friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajc_5.4.0.1/rzajcrolesprofiles.htm

260 lines
17 KiB
HTML
Raw Permalink Blame History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Create and define roles and profiles" />
<meta name="abstract" content="Cryptographic Coprocessors use role-based access control. In a role-based system, you define a set of roles, which correspond to the classes of Coprocessor users. You can enroll each user by defining an associated user profile to map the user to one of the available roles." />
<meta name="description" content="Cryptographic Coprocessors use role-based access control. In a role-based system, you define a set of roles, which correspond to the classes of Coprocessor users. You can enroll each user by defining an associated user profile to map the user to one of the available roles." />
<meta name="DC.Relation" scheme="URI" content="rzajcsetup.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajcsecureaccess.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajccontrolvector.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajcrolesprofiles" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create and define roles and profiles</title>
</head>
<body id="rzajcrolesprofiles"><a name="rzajcrolesprofiles"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create and define roles and profiles</h1>
<div><p>Cryptographic Coprocessors use role-based access control. In a
role-based system, you define a set of roles, which correspond to the classes
of Coprocessor users. You can enroll each user by defining an associated user
profile to map the user to one of the available roles.</p>
<p>The capabilities of a role are dependent on the access control points or
cryptographic hardware commands that are enabled for that role. You can then
use your Cryptographic Coprocessor to create profiles that are based on the
role you choose.</p>
<p>A role-based system is more efficient than one in which the authority is
assigned individually for each user. In general, you can separate the users
into just a few different categories of access rights. The use of roles allows
you to define each of these categories just once, in the form of a role.</p>
<p>The role-based access control system and the grouping of permissible commands
that you can use are designed to support a variety of security policies. In
particular, you can set up Cryptographic Coprocessors to enforce a dual-control,
split-knowledge policy. Under this policy no one person should be able to
cause detrimental actions other than a denial-of-service attack, once the
Cryptographic Coprocessor is fully activated. To implement this policy, and
many other approaches, you need to limit your use of certain commands. As
you design your application, consider the commands you must enable or restrict
in the access-control system and the implications to your security policy.</p>
<p>Every Cryptographic Coprocessor must have a role called the default role.
Any user that has not logged on to the Cryptographic Coprocessor will operate
with the capabilities defined in the default role. Users who only need the
capabilities defined in the default role do not need a profile. In most applications,
the majority of the users will operate under the default role, and will not
have user profiles. Typically, only security officers and other special users
need profiles.</p>
<div class="p">When Cryptographic Coprocessors are in an un-initialized state, the default
role has the following access control points enabled: <ul><li>PKA96 One Way Hash</li>
<li>Set Clock</li>
<li>Re-initialize Device</li>
<li>Initialize access control system roles and profiles</li>
<li>Change the expiration data in a user profile</li>
<li>Reset the logon failure count in a user profile</li>
<li>Read public access control information</li>
<li>Delete a user profile</li>
<li>Delete a role</li>
</ul>
</div>
<p>The default role is initially defined such that the functions permitted
are those functions that are related to access control initialization. This
guarantees that the Cryptographic Coprocessor will be initialized before you
do any useful cryptographic work. The requirement prevents security "accidents"
in which someone might accidentally leave authority intact when you put the
Coprocessor into service.</p>
<div class="note"><span class="notetitle">Note:</span> Read the <a href="codedisclaimer.htm#codedisclaimer">Code license and disclaimer information</a> for
important legal information.</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajcsetup.htm" title="Configuring your Cryptographic Coprocessor allows you to begin to use all of its cryptographic operations.">Configure the Cryptographic Coprocessor</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajcsecureaccess.htm" title="Access control restricts the availability of system resources to only those users you have authorized to interact with the resources. The server allows you to control authorization of users to system resources.">Secure access</a></div>
<div><a href="rzajccontrolvector.htm" title="The function control vector tells the Cryptographic Coprocessor what key length to use to create keys. You cannot perform any cryptographic functions without loading a function control vector.">Load a function control vector</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="definingroles"><a name="definingroles"><!-- --></a><h2 class="topictitle2">Defining roles</h2>
<div><p>The easiest and fastest way to define new roles (and redefine the default
role) is to use the Cryptographic Coprocessor configuration web-based utility
found off of the System Tasks page at http://<var class="varname">server-name</var>:2001.
The utility includes the Basic configuration wizard that is used when the
Coprocessor is in an un-initialized state. The Basic configuration wizard
can define either 1 or 3 administrative roles along with redefining the default
role. If the Coprocessor already has been initialized, then click on <span class="uicontrol">Manage
configuration</span> and then click on <span class="uicontrol">Roles</span> to
define new roles or change or delete existing ones. </p>
<p>If you would prefer to write your own application to manage roles, you
can do so by using the Access_Control_Initialization (CSUAACI) and Access_Control_Maintenance
(CSUAACM) API verbs. To change the default role in your Coprocessor, specify
"DEFAULT" encoded in ASCII into the proper parameter. You must pad this with
one ASCII space character. Otherwise, there are no restrictions on the characters
that you may use for role IDs or profile IDs.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajccrtroleprfc.htm" title="Change this program example to suit your needs for creating a role or a profile for your Coprocessor.">Example: ILE C program for creating roles and profiles for your Coprocessor</a></div>
<div><a href="rzajcsetdefaultc.htm" title="Change this program example to suit your needs for enabling all access control points in the default role for your Coprocessor.">Example: ILE C program for enabling all access control points in the default role for your Coprocessor</a></div>
<div><a href="rzajccrtroleprfrpg.htm" title="Change this program example to suit your needs for creating roles and profiles for your Coprocessor.">Example: ILE RPG program for creating roles or profiles for your Coprocessor</a></div>
<div><a href="rzajcsetdefaultrpg.htm" title="Change this program example to suit your needs for enabling all access control points in the default role for your Coprocessor.">Example: ILE RPG program for enabling all access control points in the default role for your Coprocessor</a></div>
</div>
</div></div>
<div class="nested1" xml:lang="en-us" id="definingprofiles"><a name="definingprofiles"><!-- --></a><h2 class="topictitle2">Defining profiles</h2>
<div><p>After you create and define a role for your Coprocessor, you can create
a profile to use under this role. A profile allows users to access specific
functions for your Coprocessor that may not be enabled for the default role.</p>
<p>The easiest and fastest way to define new profiles is to use the Cryptographic
Coprocessor configuration web-based utility, located on the System
Tasks page at <samp class="codeph">http://<var class="varname">server-name</var>:2001</samp>.
The utility includes the Basic configuration wizard that is used when the
Coprocessor is in an un-initialized state. The Basic configuration wizard
can define either one or three administrative profiles. If the Coprocessor
has already been initialized, click <span class="menucascade"><span class="uicontrol">Manage configuration </span> &gt; <span class="uicontrol">Profiles</span></span> to define new profiles or change
or delete existing ones.</p>
<p>If you want to write your own application to manage profiles, you can use
the Access_Control_Initialization (CSUAACI) and Access_Control_Maintenance
(CSUAACM) API verbs.</p>
</div>
<div><div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajcchgprofc.htm" title="Change this program example to suit your needs for changing an existing profile for your Coprocessor.">Example: ILE C program for changing an existing profile for your Coprocessor</a></div>
<div><a href="rzajcchgprofrpg.htm" title="Change this program example to suit your needs for changing an existing profile for your Coprocessor.">Example: ILE RPG program for changing an existing profile for your Coprocessor</a></div>
</div>
</div></div>
<div class="nested1" xml:lang="en-us" id="coprocessorforssl"><a name="coprocessorforssl"><!-- --></a><h2 class="topictitle2">Coprocessor for SSL</h2>
<div><div class="p">If you will be using the Coprocessor for SSL, the default role must at
least be authorized to the following access control points: <ul><li>Digital Signature Generate</li>
<li>Digital Signature Verify</li>
<li>PKA Key Generate</li>
<li>PKA Clone Key Generate</li>
<li>RSA Encipher Clear Data</li>
<li>RSA Decipher Clear Data</li>
<li>Delete Retained Key</li>
<li>List Retain Keys</li>
</ul>
</div>
<p>The Basic configuration wizard in the Cryptographic Coprocessor configuration
utility automatically redefines the default role such that it can be used
for SSL without any changes.</p>
<div class="p">To avoid security hazards, consider denying the following access control
points (also called cryptographic hardware commands) for the default role,
after you have set up all of the roles and profiles: <div class="note"><span class="notetitle">Note:</span> You should enable
only those access control points that are necessary for normal operations.
At a maximum, you should only enable specifically required functions. To determine
which access control points are required, refer to the CCA Basic Services
Guide. Each API lists the access control points that are required for that
API. If you do not need to use a particular API, consider disabling the access
control points that are required for it.</div>
<ul><li>Load first part of Master Key</li>
<li>Combine Master Key Parts</li>
<li>Set Master Key</li>
<li>Generate Random Master Key</li>
<li>Clear New Master Key Register</li>
<li>Clear Old Master Key Register</li>
<li>Translate CV</li>
<li>Set Clock <div class="attention"><span class="attentiontitle">Attention:</span> If you intend to disable the Set Clock
access control point from the default role, ensure that the clock is set before
you disable access. The clock is used by the Coprocessor when users try to
log on. If the clock is set incorrectly, users can not log on.</div>
</li>
<li>Re-initialize device</li>
<li>Initialize access control system</li>
<li>Change authentication data (for example, pass phrase)</li>
<li>Reset password failure count</li>
<li>Read Public Access Control Information</li>
<li>Delete user profile</li>
<li>Delete role</li>
<li>Load Function Control Vector</li>
<li>Clear Function Control Vector</li>
<li>Force User Logoff</li>
<li>Set EID</li>
<li>Initialize Master Key Cloning Control</li>
<li>Register Public Key Hash</li>
<li>Register Public Key, with Cloning</li>
<li>Register Public Key</li>
<li>PKA Clone Key Generate (Access control point required for SSL)</li>
<li>Clone-Information Obtain Parts 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15</li>
<li>Clone-Information Install Parts 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15</li>
<li>Delete retained key (Access control point required for SSL)</li>
<li>List retained keys (Access control point required for SSL)</li>
<li>Encipher Under Master Key</li>
<li>Data Key Export</li>
<li>Data Key Import</li>
<li>Re-encipher to Master Key</li>
<li>Re-encipher from Master Key</li>
<li>Load First Key Part</li>
<li>Combine Key Parts</li>
<li>Add Key Part</li>
<li>Complete Key part</li>
</ul>
</div>
<p>For the most secure environment, consider locking the access-control system
after initializing it. You can render the access-control system unchangeable
by deleting any profile that would allow use of the Access Control Initialization
or the Delete Role access control point. Without these access control points,
further changes to any role are not possible. With authority to use either
the Initialize Access Control or Delete Role access control points, one can
delete the DEFAULT role. </p>
<p>Deleting the DEFAULT role will cause the automatic recreation of the initial
DEFAULT role. The initial DEFAULT role permits setting up any capabilities.
Users with access to these access control points have unlimited authority
through manipulation of the access-control system. Before the Coprocessor
is put into normal operation, the access-control setup can be audited through
the use of the Access_Control_Maintenance (CSUAACM) and Cryptographic_Facility_Query
(CSUACFQ) API verbs. </p>
<p>If for any reason the status response is not as anticipated, the Coprocessor
should not be used for application purposes until it has been configured again
to match your security policy. If a role contains permission to change a pass
phrase, the pass phrase of any profile can be changed. You should consider
if passphrase changing should be permitted and, if so, which role(s) should
have this authority.</p>
<p>If any user reports an inability to log on, this should be reported to
someone other than (or certainly in addition to) an individual with pass phrase
changing permission. Consider defining roles so that dual-control is required
for every security sensitive operation to protect against a malicious insider
acting on his/her own. For example, consider splitting the following groups
of access control points between two or more roles. It is recommended that
one person should not be able to use all of the commands in the Master key
group, because this could represent a security risk.</p>
<div class="p">The Master key group consists of these access control points: <ul><li>Load 1st part of Master Key</li>
<li>Combine Master Key Parts</li>
<li>Set Master Key</li>
<li>Generate Random Master Key</li>
<li>Clear New Master Key Register</li>
<li>Clear Old Master Key Register</li>
</ul>
</div>
<p>By the same token, one person should not be authorized to all of the commands
in the Cloning key group.</p>
<p>The Cloning key group consists of these access control points:</p>
<ul><li>Initialize Master Key Cloning Control</li>
<li>Register Public Key Hash</li>
<li>Register Public Key, with Cloning</li>
<li>Register Public Key</li>
<li>PKA Clone Key Generate</li>
<li>Clone-Information Obtain Parts 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15</li>
<li>Clone-Information Install Parts 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12,
13, 14, 15</li>
</ul>
<p>After you create and define a profile for your Coprocessor, you must load
a function control vector for your Coprocessor. Without the function control
vector, your Coprocessor cannot perform any cryptographic functions.</p>
</div>
</div>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink