Enabling duplicate key label checking

A key token could be stored in a key store within multiple key records and so could be associated with multiple key labels. When the Key Token Authorization Checking control is enabled for the key store, duplicate tokens can cause problems because all labels that are associated with a key token passed to an ICSF callable service will be used to determine user access to that token. Although you may deliberately restrict access to a token by one of the labels associated with it, a user might still have access to the token through another label. You can enable the Duplicate Key Token Checking control for the CKDS or PKDS to prevent applications from storing duplicate tokens in the key store. When enabled, ICSF services that update the key store will check for duplicate tokens. ICSF will not allow a key token to be written to the key store if it matches a token that is already stored. The Duplicate Key Token Checking controls do not rely on SAF authorization checks against CSFKEYS class profiles. Instead, the callable services that update the key store will verify that a duplicate token does not already exist within the key store.
Note: Enabling the Duplicate Key Token Checking control for the CKDS or PKDS ensures only that no duplicate keys are added to the key store. To identify any duplicate key tokens that may already exist in a CKDS or PKDS, use the CSFDUTIL utility program. The CSFDUTIL utility program generates a report of all duplicate keys in either a CKDS or a PKDS.

Separate controls are provided for enabling Duplicate Key Token Checking for a CKDS or a PKDS. To enable either of the Duplicate Key Token Checking controls, create the appropriate profile in the XFACILIT class.

Table 1. Key Store Policy controls: The Duplicate Key Token Checking controls
The existence of this resource profile in the XFACILIT class: Does this:
CSF.CKDS.TOKEN.NODUPLICATES Activates Key Store Policy for CKDS. Enables Duplicate Key Token Checking for the CKDS. ICSF will prevent an application from creating a new key record (with a new key label) for a token that is already stored in the CKDS.
CSF.PKDS.TOKEN.NODUPLICATES Activates Key Store Policy for PKDS. Enables Duplicate Key Token Checking for the PKDS. ICSF will prevent an application from creating a new key record (with a new key label) for a token that is already stored in the PKDS.
For example, to ensure that duplicate tokens are not stored in either the CKDS or PKDS, you would enter the following commands:
RDEFINE XFACILIT CSF.CKDS.TOKEN.NODUPLICATES
RDEFINE XFACILIT CSF.PKDS.TOKEN.NODUPLICATES
SETROPTS RACLIST(XFACILIT) REFRESH