Signature Verification

Signature verification, also known as module verification, is required only to support FIPS mode. It is optional for non-FIPS mode operations.

The process to achieve signature verification is best described by the IBM document, z/OS Cryptographic Services System Secure Sockets Layer Programming, in the chapter covering module verification. However, an overview is provided here.

Your system might already meet some or all of these requirements for signature verification:
  • IBM's Security Level 3 FMID must be installed.
  • The RACF PROGRAM class must be active.
  • The IBM root CA must be marked trusted.
  • The FACILITY class profile IRR.PROGRAM.SIGNATURE.VERIFICATION must be activated.
  • A key ring for the code signing CA must be present or created.
  • PROGRAM class profiles must be defined for those System SSL modules that must be indicated as signed.
  • The user ID associated with the running EMS client must be authorized to read the PROGRAM secured modules.

Sample JCL

A sample setup JCL, based on IBM documentation, is provided as follows:

Data Set: <USERHLQ>.JCL

Member: SSLRACFA

Before implementing the sample, ensure that it is appropriate for your requirements and intentions.

You must change the user ID RACFADM to the user ID required to perform RACF security administration. Next, identify the user ID associated with the EMS client batch job or started task, and authorize it to use the newly secured programs that the EMS client uses.

Data Set: <USERHLQ>.JCL

Member: SSLCODES

Note: The preceding members must be executed in the following order:
  1. SSLRACFA
  2. SSLCODES
  3. SSLGCERT