UCF STIG Viewer Logo

IBM z/OS, for PKI-based authentication, must use the ICSF or ESM for key management.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223811 RACF-SH-000060 SV-223811r816951_rule Medium
Description
Without mapping the certificate used to authenticate to the user account, the ability to determine the identity of the individual user or group will not be available for forensic analysis.
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2022-12-14

Details

Check Text ( C-25484r816950_chk )
Any keys or Certificates must be managed in ICSF or the external security manager and not in UNIX files.

From the ISPF Command Shell enter:
OMVS
enter
find / -name *.kdb
and
find / -name *.jks

If any files are present, this is a finding.
Fix Text (F-25472r811014_fix)
Define all Keys/Certificates to ICSF or the security database.

Remove all .kdb and .jks key files.