, Squads, Contribution Guidelines, Meeting Minutes, and more

Support all types of keyrings used within the z/OS ecosystem. #1851

Open JirkaAichler opened 1 year ago

JirkaAichler commented 1 year ago

Some customers are requesting support for different keyring types that are used in their mainframe security environments. They are interested primarily in the JCECCARACFKS keyring format.

Which Zowe components support keyrings? How difficult would it be to implement it?

It should be simple to update Java-based applications:

rudatp commented 1 year ago

I'm upvoting this request. We have customers using hardware private keys in RACF/Top Secret (ICSF), and just for ZOWE they have to create soft keys and are not happy about it.

Joe-Winchester commented 1 year ago

Some related ICSF details in https://github.com/zowe/zss/issues/597.

balhar-jakub commented 11 months ago

We have another customer that would benefit from the ICSF support.

nkocsis commented 11 months ago

@MarkAckert Mark, do you think that the Marist system could be set up to support this hardware (ICSF)?

MarkAckert commented 11 months ago

I believe we have CSFSERV configured on the Marist boxes with some access already in place; we can update user permissions on the box and STC permissions through ZWESECUR. Do we have a test case we can run to verify it's working? And is this just an ESM configuration change to get this working, or is it paired with a code change?

JirkaAichler commented 11 months ago

The best way to validate the configuration is by generating an ICSF key ring.

I could not find any good documentation. This is probably the best that I found:

https://www.ibm.com/docs/en/sklmfz/1.1.0?topic=certificates-example-using-jceracfks-jceccaracfks-keystore-zos

rudatp commented 11 months ago

We have a test installation with private keys in ICSF. Which build/version is needed? Mine is a bit outdated, but I can update it quickly and test it.

nkocsis commented 11 months ago

I'm not sure if we have the code ready for this "feature". I'll leave it up to others to reply @1000TurquoisePogs @achmelo @balhar-jakub

1000TurquoisePogs commented 11 months ago

Correct, the code is not ready for testing of zlux. I would love to make the code available to @rudatp soon to know where to go next.

balhar-jakub commented 10 months ago

We have another customer looking for JCECCARACF keyring stored in the ICSF.

balhar-jakub commented 10 months ago

The latest discussion on the topic during the ZAC call discussed that: