Key features
Web browser interface
EC for Venafi provides a web browser interface (UI) that you can use to view information about:
- Key rings on your LPARs
- Certificates on your system
- Running EC for Venafi agents
- Software versions of the agents
You can also use the web UI to view details of a specific certificate, delete certificates, and download and copy table information. For more information, see Using-the-web-browser-interface.
Certificate administration
You can use EC for Venafi to create certificates and certificate objects directly from the UI. You can create certificates on z/OS and certificate objects on TPP.
To create a certificate on z/OS, see Creating-certificates-on-z-OS.
To create a certificate object on TPP, you must first perform the following tasks:
- Configure TPP server statement
- Configure the TPP REST API
- Obtain an API token
- Create folders on TPP
- Create an ESM profile
To create the TPP certificate object, see Creating-certificate-objects-on-TPP.
Multiple key rings and site certificates
EC for Venafi supports connecting a certificate to multiple key rings on one LPAR. The key rings can be owned by the certificate owner or by other users. You can also create certificates that are not connected to any key ring at all. Unconnected certificates can be owned by one user and connected to one or more key rings owned by other users. This is useful if you want all your certificates to be owned by one user, but used by different tasks, running as different users.
By default, EC for Venafi creates all new certificates as personal certificates, but you can use the Force Site Certificate option in TPP to tell EC for Venafi to create new certificates as site certificates.
For more information, see Certificate and Application object management in "Configuring the TPP adaptable driver."
ICSF
EC for Venafi supports storing private keys in ICSF. This increases security because private keys cannot be exported in the clear (unencrypted and unprotected) from ICSF.
EC for Venafi does not support storing private keys in ICSF for certificates that must be installed on multiple LPARs.
RSA key sizes
EC for Venafi supports both 2048-bit and 4096-bit RSA keys. If you change the key size to 4096 bits for an existing certificate by using the Key Strength (bits) option in TPP, EC for Venafi processes the certificate with the new key size when it is reinstalled on the system.
ECC keys
EC for Venafi supports Elliptic Curve Cryptography (ECC) keys. TPP supports National Institute of Standards and Technology (NIST) P curves with 256-, 384-, and 521-bit key lengths. RACF supports storing ECC keys in ICSF, but TSS and ACF2 support storing ECC keys in the ESM database only.
Certificate discovery
EC for Venafi can find user and site certificates on any LPAR running an EC for Venafi agent. When you perform onboard discovery with TPP, EC for Venafi locates the certificates and records the following information for each one:
- LPAR on which the certificate is installed
- Key ring to which the certificate is connected
- Certificate label
- Ownership information
EC for Venafi sends this information to TPP, which uses the information to create certificate and application objects for each certificate so that TPP can provision and manage them.
Certificate discovery is supported by all three major ESMs (RACF, Top Secret, and ACF2) and is performed on all configured LPARs.
For more information, see Using-certificate-discovery.
Bulk Insert utility
EC for Venafi provides a Bulk Insert utility, which you can use to generate multiple certificate and associated application objects by using a template and data file, rather than by creating the objects manually, one at a time. The Bulk Insert utility is installed with the TPP adaptable driver. You can run the utility on the TPP server, or copy the files to another computer in your network. For information about installing, configuring, and running the Bulk Insert utility, see the following topics:
Background processing
EC for Venafi performs background processing to search for expired digital certificates once every 24 hours at a time specified in the EC for Venafi configuration.
If expired certificates are found, the agent issues the necessary RACF, TSS, or ACF2 commands to delete the expired certificates.
Audit logging
Agent components perform all of the main processing for EC for Venafi, and agents write the audit log details for each transaction. The gateway reports the system to which a transaction is routed.
The agent writes basic transactional information and any trace or diagnostic messages to RSSPRINT, and audit log messages to the SYSOUT data set RSVLmmdd (where mmdd are the month and day).
Audit log messages might include the following information:
- Date and time stamp
- Transaction ID
- Name of the target External Security Manager (ESM)
- Operation requested by TPP
- Variables supplied by TPP
- RACF, TSS, or ACF2 commands issued
- RACF, TSS, or ACF2 response messages
- Response data returned to TPP
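As an added example (not part of this documentation or the product), the following Python check uses the RSVLmmdd naming convention described above to find calendar days in a review window that have no audit log data set in a listing. The listing is constructed, and the window is assumed to be shorter than a year because the data set name carries no year.

```python
from datetime import date, timedelta

AUDIT_PREFIX = "RSVL"  # daily audit SYSOUT data set is named RSVLmmdd


def _as_date(d):
    """Accept a date or an ISO 8601 string such as '2024-03-01'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def audit_dsn_for(day) -> str:
    """Name of the audit log data set the agent writes on the given day."""
    day = _as_date(day)
    return f"{AUDIT_PREFIX}{day.month:02d}{day.day:02d}"


def expected_audit_dsns(start, end) -> list:
    """One RSVLmmdd name per calendar day from start to end inclusive.

    The name holds month and day only, so a window of a year or more would
    repeat names and mask gaps; such windows are refused (assumption).
    """
    start, end = _as_date(start), _as_date(end)
    if end < start:
        raise ValueError("end must not precede start")
    if (end - start).days >= 365:
        raise ValueError("window must be shorter than one year: RSVLmmdd has no year")
    return [audit_dsn_for(start + timedelta(days=i))
            for i in range((end - start).days + 1)]


def missing_audit_days(present_dsns, start, end) -> list:
    """Expected names for the window that do not appear in the listing."""
    present = {name.strip().upper() for name in present_dsns}
    return [name for name in expected_audit_dsns(start, end) if name not in present]


# Constructed listing: three of the four days in early March are present.
SAMPLE_LISTING = ["RSVL0301", "RSVL0302", "RSVL0304"]

if __name__ == "__main__":
    gaps = missing_audit_days(SAMPLE_LISTING, "2024-03-01", "2024-03-04")
    print("Days with no audit log data set:", gaps)
```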
Email support
EC for Venafi can generate email notifications according to your needs. You can configure them to be sent to one or more recipients under the following conditions:
- The transaction was completed successfully and a response received for the request.
- The transaction failed and the request was canceled.
- An expired certificate was discovered; the list of expired certificates and their expiration dates is sent.
For more information, see the sections EmailProfile statement and EmailRecipients statement in Configuring-the-agent.