FLAM Issue Tracker - FL5
View Issue Details
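ID: 0000699
Project: FL5
Category: 5. FKME/FKM5
View Status: public
Date Submitted: 2015-06-23 14:10
Last Update: 2016-06-07 19:48
Reporter: Mykhailo Moldavskyy
Assigned To: Falk Reichbott
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: resolved
Resolution: won't fix
Summary: 0000699: SAF-KeyRing support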
Add RACF-KeyRing support, for example for PGP (conversion/encryption)
http://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.ichd100/gplfrd.htm

The R_datalib service can be used to read entries from the key ring.

The key ring can contain clear key pairs, PKCS#11 tokens, ICSF label for EP11 tokens or CCA keys.

The SAF key ring support must be implemented on top of the P11 and CCA support, and simply simplifies the access to the key/token label.

The FKME for asymmetric key exchange and signing used for FLAM5 archives, OpenPGP files or other encryption capabilities must be extended to determine the current active key of the declared user based on the assigned SAF key ring.

This solution must be compatible with RACF, ACF2, Top Secret and other security servers.
Tags: No tags attached.
Relationships: related to 0000075 (resolved, Falk Reichbott): Add OpenPGP support to data conversions
Attached Files: WG RACF-KeyRing-Support and PGP.eml (18,261) 2015-06-23 14:10
Issue History
2015-06-23 14:10  Mykhailo Moldavskyy  New Issue
2015-06-23 14:10  Mykhailo Moldavskyy  Status: new => assigned
2015-06-23 14:10  Mykhailo Moldavskyy  Assigned To: => Falk Reichbott
2015-06-23 14:10  Mykhailo Moldavskyy  File Added: WG RACF-KeyRing-Support and PGP.eml
2015-06-23 14:10  Mykhailo Moldavskyy  Product Version: => 5.1.06
2015-06-23 14:10  Mykhailo Moldavskyy  Target Version: => 5.1.08
2015-06-29 08:35  Falk Reichbott  View Status: private => public
2015-06-29 08:35  Falk Reichbott  Summary: RACF-KeyRing support => SAF-KeyRing support
2015-06-29 08:35  Falk Reichbott  Description Updated: bug_revision_view_page.php?rev_id=235#r235
2015-06-29 09:11  Falk Reichbott  Target Version: 5.1.08 => 5.1
2015-06-29 09:12  Falk Reichbott  Relationship added: related to 0000075
2015-07-09 18:48  Falk Reichbott  Target Version: 5.1 => 5.1.09
2015-08-13 18:47  Falk Reichbott  Target Version: 5.1.09 => 5.1.11
2015-10-29 10:15  Falk Reichbott  Note Added: 0000905
2015-10-29 10:15  Falk Reichbott  Target Version: 5.1.11 => 5.2
2015-11-11 15:41  Falk Reichbott  Category: 5. FKME => 5. FKME/FKM5
2016-06-07 19:48  Falk Reichbott  Note Added: 0000994
2016-06-07 19:48  Falk Reichbott  Status: assigned => resolved
2016-06-07 19:48  Falk Reichbott  Fixed in Version: => 5.1.13
2016-06-07 19:48  Falk Reichbott  Resolution: open => won't fix

Falk Reichbott
2015-10-29 10:15
This support makes key management very complex. It was mainly planned to get the keys managed with DKMS/EKMF. For DKMS/EKMF, direct support over the DKMS/EKMF-API and UKDS7 is now planned. Based on that, this support will only be implemented on customer request.

Especially for OpenPGP, a SUB-CA key in the PKDS is required as a prerequisite to translate OpenPGP KeyFiles (Certificates) into X509 Certificates for SAF-KeyRings. This signature verification over the PGP key, to then generate the signature over the X509 certificate, makes the whole process very complex.

It will be simpler and more secure if the keys are only managed by DKMS/EKMF and used by FLAM over ICSF/CCA, PKCS11 or some other supported HSM of DKMS/EKMF.

Falk Reichbott
2016-06-07 19:48
Is not required anymore