Defining a Key Store Policy

A Key Store Policy is made up of a number of controls. Each Key Store Policy control is a resource in the XFACILIT class. The existence of a profile for a particular resource in the XFACILIT class enables that control. A Key Store Policy applies only to encrypted keys in a CKDS or PKDS.

Table 1. Key Store Policy controls
The following Key Store Policy controls: | Consist of the following XFACILIT class resources: | Description:
Key Token Authorization Checking controls

Verifies, when an application passes a callable service a key token instead of a key label, that the user has authority to the key token in the CKDS or PKDS. It does this by identifying the key label associated with the passed token.

CSF.CKDS.TOKEN.CHECK.LABEL.WARN Activates Key Store Policy for CKDS. Enables Key Token Authorization Checking for the CKDS in warning mode. In this mode, a failing authorization check will result in a warning, but the operation will be allowed to continue.
  CSF.CKDS.TOKEN.CHECK.LABEL.FAIL Activates Key Store Policy for CKDS. Enables Key Token Authorization Checking for the CKDS in fail mode. In this mode, ICSF does not allow the operation to continue when the authorization check fails. The service returns with an error.
  CSF.PKDS.TOKEN.CHECK.LABEL.WARN Activates Key Store Policy for PKDS. Enables Key Token Authorization Checking for the PKDS in warning mode. In this mode, a failing authorization check will result in a warning, but the operation will be allowed to continue.
  CSF.PKDS.TOKEN.CHECK.LABEL.FAIL Activates Key Store Policy for PKDS. Enables Key Token Authorization Checking for the PKDS in fail mode. In this mode, ICSF does not allow the operation to continue when the authorization check fails. The service returns with an error.
Default Key Label Checking controls

Specifies that ICSF should use a default profile to determine application access to tokens that are not stored in the CKDS or PKDS. Can be enabled only if the Key Token Authorization Checking control for the appropriate key store is also enabled.

CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL Requires an active Key Store Policy for CKDS. Specifically, this control can be enabled only if the CSF.CKDS.TOKEN.CHECK.LABEL.WARN or CSF.CKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled. Specifies that ICSF should use the default profile CSF-CKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the CKDS.
  CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL Requires an active Key Store Policy for PKDS. Specifically, this control can be enabled only if the CSF.PKDS.TOKEN.CHECK.LABEL.WARN or CSF.PKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled. Specifies that ICSF should use the default profile CSF-PKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the PKDS.
Duplicate Key Token Checking controls

Prevents applications from storing duplicate tokens in the CKDS or PKDS.

CSF.CKDS.TOKEN.NODUPLICATES Activates Key Store Policy for CKDS. Enables Duplicate Key Token Checking for the CKDS. ICSF will prevent an application from creating a new key record (with a new key label) for a token that is already stored in the CKDS.
  CSF.PKDS.TOKEN.NODUPLICATES Activates Key Store Policy for PKDS. Enables Duplicate Key Token Checking for the PKDS. ICSF will prevent an application from creating a new key record (with a new key label) for a token that is already stored in the PKDS.
Granular Key Label Access controls

Increases the level of access authority required to create, write to, or delete a key label.

CSF.CSFKEYS.AUTHORITY.LEVELS.WARN Enables Granular Key Label Access in warning mode. In this mode, a warning will be issued if the user does not have UPDATE authority (if creating a label), or CONTROL authority (if writing to or deleting a label). As long as the user has READ authority, however, ICSF will allow the operation to continue. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to a callable service instead of a key label, ICSF will, in order to initiate a SAF authorization check, rely on an active Key Store Policy for the appropriate key store.
  CSF.CSFKEYS.AUTHORITY.LEVELS.FAIL Enables Granular Key Label Access in fail mode. In this mode, ICSF will not allow a key label to be modified if the user does not have UPDATE authority (if creating a label), or CONTROL authority (if writing to or deleting a label). The service returns with an error. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to a callable service instead of a key label, ICSF will, in order to initiate a SAF authorization check, rely on an active Key Store Policy for the appropriate key store.
Symmetric Key Label Export controls

Specifies that profiles in the XCSFKEY class (instead of profiles in the CSFKEYS class) should be used to determine access to AES or DES keys that an application is attempting to export using the Symmetric Key Export (CSNDSYX, CSNFSYX, or CSNDSXD) callable service. This allows you to control access to AES and DES keys for the purpose of key export separately from the access allowed to the keys for other purposes.

CSF.XCSFKEY.ENABLE.AES Enables Symmetric Key Label Export for AES keys. Specifies that profiles in the XCSFKEY class should determine access to an AES key when an application is attempting to export it using the Symmetric Key Export (CSNDSYX, CSNFSYX, or CSNDSXD) callable service. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to the callable service instead of a key label, ICSF will, in order to initiate the SAF authorization check, rely on an active Key Store Policy for CKDS.
  CSF.XCSFKEY.ENABLE.DES Enables Symmetric Key Label Export for DES keys. Specifies that profiles in the XCSFKEY class should determine access to a DES key when an application is attempting to export it using the Symmetric Key Export (CSNDSYX, CSNFSYX, or CSNDSXD) callable service. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to the callable service instead of a key label, ICSF will, in order to initiate the SAF authorization check, rely on an active Key Store Policy for CKDS.
PKA Key Management Extensions control

Specifies that the ICSF segment of profiles in the CSFKEYS class (and the XCSFKEY class when a Symmetric Key Label Export control is enabled) will be checked to determine additional restrictions on how keys covered by the profile can be used.

CSF.PKAEXTNS.ENABLE.WARNONLY Requires an active Key Store Policy for CKDS and PKDS. Enables PKA Key Management Extensions in warning mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked to:
  • Determine if a symmetric key can be exported, and, if so, which asymmetric keys can be used in the operation to re-encrypt the symmetric key.
  • Determine if an asymmetric key can be used in secure export and import operations, or in handshake operations.
However, because this is warning mode, ICSF will allow the operation to continue even if the ICSF segment indicates that the operation is not allowed.
  CSF.PKAEXTNS.ENABLE Requires an active Key Store Policy for CKDS and PKDS. Enables PKA Key Management Extensions in fail mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked to:
  • Determine if a symmetric key can be exported, and, if so, which asymmetric keys can be used in the operation to re-encrypt the symmetric key.
  • Determine if an asymmetric key can be used in secure export and import operations, or in handshake operations.
If the ICSF segment indicates that the operation is not allowed, the service returns with an error.
Key Archive Use control

Specifies that ICSF allows an application to use the key material of a CKDS, PKDS, or TKDS record that has been archived.

CSF.KDS.KEY.ARCHIVE.USE Enables the Key Archive Use control. ICSF will not fail a service request using the label of an archived CKDS, PKDS, or TKDS record.
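
The prerequisites in Table 1 can be checked mechanically before a policy change is rolled out. The following is an added example, not IBM or ICSF code: a small linter that takes the resource names for which an XFACILIT profile exists and reports controls whose stated prerequisites are unmet, plus controls still running in warning mode. The function names, severity labels, and the sample list are assumptions made for illustration; the input is assumed to be a plain list of resource names.

```python
# Added example (not IBM code): check a set of enabled Key Store Policy
# controls against the prerequisites stated in Table 1.
STORES = ("CKDS", "PKDS")

def token_check_on(enabled, store):
    """Key Token Authorization Checking is on in either warning or fail mode."""
    return any(f"CSF.{store}.TOKEN.CHECK.LABEL.{m}" in enabled for m in ("WARN", "FAIL"))

def policy_active(enabled, store):
    """Controls that Table 1 says activate Key Store Policy for this store."""
    return token_check_on(enabled, store) or f"CSF.{store}.TOKEN.NODUPLICATES" in enabled

def lint_key_store_policy(resources):
    """Return (severity, resource, message) tuples for one system's controls."""
    enabled = {r.strip().upper() for r in resources}
    findings = []
    for store in STORES:
        default = f"CSF.{store}.TOKEN.CHECK.DEFAULT.LABEL"
        if default in enabled and not token_check_on(enabled, store):
            findings.append(("ERROR", default,
                             f"requires CSF.{store}.TOKEN.CHECK.LABEL.WARN or .FAIL"))
    for ext in ("CSF.PKAEXTNS.ENABLE", "CSF.PKAEXTNS.ENABLE.WARNONLY"):
        missing = [s for s in STORES if not policy_active(enabled, s)]
        if ext in enabled and missing:
            findings.append(("ERROR", ext,
                             "no active Key Store Policy for " + " and ".join(missing)))
    # Controls that work on labels alone but rely on an active Key Store Policy
    # when a caller passes a key token instead of a key label.
    token_deps = {"CSF.CSFKEYS.AUTHORITY.LEVELS.WARN": STORES,
                  "CSF.CSFKEYS.AUTHORITY.LEVELS.FAIL": STORES,
                  "CSF.XCSFKEY.ENABLE.AES": ("CKDS",),
                  "CSF.XCSFKEY.ENABLE.DES": ("CKDS",)}
    for ctl, stores in token_deps.items():
        missing = [s for s in stores if not policy_active(enabled, s)]
        if ctl in enabled and missing:
            findings.append(("NOTE", ctl, "token-based calls need an active Key "
                             "Store Policy for " + " and ".join(missing)))
    for ctl in sorted(enabled):
        if ctl.endswith((".WARN", ".WARNONLY")):
            findings.append(("INFO", ctl, "warning mode: a failed check warns but the operation continues"))
    return findings

# Constructed sample: resource names that have an XFACILIT profile on one system.
SAMPLE = ["CSF.CKDS.TOKEN.CHECK.LABEL.WARN", "CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL",
          "CSF.PKAEXTNS.ENABLE", "CSF.XCSFKEY.ENABLE.AES"]

if __name__ == "__main__":
    for severity, resource, message in lint_key_store_policy(SAMPLE):
        print(f"{severity:5} {resource}: {message}")
```

On the constructed sample, the linter reports the PKDS default-label control and the PKA extensions control as unmet, because nothing activates Key Store Policy for the PKDS.
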
For more information on the: