Setting up profiles in the CSFKEYS general resource class

For setting up profiles in the CRYPTOZ class for PKCS #11 tokens and objects, see 'Controlling access to tokens' in Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

To set up profiles in the CSFKEYS general resource class, take these steps.
Note: The CSFKEYS class grants access to the key if there is no profile. You can create a global generic profile to restrict access.
  1. Define appropriate profiles in the CSFKEYS class: 
    
    RDEFINE  CSFKEYS label  UACC(NONE)
             other-optional-operands

    where label is the label by which the key is defined in the CKDS or PKDS.

    PKA private key tokens may optionally have a 64-byte private-key name field, where label is the label by which the key is defined in the CKDS or PKDS, or the optional 64-byte private-key name field of a PKA private key token.

    For RSA keys, if a private-key name exists, ICSF uses RACROUTE REQUEST=AUTH to verify access to the CSFKEYS profile of name private-key name prior to using the token in a callable service. For additional security, the processor also validates the entire private key token.

    Note:
    1. As with any SAF profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
    2. If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
    3. You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
    4. If the security administrator has activated generic profile checking for the CSFKEYS class, you can create generic profiles using the generic characters * and %. This is the same as any SAF general resource class.
  2. Give appropriate users (preferably groups) access to the profiles: 
        PERMIT  profile-name  CLASS(CSFKEYS)
            ID(groupid)  ACCESS(READ)
    Notes:
    • READ authority is the default authority for access to PKDS and CKDS labels for all usage. See Increasing the level of authority needed to modify key labels for controls available to increase the authority for certain usages.
    • For the exclusive purpose of requiring UPDATE instead of READ authority when transferring a secure symmetric key from encryption under the master key to encryption under an RSA key, you can define profiles in the XCSFKEY class. Profiles in the XCSFKEY class are used in authorization checks only when the Symmetric Key Export service (CSNDSYX, CSNFSYX, or CSNDSXD) is called. See Increasing the level of authority required to export symmetric keys for additional information.
  3. When the profiles are ready to be used, ask the security administrator to activate the CSFKEYS class and refresh the in-storage SAF profiles: 
        SETROPTS  CLASSACT(CSFKEYS)
    SETROPTS RACLIST(CSFKEYS) REFRESH