Use these steps to control access to the ICSF cryptographic support.

Procedure
Perform the following steps to set up profiles in the CSFSERV resource class:

- Determine the SAF profiles that you will use within the CSFSERV resource class:
  - You must permit the IKED and the NSSD to the CSFIQF profile.
  - If you have CP Assist for Cryptographic Function (CPACF) enabled on your processors and you want to take advantage of it, you must have ICSF started, but you do not need to grant permission to any SAF profiles.
  - If you do not have CPACF enabled but you do have a cryptographic coprocessor, then to take advantage of it you must perform the following steps:
    - Permit TCP/IP, and all affected network applications that will send or receive traffic protected by IP security, to the following profiles:
      - CSFCKI
      - CSFCKM (used only for Triple DES)
      - CSFDEC1
      - CSFENC1
      - CSFOWH1
    - Permit the IKED and the NSSD to the following profiles:
  - If you are using AES encryption in TCP/IP for manual or dynamic tunnels, then you must permit TCP/IP and all affected network applications that will send or receive IP security-protected traffic to the following profiles:
  - If you are using AES encryption in the IKED for dynamic tunnels, then you must permit the IKED to the following profiles:
  - If you are using SHA2 or AES-XCBC authentication in TCP/IP, then you must permit TCP/IP and all affected network applications that will send or receive IP security-protected traffic to the following profiles:
    - CSF1HMG
    - CSF1TRC
    - CSF1TRD
    - CSFMGN1
  - If you are using SHA2 or AES-XCBC authentication in the IKED, then you must permit the IKED to the following profiles:
    - CSF1HMG
    - CSF1TRC
    - CSF1TRD
    - CSFOWH
  - If you are using Diffie-Hellman groups 19, 20, or 21 in the IKED, then you must permit the IKED to the following profiles:
    - CSF1DVK
    - CSF1GAV
    - CSF1GKP
    - CSF1TRC
    - CSF1TRD
  - If you are using digital signature authentication in the IKED, then you must permit the IKED to the following profiles:
  - If you are using digital signature authentication in the NSSD, then you must permit the NSSD to the following profiles:
    - CSF1HMG
    - CSF1TRC
    - CSF1TRD
    - CSFDSG
    - CSFDSV
    - CSFMGN
    - CSFOWH
    - CSFPKI
  - If you are using elliptic curve signature authentication in the NSSD, then you must permit the NSSD to the following profiles:
  - If you have enabled FIPS 140 support in TCP/IP, then TCP/IP and all affected network applications that will send or receive IP security-protected traffic (such as the Ping command and DB2®) must be permitted to the following profiles:
    - CSF1HMG
    - CSF1SKD
    - CSF1SKE
    - CSF1TRC
    - CSF1TRD
    - CSFRNG
  - If you have enabled FIPS 140 support in TCP/IP and you are using manual tunnels, then the z/OS® Communications Server Policy Agent must be permitted to the CSF1TRC profile.
  - If you have enabled FIPS 140 support in the IKED, then you must permit the IKED to the following profiles:
    - CSF1DMK
    - CSF1DVK
    - CSF1HMG
    - CSF1SKD
    - CSF1SKE
    - CSF1TRC
    - CSF1TRD
    - CSFOWH
- Define the appropriate profiles in the CSFSERV class, with no universal access:
  RDEFINE CSFSERV profile-name UACC(NONE)
- Give the TCP/IP stack READ access to the appropriate profiles:
  PERMIT profile-name CLASS(CSFSERV) ID(stackname) ACCESS(READ)
- For network applications that run under a specific user ID (such as the Ping command or DB2), give that user ID READ access to the appropriate profiles:
  PERMIT profile-name CLASS(CSFSERV) ID(userid) ACCESS(READ)
- Activate the CSFSERV class and refresh the in-storage RACF® profiles so that the new definitions take effect:
  SETROPTS CLASSACT(CSFSERV)
  SETROPTS RACLIST(CSFSERV) REFRESH
- Set the MAXLEN ICSF/MVS installation option to 65535 or greater, because 65535 is the maximum TCP/IP packet size. The MAXLEN installation option for hardware cryptography determines the maximum data length that ICSF/MVS can encrypt or decrypt in one request, so a smaller value would fail on full-size packets.
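The branching logic of the steps above, as an added Python example that is not part of the IBM documentation: it derives which CSFSERV profiles each address space needs from a site's choices and emits the matching RACF command sequence. The user IDs TCPIP, IKED, NSSD and PAGENT are assumed placeholders, and only the option branches whose profile lists appear above are covered.

```python
# Added example, not from the IBM documentation. User IDs below are
# assumed placeholders; substitute the IDs your stack, IKED, NSSD and
# Policy Agent actually run under.
from collections import defaultdict

DEFAULT_IDS = {"tcpip": "TCPIP", "iked": "IKED", "nssd": "NSSD", "pagent": "PAGENT"}


def required_access(*, cpacf, coprocessor, sha2_tcpip=False, sha2_iked=False,
                    dh_ecp_iked=False, dsig_nssd=False, fips_tcpip=False,
                    fips_iked=False, manual_tunnels=False, ids=None):
    """Return {profile: set(user IDs)} that must hold READ access."""
    ids = ids or DEFAULT_IDS
    need = defaultdict(set)

    def grant(who, *profiles):
        for p in profiles:
            need[p].add(ids[who])

    grant("iked", "CSFIQF")          # always required for IKED and NSSD
    grant("nssd", "CSFIQF")
    if coprocessor and not cpacf:    # CPACF alone needs no SAF permits
        grant("tcpip", "CSFCKI", "CSFCKM", "CSFDEC1", "CSFENC1", "CSFOWH1")
    if sha2_tcpip:                   # SHA2 / AES-XCBC in the stack
        grant("tcpip", "CSF1HMG", "CSF1TRC", "CSF1TRD", "CSFMGN1")
    if sha2_iked:                    # SHA2 / AES-XCBC in the IKED
        grant("iked", "CSF1HMG", "CSF1TRC", "CSF1TRD", "CSFOWH")
    if dh_ecp_iked:                  # Diffie-Hellman groups 19, 20, 21
        grant("iked", "CSF1DVK", "CSF1GAV", "CSF1GKP", "CSF1TRC", "CSF1TRD")
    if dsig_nssd:                    # digital signature authentication in NSSD
        grant("nssd", "CSF1HMG", "CSF1TRC", "CSF1TRD", "CSFDSG", "CSFDSV",
              "CSFMGN", "CSFOWH", "CSFPKI")
    if fips_tcpip:                   # FIPS 140 in the stack
        grant("tcpip", "CSF1HMG", "CSF1SKD", "CSF1SKE", "CSF1TRC", "CSF1TRD", "CSFRNG")
        if manual_tunnels:           # Policy Agent loads manual-tunnel keys
            grant("pagent", "CSF1TRC")
    if fips_iked:                    # FIPS 140 in the IKED
        grant("iked", "CSF1DMK", "CSF1DVK", "CSF1HMG", "CSF1SKD", "CSF1SKE",
              "CSF1TRC", "CSF1TRD", "CSFOWH")
    return dict(need)


def racf_commands(need):
    """RDEFINE each profile with UACC(NONE), PERMIT each ID, then activate."""
    cmds = [f"RDEFINE CSFSERV {p} UACC(NONE)" for p in sorted(need)]
    cmds += [f"PERMIT {p} CLASS(CSFSERV) ID({u}) ACCESS(READ)"
             for p in sorted(need) for u in sorted(need[p])]
    cmds += ["SETROPTS CLASSACT(CSFSERV)", "SETROPTS RACLIST(CSFSERV) REFRESH"]
    return cmds
```

Profiles shared by several steps (CSF1TRC, for example) are collapsed into one RDEFINE with one PERMIT per user ID, which is the form you would paste into a TSO session or an IKJEFT01 SYSTSIN deck.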