CCA access control points and ICSF utilities

For information about PKCS #11 access control points, see 'PKCS #11 Coprocessor Access Control Points' in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Access to utilities that are executed on the CCA coprocessor is through access control points (ACPs) in the ICSF role. To execute utilities on the coprocessor, access control points must be enabled for each service in the ICSF role. The TKE workstation allows you to enable or disable access control points.

A new or a zeroized coprocessor (or domain) comes with an initial set of access control points (ACPs) that are enabled by default. The table of access control points lists the default setting of each access control point.

When a firmware upgrade is applied to an existing cryptographic coprocessor, the upgrade may introduce new ACPs.

If a TKE workstation has been used to manage a cryptographic coprocessor, the firmware upgrade does not retroactively enable the new ACPs. These ACPs must be enabled via the TKE (or subsequent zeroize) in order to utilize the new support they govern.
If a TKE workstation has not been used to manage a cryptographic coprocessor, the firmware upgrade retroactively updates the new ACPs that would be enabled by default.

Note: Access control points for ICSF callable services are listed in appendix G of z/OS Cryptographic Services ICSF Application Programmer's Guide z/OS Cryptographic Services ICSF Application Programmer's Guide z/OS Cryptographic Services ICSF Application Programmer's Guide.