For services that are passed a label, the key store policy will
not affect the SAF check, so only Granular Keylabel Access Controls
and CSNDSYX Access Controls will have an effect:

Table 1. Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions (label)

| | No CSNDSYX Access Controls for algorithm | CSNDSYX Access Controls for algorithm | No Granular Keylabel Access Controls | Granular Keylabel Access Controls |
|---|---|---|---|---|
| CSNDSYX: DATA key identifier | Label SAF check is done against CSFKEYS | Label SAF check is done against XCSFKEY | n/a | n/a |
| CSNDSYX: RSA key identifier and all other services passed a label | n/a | n/a | Label SAF check is done against CSFKEYS for READ access | Label SAF check is done against CSFKEYS for appropriate access |

For services that are passed a token:

Table 2. Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions (token)

| | No KSP | KSP / No CSNDSYX Access Controls for algorithm | KSP / CSNDSYX Access Controls for algorithm | KSP / No Granular Keylabel Access Controls | KSP / Granular Keylabel Access Controls |
|---|---|---|---|---|---|
| CSNDSYX: DATA key identifier | No SAF check is done | KSP SAF checks are done against CSFKEYS | KSP SAF checks are done against XCSFKEY | n/a | n/a |
| CSNDSYX: RSA key identifier and all other services passed a label | No SAF check is done | n/a | n/a | KSP SAF checks are done against CSFKEYS | KSP SAF checks are done against CSFKEYS |

Note: The levels used by Granular Keylabel
Access Controls will also be applied to KSP checks (that is, if the
CKDS labels matching a token were checked with UPDATE access, CSF-CKDS-DEFAULT
will also be checked with UPDATE access).