Giving the channel initiator the correct access rights on z/OS
The channel initiator (CHINIT) needs access to the key repository and to certain security profiles.
Granting the CHINIT access to read the key repository
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(userid) ACCESS(READ)
where userid is the user ID of the channel initiator address space.
Granting the CHINIT read access to the appropriate CSF* profiles
For hardware support provided through the Integrated Cryptographic Service Facility (ICSF) to be used, ensure your CHINIT user ID has read access to the appropriate CSF* profiles in the CSFSERV class by using the following command:
PERMIT csf-resource CLASS(CSFSERV) ID(userid) ACCESS(READ)
where csf-resource is one of the following CSF* profile names and userid is the user ID of the channel initiator address space:
- CSFDSG
- CSFDSV
- CSFPKD
- CSFPKE
- CSFPKI
- CSF1DVK
- CSF1GAV
- CSF1GKP
- CSF1SKE
- CSF1TRC
- CSF1TRD
If your certificate keys are stored in ICSF and your installation has established access control over keys stored in ICSF, ensure your CHINIT user ID has read access to the profile in the CSFKEYS class by using the following command:
PERMIT IRR.DIGTCERT.userid.* CLASS(CSFKEYS) ID(userid) ACCESS(READ)
where userid is the user ID of the channel initiator address space.
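The three PERMIT steps above, collected into one batch job that a z/OS administrator can submit and keep as a change record. This is an added example, not part of the IBM documentation page: the job card, the CHINIT user ID MQCHIN and the choice of running the RACF commands under IKJEFT01 are assumptions, and the profiles named must already exist (a PERMIT against an undefined profile fails). The SETROPTS REFRESH commands assume the FACILITY, CSFSERV and CSFKEYS classes are RACLISTed, which is the usual case; the RLIST commands at the end show the resulting access list so the grant can be verified.

```jcl
//RACFPERM JOB (ACCT),'CHINIT ACCESS',CLASS=A,MSGCLASS=X
//* Added example, not from the IBM page. Replace MQCHIN with the
//* user ID of your channel initiator address space (placeholder).
//* Grants go to the CHINIT user ID only, not to a broad group.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
/* Key repository: list the key ring and its certificates        */
PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(MQCHIN) ACCESS(UPDATE)
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(MQCHIN) ACCESS(READ)
/* ICSF services used for hardware cryptography (CSFSERV class)  */
PERMIT CSFDSG  CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSFDSV  CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSFPKD  CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSFPKE  CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSFPKI  CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSF1DVK CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSF1GAV CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSF1GKP CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSF1SKE CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSF1TRC CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
PERMIT CSF1TRD CLASS(CSFSERV) ID(MQCHIN) ACCESS(READ)
/* Only if certificate keys are stored in ICSF and key access is  */
/* controlled through the CSFKEYS class                           */
PERMIT IRR.DIGTCERT.MQCHIN.* CLASS(CSFKEYS) ID(MQCHIN) ACCESS(READ)
/* Make the new access lists effective (assumes RACLISTed classes) */
SETROPTS RACLIST(FACILITY) REFRESH
SETROPTS RACLIST(CSFSERV) REFRESH
SETROPTS RACLIST(CSFKEYS) REFRESH
/* Verify: show the access lists that now apply                   */
RLIST FACILITY IRR.DIGTCERT.LISTRING AUTHUSER
RLIST FACILITY IRR.DIGTCERT.LIST AUTHUSER
RLIST CSFSERV CSFDSG AUTHUSER
RLIST CSFKEYS IRR.DIGTCERT.MQCHIN.* AUTHUSER
/*
```

Check the SYSTSPRT output for each PERMIT before relying on the grant: a failed PERMIT is reported there, not in the job return code alone, and the RLIST output should list MQCHIN with exactly the access the page calls for (UPDATE on LISTRING, READ elsewhere) and nothing more.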
Using the Integrated Cryptographic Service Facility (ICSF)
The channel initiator can use ICSF to generate a random number when seeding the password protection algorithm that obfuscates passwords flowing over client channels when TLS is not in use.
For further information, see Using the Integrated Cryptographic Service Facility (ICSF).