Using panel.exe to show the active role and ACPs
You can use the panel.exe utility to list the name of the role for the current domain, to show all the ACP settings for that role, and to query the setting of a particular ACP for that role.
Each domain of the coprocessor has a role assigned which defines the capabilities of every application running in that domain. Installations that make use of a Trusted Key Entry (TKE) workstation can configure the role for each domain to enable or disable capabilities. A capability is called an access control point, or ACP for short.
The role visible to and used by a domain is called the default role for that domain.
The 8-byte name of the role depends on the number of the domain and the generation of the cryptographic coprocessor. An example of a name is DFLT0035 for domain 35 on a CEX5C or higher adapter (derived from the DFLTXXXX style of naming, introduced with the CEX5C support on z13® systems).
Invoke panel.exe for particular purposes as follows:
To list the role for the domain:
# panel.exe --list-roles
panel.exe legacy syntax
# panel.exe -mrl
The output is the same in both interface versions:
Showing returned list of ROLEs: [DFLT0019]
---------------------------
API CALL details: CSUAACM [LSTROLES] card [DV73R354] number of items [1]
---------------------------
Data explained:
The only role visible to this domain has the 8-byte ASCII name DFLT0019, where 19 stands for domain 19. For more information on roles, see z/OS Cryptographic Services. Only the DEFALTXX/DFLTXXXX roles for each domain are visible; you cannot see further administrative roles. Also, on IBM Z®, you cannot create or use multiple roles for use by different applications on one domain. If you require different roles for applications, these applications must use different domains, because all applications in a domain share the same permissions granted by the DEFALTXX/DFLTXXXX role.

To show the ACPs for that role:
# panel.exe --show-role --role "DFLT0019"
# panel.exe --show-role --role=DFLT0019
panel.exe legacy syntax
# panel.exe -mrp "DEFALT02"
The output is the same in both interface versions:
Showing returned ROLE DATA:
API CALL details: CSUAACM [GET-ROLE ] card [DV73R354]
ROLE [DFLT0019] size [208] version: [0001]
comment: [System default role ]
authstr: [0000] time range: [00:00] - [00:00] DOW: [fe]
ACP Segments for role: 5
ACP Segment [0] has [31] Bytes for bits [0x0008 - 0x00ff]
[ 03 f0 ] << ACP bits [0x0008 - 0x0017]
[ ff 70 ] << ACP bits [0x0018 - 0x0027]
<…data continues…>
Output explanation:
The shown output is a parsed, human-readable version of the role and access control point data structures described in Access control data structures. The size of the entire returned data structure is 208 bytes for the role with ID DFLT0019.
The authstr, time range, and DOW fields are meaningless for a default role like this.
There are five ACP segments to be shown. The output starts with the data of the first (0th) segment, which has 31 bytes of data that specify the ACPs from offset 0x0008 to 0x00ff. Each of those 31 bytes is shown in hexadecimal at the left, with information at the right indicating which ACP bits that hexadecimal byte covers. This information is useful to understand the role structure, or to check your own program if it pulls and processes the same information.
Example:
[ 03 f0 ] << ACP bits [0x0008 - 0x0017]

Figure 1 shows how to interpret the output from the command panel.exe --show-role --role=DFLT0019. For example, you can see that ACP X'000E' is enabled for role DFLT0019.
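The following is an added example, not part of this documentation or of panel.exe itself: it parses the "[ xx yy ] << ACP bits [...]" lines of panel.exe --show-role output into per-ACP states so a script can check a domain's role the same way the --query-acps call does. It assumes, as the X'000E' example above implies, that the first ACP of each byte is the byte's high-order bit; the sample text is a constructed excerpt of the output shown above.

```python
import re

# Constructed excerpt of "panel.exe --show-role --role=DFLT0019" output.
SAMPLE_OUTPUT = """\
Showing returned ROLE DATA:
ROLE [DFLT0019] size [208] version: [0001]
ACP Segments for role: 5
ACP Segment [0] has [31] Bytes for bits [0x0008 - 0x00ff]
[ 03 f0 ] << ACP bits [0x0008 - 0x0017]
[ ff 70 ] << ACP bits [0x0018 - 0x0027]
"""

# Matches one data line: hex bytes at the left, covered ACP range at the right.
LINE_RE = re.compile(
    r"^\[\s*((?:[0-9a-fA-F]{2}\s*)+)\]\s*<<\s*ACP bits\s*"
    r"\[\s*(0x[0-9a-fA-F]+)\s*[-\u2013]\s*(0x[0-9a-fA-F]+)\s*\]"
)


def parse_acp_bits(text):
    """Return {acp_number: enabled} for every ACP covered by the data lines."""
    acps = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, comment, or other non-data line
        data = bytes.fromhex(m.group(1).replace(" ", ""))
        first, last = int(m.group(2), 16), int(m.group(3), 16)
        if last - first + 1 != len(data) * 8:
            raise ValueError(
                f"range {first:#06x}-{last:#06x} does not match {len(data)} bytes")
        for i in range(len(data) * 8):
            # Assumption (consistent with 0x03 => X'000E' enabled): ACP
            # 'first' is the most significant bit of the first byte.
            acps[first + i] = bool((data[i // 8] >> (7 - i % 8)) & 1)
    return acps


def acp_enabled(acps, acp):
    """True if the ACP is enabled; KeyError if no parsed segment covers it."""
    if acp not in acps:
        raise KeyError(f"ACP {acp:#06x} is not covered by the parsed segments")
    return acps[acp]


def enabled_acps(acps):
    """Sorted list of all enabled ACP numbers, handy for an audit diff."""
    return sorted(n for n, on in acps.items() if on)
```

Feed it the full --show-role output to audit every segment; ACPs outside the parsed ranges raise KeyError rather than silently reading as disabled.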
To query a particular ACP value for that role (ENABLED means 1, DISABLED means 0):
# panel.exe --query-acps --role=DFLT0019 --acps=0x0204
# panel.exe --query-acps --role "DFLT0019" --acps 0x0204
panel.exe legacy syntax
# panel.exe -mrq "DEFALT02" 0x0204
The output is the same in both interface versions:
Role ID [DFLT0019]: ACP [0x0204] is [ENABLED]