RACDCERT ADDTOKEN (Add token)

Purpose

Use the RACDCERT ADDTOKEN command to create a new z/OS® PKCS #11 token.

Issuing options

The following table identifies the eligible options for issuing the RACDCERT ADDTOKEN command:

  As a RACF® TSO command?             Yes
  As a RACF operator command?         No
  With command direction?             No (see rules)
  With automatic command direction?   No (see rules)
  From the RACF parameter library?    No
Rules:
  • The RACDCERT command cannot be directed to a remote system using the AT or ONLYAT keyword.
  • The updates made to the RACF database by RACDCERT are eligible for propagation with automatic direction of application updates based on the RRSFDATA profiles AUTODIRECT.target-node.DIGTCERT.APPL and AUTODIRECT.target-node.DIGTRING.APPL, where target-node is the remote node to which the update is to be propagated.

Authorization required

To issue the RACDCERT ADDTOKEN command, you must have sufficient authority to the appropriate resource in the CRYPTOZ class. (No authority to resources in the FACILITY class is required.) If you do not have authority to create the specified token as determined by ICSF, the command stops and an error message is displayed.

For example, if you want user ID JOHN to create a token with the name MYTOKEN and manage the objects in this token, you can enter commands such as the following:
  1. RDEFINE CRYPTOZ SO.MYTOKEN UACC(NONE)
  2. PERMIT SO.MYTOKEN CLASS(CRYPTOZ) ID(JOHN) ACCESS(CONTROL)
  3. RDEFINE CRYPTOZ USER.MYTOKEN UACC(NONE)
  4. PERMIT USER.MYTOKEN CLASS(CRYPTOZ) ID(JOHN) ACCESS(CONTROL)

When your installation controls access to ICSF services and the CSFSERV class is active, you must also have READ access to the CSF1TRC resource in the CSFSERV class.

For authorization details about the CRYPTOZ and CSFSERV classes, see z/OS Cryptographic Services ICSF Administrator's Guide.
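The grant sequence described above, collected into a REXX exec that a RACF administrator can run from TSO before the user issues RACDCERT ADDTOKEN. This is an added example, not code from this page or from IBM; it assumes the exec name GRANTTOK, that the CRYPTOZ and CSFSERV classes are active and RACLISTed (so a SETROPTS RACLIST REFRESH is needed before ICSF sees the new profiles), and that a CSF1TRC profile, or a generic profile covering it, already exists in CSFSERV. The `issue` subroutine is a hypothetical helper that stops the exec on the first failing RACF command.

```rexx
/* REXX - GRANTTOK: grant a user authority to create and manage a    */
/* z/OS PKCS #11 token, then refresh RACF so ICSF sees the profiles. */
/* Added example, not IBM's code. Run from TSO by a user who can     */
/* administer the CRYPTOZ and CSFSERV profiles (SPECIAL or owner).   */
/* Usage: GRANTTOK MYTOKEN JOHN                                      */
arg token user .
if token = '' | user = '' then do
  say 'Usage: GRANTTOK token-name userid'
  exit 12
end

/* Assumptions: CRYPTOZ and CSFSERV are active and RACLISTed, and a  */
/* CSF1TRC profile (or a generic that covers it) already exists.     */
address TSO

/* SO.<token> governs creating and deleting the token itself;        */
/* USER.<token> governs access to the objects stored in the token.   */
/* UACC(NONE): nobody reaches the token without an explicit PERMIT.  */
call issue "RDEFINE CRYPTOZ SO."token" UACC(NONE)"
call issue "PERMIT SO."token" CLASS(CRYPTOZ) ID("user") ACCESS(CONTROL)"
call issue "RDEFINE CRYPTOZ USER."token" UACC(NONE)"
call issue "PERMIT USER."token" CLASS(CRYPTOZ) ID("user") ACCESS(CONTROL)"

/* When CSFSERV is active, RACDCERT ADDTOKEN also checks CSF1TRC,    */
/* so the user needs READ there as well.                             */
call issue "PERMIT CSF1TRC CLASS(CSFSERV) ID("user") ACCESS(READ)"

/* Changes to RACLISTed classes are not in effect until refreshed.   */
call issue "SETROPTS RACLIST(CRYPTOZ CSFSERV) REFRESH"

/* Display the resulting access lists so the grant can be reviewed.  */
call issue "RLIST CRYPTOZ (SO."token" USER."token") AUTHUSER"
say 'Done.' user 'can now issue: RACDCERT ADDTOKEN('token')'
exit 0

/* Issue one RACF command and stop on a non-zero return code, so a   */
/* failed RDEFINE does not leave a PERMIT against a missing profile. */
issue: procedure
  parse arg cmd
  say '=>' cmd
  cmd                        /* sent to TSO; RACF commands set rc   */
  if rc <> 0 then do
    say 'Command failed with RC='rc', stopping.'
    exit rc
  end
  return
```

After the exec completes, JOHN creates the token with RACDCERT ADDTOKEN(MYTOKEN) and can confirm it with RACDCERT LISTTOKEN(MYTOKEN). If ICSF rejects the create, the message comes from ICSF rather than RACF, which is the expected behaviour described in the authorization section above: the CRYPTOZ check is made by ICSF, not by RACDCERT.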

Related commands

  • To delete a token, see RACDCERT DELTOKEN.
  • To list a token, see RACDCERT LISTTOKEN.

)X SYNTAX
RACDCERT ADDTOKEN

Syntax

The complete syntax of the RACDCERT ADDTOKEN command is:

  RACDCERT ADDTOKEN(token-name)

Note: The ID(certificate-owner) | SITE | CERTAUTH parameter is ignored for this RACDCERT function.

If you specify more than one RACDCERT function, only the last specified function is processed. Extraneous keywords that are not related to the function being performed are ignored.

If you do not specify a RACDCERT function, LIST is the default function.

For information on issuing this command as a RACF TSO command, see z/OS Security Server RACF Command Language Reference.

)O OPERANDS

Parameters

))ADDTOKEN(token-name)
The token-name value is the name of the token being created. This token must not already exist. For token name rules, see the Tokens subsection in the Overview of z/OS support for PKCS #11 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Examples

Example 1

  Operation:    User RACFADM wants to create tokens for two servers that have existing RACF certificates.
  Known:        User RACFADM has SPECIAL authority and holds the required access to the SO.token-name
                resources in the CRYPTOZ class (SPECIAL alone does not satisfy the CRYPTOZ check made by
                ICSF). The RACF certificate for each server already exists.
  Commands:
    RACDCERT ADDTOKEN(ftpsrv.ftp.server.pkcs11.token)
    RACDCERT ADDTOKEN(websrv.web.server.pkcs11.token)
  Output:       None.