Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Categories Crypto HW
Created by Guest
Created on Jul 28, 2021

Add Certificate trust verification in CSNDDSV service

Currently the option to verify the trust of a certificate is possible only by adding the CA and Intermediate CA certificates using TKE into ICSF adaptor. This is new and overhead for the limited ICSF admin team. Add option to verify the signature in the certificate in CSNDDSV service by accepting the Certificate and CA certificate as inputs.

Idea priority Medium
  • Guest
    Reply
    |
    Apr 12, 2022

    Apologies for the delay, I have somehow missed the final update.

    Here is how I visualize the service to be used for CA trust validation.

    Leaf to be validated only against the Intermediate-n certificate.

    Change inputs to the API

    Intermediate-n becomes leaf and validated against intermediate-n-1

    Loop thru the ICSF API calls with intermediate certificates till validation is complete with CA root certificate.

    1) Currently I am working to implement TR34 Remote Key Loading and both the EPP vendors have only 2-layer chain. (leaf, intermediate and root). These certificates are passed to us via Email.

    2) I have been advised by my Mainframe Security Services team that the Intermediate and Root certificates can be loaded into TKE using a USB stick, but as per company policy we are not able to load the certificates received via email into USB.

    Not validating the CA trust anchor due to the above limitation poses a higher risk than validating it by the application itself.

    Thanks,

    Kalai


  • Guest
    Reply
    |
    Jan 19, 2022

    Thank you for this update. Please sketch this out in a bit more detail for me. Exactly what would be passed in to the service?
    The use case as I understand it is:
    =Objects=
    --'leaf': CRL or X.509 signed object is desired to be validated against a CA trust anchor
    --'intermediate-n': certificates that form a chain from the CA trust anchor to the leaf
    --'CA trust anchor': self-signed certificate that forms the base of the chain.
    =API=
    -inputs mentioned:
    --leaf
    --CA trust anchor

    QUESTIONS:
    (1) How are the intermediate-n objects passed? Are these received in an envelope with the 'leaf' that is passed to the API? Or will this always be a shallow 2-layer chain?
    (2) Please help me understand the HSM value-add. If the trust anchor is not loaded securely to the HSM using a TKE, limiting the scope of 'acceptance' to what is securely loaded, how is the secure boundary helping? In some cases there is a regulatory benefit. A convenience benefit is not a 'bad' answer either - I just want to understand the request.

  • Guest
    Reply
    |
    Jan 19, 2022

    One additional justification is that for TR34 services, we use Certificate Revocation List from Certificate Authority in CSNDT34B, CSNDT34D services. If there is any integrity issue with the CRL, then it will be rejected by the EPP during the BIND, REBIND and Key Loading process which means the ATM will remain out of service causing a service downtime.

    If the CSNDDSV service can accept the CRL in PEM/DER format as input data and validate the Hash and Signature using the CA certificate, we could avoid the last minute failures.

  • Guest
    Reply
    |
    Aug 16, 2021

    We consider this a valid request and will add it to our list of work for prioritization.

  • Guest
    Reply
    |
    Aug 11, 2021

    Thanks for the clarification about the PCI compliance on loading the CA certificate using TKE. My thinking was to give autonomous to application programmer to do the trust verification by going thru loops until all the certificates in the chain is validated. This combined with the PKI-NONE rule array parameter will remove the dependency on ICSF admin team.

  • Guest
    Reply
    |
    Aug 6, 2021

    Please consider and respond on the interface update that is desired. In general it is noted and understood that we need multi-certificate PKCS#7 support. For your further comment about accepting CA certificates, please clarify if you mean intermediate CA certificates in the chain or mean to also include the CA Root certificate (trust anchor)? There are 2 ways to do it:
    (1) PCI compliant: Passing a trust anchor to the service un-secured is not compliant. In current code, a trust anchor has to have been loaded under dual control from a TKE. However, we don't care where in the chain the anchor is. So if you want to load a much more general CA cert to the card and pass some intermediate certs, this would be good support to add in our firmware. We currently let you pass 1 cert through the interface. There are a few ways to pass multiple certs: concatenated together (naive); or structured (pkcs7).
    (2) Not compliant: The security of the extra certificates passed is meaningless unless they have loaded a trust anchor under dual control. There is no security difference between: (1) untrusted leaf certificate versus (2) 1 untrusted leaf certificate and N untrusted intermediate/CA certificates. It doesn't matter if the chain terminates in a self-signed cert from some CA - they're all passed un-secured through the API. However, there is a convenience benefit: if you get a grab-bag of certs in a pkcs#7 from your partner, we would be parsing it out instead of you.

  • Guest
    Reply
    |
    Aug 3, 2021

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - Z and LinuxONE Systems Hardware
    Product - Z and LinuxONE Systems Hardware
    Component - Crypto HW
    Operating system - IBM z/OS
    Source - None

    For recording keeping, the previous attributes were:
    Brand - Servers and Systems Software
    Product family - z Systems Software
    Product - z/OS
    Component - ICSF
    Operating system - IBM z/OS
    Source - None