find the first unused serial number before issuing a new certificate, to avoid
attempting to issue two certificates with duplicate serial numbers. Also, a new
utility is planned to allow you to post existing certificates in LDAP, avoiding the
need to post them manually. Additionally, another new utility will be designed
to allow you to post updates to Certificate Revocation Lists (CRLs) immediately
when you need to, rather than waiting for the interval you have specified.
Last, PKI Services performs certain tasks, such as removing old or expired
certificates and requests, and processing certificate expiration notification
warning messages, once a day. These housekeeping tasks have historically
consumed considerable processing time when you have a large number of
certificates. A new PKI Services design is intended to markedly improve the
performance and reduce the processing time of these tasks and additionally
allow you to specify the time of day and days of the week this task will be run.
– PKI Services is planned to support passing the reason a certificate request
was rejected from the administrator to the requester in the rejection e-mail.
Also, PKI Services will be designed to support custom extensions to X.509
Version 3 certificates; for example, creating a Domain Controller certificate
with an extension called Certificate Template Name, with an OID, and with BMP
data "DomainController" for use with Microsoft Exchange or Smart Card Login.
Last, PKI Services is planned to allow you to create a certificate with a Subject
Alternate Name that contains multiple instances of each of the supported General
Name forms. For example, more than one IP address may be specified where only
one was allowed before.
– Certificate Management Protocol (CMP), described by RFC 4210, is an Internet
protocol used to manage X.509 digital certificates; it uses the Certificate
Request Message Format (CRMF) described by RFC 4211. In z/OS V1.12, PKI
Services is planned to provide support for parts of the CMP standard, allowing
CMP clients to communicate with PKI Services to request, revoke, suspend, and
resume certificates. This is intended to allow you to use CMP in a centralized
certificate generation model.
– Elliptic Curve Cryptography (ECC). See more information below.
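The items above describe two certificate-content features: a Subject Alternate Name holding several entries of the same General Name form, and a custom extension such as Certificate Template Name carrying BMP data. The following Python code is an added illustration, not IBM code and not part of this announcement; it DER-encodes such a SAN (two iPAddress and two dNSName entries) and a Certificate Template Name extension using only the standard library, then decodes the SAN back to check it. The OIDs are the published ones (2.5.29.17 for subjectAltName, 1.3.6.1.4.1.311.20.2 for the Microsoft template-name extension); the host names and addresses are constructed sample values.

```python
"""DER encoding of the X.509 extension content described above.

Added example, not IBM code. Builds (a) a Subject Alternative Name extension
with several entries of the same GeneralName form and (b) a Microsoft
Certificate Template Name extension whose value is the BMPString
"DomainController", then decodes the SAN to verify the round trip.
"""
import ipaddress

# GeneralName CHOICE alternatives are IMPLICIT context-specific tags (RFC 5280 4.2.1.6).
GN_RFC822 = 0x81   # [1] rfc822Name
GN_DNS = 0x82      # [2] dNSName
GN_URI = 0x86      # [6] uniformResourceIdentifier
GN_IP = 0x87       # [7] iPAddress (4 or 16 raw bytes)
_KIND_TO_TAG = {"email": GN_RFC822, "dns": GN_DNS, "uri": GN_URI, "ip": GN_IP}
_TAG_TO_KIND = {tag: kind for kind, tag in _KIND_TO_TAG.items()}


def der_len(n):
    """DER definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def general_name(kind, value):
    if kind == "ip":
        return tlv(GN_IP, ipaddress.ip_address(value).packed)
    return tlv(_KIND_TO_TAG[kind], value.encode("ascii"))


def extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }."""
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(oid) + crit + tlv(0x04, value_der))


def san_extension(names):
    """names: list of (kind, value); any kind may appear more than once."""
    return extension("2.5.29.17", tlv(0x30, b"".join(general_name(k, v) for k, v in names)))


def template_name_extension(name):
    """Microsoft szOID_ENROLL_CERTTYPE_EXTENSION; the value is a BMPString (UTF-16BE)."""
    return extension("1.3.6.1.4.1.311.20.2", tlv(0x1E, name.encode("utf-16-be")))


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_san(ext_der):
    """Decode a SAN Extension produced by san_extension back into [(kind, value)]."""
    _, ext_body, _ = _read_tlv(ext_der, 0)
    tag, oid, pos = _read_tlv(ext_body, 0)
    if tag != 0x06 or oid != encode_oid("2.5.29.17")[2:]:
        raise ValueError("not a subjectAltName extension")
    tag, inner, pos = _read_tlv(ext_body, pos)
    if tag == 0x01:                       # optional critical flag present; skip it
        tag, inner, pos = _read_tlv(ext_body, pos)
    _, names, _ = _read_tlv(inner, 0)     # GeneralNames SEQUENCE inside the OCTET STRING
    out, pos = [], 0
    while pos < len(names):
        tag, val, pos = _read_tlv(names, pos)
        if tag == GN_IP:
            out.append(("ip", str(ipaddress.ip_address(val))))
        else:
            out.append((_TAG_TO_KIND[tag], val.decode("ascii")))
    return out


if __name__ == "__main__":
    # Constructed sample values, not from the announcement.
    sample = [("ip", "192.0.2.10"), ("ip", "2001:db8::1"),
              ("dns", "dc1.example.com"), ("dns", "mail.example.com")]
    print(san_extension(sample).hex())
    print(decode_san(san_extension(sample)))
    print(template_name_extension("DomainController").hex())
```

Each encoded extension is exactly what goes into the certificate's extensions SEQUENCE; the critical flag is left at its default (absent) because a SAN or template-name extension is normally non-critical.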
• RACDCERT enhancements include:
– The RACF RACDCERT command is planned to be enhanced to support the
creation of certificates with expiration dates in the far future to give greater
flexibility on certificate validity period for customers.
– RACF and PKI Services will be designed to support longer distinguished names
in digital certificates. This is intended to support your use of certificates with
very long distinguished names.
– Elliptic Curve Cryptography (ECC). See more information below.
• In 2009, the U.S. National Institute of Standards and Technology (NIST) published
an IPv6 profile that requires support of certain cryptographic suites as defined
in RFC 4869, Suite B Cryptography Suites for IPsec. One of the technologies
referenced was Elliptic Curve Cryptography (ECC), which is regarded as providing
stronger cryptography with smaller key sizes than RSA cryptography. This type
of cryptography is expected to be attractive for use with small devices, such as
mobile devices and smart cards, which have limited computing power. In z/OS
V1.12, PKI Services is planned to allow you to create and sign certificates with
ECC keys in addition to RSA keys. In z/OS V1.12, System SSL is planned to
provide support for ECC-related data structures, signing data, and verifying signed
data using ECDSA (Elliptic Curve Digital Signature Algorithm). This is intended to
allow exploiters of z/OS System SSL to import ECC-style certificates and private
keys into key database files or PKCS#11 tokens and use ECDSA certificates in
signing and verifying operations. In z/OS V1.12, the RACF RACDCERT command is
planned to allow you to create and sign certificates with ECC keys, in addition to
RSA and DSA keys.
• A discrete general resource profile with generic characters (*,%,&) in its
name, defined in a class enabled for generics (GENCMD or GENERIC), is
often called a "ghost" profile. Such profiles are not referenced by RACF for
authorization checking. However, when defined, they can confuse and annoy RACF
administrators and system programmers. In z/OS V1.12, RACF is planned to
provide a new NOGENERIC keyword for the RDELETE command to enable you to
delete these profiles. Also, a GENERIC=N option is planned for R_admin DELETE.
IBM United States Software Announcement
210-008
IBM is a registered trademark of International Business Machines Corporation
15