Illustration by Chris Gall
One of the most compelling standards for Internet security is the digital certificate that’s the electronic means of authenticating identities and keeping our private data secure through encryption. Whether the connections are between shoppers and a retail Web site, or between datacenters over secure connections such as VPNs, digital certificates are key instruments to provide the confidence for secure e-commerce. They can be used to secure remote access for business e-mail systems. They can be the authentication mechanism built into “smart cards” to sign legal documents electronically. To avoid social engineering attacks, they can be used to sign e-mail electronically. Certificates are also being deployed by many countries around the globe as the backbone of their national identity programs. It’s easy to predict a dramatic increase in digital certificates in the next few years.
The digital certificate ensures that each party is recognized in the initial handshake of a secure Internet connection; data can then be exchanged in encrypted form, using the cryptographic public key that is included in the certificate. Certificates are also used to address other security requirements for the information that is sent, such as confidentiality, integrity and non-repudiation.
Behind every digital certificate there’s a certificate authority (CA)—the trusted party that issues and manages the certificate and provides the authentication. The role of the CA is to verify an applicant’s credentials when issuing a certificate and then to act as the third party to validate that the public key belongs to the certificate owner. This arrangement is typically referred to as a public key infrastructure (PKI). As a rule, digital certificates are valid for a set time period, typically one year, after which they need to be re-issued. This means proper attention must be paid to lifecycle management of certificates because if certificates are allowed to expire, business transactions relying on them will fail.
The use of digital certificates has increased dramatically over the past few years, with expectations of more rapid growth in the future. Predictably, the options for issuing digital certificates have also grown. There are third-party CAs who charge for their services, typically with a per-user or per-device charge. System platforms like Microsoft* and the IBM* z/OS* OS provide alternatives for creating an in-house CA that can significantly reduce costs.
The IBM z/OS OS has concentrated on enterprise authentication mechanisms from its inception, and as the secure data hub for demanding institutions and businesses worldwide, it has never shifted that focus. CA hosting was introduced into z/OS in 2000 as a direct response to requests from customers in the finance sector. They were looking for cost savings by bringing much of their CA hosting in-house and realized that the platform best suited to their needs was their mainframe. The mainframe’s reliability, availability and security features were the driving factors.
The solution is a no-charge feature of the z/OS system called z/OS PKI Services. This feature provides a Web interface for end users and administrators where digital certificates can be requested, retrieved, approved and rejected. The private/public key pair is generated by the cryptographic service provider (CSP) available in your workstation, or a smart card or token interface, where the key pairs are generated within the secure boundary of a smart card or token. z/OS PKI Services receives only the digital certificate request (in PKCS#10 format), containing the public key part. The private key part, used to prove your identity in a secure transaction, never leaves your computer, smart card or token. z/OS PKI Services takes advantage of the browser certificate management code to generate the key pair and install the certificate. No applet needs to be downloaded to the client side.
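The request flow above, as an added example that is not part of the original article and not z/OS PKI Services code: the key pair and PKCS#10 request are generated on the workstation with the openssl command line (assumed to be installed; the subject name and file names are constructed), and the checks confirm that the request carries the public key and a valid proof-of-possession signature but no private-key material.

```shell
#!/bin/sh
# Constructed example: generate a key pair locally and build a PKCS#10
# certificate request, then confirm only the public key would leave the host.
set -eu

WORKDIR="${TMPDIR:-/tmp}/csr-demo.$$"

# Generate the key pair on the workstation and a PKCS#10 request for it.
# The private key is written to user.key and never placed in the request.
make_csr() {
    mkdir -p "$WORKDIR"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/user.key" \
        -out "$WORKDIR/user.csr" \
        -subj "/CN=example user/O=Example Corp" >/dev/null 2>&1
}

# Return 0 when the request has a public key, a valid proof-of-possession
# signature, and no private-key material; return 1 otherwise.
check_csr() {
    csr="$WORKDIR/user.csr"
    # A PKCS#10 request is signed with the requester's private key: a valid
    # signature proves possession of that key without transmitting it.
    openssl req -in "$csr" -verify -noout >/dev/null 2>&1 || return 1
    # The CA needs the public key; it must be extractable from the request.
    openssl req -in "$csr" -noout -pubkey | grep -q "BEGIN PUBLIC KEY" || return 1
    # The private key must not appear anywhere in the request file.
    grep -q "PRIVATE KEY" "$csr" && return 1
    return 0
}

if make_csr && check_csr; then
    echo "request OK: public key present, signature verifies, no private key included"
fi
```

On a real deployment the same check applies to the request a browser or smart card produces before it is submitted to the CA's Web interface.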
You can allow automatic approval for certificate requests from certain users and add host IDs, such as RACF* user IDs, to certificates you issue for certain users to provide additional authentication. You can also issue your own certificates for browsers, servers and other purposes, such as VPN devices, smart cards and secure e-mail. PKI Services supports Public Key Infrastructure for X.509 version 3 (PKIX) and Common Data Security Architecture cryptographic standards.
The most common benefit of an in-house CA on the System z platform is the money saved by avoiding third-party fees.