Setting up profiles in the CSFKEYS general resource class

For setting up profiles in the CRYPTOZ class for PKCS #11 tokens and objects, see 'Controlling access to tokens' in Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

To set up profiles in the CSFKEYS general resource class, take these steps:
  1. Define appropriate profiles in the CSFKEYS class:

         RDEFINE  CSFKEYS  label  UACC(NONE)
                  other-optional-operands

    where label is the label under which the key is stored in the CKDS or PKDS. Note that if an application passes a key token directly instead of a key label, no label is involved in the call and ICSF performs no CSFKEYS authorization check on the use of that key.

    Note:
    1. As with any SAF profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
    2. If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
    3. You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
    4. If the security administrator has activated generic profile checking for the CSFKEYS class, you can create generic profiles using the generic characters * and %. This is the same as any SAF general resource class.
  2. Give appropriate users (preferably groups) access to the profiles:
        PERMIT  profile-name  CLASS(CSFKEYS)
                ID(groupid)  ACCESS(READ)
    Notes:
    • By default, READ authority is sufficient for every use of a CKDS or PKDS label. See Increasing the level of authority needed to modify key labels for the controls that raise the required authority for certain usages.
    • If you want to require UPDATE rather than READ authority for one specific operation, transferring a secure symmetric key from encryption under the master key to encryption under an RSA key, define profiles in the XCSFKEY class. Profiles in the XCSFKEY class are consulted only when the Symmetric Key Export service (CSNDSYX, CSNFSYX, or CSNDSXD) is called; all other services continue to check CSFKEYS. See Increasing the level of authority required to export symmetric keys for additional information.
  3. When the profiles are ready to be used, ask the security administrator to activate the CSFKEYS class and refresh the in-storage SAF profiles:
        SETROPTS  CLASSACT(CSFKEYS)
        SETROPTS RACLIST(CSFKEYS) REFRESH
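The three steps above, carried through as one batch job. This is an added example and is not part of the original page or of IBM's ICSF documentation; the job card, the PAYROLL.** label prefix, the APPPROD and KEYEXPORT group IDs, and the choice of auditing options are all assumptions made for illustration. The job runs the RACF commands under IKJEFT01 (the TSO batch processor) so that every command and its response is captured in SYSTSPRT; the same commands can be entered interactively in TSO. It also covers the XCSFKEY profile described in the note to step 2 and ends with an RLIST so that the access lists can be verified before the class is relied on.

```jcl
//CSFKEYS  JOB (ACCT),'CSFKEYS SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Define and activate CSFKEYS (and XCSFKEY) profiles for ICSF key labels.
//* All labels and group IDs below are hypothetical.
//*
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Step 1: allow generic profiles in CSFKEYS, then define one      */
  /* generic profile covering every CKDS/PKDS label that begins      */
  /* with PAYROLL. (** matches zero or more further qualifiers).    */
  /* UACC(NONE) means nobody not on the access list can use the key. */
  /* AUDIT(FAILURES(READ)) logs every rejected attempt to use it.    */
  SETROPTS GENERIC(CSFKEYS)
  RDEFINE CSFKEYS PAYROLL.** UACC(NONE) AUDIT(FAILURES(READ))

  /* Step 2: grant the application's group READ, which is sufficient */
  /* for every ICSF service unless XCSFKEY is in use.                */
  PERMIT PAYROLL.** CLASS(CSFKEYS) ID(APPPROD) ACCESS(READ)

  /* Optional: require UPDATE for exporting these labels under an    */
  /* RSA key (CSNDSYX/CSNFSYX/CSNDSXD). XCSFKEY is consulted only by  */
  /* the Symmetric Key Export service; READ on CSFKEYS still governs  */
  /* everything else. Only the export group gets UPDATE.             */
  SETROPTS GENERIC(XCSFKEY)
  RDEFINE XCSFKEY PAYROLL.** UACC(NONE) AUDIT(ALL(UPDATE))
  PERMIT PAYROLL.** CLASS(XCSFKEY) ID(KEYEXPORT) ACCESS(UPDATE)

  /* Step 3: activate the classes and load the profiles in storage.  */
  /* Once RACLISTed, every later RDEFINE/RALTER/PERMIT needs another */
  /* RACLIST REFRESH before ICSF sees the change.                    */
  SETROPTS CLASSACT(CSFKEYS XCSFKEY) RACLIST(CSFKEYS XCSFKEY)
  SETROPTS RACLIST(CSFKEYS XCSFKEY) REFRESH

  /* Verify: AUTHUSER shows the standard access list for each        */
  /* profile, so the grants can be checked in SYSTSPRT.              */
  RLIST CSFKEYS PAYROLL.** AUTHUSER
  RLIST XCSFKEY PAYROLL.** AUTHUSER
/*
```

Two checks are worth making after the job runs. First, confirm in SYSTSPRT that the RDEFINE commands did not end with an "already defined" message; a pre-existing profile is left untouched by RDEFINE and must be changed with RALTER. Second, exercise the control from the application side: a key use by an ID that is not in the APPPROD group should now fail with an ICSF return/reason code indicating a SAF authorization failure, and the rejection should appear in the RACF audit records because of the AUDIT(FAILURES(READ)) option.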