The rules for cryptographic key usage defined in the ICSF segment
of CSFKEYS and XCSFKEY profiles (described in Restricting asymmetric keys from being used in secure import and export operations, Restricting asymmetric keys from being used in handshake operations, and Placing restrictions on exporting symmetric keys)
will not be in effect unless PKA Key Management Extensions are enabled.
PKA Key Management Extensions cannot be enabled unless Key Store Policy
is active for both the CKDS and PKDS.
Enabling any one of the following controls will activate Key Store
Policy for a CKDS:
- CSF.CKDS.TOKEN.CHECK.LABEL.WARN
- CSF.CKDS.TOKEN.CHECK.LABEL.FAIL
- CSF.CKDS.TOKEN.NODUPLICATES
Enabling any one of the following controls will activate Key Store
Policy for a PKDS:
- CSF.PKDS.TOKEN.CHECK.LABEL.WARN
- CSF.PKDS.TOKEN.CHECK.LABEL.FAIL
- CSF.PKDS.TOKEN.NODUPLICATES
The following table shows the controls for enabling PKA Key Management
Extensions in either warning or fail mode. To enable one of the controls,
create the appropriate profile in the XFACILIT class.
Table 1. Key
Store Policy controls: The PKA Key Management Extensions controlsThe existence of this resource profile in the XFACILIT class: |
Does this: |
CSF.PKAEXTNS.ENABLE.WARNONLY |
Enables PKA Key Management Extensions in warning
mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked
to:- determine if a symmetric key can be exported, and, if so, which
asymmetric keys can be used in the operation to re-encrypt the symmetric
key.
- determine if an asymmetric key can be used in secure export and
import operations, or in handshake operations.
However, because this is warning mode, ICSF will allow the operation
to continue even if the ICSF segment indicates that the operation
is not allowed. |
CSF.PKAEXTNS.ENABLE |
Enables PKA Key Management Extensions in fail
mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked
to:- determine if a symmetric key can be exported, and, if so, which
asymmetric keys can be used in the operation to re-encrypt the symmetric
key.
- determine if an asymmetric key can be used in secure export and
import operations, or in handshake operations.
If the ICSF segment indicates that the operation is not allowed,
the service returns with an error. |
For example, you've already used the ICSF segment of profiles in
the CSFKEYS or XCSFKEY class to define various restrictions on how
keys covered by the profiles can be used. You're not certain that
all applications at your installation are using the keys according
to the new restrictions, and do not want to disrupt current work patterns
at your installation. For this reason, you decide to allow a warning
period during which you can identify noncompliant applications without
causing application failure. To do this, you would:
- Enable PKA Key Management Extensions in warning mode:
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY
SETROPTS RACLIST(XFACILIT) REFRESH
- Because you have enabled PKA Key Management Extensions in warning
mode, ICSF will allow applications to use keys in ways that violate
ICSF segment specifications. However, ICSF will generate SMF type
82 subtype 27 records for any violation. Using the information in
these records, you can modify your installation's applications as
needed.
- When you are ready to move to a stricter implementation of the
policy, you enable the PKA Key Management Extensions control for fail
mode, and disable the one for warning mode.
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE
RDELETE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY
SETROPTS RACLIST(XFACILIT) REFRESH
If you accidentally
enable PKA Key Management Extensions in both warning and fail mode,
the control for fail mode will take precedence.
As described in
Identifying key certificates for symmetric key export, you can use the ICSF segment's SYMEXPORTCERTS
field to provide a list of certificate labels in a trusted certificate
repository (either a PKCS #11 token or a SAF key ring). This enables
you to specify that symmetric keys covered by a CSFKEYS or XCSFKEY
profile can be exported only by RSA public keys that are bound to
identities in the listed certificates. If using the SYMEXPORTCERTS
field to provide a list of certificate labels in a trusted certificate
repository, you will need to identify that trusted certificate repository
to ICSF. You do this using the APPLDATA field of the CSF.PKAEXTNS.ENABLE
profile. If the trusted key repository is a PKCS #11 token, it should
be identified in the APPLDATA field in the format *TOKEN*/
PKCS-token-name.
If the trusted key repository is a SAF key ring, it should be identified
in the APPLDATA field in the format
userID/
key-ring-name.
For example, if the trusted key repository was a SAF key ring named
TRUSTED.KEY.EXPORTERS created by BOBADMIN, you would enter:
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE APPLDATA(BOBADMIN/TRUSTD.KEY.EXPORTERS)
SETROPTS RACLIST(XFACILIT) REFRESH
If an APPLDATA field
is not provided on the CSF.PKAEXTNS.ENABLE, the default certificate
repository is a PKCS #11 token named CSF.TRUSTED.KEYRING.