Key features


Web browser interface

EC for Venafi provides a web browser interface (UI) that can be used to view information about:

  • Key rings on your LPARs
  • Certificates on your system
  • Running EC for Venafi agents
  • Software versions of the agents

You can also use the web UI to view details of a specific certificate, delete certificates, and download and copy table information. For more information, see Using-the-web-browser-interface.

Certificate administration

(SPE2501)

You can use EC for Venafi to create certificates and certificate objects directly from the UI. You can create certificates on z/OS and certificate objects on TPP.

To create a certificate on z/OS, see Creating-certificates-on-z-OS

To create a certificate object on TPP, you must first perform the following tasks: 

To create the TPP certificate object, see Creating-certificate-objects-on-TPP.

Multiple key rings and site certificates

(SPE2407)

EC for Venafi supports connecting a certificate to multiple key rings on one LPAR. The key rings can be owned by the certificate owner or by other users. You can also create certificates that are not connected to any key ring at all. Unconnected certificates can be owned by one user and connected to one or more key rings owned by other users. This is useful if you want all your certificates to be owned by one user, but used by different tasks, running as different users.

By default, EC for Venafi creates all new certificates as personal certificates, but you can use the Force Site Certificate option in TPP to tell EC for Venafi to create new certificates as site certificates.

Important

Before version 2.3 SPE2407, if EC for Venafi created a certificate that would be connected to multiple key rings, owned by different users, on the same LPAR, EC for Venafi automatically created the certificate as a site certificate. Now EC for Venafi creates certificates as site certificates only if the Force Site Certificate option is set to Yes.

For more information, see Certificate and Application object management in "Configuring the TPP adaptable driver."

Certificate-only endpoints

(SPE2504)

EC for Venafi can connect managed certificates, which are used by applications running on z/OS, to key rings by using both the USAGE(PERSONAL) and USAGE(CERTAUTH) parameters. USAGE(CERTAUTH) is also applicable in the following use cases:

  • Applications A and B run on z/OS and must authenticate each other. You can use USAGE(CERTAUTH) to connect the certificate for application A to the key ring for application B and to connect the certificate for application B to the key ring for application A.
  • Applications A and B run on z/OS and must authenticate application C, which does not run on z/OS. You can use USAGE(CERTAUTH) to connect the certificate for application C to the key rings for applications A and B to enable authentication.

When a certificate is installed on an LPAR and it is a USAGE(CERTAUTH) certificate in all of its connected key rings, EC for Venafi does not install its private key on the LPAR.

Important

This feature automates the connecting of end-entity (also called leaf) certificates to key rings. It does not connect root or issuing certificates. Root and issuing certificates must be connected manually to make sure that security administrators are aware of the certificate authorities used for trust.
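The following is an added example, not code from EC for Venafi or its documentation. It models the key-ring connections described above (the mutual-authentication case for applications A and B, and the off-platform application C) and applies the page's two rules: the private key is installed only on LPARs where at least one connected key ring uses USAGE(PERSONAL), and only end-entity certificates are connected automatically. The data classes, LPAR names and ring names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    lpar: str          # LPAR that hosts the key ring
    ring_owner: str    # user ID that owns the key ring
    ring_name: str     # key ring name
    usage: str         # "PERSONAL" or "CERTAUTH"

@dataclass
class ManagedCert:
    label: str
    owner: str
    is_end_entity: bool     # leaf certificate; root/issuing certs are not automated
    connections: list       # list of Connection

def private_key_lpars(cert):
    """LPARs on which the private key is installed: any LPAR where the certificate
    is connected with USAGE(PERSONAL) to at least one key ring. An LPAR where every
    connection is USAGE(CERTAUTH) receives the certificate only."""
    usages_by_lpar = {}
    for c in cert.connections:
        usages_by_lpar.setdefault(c.lpar, set()).add(c.usage.upper())
    return sorted(l for l, u in usages_by_lpar.items() if "PERSONAL" in u)

def plan_connections(certs):
    """Split connections into those the feature automates (end-entity certificates)
    and those a security administrator must make manually (root/issuing certificates)."""
    automated, manual = [], []
    for cert in certs:
        for c in cert.connections:
            if c.usage.upper() not in ("PERSONAL", "CERTAUTH"):
                raise ValueError(f"{cert.label}: unknown usage {c.usage!r}")
            (automated if cert.is_end_entity else manual).append((cert.label, c))
    return automated, manual

# Constructed sample: A and B run on LPAR1 and authenticate each other; C is off-platform.
CERT_A = ManagedCert("APPA-CERT", "APPAUSR", True, [
    Connection("LPAR1", "APPAUSR", "APPA.RING", "PERSONAL"),
    Connection("LPAR1", "APPBUSR", "APPB.RING", "CERTAUTH"),
])
CERT_C = ManagedCert("APPC-CERT", "CERTOWN", True, [
    Connection("LPAR1", "APPAUSR", "APPA.RING", "CERTAUTH"),
    Connection("LPAR1", "APPBUSR", "APPB.RING", "CERTAUTH"),
])
ISSUING_CA = ManagedCert("CORP-ISSUING-CA", "CERTOWN", False, [
    Connection("LPAR1", "APPAUSR", "APPA.RING", "CERTAUTH"),
])
```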

SAN support

(SPE2504)

EC for Venafi supports Subject Alternative Names (SANs) in Certificate Signing Requests (CSRs) when you generate a private key on the External Security Manager (ESM) or in the Integrated Cryptographic Service Facility (ICSF). DNS, IP Address, Email Address, and URI SAN types are supported. Configure these SAN types in the TPP user interface with other certificate information.

RACF, Top Secret, and ACF2 restrict certificates to one SAN of each type. To add multiple SANs of the same type to a certificate, create the private key and CSR in TPP.

Important

TPP supports UPN SANs but ESMs do not. Because of this, EC for Venafi ignores UPN SANs in certificate objects whose private key and CSR were generated on the mainframe.
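The following is an added example, not code from EC for Venafi or its documentation. It applies the SAN rules above to a requested SAN list before the certificate object is submitted: UPN SANs are dropped when the key is generated on the mainframe, more than one SAN of a type forces key and CSR generation in TPP, and an ESM-side request is rendered as the ALTNAME clause that RACDCERT GENCERT accepts (DOMAIN, IP, EMAIL, URI, one value each). The San class, plan_csr and racdcert_altname names and the sample values are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# SAN types an ESM/ICSF-generated CSR can carry; UPN is TPP-only.
ESM_SAN_TYPES = {"DNS", "IP", "EMAIL", "URI"}
# RACDCERT GENCERT ALTNAME keyword for each supported type (IP is not quoted).
RACDCERT_KEYWORD = {"DNS": "DOMAIN", "IP": "IP", "EMAIL": "EMAIL", "URI": "URI"}

@dataclass(frozen=True)
class San:
    kind: str    # "DNS", "IP", "EMAIL", "URI" or "UPN"
    value: str

def plan_csr(sans, prefer_mainframe_key=True):
    """Return (where, effective_sans, notes): where is "ESM" if the key and CSR can be
    generated on the mainframe with these SANs, otherwise "TPP"."""
    kinds = [s.kind.upper() for s in sans]
    unknown = sorted(set(kinds) - ESM_SAN_TYPES - {"UPN"})
    if unknown:
        raise ValueError(f"unsupported SAN type(s): {unknown}")
    if not prefer_mainframe_key:
        return "TPP", list(sans), []
    dup = sorted(k for k, n in Counter(k for k in kinds if k != "UPN").items() if n > 1)
    if dup:
        # RACF, Top Secret and ACF2 allow one SAN per type: fall back to TPP.
        return "TPP", list(sans), [f"more than one SAN of type {dup}: generate key and CSR in TPP"]
    notes = []
    effective = [s for s in sans if s.kind.upper() != "UPN"]
    if len(effective) != len(sans):
        notes.append("UPN SAN(s) ignored: ESMs do not support UPN for mainframe-generated keys")
    return "ESM", effective, notes

def racdcert_altname(sans):
    """ALTNAME(...) clause of RACDCERT GENCERT for a SAN set that plan_csr placed on the ESM."""
    parts = []
    for s in sans:
        kw = RACDCERT_KEYWORD[s.kind.upper()]
        parts.append(f"{kw}({s.value})" if kw == "IP" else f"{kw}('{s.value}')")
    return f"ALTNAME({' '.join(parts)})" if parts else ""

# Constructed sample requests (not taken from the page).
ONE_PER_TYPE = [San("DNS", "app1.example.com"), San("IP", "10.0.0.5"), San("UPN", "svc@example.com")]
TWO_DNS = [San("DNS", "app1.example.com"), San("DNS", "app1-alt.example.com")]
```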

ICSF

(SPE2407)

EC for Venafi supports storing private keys in ICSF. This increases security because private keys cannot be exported in the clear (unencrypted and unprotected) from ICSF.

EC for Venafi does not support storing private keys in ICSF for certificates that must be installed on multiple LPARs.

RSA key sizes

EC for Venafi supports both 2048 bit and 4096 bit Rivest-Shamir-Adleman (RSA) keys. If you change the key size to 4096 bits for an existing certificate, by using the Key Strength (bits) option in TPP, EC for Venafi will process the certificate with the new key size when it is reinstalled on the system.

ECC keys

(SPE2407)

EC for Venafi supports Elliptic Curve Cryptography (ECC) keys. TPP supports National Institute of Standards and Technology (NIST) P curves with 256-, 384-, and 521-bit key lengths. RACF supports storing ECC keys in ICSF, but TSS and ACF2 support storing ECC keys in the ESM database only.

Certificate discovery

EC for Venafi can find user and site certificates on any LPAR running an EC for Venafi agent. When you perform onboard discovery with TPP, EC for Venafi locates the certificates and records the following information for each one:

  • LPAR on which the certificate is installed
  • Key ring to which the certificate is connected
  • Certificate label
  • Ownership information

EC for Venafi sends this information to TPP, which uses the information to create certificate and application objects for each certificate so that TPP can provision and manage them.

Certificate discovery is supported by all three major ESMs (RACF, Top Secret, and ACF2) and is performed on all configured LPARs.

For more information, see Using-certificate-discovery.

Bulk Insert utility

EC for Venafi provides a Bulk Insert utility, which you can use to generate multiple certificate and associated application objects by using a template and data file, rather than by creating the objects manually, one at a time. The Bulk Insert utility is installed with the TPP adaptable driver. You can run the utility on the TPP server, or copy the files to another computer in your network. For information about installing, configuring, and running the Bulk Insert utility, see the following topics:

Background processing

EC for Venafi performs background processing to search for expired digital certificates once every 24 hours at a time specified in the EC for Venafi configuration.

If expired certificates are found, the agent issues the necessary RACF, TSS, or ACF2 commands to delete the expired certificates.

Audit logging

Agent components perform all of the main processing for EC for Venafi, and agents write the audit log details for each transaction. The gateway reports the system to which a transaction is routed.

The agent writes basic transactional information and any trace or diagnostic messages to RSSPRINT, and audit log messages to the SYSOUT data set RSVLmmdd (where mmdd are the month and day).

Audit log messages might include the following information:

  • Date and time stamp
  • Transaction ID
  • Name of the target External Security Manager (ESM)
  • Operation requested by TPP
  • Variables supplied by TPP
  • RACF, TSS, or ACF2 commands issued
  • RACF, TSS, or ACF2 response messages
  • Response data returned to TPP

Email support

EC for Venafi can generate email notifications according to your needs. You can configure them to be sent to one or more recipients under the following conditions:

  • The transaction was completed successfully and a response received for the request.
  • The transaction failed and the request was canceled.
  • An expired certificate was discovered and the list of expired certificates and expiration dates is sent.

For more information, see the sections EmailProfile statement and EmailRecipients statement in Configuring-the-agent.
