The following example provides additional illustration of the ICSF segment fields and keywords that you can use to place restrictions on how cryptographic keys can be used.
RALTER CSFKEYS RSA.BRADY.CASTLE ICSF(ASYMUSAGE(SECUREEXPORT NOHANDSHAKE))
RDEFINE XCSFKEY DES.BRADY.CASTLE ICSF(SYMEXPORTABLE(BYLIST) SYMEXPORTKEYS(RSA.BRADY.CASTLE)) UACC(NONE)
PERMIT DES.BRADY.CASTLE CL(XCSFKEY) ID(SAMPRTNR) UPDATE
SETROPTS RACLIST(CSFKEYS) REFRESH
SETROPTS RACLIST(XCSFKEY) REFRESH
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE
SETROPTS RACLIST(XFACILIT) REFRESH
RACDCERT ID(BOBADMIN) GENCERT +
SUBJECTSDN(CN('Mister Ink Inc') O('Business Partner') C('uk')) +
WITHLABEL('Mister Ink') SIGNWITH(CERTAUTH LABEL('LocalCertauth')) +
KEYUSAGE(DOCSIGN) +
NOTAFTER(DATE(2020-12-31)) +
FROMICSF(RSA.BRADY.CASTLE)
RACDCERT ID(BOBADMIN) ADDRING(TRUSTD.KEY.EXPORTERS)
RACDCERT ID(BOBADMIN) CONNECT(LABEL('Mister Ink') RING(TRUSTD.KEY.EXPORTERS) +
USAGE(PERSONAL))
RALTER XCSFKEY DES.BRADY.CASTLE ICSF(NOSYMEXPORTKEYS +
SYMEXPORTCERTS('/Mister Ink'))
SETROPTS RACLIST(XCSFKEY) REFRESH
Because the security administrator knows that only one certificate with the label "Mister Ink" will be present in the key ring, he does not specify the user ID portion of the string in the SYMEXPORTCERTS list. Note, however, that the security administrator still needs to include the forward slash (/) delimiter even though a user ID was not provided. Also note that the NOSYMEXPORTKEYS keyword is used to remove the SYMEXPORTKEYS list that had been previously defined.
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE APPLDATA(TRUSTD.KEY.EXPORTERS)
SETROPTS RACLIST(XFACILIT) REFRESH
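The following Python model is an added illustration, not IBM code and not part of this example. It mimics how a SYMEXPORTABLE(BYLIST) profile such as DES.BRADY.CASTLE could decide whether the symmetric key may be wrapped under a given RSA key, using the two lists the page defines (SYMEXPORTKEYS naming CSFKEYS profiles, SYMEXPORTCERTS naming certificates as 'userid/label' strings) and the trusted key ring named in the APPLDATA of CSF.PKAEXTNS.ENABLE. The parsing rule for cert-ids follows the note above: the user ID part may be omitted, but the slash delimiter is required. The BYNONE and BYANY values, the ring-entry layout and the matching order are simplifying assumptions made for this example; the real ICSF and RACF checks are not reproduced here.

```python
"""Simplified model of the XCSFKEY symmetric-key export checks (added example).

Assumptions (not taken from the page): SYMEXPORTABLE also accepts BYNONE and
BYANY; a ring entry records the CSFKEYS profile its public key came FROMICSF;
a cert-id matches a ring entry when the label matches and the user ID, if
given, matches the certificate owner.
"""
from dataclasses import dataclass, field
from typing import Optional


def parse_cert_id(cert_id: str) -> tuple[Optional[str], str]:
    """Split a SYMEXPORTCERTS entry into (userid, label).

    '/Mister Ink'         -> (None, 'Mister Ink')
    'BOBADMIN/Mister Ink' -> ('BOBADMIN', 'Mister Ink')
    An entry without the slash is rejected, mirroring the note that the
    delimiter is mandatory even when the user ID is omitted.
    """
    if "/" not in cert_id:
        raise ValueError(f"cert-id {cert_id!r} lacks the required '/' delimiter")
    userid, label = cert_id.split("/", 1)
    if not label:
        raise ValueError(f"cert-id {cert_id!r} has an empty label")
    return (userid.upper() or None, label)


@dataclass
class RingEntry:
    """A certificate connected to the trusted key ring (constructed data)."""
    owner: str      # RACF user ID the certificate belongs to
    label: str      # certificate label
    icsf_key: str   # CSFKEYS profile of the key pair used with FROMICSF


@dataclass
class XcsfkeyProfile:
    """The ICSF segment fields of one XCSFKEY profile."""
    name: str
    symexportable: str = "BYNONE"
    symexportkeys: list[str] = field(default_factory=list)
    symexportcerts: list[str] = field(default_factory=list)


def export_allowed(profile: XcsfkeyProfile, wrapping_key: str,
                   trusted_ring: list[RingEntry]) -> bool:
    """Decide whether wrapping_key (a CSFKEYS profile name) may export the key."""
    if profile.symexportable == "BYNONE":
        return False
    if profile.symexportable == "BYANY":
        return True
    # BYLIST: either the RSA key is listed directly ...
    if wrapping_key in profile.symexportkeys:
        return True
    # ... or a listed certificate in the trusted ring carries its public key.
    for cert_id in profile.symexportcerts:
        userid, label = parse_cert_id(cert_id)
        for entry in trusted_ring:
            if (entry.label == label
                    and (userid is None or userid == entry.owner)
                    and entry.icsf_key == wrapping_key):
                return True
    return False


# Constructed scenario following the page: the ring TRUSTD.KEY.EXPORTERS holds
# BOBADMIN's 'Mister Ink' certificate generated FROMICSF(RSA.BRADY.CASTLE).
TRUSTD_KEY_EXPORTERS = [RingEntry("BOBADMIN", "Mister Ink", "RSA.BRADY.CASTLE")]

# State after the first RDEFINE: export authorised by key list.
PROFILE_BY_KEYS = XcsfkeyProfile("DES.BRADY.CASTLE", "BYLIST",
                                 symexportkeys=["RSA.BRADY.CASTLE"])

# State after RALTER ... NOSYMEXPORTKEYS SYMEXPORTCERTS('/Mister Ink'):
# the key list is gone and only the certificate list remains.
PROFILE_BY_CERTS = XcsfkeyProfile("DES.BRADY.CASTLE", "BYLIST",
                                  symexportcerts=["/Mister Ink"])


if __name__ == "__main__":
    for prof in (PROFILE_BY_KEYS, PROFILE_BY_CERTS):
        for key in ("RSA.BRADY.CASTLE", "RSA.OTHER.KEY"):
            print(prof.symexportcerts or prof.symexportkeys, key,
                  export_allowed(prof, key, TRUSTD_KEY_EXPORTERS))
```

Running the block shows that RSA.BRADY.CASTLE can wrap the DES key under both profile states, while an unlisted RSA key cannot, and that an entry written without the slash (for example 'Mister Ink') is rejected at parse time rather than silently matching nothing.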
For more information on the ICSF fields and keywords, refer to Restricting asymmetric keys from being used in secure import and export operations, Restricting asymmetric keys from being used in handshake operations, and Placing restrictions on exporting symmetric keys.