In addition to the CSFSERV class, CCA and PKCS #11 services and utilities are controlled by access control points in the domain role of all cryptographic coprocessors. Most access control points are enable by default. Some access control points are disabled by default for all users and require a TKE workstation to enable.
The access control points are listed in CCA access control points and ICSF utilities and Appendix G of z/OS Cryptographic Services ICSF Application Programmer's Guide. The PKCS #11 access control points are listed in Chapter 2 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
All access control points for ISPF, UDX, and callable services on the coprocessor can be enabled or disabled using the TKE workstation. A TKE workstation is required if you are using the Enterprise PKCS #11 coprocessor and PKCS #11 access control points may be enabled or disabled.
New access control points must be enabled before the new services are available. UDX support is dependent on access control points. If your installation wants to use UDX callable services, the corresponding access control point must be enabled.
For more information, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.