Enabling PKA key management extensions
The rules for cryptographic key usage defined in the ICSF segment of CSFKEYS and XCSFKEY profiles (described in Restricting asymmetric keys from being used in secure import and export operations, Restricting asymmetric keys from being used in handshake operations, and Placing restrictions on exporting symmetric keys) will not be in effect unless PKA Key Management Extensions are enabled. PKA Key Management Extensions cannot be enabled unless Key Store Policy is active for both the CKDS and PKDS.
Enabling any one of the following controls will activate Key Store
Policy for a CKDS:
- CSF.CKDS.TOKEN.CHECK.LABEL.WARN
- CSF.CKDS.TOKEN.CHECK.LABEL.FAIL
- CSF.CKDS.TOKEN.NODUPLICATES
Enabling any one of the following controls will activate Key Store
Policy for a PKDS:
- CSF.PKDS.TOKEN.CHECK.LABEL.WARN
- CSF.PKDS.TOKEN.CHECK.LABEL.FAIL
- CSF.PKDS.TOKEN.NODUPLICATES
The following table shows the controls for enabling PKA Key Management Extensions in either warning or fail mode. To enable one of the controls, create the appropriate profile in the XFACILIT class.
The existence of this resource profile in the XFACILIT class: | Does this: |
---|---|
CSF.PKAEXTNS.ENABLE.WARNONLY | Enables PKA Key Management Extensions in warning
mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked
to:
|
CSF.PKAEXTNS.ENABLE | Enables PKA Key Management Extensions in fail
mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked
to:
|
For example, you've already used the ICSF segment of profiles in
the CSFKEYS or XCSFKEY class to define various restrictions on how
keys covered by the profiles can be used. You're not certain that
all applications at your installation are using the keys according
to the new restrictions, and do not want to disrupt current work patterns
at your installation. For this reason, you decide to allow a warning
period during which you can identify noncompliant applications without
causing application failure. To do this, you would:
- Enable PKA Key Management Extensions in warning mode:
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY SETROPTS RACLIST(XFACILIT) REFRESH
- Because you have enabled PKA Key Management Extensions in warning mode, ICSF will allow applications to use keys in ways that violate ICSF segment specifications. However, ICSF will generate SMF type 82 subtype 27 records for any violation. Using the information in these records, you can modify your installation's applications as needed.
- When you are ready to move to a stricter implementation of the
policy, you enable the PKA Key Management Extensions control for fail
mode, and disable the one for warning mode.
If you accidentally enable PKA Key Management Extensions in both warning and fail mode, the control for fail mode will take precedence.RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE RDELETE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY SETROPTS RACLIST(XFACILIT) REFRESH
As described in Identifying key certificates for symmetric key export, you can use the ICSF segment's SYMEXPORTCERTS
field to provide a list of certificate labels in a trusted certificate
repository (either a PKCS #11 token or a SAF key ring). This enables
you to specify that symmetric keys covered by a CSFKEYS or XCSFKEY
profile can be exported only by RSA public keys that are bound to
identities in the listed certificates. If using the SYMEXPORTCERTS
field to provide a list of certificate labels in a trusted certificate
repository, you will need to identify that trusted certificate repository
to ICSF. You do this using the APPLDATA field of the CSF.PKAEXTNS.ENABLE
profile. If the trusted key repository is a PKCS #11 token, it should
be identified in the APPLDATA field in the format *TOKEN*/PKCS-token-name.
If the trusted key repository is a SAF key ring, it should be identified
in the APPLDATA field in the format userID/key-ring-name.
For example, if the trusted key repository was a SAF key ring named
TRUSTED.KEY.EXPORTERS created by BOBADMIN, you would enter:
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE APPLDATA(BOBADMIN/TRUSTD.KEY.EXPORTERS)
SETROPTS RACLIST(XFACILIT) REFRESH
If an APPLDATA field
is not provided on the CSF.PKAEXTNS.ENABLE, the default certificate
repository is a PKCS #11 token named CSF.TRUSTED.KEYRING.