From: "Falk Reichbott"
To: "Mykahailo Moldavskyy"
Subject: WG: RACF-KeyRing-Support and PGP
Date: Tue, 23 Jun 2015 13:43:20 +0200
Organization: limes datentechnik gmbh

Please enter this in an issue for the RACF-KeyRing-Support.

From: Erik Pauner [mailto:EAP@dk.ibm.com] On behalf of EMEA Crypto Competence Center
Sent: Tuesday, 23 June 2015 12:53
To: Falk Reichbott
Subject: Re: RACF-KeyRing-Support and PGP

Hi Falk,

1) Using the R_datalib service it is possible to extract PKDS key label information (and certificate) from a key ring (DataGetFirst and DataGetNext) - with this information in hand you can use ICSF for signing
   - I think normally you would require the certificate holding the private key to be DEFAULT and usage as PERSONAL in the key ring

2) No, there are no special z/OS EF PGP certificates on z/OS

3) Currently DKMS agent uses the proprietary RACDCERT commands to support RACF, which does not support ACF2 or Top Secret (as the SAF R_datalib interface was not sufficient)

Regards, Erik Pauner
------------------------------------------------------------
Please direct replies and future enquiries to ccc@dk.ibm.com
------------------------------------------------------------
EMEA Crypto Competence Center, Copenhagen
IBM Danmark ApS, Prøvensvej 1, DK-2605 Brøndby, Denmark
CVR nr.: 65305216
Telephone: (+45) 2880 4441

A CCCC software package enclosed in this mail or made available to you on the IBM QuickR website is governed by the import/export authorities in Denmark, USA and your country. In such cases the products have been shipped under the Global National License DK001 (Internal Compliance License) Serial No. DK6193, issued by the Danish Enterprise and Construction Authority and may be subject to restrictions if re-exported from your country.

From: "Falk Reichbott" <falk.reichbott@flam.de>
To: EMEA Crypto Competence Center/Denmark/IBM@IBMDK
Date: 23-06-2015 11:28
Subject: RACF-KeyRing-Support and PGP

Hi Team

We want to integrate RACF-KeyRing support for signature generation/verification and session key exchange. How can I use a public/private key pair for the current user in a key ring? Is there an RACF callable service which can be used?

There is currently no possibility in RACDCERT to import a PGP-Certificate (PGP public key file) into a RACF key ring. The z/OS-EF provides a help function for this. Does DKMS-RACF-KeyRing-Support support this?

IBM Canada implements DKMS for TSYS, is this correct? I have recommended DKMS, and the answer was that DKMS is currently implemented and will be used for key management.

TSYS are interested in FLAM and we plan to implement Key-Ring support, but TSYS use ACF2 instead of RACF and we are looking for a solution where we are independent of the security server (SAF=RACF/ACF2/TS).

Is DKMS-RACF-KeyRing-Support independent of the used security server?

Kind Regards

Falk Reichbott

Graduate engineer in computer engineering (BA)
Head of technical development for the FLUC®, FLIES® & FLAM® product families

limes datentechnik® gmbh
Louisenstrasse 21
D-61348 Bad Homburg v.d.H.
mobil: +49(0)1520-9827936
phone: +49(0)6172-5919-21
fax: +49(0)6172-5919-39
mailto: falk.reichbott@flam.de
web: www.flam.de & www.limes.de

District court: Bad Homburg vor der Höhe – HRB 3288 (founded 1985)
Managing directors: Diplom-Mathematiker Heinz-Ulrich Wiebach, Ute Wiebach

limes®: efficiency at the limit of possibility.

Unless Otherwise Stated Above:
IBM Danmark ApS
Kongevejen 495 B
2840 Holte, Danmark
CVR nr.: 65305216