RACF CSFSERV resource requirements

ICSF controls access to cryptographic services through the RACF CSFSERV resource class. An application using System SSL that requires cryptographic support from ICSF must be authorized for the appropriate resources in the class, either explicitly or through a generic resource profile. For more information, see z/OS Cryptographic Services ICSF Administrator's Guide.

When the System SSL DLLs are loaded, System SSL determines what hardware is available by using the ICSF Query Algorithm callable service (CSFIQA). For this reason, make sure that the RACF user ID that starts the application can access the CSFIQA resource of the CSFSERV class. If the user ID that starts the SSL application cannot access the CSFIQA resource of the CSFSERV class, System SSL cannot retrieve information by using the CSFIQA callable service, and the informational message ICH408I (which indicates insufficient authorization) may be issued to the console. Although System SSL processing continues, System SSL might not be aware of all the hardware that is currently available.

The following tables summarize the CSFSERV resources required for each ICSF cryptographic function used by System SSL.

Table 1. CSFSERV resources required for hardware support through ICSF callable services

| Function | ICSF callable services | CSFSERV resources required |
|---|---|---|
| ECC Digital Signature Generation (private key in the PKDS) | CSNDDSG | CSFDSG |
| PKA (RSA) Decrypt | CSNDPKB, CSNDPKD | --, CSFPKD |
| PKA (RSA) Encrypt | CSNDPKB, CSNDPKE | --, CSFPKE |
| RSA Digital Signature Generation | CSNDPKB, CSNDPKI, CSNDDSG | --, CSFPKI, CSFDSG |
| RSA Digital Signature Verify | CSFDPKB, CSNDDSV | --, CSFDSV |
| RSASSA-PSS Digital Signature Generation (private key in PKDS) | CSNDDSG | CSFDSG |

Table 2. CSFSERV resources required for ICSF PKCS #11 callable services support

| Function | ICSF PKCS #11 callable services | CSFSERV resources required |
|---|---|---|
| Adding, managing, retrieving, or validating certificates with an associated private key from a version 2 key or request database | CSFPGSK, CSFPGAV, CSFPTRD | CSF1GSK, CSF1GAV, CSF1TRD |
| AES-GCM Secret Key Decrypt | CSFPSKD, CSFPTRC | CSF1SKD, CSF1TRC |
| AES-GCM Secret Key Encrypt | CSFPSKE, CSFPTRC | CSF1SKE, CSF1TRC |
| ChaCha20 Secret Key Decrypt | CSFPSKD, CSFPTRC | CSF1SKD, CSF1TRC |
| ChaCha20 Secret Key Encrypt | CSFPSKE, CSFPTRC | CSF1SKE, CSF1TRC |
| Diffie-Hellman in FIPS mode | CSFPTRC, CSFPDVK, CSFPGKP, CSFPGSK, CSFPGAV, CSFPTRD | CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, CSF1TRD |
| ECC Digital Signature Generation | CSFPTRC, CSFPPKS, CSFPTRD | CSF1TRC, CSF1PKS, CSF1TRD |
| ECC Digital Signature Verify | CSFPTRC, CSFPPKV, CSFPTRD | CSF1TRC, CSF1PKV, CSF1TRD |
| ECC Key Generation | CSFPGKP, CSFPGAV, CSFPTRD | CSF1GKP, CSF1GAV, CSF1TRD |
| ECDH Derive Key | CSFPTRC, CSFPDVK, CSFPGAV, CSFPTRD | CSF1TRC, CSF1DVK, CSF1GAV, CSF1TRD |
| PKA (RSA) Decrypt in FIPS mode | CSFPPD2 | CSFPKD |
| PKA (RSA) Encrypt in FIPS mode | CSFPPE2 | CSFPKE |
| PKCS #12 encryption key generation (PBES2 - PBKDF2) | CSFPGSK, CSFPGAV, CSFPTRD | CSF1GSK, CSF1GAV, CSF1TRD |
| Random Number Generation | CSFPPRF | CSFRNG |
| RSA Digital Signature Generate in FIPS mode | CSFPPS2 | CSFDSG |
| RSA Digital Signature Verify in FIPS mode | CSFPPV2 | CSFDSV |
| RSA PKCS #11 Secure Key Decrypt | CSFPPKS | CSF1PKS |
| RSASSA-PSS Digital Signature Generate | CSFPOWH, CSFPTRC, CSFPTRD | CSFOWH, CSF1TRC, CSF1TRD |
| RSASSA-PSS Digital Signature Verify | CSFPOWH, CSFPTRC, CSFPTRD | CSFOWH, CSF1TRC, CSF1TRD |
| Secure PKCS #12 Private Key Export | CSFPGSK, CSFPWPK, CSFPTRC, CSFPTRD | CSF1GSK, CSF1WPK, CSF1TRC, CSF1TRD |
| Secure PKCS #7 Make Enveloped Data Message | CSFPTRC, CSFPGSK, CSFPWPK, CSFPTRD | CSF1TRC, CSF1GSK, CSF1WPK, CSF1TRD |
| Secure PKCS #7 Read Enveloped Data Message | CSFPPKS | CSF1PKS |
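
The following RACF command sequence is an added example, not part of the original documentation. It grants a single System SSL server only the CSFSERV resources that the tables list for the functions it uses, plus CSFIQA for hardware discovery. The user ID SSLSRV and the choice of functions (AES-GCM encrypt and decrypt, ECDH Derive Key) are assumptions made for illustration.

```tso
/* Added example. SSLSRV is a hypothetical user ID for the        */
/* started task that runs the System SSL application.              */

/* The CSFSERV class must be active and RACLISTed.                 */
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV)

/* Discrete profiles with no default access. RDEFINE fails for a   */
/* profile that already exists; skip it and keep the PERMIT.       */
/* CSFIQA: hardware query made when the System SSL DLLs load.      */
RDEFINE CSFSERV CSFIQA  UACC(NONE)
/* AES-GCM Secret Key Encrypt and Decrypt (Table 2).               */
RDEFINE CSFSERV CSF1SKE UACC(NONE)
RDEFINE CSFSERV CSF1SKD UACC(NONE)
RDEFINE CSFSERV CSF1TRC UACC(NONE)
/* ECDH Derive Key (Table 2); CSF1TRC is already defined above.    */
RDEFINE CSFSERV CSF1DVK UACC(NONE)
RDEFINE CSFSERV CSF1GAV UACC(NONE)
RDEFINE CSFSERV CSF1TRD UACC(NONE)

/* READ access for the one user ID that needs each service.        */
PERMIT CSFIQA  CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)
PERMIT CSF1SKE CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)
PERMIT CSF1SKD CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)
PERMIT CSF1TRC CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)
PERMIT CSF1DVK CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)
PERMIT CSF1GAV CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)
PERMIT CSF1TRD CLASS(CSFSERV) ID(SSLSRV) ACCESS(READ)

/* Rebuild the in-storage profiles so the changes take effect.     */
SETROPTS RACLIST(CSFSERV) REFRESH

/* Confirm who is on the access list for a profile.                */
RLIST CSFSERV CSFIQA AUTHUSER
```

If an existing generic profile in CSFSERV already covers these resources, review its access list before adding discrete profiles, because the discrete profile takes precedence for the resource it names.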