
RACF Reference for UKO

The following table lists and describes the RACF resources that the UKO Agent (running under the <task-user> user ID) and the UKO client user (<client-user>) must be able to access.

Security profiles relevant for UKO

Resource: KMG.EKMF.KMGPRACF
Class: FACILITY
Description: Access to run a UKO Agent. The UKO Agent started task user ID (the <task-user>) must have READ access to this resource.

Resource: KMG.EKMF.KMGPRACF.<task-user>
Class: FACILITY
Description: Access for a UKO client user to connect to a specific UKO Agent, that is, the Agent that executes with <task-user> as its user ID. The <client-user> needs READ access.

Resource: KMG.EKMF.NOCV
Class: FACILITY
Description: Allows management of NO-CV keys. Both the UKO <task-user> and the UKO <client-user> require READ access.

Resource: KMG.EKMF.LNKCRYOFF
Class: FACILITY
Description: Allows a connection to the UKO Agent to be in the clear, that is, not encrypted. It is required initially if the DES link encryption method is being set up: the <task-user> must have READ access to allow the UKO client to connect without link encryption. If Diffie-Hellman link encryption is planned, define the resource from the beginning with UACC(NONE) and permit no client or agent to it.

Resource: KMG.EKMF.AUDITOFF
Class: FACILITY
Description: Allows a UKO <client-user> to specify that the UKO audit records are not written to SMF. Both the <task-user> and the <client-user> need READ access to allow the UKO client to disable logging to SMF. This is only required for the initial setup, so the access should not remain permitted once setup is complete.

Resource: KMG.EKMF.SMF
Class: FACILITY
Description: The UKO <task-user> needs READ access to the profile, and AUDIT(ALL(READ)) must be set on the profile so that RACF writes SMF records whenever the resource is accessed.

Resource: KMG.WS.AUTHOFF
Class: XFACILIT
Applies to: Web, WS
Description: Access to allow the KMGPARM option &WS-AUTH(OFF). The <task-user> must have READ access for &WS-AUTH(OFF) to take effect. When &WS-AUTH(OFF) is specified, the hash value of the EKMF workstation signature key is not checked.

Resource: KMG.WS.<64hex-EKMSws-sha256>
Class: XFACILIT
Applies to: Web, WS
Description: The profile describes a specific client (EKMF Workstation or UKO), where <64hex-EKMSws-sha256> is the 64 hex character SHA-256 value of the client's public ECC signature key token. The <task-user> must have READ access for the client to connect using Diffie-Hellman link encryption. See Diffie-Hellman Link Encryption.

Resource: KMG.WEBCLIENT.<client-id>
Class: XFACILIT
Applies to: Web
Description: Access for the UKO Agent to use the user ID given in &WEBCLIENT (KMGPARMS) and assign it to UKO client requests. Note: this user ID is a SAF user ID and is referred to as the <client-user> in this document.

Resource: KMG.LG.<64hex-EKMSws-sha256>
Class: XFACILIT
Applies to: Web
Description: Access to trust the UKO client signature key so that the &WEBCLIENT (KMGPARMS) user ID is assigned during LG (Logon). KMG.WS.<64hex-EKMSws-sha256> is still required as well.

Resource: KMG.EKMF.BROWSER.<task-user>
Class: FACILITY
Applies to: Browser
Description: Access for a UKO client user to connect to a specific UKO Agent using an EKMF browser. READ access is required.

Resource: &SYS-ECCSIGN-PREFIX.<task-user>
Class: CSFKEYS
Description: &SYS-ECCSIGN-PREFIX is specified in the KMGPARM options of the Agent. The Agent's <task-user> needs access to the corresponding key label (CONTROL if ICSF granular key label access control is enabled, otherwise READ). For example, &SYS-ECCSIGN-PREFIX(EKMF.SYSTEM.ECCSIGN) and a UKO Agent <task-user> of 'EKMF' result in a PKDS key label of EKMF.SYSTEM.ECCSIGN.EKMF.

Resource: &SYS-RSAKEK-PREFIX.<task-user>
Class: CSFKEYS
Description: &SYS-RSAKEK-PREFIX is specified in the KMGPARM options of the Agent. The Agent's <task-user> needs access to the corresponding key label (CONTROL if ICSF granular key label access control is enabled, otherwise READ). For example, &SYS-RSAKEK-PREFIX(EKMF.SYSTEM.RSAKEK) and a UKO Agent <task-user> of 'EKMF' result in a PKDS key label of EKMF.SYSTEM.RSAKEK.EKMF.

Resource: CSF-CKDS-DEFAULT
Class: CSFKEYS
Description: If the ICSF key store policy CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL is active, then the CSFKEYS resource named CSF-CKDS-DEFAULT must be permitted to the UKO Agent user ID (CONTROL if ICSF granular key label access control is enabled, otherwise READ).

Resource: KMGPRACF
Class: APPL
Applies to: WS, Web
Description: When the UKO client user logs on to the UKO Agent, a check for the KMGPRACF resource is done in the APPL class. If KMGPRACF is defined in the APPL class, the UKO client user ID needs READ access.
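As an added example (not part of this page and not UKO or IBM code), the following Python script turns the table above into a RACF command deck for one Agent and one client user. It derives the <64hex-EKMSws-sha256> suffix of the KMG.WS and KMG.LG profiles from a key token, defines every profile with UACC(NONE), and grants the setup-time weakenings (LNKCRYOFF, AUDITOFF, KMG.WS.AUTHOFF, NOCV) only when explicitly requested, with a second function that revokes the AUDITOFF and LNKCRYOFF access once setup is finished. Assumptions made here: the SHA-256 is computed over the raw bytes of the client's public ECC signature key token and written as upper-case hex; KMG.LG.* and KMG.WEBCLIENT.* are permitted to the <task-user>; the four classes are RACLISTed so a SETROPTS REFRESH is needed; the sample key token, user IDs and client ID are constructed.

```python
import hashlib

# Constructed sample standing in for the client's public ECC signature key
# token (the real one is exported from the EKMF Workstation / UKO client).
SAMPLE_CLIENT_KEY_TOKEN = b"\x1e" + b"\x00" * 7 + b"CONSTRUCTED-UKO-CLIENT-ECC-PUBLIC-KEY-TOKEN"


def client_profile_suffix(key_token: bytes) -> str:
    """<64hex-EKMSws-sha256>: SHA-256 over the token bytes as 64 upper-case hex digits.
    Assumption: the raw token bytes are hashed; hex is upper-cased for the profile name."""
    return hashlib.sha256(key_token).hexdigest().upper()


def racf_commands(task_user, client_user, client_id, client_key_token,
                  link_encryption="DH", initial_setup=False, manage_nocv=False,
                  ws_auth_off=False, granular_keylabel=True,
                  ckds_default_label_check=True,
                  ecc_prefix="EKMF.SYSTEM.ECCSIGN", kek_prefix="EKMF.SYSTEM.RSAKEK"):
    """RACF command deck for one UKO Agent (<task-user>) and one <client-user>.
    link_encryption "DH" leaves LNKCRYOFF unpermitted; "DES" permits it for setup.
    initial_setup=True grants AUDITOFF, which must be revoked afterwards."""
    if link_encryption not in ("DH", "DES"):
        raise ValueError("link_encryption must be 'DH' or 'DES'")
    task_user, client_user = task_user.upper(), client_user.upper()
    suffix = client_profile_suffix(client_key_token)
    key_access = "CONTROL" if granular_keylabel else "READ"  # ICSF granular key label control
    cmds = []

    def define(cls, name, extra=""):  # every profile starts with no universal access
        cmds.append(f"RDEFINE {cls} {name} UACC(NONE){extra}")

    def permit(cls, name, user, access="READ"):
        cmds.append(f"PERMIT {name} CLASS({cls}) ID({user}) ACCESS({access})")

    # Agent start-up and client-to-agent connections (FACILITY).
    define("FACILITY", "KMG.EKMF.KMGPRACF")
    permit("FACILITY", "KMG.EKMF.KMGPRACF", task_user)
    define("FACILITY", f"KMG.EKMF.KMGPRACF.{task_user}")
    permit("FACILITY", f"KMG.EKMF.KMGPRACF.{task_user}", client_user)
    define("FACILITY", f"KMG.EKMF.BROWSER.{task_user}")
    permit("FACILITY", f"KMG.EKMF.BROWSER.{task_user}", client_user)

    # SMF auditing: READ for the agent plus AUDIT(ALL(READ)) so RACF logs each access.
    define("FACILITY", "KMG.EKMF.SMF", " AUDIT(ALL(READ))")
    permit("FACILITY", "KMG.EKMF.SMF", task_user)

    # Setup-time weakenings: always defined with no access, permitted only on request.
    define("FACILITY", "KMG.EKMF.LNKCRYOFF")
    if link_encryption == "DES":
        permit("FACILITY", "KMG.EKMF.LNKCRYOFF", task_user)
    define("FACILITY", "KMG.EKMF.AUDITOFF")
    if initial_setup:
        permit("FACILITY", "KMG.EKMF.AUDITOFF", task_user)
        permit("FACILITY", "KMG.EKMF.AUDITOFF", client_user)
    define("XFACILIT", "KMG.WS.AUTHOFF")
    if ws_auth_off:
        permit("XFACILIT", "KMG.WS.AUTHOFF", task_user)
    define("FACILITY", "KMG.EKMF.NOCV")
    if manage_nocv:
        permit("FACILITY", "KMG.EKMF.NOCV", task_user)
        permit("FACILITY", "KMG.EKMF.NOCV", client_user)

    # Client identity: signature-key hash profiles and the &WEBCLIENT user id.
    # Assumption: KMG.LG.* and KMG.WEBCLIENT.* are permitted to the agent's task user.
    define("XFACILIT", f"KMG.WS.{suffix}")
    permit("XFACILIT", f"KMG.WS.{suffix}", task_user)
    define("XFACILIT", f"KMG.LG.{suffix}")
    permit("XFACILIT", f"KMG.LG.{suffix}", task_user)
    define("XFACILIT", f"KMG.WEBCLIENT.{client_id.upper()}")
    permit("XFACILIT", f"KMG.WEBCLIENT.{client_id.upper()}", task_user)

    # ICSF key labels used by the agent (CSFKEYS).
    for label in (f"{ecc_prefix}.{task_user}", f"{kek_prefix}.{task_user}"):
        define("CSFKEYS", label)
        permit("CSFKEYS", label, task_user, key_access)
    if ckds_default_label_check:
        define("CSFKEYS", "CSF-CKDS-DEFAULT")
        permit("CSFKEYS", "CSF-CKDS-DEFAULT", task_user, key_access)

    # Logon check in the APPL class.
    define("APPL", "KMGPRACF")
    permit("APPL", "KMGPRACF", client_user)

    # Assumption: these classes are RACLISTed, so refresh them to activate the profiles.
    for cls in ("FACILITY", "XFACILIT", "CSFKEYS", "APPL"):
        cmds.append(f"SETROPTS RACLIST({cls}) REFRESH")
    return cmds


def revoke_initial_setup(task_user, client_user):
    """Run once setup is finished: remove the AUDITOFF and LNKCRYOFF access again."""
    task_user, client_user = task_user.upper(), client_user.upper()
    return [
        f"PERMIT KMG.EKMF.AUDITOFF CLASS(FACILITY) ID({task_user}) DELETE",
        f"PERMIT KMG.EKMF.AUDITOFF CLASS(FACILITY) ID({client_user}) DELETE",
        f"PERMIT KMG.EKMF.LNKCRYOFF CLASS(FACILITY) ID({task_user}) DELETE",
        "SETROPTS RACLIST(FACILITY) REFRESH",
    ]


if __name__ == "__main__":
    for line in racf_commands("EKMF", "UKOCLNT", "UKOWEB01", SAMPLE_CLIENT_KEY_TOKEN):
        print(line)
```

Running the script prints the deck for the Diffie-Hellman target state, in which KMG.EKMF.LNKCRYOFF, KMG.EKMF.AUDITOFF and KMG.WS.AUTHOFF exist but carry no PERMITs; passing link_encryption="DES" and initial_setup=True produces the temporary setup deck, and revoke_initial_setup() the commands to take those permits away afterwards. Compare the generated profile names with what the Agent logs at start-up before submitting them.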