z/OS Cryptographic Services System SSL Programming


RACF CSFSERV resource requirements

SC14-7495-00

ICSF controls access to cryptographic services through the RACF® CSFSERV resource class. An application using System SSL that requires cryptographic support from ICSF must be authorized for the appropriate resources in the class, either explicitly or through a generic resource profile. For more information, see z/OS Cryptographic Services ICSF Administrator's Guide.

When the System SSL DLLs are loaded, System SSL determines what hardware is available by using the ICSF Query Algorithm callable service (CSFIQA). For this reason, make sure that the RACF user ID that starts the application can access the CSFIQA resource of the CSFSERV class. If the user ID that starts the SSL application cannot access the CSFIQA resource of the CSFSERV class, System SSL cannot retrieve information by using the CSFIQA callable service, and the informational message ICH408I (which indicates insufficient authorization) may be issued to the console. Although System SSL processing continues, System SSL might not be aware of all the hardware that is currently available.
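As an added example (not part of the IBM documentation), the following Python sketch scans console output for ICH408I messages against the CSFSERV class, reports which user IDs were denied CSFIQA, and lists the RACF commands an administrator could review to grant READ access. The log excerpt is constructed, the user IDs SSLSRV and WEBSRV are hypothetical, and the script assumes the usual ICH408I layout in which the resource and class appear on the line after the USER header.

```python
import re
from collections import defaultdict

# Constructed console excerpt, not from a real system. SSLSRV and WEBSRV are
# hypothetical user IDs; only the first two lines of each message are parsed.
SAMPLE_LOG = """\
ICH408I USER(SSLSRV  ) GROUP(STCGRP  ) NAME(SSL SERVER          )
  CSFIQA CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(SSLSRV  ) GROUP(STCGRP  ) NAME(SSL SERVER          )
  CSF1TRC CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(WEBSRV  ) GROUP(STCGRP  ) NAME(WEB SERVER          )
  BPX.SERVER CL(FACILITY)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

HEADER = re.compile(r"ICH408I\s+USER\(([^\s)]+)\s*\)")
RESOURCE = re.compile(r"^\s+(\S+)\s+CL\((\w+)\s*\)")

def csfserv_denials(log):
    """Return {user ID: sorted CSFSERV resources that user was denied}."""
    denied, user = defaultdict(set), None
    for line in log.splitlines():
        head = HEADER.search(line)
        if head:
            user = head.group(1)
            continue
        res = RESOURCE.match(line)
        if user and res:
            if res.group(2) == "CSFSERV":
                denied[user].add(res.group(1))
            user = None  # resource line consumed; wait for the next header
    return {u: sorted(r) for u, r in denied.items()}

def hardware_query_blocked(denied):
    """User IDs whose CSFIQA query failed, so hardware detection was incomplete."""
    return sorted(u for u, res in denied.items() if "CSFIQA" in res)

def permit_commands(denied):
    """RACF commands granting READ; assumes a discrete profile exists per resource."""
    cmds = [f"PERMIT {res} CLASS(CSFSERV) ID({user}) ACCESS(READ)"
            for user in sorted(denied) for res in denied[user]]
    return cmds + ["SETROPTS RACLIST(CSFSERV) REFRESH"] if cmds else []
```

Check each generated PERMIT against the tables below before issuing it, so that a user ID receives only the CSFSERV resources that match the System SSL functions it actually uses.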

The following tables summarize the CSFSERV resources required for each ICSF cryptographic function used by System SSL.

Table 1. CSFSERV resources required for hardware support through ICSF callable services

Function | ICSF callable services | z9 and z10 | z196/z114 and zEC12
PKA (RSA) Encrypt | CSNDPKB, CSNDPKE | --, CSFPKE | --, CSFPKE
PKA (RSA) Decrypt | CSNDPKB, CSNDPKD | --, CSFPKD | --, CSFPKD
RSA Digital Signature Generation | CSNDPKB, CSNDPKI, CSNDDSG | --, CSFPKI, CSFDSG | --, CSFPKI, CSFDSG
RSA Digital Signature Verify | CSFDPKB, CSNDDSV | --, CSFDSV | --, CSFDSV
ECC Digital Signature Generation (private key in the PKDS) | CSNDDSG | CSFDSG

Table 2. CSFSERV resources required for ICSF PKCS #11 callable services support

Function | ICSF PKCS #11 callable services | CSFSERV resources required
ECC Key Generation | CSFPGKP, CSFPGAV, CSFPTRD | CSF1GKP, CSF1GAV, CSF1TRD
RSA/ECC Digital Signature Generation | CSFPTRC, CSFPPKS, CSFPTRD | CSF1TRC, CSF1PKS, CSF1TRD
ECC Digital Signature Verify | CSFPTRC, CSFPPKV, CSFPTRD | CSF1TRC, CSF1PKV, CSF1TRD
ECDH Derive Key | CSFPTRC, CSFPDVK, CSFPGAV, CSFPTRD | CSF1TRC, CSF1DVK, CSF1GAV, CSF1TRD
Diffie-Hellman in FIPS mode | CSFPTRC, CSFPDVK, CSFPGKP, CSFPGSK, CSFPGAV, CSFPTRD | CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, CSF1TRD
AES-GCM Secret Key Decrypt | CSFPSKD, CSFPTRC, CSFPTRD | CSF1SKD, CSF1TRC, CSF1TRD
AES-GCM Secret Key Encrypt | CSFPSKE, CSFPTRC, CSFPTRD | CSF1SKE, CSF1TRC, CSF1TRD
Random Number Generation | CSFPPRF | CSFRNG
Secure PKCS #7 Make Enveloped Data Message | CSFPTRC, CSFPGSK, CSFPWPK, CSFPTRD | CSF1TRC, CSF1GSK, CSF1WPK, CSF1TRD
Secure PKCS #7 Read Enveloped Data Message | CSFPPKS | CSF1PKS
Secure PKCS #12 Private Key Export | CSFPGSK, CSFPWPK, CSFPTRC, CSFPTRD | CSF1GSK, CSF1WPK, CSF1TRC, CSF1TRD
RSA PKCS #11 Secure Key Decrypt | CSFPPKS | CSF1PKS





Copyright IBM Corporation 1990, 2014