ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzalz_5.4.0.1/rzalzmgmtcntlsc.htm

220 lines
14 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Use iSeries Navigator Management Central to sign objects" />
<meta name="abstract" content="This scenario describes a company that wants to sign objects that it packages and distributes to multiple systems. Based on the company's business needs and security goals, this scenario describes how to use iSeries Navigator's Management Central function to package and sign objects that they distribute to other systems." />
<meta name="description" content="This scenario describes a company that wants to sign objects that it packages and distributes to multiple systems. Based on the company's business needs and security goals, this scenario describes how to use iSeries Navigator's Management Central function to package and sign objects that they distribute to other systems." />
<meta name="DC.Relation" scheme="URI" content="rzalzscenariosoverview.htm" />
<meta name="DC.Relation" scheme="URI" content="rzalzmgmtcntrldetails.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzahu/rzahurazhudigitalcertmngmnt.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="mgmtcntlsc" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Use iSeries Navigator Management Central to sign objects</title>
</head>
<body id="mgmtcntlsc"><a name="mgmtcntlsc"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Use iSeries Navigator Management Central to sign objects</h1>
<div><p>This scenario describes a company that wants to sign objects that
it packages and distributes to multiple systems. Based on the company's business
needs and security goals, this scenario describes how to use iSeries™ Navigator's
Management Central function to package and sign objects that they distribute
to other systems.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>Your
company (MyCo, Inc.) develops applications that it distributes to multiple
systems in multiple locations within the company. As the network administrator,
you are responsible for ensuring that these applications are installed and
updated on all company servers. You currently use iSeries Navigator's <a href="../rzaih/rzaih1.htm">Management Central</a> function
to more easily package and distribute these applications and to perform other
administrative tasks for which you are responsible. However, you spend more
time than you like tracking down and correcting problems with these applications
because of unauthorized changes to objects. Consequently, you want to better
secure the integrity of these objects by digitally signing them. </p>
<p>You
have researched i5/OS™ object
signing capabilities and have learned that, beginning in V5R2, Management
Central allows you to sign objects when you package and distribute them. By
using Management Central you can meet your company's security goals efficiently
and relatively easily. You also decide to create a Local Certificate Authority
(CA) and use it to issue a certificate to sign objects. Using a certificate
issued by a Local CA for object signing limits the expense of using this security
technology because you do not need to purchase a certificate from a public
well-known CA.</p>
<p>This example serves as a useful introduction to the steps
involved in configuring and using object signing for applications that you
distribute to multiple company systems.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Scenario advantages</h4><div class="p">This
scenario has the following advantages: <ul><li>Using Management Central to package and sign objects reduces the amount
of time that you must spend to distribute signed objects to your company's
servers.</li>
<li>Using Management Central to sign objects in a package decreases the number
of steps that you must perform to sign objects because the signing process
is part of the packaging process. </li>
<li>Signing a package of objects allows you to more easily determine whether
objects have been changed after they have been signed. This may reduce some
of the troubleshooting that you do in the future to track down application
problems.</li>
<li>Using a certificate issued by a Local Certificate Authority (CA) to sign
objects makes signing objects less expensive to implement.</li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, MyCo, Inc. wants to digitally sign applications that it distributes
to multiple systems within the company. As the network administrator at MyCo,
Inc, you already use Management Central for a number of administrative tasks.
Consequently, you want to extend your current use of Management Central to
sign the company applications that you distribute to other systems. </p>
<p>The
objectives for this scenario are as follows:</p>
<ul><li>Company applications must be signed with a certificate issued by a Local
CA to limit the costs of signing applications.</li>
<li>System administrators and other designated users must be able to easily
verify digital signatures on all servers to verify the source and authenticity
of company signed objects. To accomplish this, each server must have a copy
of both the company's signature verification certificate and the Local Certificate
Authority (CA) certificate in each server's *SIGNATUREVERIFICATION certificate
store.</li>
<li>Verifying the signatures on company applications allows administrators
and others to detect whether the content of the objects has changed since
they were signed.</li>
<li>Administrators must be able to use Management Central to package, sign,
and then distribute their applications to their systems.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the object signing and signature verification process for
implementing this scenario:</p>
<br /><img src="rzalz003.gif" alt="Fig. 2 Management Central object signing process illustration (text description follows figure)" /><br /><p>The figure illustrates the
following points relevant to this scenario:</p>
<p><strong>Central system (System
A)</strong></p>
<ul><li>System A runs i5/OS Version 5 Release 2 (V5R2). </li>
<li>System A serves as the central system from which Management Central functions
run, including packaging and distributing company applications.</li>
<li>System A has a Cryptographic Access Provider 128-bit for iSeries (5722AC3)
installed.</li>
<li>System A has Digital Certificate Manager (i5/OS option 34) and the IBM<sup>®</sup> HTTP Server
(5722DG1) installed and configured.</li>
<li>System A acts as the Local Certificate Authority (CA) and the object signing
certificate resides on this system.</li>
<li>System A is the primary object signing system for company applications.
Product object signing for customer distribution is accomplished on System
A by performing these tasks: <ol><li>Using DCM to create a Local CA and using the Local CA to create an object
signing certificate.</li>
<li>Using DCM to export a copy of the Local CA certificate and the signature
verification certificate to a file so that endpoint systems (System B, C,
D, and E) can verify signed objects.</li>
<li>Using Management Central to sign application objects and package them
with the verification certificate files.</li>
<li>Using Management Central to distribute signed application and certificate
files to endpoint systems.</li>
</ol>
</li>
</ul>
<p><strong>Endpoint systems (Systems B, C, D, and E)</strong></p>
<ul><li>System B and C run i5/OS Version 5 Release 2 (V5R2). </li>
<li>Sysetm D and E run i5/OS Version 5 Release 1 (V5R1).</li>
<li>System B, C, D, and E have Digital Certificate Manager (option 34) and IBM HTTP
Server (5722DG1) installed and configured.</li>
<li>System B, C, D, and E receive a copy of both the company's signature verification
certificate and the Local CA from the central system (System A) when the systems
receive the signed application. </li>
<li>DCM is used to create the *SIGNATUREVERIFICATION certificate store and
import the Local CA and verification certificates into this certificate store.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Prerequisites and assumptions</h4><p>This
scenario depends on the following prerequisites and assumptions: </p>
<ol><li>All systems meet the <a href="../rzahu/rzahurzahureqdcmrequirements.htm">requirements</a> for installing and using Digital Certificate
Manager (DCM).</li>
<li>No one has previously configured or used DCM on any of the systems.</li>
<li>System A meets the requirements for installing and using iSeries Navigator
and Management Central.</li>
<li>The Management Central server must be running on all endpoint systems.</li>
<li>All systems have the highest level of Cryptographic Access Provider 128-bit
licensed program (5722-AC3) installed. </li>
<li>The default setting for the verify object signatures during restore (<a href="../rzakz/rzakzqvfyobjrst.htm ">QVFYOBJRST</a>)
system value on all scenario systems is 3 and has not been changed from this
setting. The default setting ensures that the server can verify object signatures
as you restore the signed objects. </li>
<li>The network administrator for System A must have *ALLOBJ user profile
special authority to sign objects, or the user profile must be authorized
to the object signing application. </li>
<li>The network administrator or anyone else who creates a certificate store
in DCM must have *SECADM and *ALLOBJ user profile special authorities.</li>
<li>System administrators or others on all other systems must have *AUDIT
user profile special authority to verify object signatures.</li>
</ol>
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration task steps</h4><p>There
are two sets of tasks that you must complete to implement this scenario: One
set of tasks allows you to set up System A to use Management Central to sign
and distribute applications. The other set of tasks allows system administrators
and others to verify the signatures on these applications on all other servers.
Refer to the scenario details topic below for the steps to complete these
tasks.</p>
<p><strong>Object signing task steps</strong></p>
<p>To sign objects as described
in this scenario, refer to the scenario details topic below for steps to complete
each of the following tasks on System A :</p>
<a name="mgmtcntlsc__mgmtcntrlsteps"><!-- --></a><ol id="mgmtcntlsc__mgmtcntrlsteps"><li>Complete all prerequisite steps to install and configure all needed iSeries products</li>
<li>Use DCM to create a Local Certificate Authority (CA) to issue a private
object signing certificate. </li>
<li>Use DCM to create an application definition.</li>
<li>Use DCM to assign a certificate to the object signing application definition</li>
<li>Use DCM to export the certificates that other systems must use for verifying
object signatures You must export both a copy of the Local CA certificate
and a copy of the object signing certificate as a signature verification certificate
to a file.</li>
<li>Transfer the certificate files to each endpoint system on which you intend
to verify signatures.</li>
<li>Use iSeries Navigator
Management Central to sign the application objects</li>
</ol>
<p><strong>Signature verification task steps</strong></p>
<p>You need to complete
these signature verification configuration tasks on each endpoint system before
you use Management Central to transfer the signed application objects to them.
Signature verification configuration must be completed before you can successfully
verify signatures as you restore the signed objects on the endpoint systems.</p>
<p>On
each endpoint system, you must complete these tasks to verify signatures on
objects as this scenario describes:</p>
<ol><li>Use DCM to create the *SIGNATUREVERIFICATION certificate store </li>
<li>Use DCM to import the Local CA certificate and the signature verification
certificate</li>
</ol>
</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzalzmgmtcntrldetails.htm">Scenario details: Use iSeries Navigator Management Central to sign objects</a></strong><br />
Complete the following task steps to configure Management Central to sign objects as this scenario describes.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzalzscenariosoverview.htm" title="Use this information to review scenarios that illustrate some typical situations for using object signing and signature verification capabilities. Each scenario also provides the configuration tasks you must perform to implement the scenario as described.">Object signing scenarios</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzahu/rzahurazhudigitalcertmngmnt.htm">Digital Certificate Manager (DCM)</a></div>
</div>
</div>
</body>
</html>