Signature Verification
Signature verification, also known as Module Verification, is only required to support FIPS mode and can optionally be ignored for non-FIPS mode operations.
Your system might already meet some or all of the following requirements for signature verification:
- IBM's Security Level 3 FMID must be installed.
- The RACF PROGRAM class must be active.
- The IBM root CA must be marked trusted.
- The FACILITY class profile IRR.PROGRAM.SIGNATURE.VERIFICATION must be activated.
- A key ring for the code signing CA must be present or created.
- The PROGRAM class profiles must be defined for those System SSL modules that must be indicated as signed.
- The user ID associated with the running EMS client must be authorized to read the PROGRAM secured modules.
Note: For more information about the best process to achieve signature verification, see the IBM documentation, SSL Programming, in the chapter covering module verification.
Sample JCL
The following sample setup JCL is based on IBM documentation. Before implementing the sample, ensure that it is appropriate for your requirements and intentions.
You must change the user ID RACFADM to the user ID needed to perform RACF security administration.
Next, find the user ID associated with the EMS client batch job or started task, and authorize it to use the newly secured programs that the EMS client will use.
Copyright © 2022. Cloud Software Group, Inc. All Rights Reserved.
