THE ICSF TOKEN

Overview
--------

The ICSF token is a clear-key, remote crypto token. The actual crypto operations
are performed remotely on an IBM Z (s390x) server running z/OS, and all the
PKCS#11 key objects are stored remotely on that server. The Linux side holds
only the token configuration and, if you choose to store them, the LDAP bind
credentials described below.

openCryptoki's ICSF token sends ICSF service calls to the remote server via
LDAP. Extensions to LDAP and a remote crypto plugin allow the remote LDAP server
to receive the request and hand it to ICSF for servicing. ICSF interfaces with
the crypto hardware and the z/OS keystore to service the request. Upon
completion, the result is passed back through the same channels.

The PKCS#11 key objects are created or generated remotely. The remote z/OS
keystore stores all the created or generated key objects, allowing for
centralized storage and key management.

The remote server's configuration is outside the scope of this README.

Please see XXXXX for more information on the z/OS LDAP server requirements and
remote crypto configuration.

For more information on ICSF PKCS#11, see the "Writing PKCS#11 Applications"
manual at
http://www-01.ibm.com/support/docview.wss?uid=isg24664157d6cdc890485257a7c0054dc3d&aid=1.

Pre-requisites:
1. The ICSF token communicates with the remote server via LDAP.
   On Linux, install openldap, openldap-clients, and openldap-devel.

2. You will also need the lex and yacc packages installed.

-----------------------------------------------------------------------

CONFIGURING THE ICSF TOKEN

Some setup of the ICSF token must be done for openCryptoki before initializing
it with the pkcsconf utility.

You will need:
- LDAP bind information
- The name of an ICSF token created on the remote server.


LDAP Bind Information
---------------------
openCryptoki must bind and authenticate to the remote LDAP server. openCryptoki
supports the Simple and SASL authentication methods when authenticating with the
remote LDAP server to send an ICSF service request.

You have the option of using:
1. existing LDAP config files for the information required to bind and
   authenticate to the LDAP server,

OR

2. giving the information to openCryptoki to store and use when binding and
   authenticating to the LDAP server. This is done through the pkcsicsf
   utility.

The first option involves using an existing LDAP config file to bind and
authenticate to the remote server.

When openCryptoki calls the openldap function to bind and authenticate, the
openldap function call will look for the ldaprc config file to acquire the
information it needs to bind and authenticate to the server.

When using this option,
- with Simple authentication, you need to specify the authentication
  mechanism as simple when adding the ICSF token into openCryptoki with the
  pkcsicsf utility. You will also be prompted for the RACF password, which
  will be stored on disk by openCryptoki for subsequent use (the location is
  given below).

- with SASL authentication, you need to specify the authentication mechanism
  as sasl when adding the ICSF token into openCryptoki with the pkcsicsf
  utility. SASL does not require a RACF password, so you will not be
  prompted for this information.

**Note: when using the first option, every user who accesses the token must
have the same bind information in their own .ldaprc file, since openldap reads
the ~/.ldaprc of the user making the call.

The second option gives openCryptoki the necessary LDAP credentials to store in
an openCryptoki config file for subsequent use. With this option the
credentials are stored in one place for all who access openCryptoki's ICSF
token.

When openCryptoki calls the openldap function to bind and authenticate, it will
pass along the information stored in the ICSF token config file to the function
call. For example, with Simple authentication it will pass the BINDDN and URI
found in this config file to the function.

When using this option,
- with Simple authentication, you need to specify the authentication
  mechanism as simple, along with the BINDDN and the URI, when adding the
  ICSF token into openCryptoki with the pkcsicsf utility. You will also be
  prompted for the RACF password, which will be stored on disk for
  subsequent use by openCryptoki.

- with SASL authentication, you need to specify the authentication mechanism
  as sasl, along with the CERT, CACERT, and KEY, when adding the ICSF token
  into openCryptoki with the pkcsicsf utility. SASL does not require a RACF
  password, so you will not be prompted for it.

When required, the RACF password is stored on disk for subsequent use in
/prefix/var/lib/opencryptoki/icsf/RACF.

Two points worth checking before relying on this. With Simple authentication
the RACF password is the LDAP bind credential, and a simple bind over a plain
ldap:// connection sends that password in cleartext, so the URI should use
ldaps:// (or the connection must otherwise be TLS-protected). And because the
stored password and the BINDDN/URI in the token config file are shared by
everyone who uses the token, keep read access to those files limited to the
users and groups that actually need the token.

**Note: Setup of LDAP and SASL are outside the scope of this README.


openCryptoki's ICSF token setup
-------------------------------
The installed opencryptoki.conf does not contain an entry for the ICSF token. An
entry is created upon setting up the ICSF token with the pkcsicsf utility.

openCryptoki's ICSF token must first be set up with the pkcsicsf utility before
the token can be initialized with the pkcsconf utility.

Setup
-----
ICSF token(s) originate on the remote server. It is likely that they are created
and destroyed by the remote's system administrator. openCryptoki queries the
remote server for a list of the available ICSF tokens via the pkcsicsf utility.
The list returned may contain more than one remote token. Note that which
token(s) are returned depends on the caller's SAF authority on the remote
server, so a token that exists but is not listed is most likely a SAF
authorization issue for the identity you bind with.

openCryptoki can only handle one remote ICSF token. If a list of tokens is
returned from the query, a single token must be chosen and installed into
openCryptoki with the pkcsicsf utility.

Upon adding the token into openCryptoki with the pkcsicsf utility, an ICSF token
entry will be created in the opencryptoki.conf file.

For example,
    slot 5 {
        stdll = libpkcs11_icsf.so
        confname = /usr/local/etc/opencryptoki/JML.conf
    }

Also, a separate ICSF token config file will be created,
/prefix/etc/opencryptoki/<tokenname>.conf, containing the information required
to bind to the LDAP server if any was specified. It will also contain
information from the remote server about the particular ICSF token that was
added.

In this example, /usr/local/etc/opencryptoki/JML.conf was created. Since this
example uses a .ldaprc file, the token config file only records the
authentication method; no BINDDN or URI is stored in it.
    slot 5 {
        TOKEN_NAME = "JML"
        TOKEN_MANUFACTURE = "IBM"
        TOKEN_MODEL = "ICSFModel"
        TOKEN_SERIAL = "012345"
        MECH = "SIMPLE"
    }

And lastly, when using Simple authentication, the RACF password file will
have been created.


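After pkcsicsf has run, it is worth verifying that the pieces described in this
section actually fit together before starting pkcsslotd. The script below is an
added example written for this README; it is not part of openCryptoki or of the
pkcsicsf utility. It parses a <tokenname>.conf stanza in the slot { KEY = "value" }
format shown above and an ldap.conf(5)-style ~/.ldaprc, then checks that a
Simple-authentication setup has a BINDDN and URI from one of the two sources, that
the URI is ldaps://, and that the RACF password file exists and is not readable by
group or other; for SASL it checks that CERT/KEY/CACERT (or the TLS_CERT/TLS_KEY/
TLS_CACERT directives in .ldaprc) are present. The ldaps:// and 0600 rules are this
example's own policy, not something pkcsicsf enforces, and the hostnames, DNs and
file paths in the embedded samples are constructed.

```python
"""Sanity-check an ICSF token's Linux-side setup after pkcsicsf has run.

Added example, not part of openCryptoki. Assumes the two file formats shown in
this README: a `slot N { KEY = "value" }` stanza in <tokenname>.conf and
ldap.conf(5)-style `URI` / `BINDDN` / `TLS_*` lines in ~/.ldaprc. The ldaps://
requirement and the 0600 rule for the RACF file are this example's own policy.
"""
import os
import re
import stat
import tempfile

_PAIR = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_token_conf(text):
    """Return the KEY = "value" pairs found inside the slot { ... } stanza."""
    settings, inside = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("slot") and s.endswith("{"):
            inside = True
        elif s == "}":
            inside = False
        elif inside and (m := _PAIR.match(s)):
            settings[m.group(1)] = m.group(2)
    return settings


def parse_ldaprc(text):
    """Return directive -> value for an ldap.conf(5)-style file ('#' starts a comment)."""
    out = {}
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#"):
            parts = s.split(None, 1)
            if len(parts) == 2:
                out[parts[0].upper()] = parts[1].strip()
    return out


def check_icsf_setup(token_conf, ldaprc, racf_path):
    """Return a list of problems; an empty list means the setup looks consistent."""
    conf, rc = parse_token_conf(token_conf), parse_ldaprc(ldaprc)
    problems = []
    mech = conf.get("MECH", "").upper()
    if mech == "SIMPLE":
        # Option 1 keeps BINDDN/URI in .ldaprc, option 2 in the token conf; either is fine.
        for key in ("BINDDN", "URI"):
            if key not in conf and key not in rc:
                problems.append(f"{key} missing from both the token conf and .ldaprc")
        uri = conf.get("URI") or rc.get("URI", "")
        # A simple bind carries the RACF password itself, so it must not cross the wire in clear.
        if uri and not uri.lower().startswith("ldaps://"):
            problems.append(f"simple bind over non-TLS URI {uri}: RACF password would be sent in cleartext")
        if not racf_path or not os.path.isfile(racf_path):
            problems.append("RACF password file is missing")
        else:
            mode = stat.S_IMODE(os.stat(racf_path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append(f"RACF password file mode {mode:04o} is readable by group/other")
    elif mech == "SASL":
        # With SASL the client certificate material must come from one of the two places.
        for conf_key, rc_key in (("CERT", "TLS_CERT"), ("KEY", "TLS_KEY"), ("CACERT", "TLS_CACERT")):
            if conf_key not in conf and rc_key not in rc:
                problems.append(f"{conf_key} missing from token conf and {rc_key} missing from .ldaprc")
    else:
        problems.append(f"unknown or missing MECH {mech!r}")
    return problems


def write_racf_file(mode):
    """Create a stand-in RACF password file with the given mode (constructed test data)."""
    fd, path = tempfile.mkstemp(prefix="RACF-")
    os.write(fd, b"not-a-real-password")
    os.close(fd)
    os.chmod(path, mode)
    return path


# Constructed sample inputs mirroring the JML example above; hosts, DNs and paths are invented.
TOKEN_CONF_LDAPRC = 'slot 5 {\n    TOKEN_NAME = "JML"\n    MECH = "SIMPLE"\n}\n'
TOKEN_CONF_STORED = ('slot 5 {\n    TOKEN_NAME = "JML"\n    MECH = "SIMPLE"\n'
                     '    BINDDN = "cn=jml,o=example"\n    URI = "ldaps://zos.example.test"\n}\n')
TOKEN_CONF_SASL = ('slot 5 {\n    TOKEN_NAME = "JML"\n    MECH = "SASL"\n'
                   '    CERT = "/etc/opencryptoki/jml.pem"\n    KEY = "/etc/opencryptoki/jml.key"\n'
                   '    CACERT = "/etc/opencryptoki/ca.pem"\n}\n')
LDAPRC_TLS = "# constructed ~/.ldaprc\nURI ldaps://zos.example.test\nBINDDN cn=jml,o=example\n"
LDAPRC_PLAIN = "URI ldap://zos.example.test\nBINDDN cn=jml,o=example\n"

if __name__ == "__main__":
    good = write_racf_file(0o600)
    print("option 1, ldaps, 0600 :", check_icsf_setup(TOKEN_CONF_LDAPRC, LDAPRC_TLS, good))
    print("option 1, ldap://     :", check_icsf_setup(TOKEN_CONF_LDAPRC, LDAPRC_PLAIN, good))
    print("option 2, 0644 RACF   :", check_icsf_setup(TOKEN_CONF_STORED, "", write_racf_file(0o644)))
    print("sasl, certs in conf   :", check_icsf_setup(TOKEN_CONF_SASL, "", None))
```

Run it against the real files by reading /prefix/etc/opencryptoki/<tokenname>.conf,
~/.ldaprc and /prefix/var/lib/opencryptoki/icsf/RACF in place of the constructed
strings; an empty result means the bind information is complete and the stored
password is not exposed to other local users.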
EXAMPLE OF HOW TO CONFIGURE THE ICSF TOKEN
------------------------------------------
First, get a list of the available tokens from the remote server. From the list
choose one token and add it into openCryptoki. After successfully adding the
ICSF token and any related information into openCryptoki, initialize the ICSF
token.

Examples to get a list of available tokens
-------------------------------------------
1. Using Simple authentication and a .ldaprc which has BINDDN and URI set in
   it, get a list of the available tokens from the remote.

       pkcsicsf -l -m simple

   You will be prompted for the RACF password and the SO PIN.

   You should get a list of the available tokens from the remote.

2. Using Simple authentication and giving openCryptoki the credentials to use,
   get a list of the available tokens from the remote.

       pkcsicsf -l -b <binddn> -u <uri> -m simple

   You will be prompted for the RACF password and the SO PIN.

   You should get a list of the available tokens from the remote.

3. Using SASL authentication and the LDAP configuration files, get a list of
   the available tokens from the remote.

       pkcsicsf -l -m sasl

4. Using SASL authentication and giving openCryptoki the credentials to use,
   get a list of the available tokens from the remote.

   (TO DO)


Examples to add a token into openCryptoki
-----------------------------------------
1. Using Simple authentication and a .ldaprc which has BINDDN and URI set in
   it, add the token named Foo.

       pkcsicsf -a Foo -m simple

   You will be prompted for the RACF password and the SO PIN.

   An entry for the token should have been added in the
   /usr/local/etc/opencryptoki/opencryptoki.conf file AND
   /usr/local/etc/opencryptoki/Foo.conf should have been created.

   The RACF password should have been stored in
   /usr/local/var/lib/opencryptoki/icsf/RACF.

2. Using Simple authentication and giving openCryptoki the credentials to use,
   add the ICSF token named Foo. In this case, the credentials (the BINDDN and
   URI) will be stored in the Foo.conf file that will be created.

       pkcsicsf -a Foo -b <binddn> -u <uri> -m simple

   You will be prompted for the RACF password and the SO PIN.

   An entry for the token should have been added in the
   /usr/local/etc/opencryptoki/opencryptoki.conf file AND
   /usr/local/etc/opencryptoki/Foo.conf should have been created.

   The RACF password should have been stored in
   /usr/local/var/lib/opencryptoki/icsf/RACF.

3. Using SASL authentication and the LDAP configuration files to authenticate,
   add an ICSF token named Foo into openCryptoki.

       pkcsicsf -a Foo -m sasl

4. Using SASL authentication and giving openCryptoki the credentials to use,
   add an ICSF token into openCryptoki. (TO DO)


Configure openCryptoki
----------------------

Now initialize the ICSF token and set the USER and SO PINs using the pkcsconf
utility.

1. Start the pkcsslotd daemon
       pkcsslotd

2. List the available tokens in openCryptoki
       pkcsconf -t

3. Initialize the ICSF token.
   NOTE: For this example, the ICSF token is listed in slot 5.
       pkcsconf -I -c 5

   You will be prompted for the SO PIN. The default SO PIN is 87654321.

   You will also be prompted to enter a unique token label. You can press
   enter since this will be ignored. The label or name has already been
   created on the remote server.

4. Set the user PIN
       pkcsconf -u -c 5

   You will be prompted to enter the SO PIN. Enter the default SO PIN,
   87654321.
   You will be prompted twice to enter the new user PIN. Enter 8 digits for
   the new user PIN. Remember it so you can use it later.

5. Set a new SO PIN
       pkcsconf -P -c 5

   You will be prompted to enter the SO PIN. Enter the default SO PIN,
   87654321.
   You will then be prompted to enter the new SO PIN. Enter 8 digits for
   the new SO PIN. Remember it for later use. Do not leave the default SO PIN
   in place on a token that is in use: anyone who knows it can set a new user
   PIN with pkcsconf -u, as in the previous step.

6. List the token and ensure it is ready.
       pkcsconf -t -c 5

   Sample output:
       pkcsconf -t -c 5
       Token #5 Info:
       Label: JML
       Manufacturer: IBM
       Model: ICSF
       Model Serial Number: 012345
       Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
       Sessions: 0/-2
       R/W Sessions: -1/-2
       PIN Length: 4-8
       Public Memory: 0xFFFFFFFF/0xFFFFFFFF
       Private Memory: 0xFFFFFFFF/0xFFFFFFFF
       Hardware Version: 1.0
       Firmware Version: 1.0
       Time: 22:09:20

   The Flags line is the readiness check: TOKEN_INITIALIZED and
   USER_PIN_INITIALIZED must both be set, and 0x44D is exactly the sum of the
   five flag bits named in parentheses.


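When the steps above are scripted, the readiness decision should be made from
the Flags value rather than by eyeballing the sample output. The following is an
added example written for this README, not part of openCryptoki or pkcsconf: it
parses the `pkcsconf -t -c N` output shown above (embedded here as constructed
input), decodes the Flags word with the standard PKCS#11 CK_TOKEN_INFO bit
values from pkcs11t.h, cross-checks the hex value against the names pkcsconf
printed, and reports the token as ready only if it is initialized, has a user PIN,
and has neither PIN locked. That readiness rule is this example's own policy for
automation.

```python
"""Decode the Flags line of `pkcsconf -t -c N` and decide whether the token is usable.

Added example, not part of openCryptoki. Bit values are the CK_TOKEN_INFO flags
from the PKCS#11 v2.x header (pkcs11t.h). SAMPLE_OUTPUT is the README's own
`pkcsconf -t -c 5` listing, embedded as constructed input.
"""
import re

CKF_TOKEN_FLAGS = {
    0x00000001: "RNG",
    0x00000002: "WRITE_PROTECTED",
    0x00000004: "LOGIN_REQUIRED",
    0x00000008: "USER_PIN_INITIALIZED",
    0x00000020: "RESTORE_KEY_NOT_NEEDED",
    0x00000040: "CLOCK_ON_TOKEN",
    0x00000100: "PROTECTED_AUTHENTICATION_PATH",
    0x00000200: "DUAL_CRYPTO_OPERATIONS",
    0x00000400: "TOKEN_INITIALIZED",
    0x00000800: "SECONDARY_AUTHENTICATION",
    0x00010000: "USER_PIN_COUNT_LOW",
    0x00020000: "USER_PIN_FINAL_TRY",
    0x00040000: "USER_PIN_LOCKED",
    0x00080000: "USER_PIN_TO_BE_CHANGED",
    0x00100000: "SO_PIN_COUNT_LOW",
    0x00200000: "SO_PIN_FINAL_TRY",
    0x00400000: "SO_PIN_LOCKED",
    0x00800000: "SO_PIN_TO_BE_CHANGED",
}

_FLAGS_LINE = re.compile(r"^\s*Flags:\s*0x([0-9A-Fa-f]+)\s*(?:\(([^)]*)\))?")


def decode_flags(value):
    """Return the flag names set in value, lowest bit first; unknown bits appear as BIT_n."""
    return [CKF_TOKEN_FLAGS.get(1 << bit, f"BIT_{bit}")
            for bit in range(64) if value & (1 << bit)]


def parse_token_info(text):
    """Turn pkcsconf -t output into a dict; 'Flags' becomes an int, 'FlagNames' the printed names."""
    info = {}
    for line in text.splitlines():
        m = _FLAGS_LINE.match(line)
        if m:
            info["Flags"] = int(m.group(1), 16)
            info["FlagNames"] = m.group(2).split("|") if m.group(2) else []
        elif ":" in line:
            key, _, val = line.partition(":")   # 'Time: 22:09:20' splits on the first colon only
            info[key.strip()] = val.strip()
    return info


def token_ready(info):
    """Return (ready, reasons). Also cross-checks the hex value against the names pkcsconf printed."""
    flags = info.get("Flags", 0)
    names = set(decode_flags(flags))
    reasons = []
    printed = set(info.get("FlagNames", []))
    if printed and printed != names:
        reasons.append(f"printed flag names do not match value 0x{flags:X}")
    for required in ("TOKEN_INITIALIZED", "USER_PIN_INITIALIZED"):
        if required not in names:
            reasons.append(f"{required} not set")
    for locked in ("USER_PIN_LOCKED", "SO_PIN_LOCKED"):
        if locked in names:
            reasons.append(f"{locked} is set")
    return (not reasons, reasons)


# Constructed input: the README's sample listing for the JML token in slot 5.
SAMPLE_OUTPUT = """\
Token #5 Info:
Label: JML
Manufacturer: IBM
Model: ICSF
Model Serial Number: 012345
Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
Sessions: 0/-2
R/W Sessions: -1/-2
PIN Length: 4-8
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 22:09:20
"""


def check_sample():
    """Parse SAMPLE_OUTPUT and return (label, flags, (ready, reasons))."""
    info = parse_token_info(SAMPLE_OUTPUT)
    return info["Label"], info["Flags"], token_ready(info)


if __name__ == "__main__":
    label, flags, (ready, why) = check_sample()
    print(f"{label}: flags=0x{flags:X} {decode_flags(flags)} ready={ready} {why}")
    # A token listed before `pkcsconf -I` lacks TOKEN_INITIALIZED; simulate that state.
    print(token_ready({"Flags": 0x44D & ~0x400}))
    # Too many bad user PINs sets USER_PIN_LOCKED; the SO must reset the PIN before use.
    print(token_ready({"Flags": 0x44D | 0x40000}))
```

Feed it the live output of `pkcsconf -t -c <slot>` instead of SAMPLE_OUTPUT; a
(False, [...]) result before the first key operation saves a confusing
CKR_USER_PIN_NOT_INITIALIZED or CKR_PIN_LOCKED error later.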
You are now done configuring the ICSF token into openCryptoki and it is ready
to be used.