When the Key Token Authorization Checking control for a key store has been enabled and a token is passed to a callable service, ICSF will find the key label or labels associated with the passed token so that a SAF authority check can be performed. If, however, the token passed to the callable service is not in the key store, there will be no associated key label to find. By default, no authorization checking is performed on the use of the key, and the operation is allowed. If you enable the Default Key Label Checking control for the CKDS or PKDS, however, ICSF will use a default profile to determine user access to tokens that are not in the key store.
Separate controls are provided for enabling Default Key Label Checking for a CKDS or a PKDS. The Default Key Label Checking control will be enabled only if the Key Token Authorization Checking control for the appropriate key store is also enabled. Refer to Enabling access authority checking for key tokens for more information. To enable one of the Default Key Label Checking controls, create the appropriate profile in the XFACILIT class.
| The existence of this resource profile in the XFACILIT class: | Does this: |
|---|---|
| CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL | Specifies that ICSF should use the default profile CSF-CKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the CKDS. This control is enabled only if the CSF.CKDS.TOKEN.CHECK.LABEL.WARN or CSF.CKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled. |
| CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL | Specifies that ICSF should use the default profile CSF-PKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the PKDS. This control is enabled only if the CSF.PKDS.TOKEN.CHECK.LABEL.WARN or CSF.PKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled. |
For example, to enable the Default Key Label Checking control for a CKDS, you would:

```
RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE)
PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH
RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
SETROPTS RACLIST(XFACILIT) REFRESH
```
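The decision flow described above, as an added illustrative model written for this page (it is not ICSF or RACF code): the constructed key store, user IDs and CSFKEYS permissions are assumptions, WARN is modelled as log-and-allow and FAIL as deny, and the model requires READ on every label tied to a token, which is a simplification. It shows that with only the LABEL.WARN/FAIL control defined, a token that is not in the key store is used with no SAF check at all, and that the DEFAULT.LABEL control closes that gap.

```python
"""Illustrative model of ICSF Key Token Authorization Checking (not ICSF code)."""
from dataclasses import dataclass


@dataclass
class KeyStore:
    """Constructed stand-in for a CKDS or PKDS: token -> key labels it carries."""
    kind: str                # "CKDS" or "PKDS"
    labels_by_token: dict    # token -> list of key labels (empty: not in store)


def check_token_use(store, token, user, xfacilit, csfkeys):
    """Return (decision, reason) for a token passed to a callable service.

    xfacilit: set of defined XFACILIT profile names (the ICSF controls).
    csfkeys:  CSFKEYS profile -> set of user IDs permitted READ access.
    Assumption: READ on every label found for the token is required.
    """
    prefix = f"CSF.{store.kind}.TOKEN.CHECK"
    if f"{prefix}.LABEL.FAIL" in xfacilit:
        mode = "FAIL"
    elif f"{prefix}.LABEL.WARN" in xfacilit:
        mode = "WARN"
    else:
        return "allow", "Key Token Authorization Checking is not enabled"

    profiles = store.labels_by_token.get(token)
    if not profiles:
        if f"{prefix}.DEFAULT.LABEL" not in xfacilit:
            # Token is not in the key store and no default profile is in
            # effect: there is no label to check, so the use is allowed.
            return "allow", "token not in key store; no SAF check performed"
        # Default Key Label Checking: fall back to the default profile.
        profiles = [f"CSF-{store.kind}-DEFAULT"]

    denied = [p for p in profiles if user not in csfkeys.get(p, set())]
    if not denied:
        return "allow", f"READ permitted on {', '.join(profiles)}"
    if mode == "WARN":
        return "allow-warn", f"READ missing on {', '.join(denied)} (WARN mode)"
    return "deny", f"READ missing on {', '.join(denied)} (FAIL mode)"


# Constructed sample data: TOK1 is in the CKDS under label MY.KEY, TOK9 is not.
SAMPLE_STORE = KeyStore("CKDS", {"TOK1": ["MY.KEY"]})
SAMPLE_CSFKEYS = {"MY.KEY": {"ALICE"}, "CSF-CKDS-DEFAULT": {"ALICE"}}
FAIL_ONLY = {"CSF.CKDS.TOKEN.CHECK.LABEL.FAIL"}
FAIL_WITH_DEFAULT = FAIL_ONLY | {"CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL"}
WARN_WITH_DEFAULT = {"CSF.CKDS.TOKEN.CHECK.LABEL.WARN",
                     "CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL"}
```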