From z/OS ACF2 STIG
Part of ITNT0040
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
Digital certificates are a primary requirement for Secure Sockets Layer (i.e., SSL). The origin of a certificate, the Certificate Authority (i.e., CA), is crucial in determining if the certificate should be trusted. Failure to maintain a list of appropriate host-based CA certificates could result in unauthorized access to the host.
NOTE: The procedures in this checklist item presume the domain being reviewed is running all releases of z/OS, and use the ACP as the certificate store. Self-Signed Certificates If the domain being review is not a production system and is only used for test and development, this Self-Signed Certificates review can be skipped. a) From STIG ID ITCP0060, use the logonid(s) assigned to the TCP/IP address space(s) and issue the following ACF2 commands to list the certificate(s) associated with the TCPIP logonid(s): SET PROFILE(USER) DIVISION(CERTDATA) LIST LIKE(tcpip logonid.-) b) If no certificate information is found, there is NO FINDING. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks. c) If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or EXTERNAL CERTIFICATION AUTHORITY(ECA), there is NO FINDING. Examples of an acceptable DoD CA are: DoD PKI Class 3 Root CA DoD PKI Med Root CA d) If the digital certificate information indicates it is a self-signed certificate and the Status is TRUST, this is a FINDING. An example of a self-signed certificate would be site information displayed as the issuer's distinguished name. e) Using the logonid(s) assigned to the TCP/IP address space(s), issue the following ACF2 commands to list any associated key rings: SET PROFILE(USER) DIVISION(KEYRING) LIST LIKE(tcpip logonid.-) For each Certificate Owner, issue the following ACF2 commands to list the certificate(s) associated with their logonid: SET PROFILE(USER) DIVISION(CERTDATA) LIST LIKE(cert owner logonid.-) f) If the digital certificate information indicates that the issuer's distinguished name leads to a DoD PKI Root Certificate Authority or EXTERNAL CERTIFICATION AUTHORITY(ECA), there is NO FINDING. g) If the digital certificate information indicates it is a self-signed certificate and the Status is TRUST, this is a FINDING. DoD PKI Root Certificate Authority If the domain being review is not a production system and is only used for test and development, this DoD PKI Root Certificate Authority review can be skipped. h) Issue the following ACF2 commands to list the Certificate Authorities: SET PROFILE(USER) DIVISION(CERTDATA) LIST LIKE(CERTAUTH.-) i) If no certificate information is found, there is NO FINDING. NOTE: Certificates are only valid when their Status is TRUST. Therefore, you may ignore certificates with the NOTRUST status during the following checks. j) If the digital certificate information indicates that all certificates lead to a DoD PKI Root Certificate Authority or EXTERNAL CERTIFICATION AUTHORITY(ECA), there is NO FINDING. Examples of an acceptable DoD CA are: DoD PKI Class 3 Root CA DoD PKI Med Root CA k) If the digital certificate information indicates that any certificate is from a non-DoD entity (e.g., Verisign, Thawte, IBM World Registry) and the Status is TRUST, this is a FINDING. Certificate Name Filtering l) If certificate name filtering is in use, collect documentation describing each active filter rule and written approval from the IAM to use the rule. m) Issue the following ACF2 commands to list the certificate name filters defined to ACF2: SET CONTROL(GSO) SHOW CERTMAP n) If no CERTMAP FILTERING TABLES are present, there is NO FINDING. NOTE: Certificate name filters are only valid when their Status is TRUST. Therefore, you may ignore filters with the NOTRUST status. o) If CERTMAP FILTERING TABLES are present and certificate name filters have a Status of TRUST, certificate name filtering is in use. p) If certificate name filtering is in use and filtering rules have been documented and approved by the IAM, there is NO FINDING. q) If certificate name filtering is in use and filtering rules have not been documented and approved by the IAM, this is a FINDING.
The IAO will ensure that for production environments, the list of Certificate Authorities considered trusted by the z/OS host are limited to those with a trust hierarchy that leads to a DOD PKI Root Certificate Authority or EXTERNAL CERTIFICATION AUTHORITY(ECA). The IAO will ensure that for production environments, self-signed certificates are not used. Certificate name filtering is a facility that allows multiple certificates to be mapped to a single ACP ID. Rather than matching a certificate stored in the ACP to look up an ID, certificate name filtering uses criteria rules stored in the ACP. A filter rule uses parts of the distinguished name of the certificate owner and/or issuer (CA) to determine an ID to assign to the user. Depending on the filter criteria, a large number of client certificates could map to a single ID. The IAO will ensure that certificate name filtering is not used unless the filtering rules have been documented to, and approved by, the IAM. Review the list of host-based CAs and ensure they are limited to those with a trust hierarchy that leads to a DOD PKI Root CA. Example commands to list he keyring and certdata: SET PROFILE(USER) DIVISION(KEYRING) LIST LIKE(tcpip logonid.-) SET PROFILE(USER) DIVISION(CERTDATA) LIST LIKE(cert owner logonid.-) Ensure any certificate name filtering rules in use are documented and approved by the IAM.
Lavender hyperlinks in small type off to the right (of CSS
class id
, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle
or
Accept: application/rdf+xml
.
Powered by sagemincer