For setting up profiles in the CRYPTOZ class for
PKCS #11 tokens and objects, see 'Controlling access to tokens' in
Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
To set up profiles in the CSFKEYS general resource class, take
these steps:

1. Define appropriate profiles in the CSFKEYS class:

     RDEFINE CSFKEYS label UACC(NONE) other-optional-operands

   where label is the label by which the key is defined in the CKDS or PKDS.
   Note that if an application uses a token instead of a key label, no
   authorization checking is done on the use of the key.

   Notes:
   - As with any SAF profile, if you want to change the profile later, use
     the RALTER command. To change the access list, use the PERMIT command
     as described in the next step.
   - If you have already started ICSF, you need to refresh the in-storage
     profiles. See Step 3.
   - You can specify other operands, such as auditing (AUDIT operand), on
     the RDEFINE or RALTER commands.
   - If the security administrator has activated generic profile checking
     for the CSFKEYS class, you can create generic profiles using the generic
     characters * and %. This is the same as any SAF general resource class.

2. Give appropriate users (preferably groups) access to the profiles:

     PERMIT profile-name CLASS(CSFKEYS) ID(groupid) ACCESS(READ)

   Notes:
   - READ authority is the default authority for access to PKDS and CKDS
     labels for all usage. See Increasing the level of authority needed to
     modify key labels for controls available to increase the authority for
     certain usages.
   - For the exclusive purpose of requiring UPDATE instead of READ authority
     when transferring a secure symmetric key from encryption under the
     master key to encryption under an RSA key, you can define profiles in
     the XCSFKEY class. Profiles in the XCSFKEY class are used in
     authorization checks only when the Symmetric Key Export service
     (CSNDSYX, CSNFSYX, or CSNDSXD) is called. See Increasing the level of
     authority required to export symmetric keys for additional information.

3. When the profiles are ready to be used, ask the security administrator
   to activate the CSFKEYS class and refresh the in-storage SAF profiles:

     SETROPTS CLASSACT(CSFKEYS)
     SETROPTS RACLIST(CSFKEYS) REFRESH
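The following is an added, simplified model of the authorization decision the steps above set up; it is example code written for this page, not ICSF or RACF code. It assumes (as simplifications of real RACF behaviour) that % matches one character, * matches any run of characters, the matching profile with the most literal characters wins, a user entry in the access list outranks group entries, and a label with no covering profile is treated as not protected. The profile names, user IDs and groups are constructed sample values.

```python
import re

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}
# Symmetric Key Export services: the only callers for which XCSFKEY is consulted.
SYMMETRIC_KEY_EXPORT = {"CSNDSYX", "CSNFSYX", "CSNDSXD"}


class Profile:
    """A general-resource profile: name (may be generic), UACC and access list."""
    def __init__(self, name, uacc="NONE", acl=None):
        self.name, self.uacc, self.acl = name, uacc, acl or {}

    def matches(self, label):
        # Simplified generic matching: '%' is one character, '*' any run (assumption).
        pattern = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                          for c in self.name)
        return re.fullmatch(pattern, label) is not None

    def specificity(self):
        return sum(c not in "*%" for c in self.name)   # literal characters

    def access_for(self, user, groups):
        if user in self.acl:                 # user entry outranks group entries
            return self.acl[user]
        group_levels = [self.acl[g] for g in groups if g in self.acl]
        if group_levels:
            return max(group_levels, key=ACCESS_RANK.__getitem__)
        return self.uacc                     # fall back to UACC


def best_profile(profiles, label):
    hits = [p for p in profiles if p.matches(label)]
    return max(hits, key=Profile.specificity) if hits else None


def authorized(classes, label, user, groups, service):
    """classes: {'CSFKEYS': [...], 'XCSFKEY': [...]} for the active classes."""
    if service in SYMMETRIC_KEY_EXPORT and "XCSFKEY" in classes:
        p = best_profile(classes["XCSFKEY"], label)
        if p is not None:                    # XCSFKEY covers the label: UPDATE needed
            return ACCESS_RANK[p.access_for(user, groups)] >= ACCESS_RANK["UPDATE"]
    p = best_profile(classes.get("CSFKEYS", []), label)
    if p is None:
        return True                          # no covering profile: not protected
    return ACCESS_RANK[p.access_for(user, groups)] >= ACCESS_RANK["READ"]


# Constructed sample: a discrete CSFKEYS profile, a generic one, and an XCSFKEY profile.
CLASSES = {
    "CSFKEYS": [Profile("PAYROLL.DES.KEY01", acl={"PAYGRP": "READ"}),
                Profile("PAYROLL.*", acl={"PAYADMIN": "READ"})],
    "XCSFKEY": [Profile("PAYROLL.%%%.KEY*", acl={"PAYADMIN": "UPDATE"})],
}
```

With these profiles, a PAYGRP member can use PAYROLL.DES.KEY01 for ordinary services but not export it, while a PAYADMIN member can do both; a label no profile covers passes the check, which is why a catch-all generic profile is worth defining.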