PKA key management extensions example

The following example provides additional illustration of the ICSF segment fields and keywords that you can use to place restrictions on how cryptographic keys can be used.

A DES key has been created for encrypting transactions between a Company and its Business Partner. The Business Partner's public key has previously been added to the PKDS for the purpose of exporting the DES key. The Company's security administrator wants to be sure that only the Business Partner's public key can be used to export the DES key that the Company and its Business Partner are sharing. There is already a profile covering the label of the RSA public key in the PKDS, but no profile covering the label of the new DES key. The security administrator needs to alter the profile for the RSA public key label, and define a new profile for the DES key label. The security administrator has also enabled the Symmetric Key Label Export Control to increase the level of authority needed to export symmetric keys, and so the profile covering the DES key is defined in the XCSFKEY class.

RALTER CSFKEYS RSA.BRADY.CASTLE ICSF(ASYMUSAGE(SECUREEXPORT NOHANDSHAKE))
RDEFINE XCSFKEY DES.BRADY.CASTLE ICSF(SYMEXPORTABLE(BYLIST) SYMEXPORTKEYS(RSA.BRADY.CASTLE)) UACC(NONE)
PERMIT DES.BRADY.CASTLE CL(XCSFKEY) ID(SAMPRTNR) UPDATE
SETROPTS RACLIST(CSFKEYS) REFRESH
SETROPTS RACLIST(XCSFKEY) REFRESH

Key Store Policy is active for both the CKDS and PKDS, so the security administrator only needs to enable the PKA Key Management Extensions control, and refresh the XFACILIT class in storage.

RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE
SETROPTS RACLIST(XFACILIT) REFRESH

Later, the security administrator wants further restrictions on exporting the DES key that the Company and its Business Partner are sharing. The security administrator wants to bind an existing RSA public key to an identity, and allow export of the DES key only by the user and public key bound by a particular certificate. The security administrator creates the certificate for the RSA key, creates a SAF key ring, and adds the certificate to the key ring.

RACDCERT ID(BOBADMIN) GENCERT                                                +
         SUBJECTSDN(CN('Mister Ink Inc')O('Business Partner')C('uk'))        +
         WITHLABEL('Mister Ink')SIGNWITH(CERTAUTH LABEL(LocalCertauth'))     +
         KEYUSAGE(DOCSIGN)                                                   +
         NOTAFTER(DATE(2020-12-31))                                          +
         FROMICSF(RSA.BRADY.CASTLE)                                          +
RACDCERT ID(BOBADMIN) ADDRING(TRUSTD.KEY.EXPORTERS)
RACDCERT ID(BOBADMIN) CONNECT(LABEL('Mister Ink' RING(TRUSTD.KEY.EXPORTERS)  +
         USAGE(PERSONAL))
RALTER XCSFKEY DES.BRADY.CASTLE ICSF(NOSYMEXPORTKEYS                         +
         SYMEXPORTCERTS('/Mister Ink'))
SETROPTS RACLIST(XCSFKEY) REFRESH

Because the security administrator knows that only one certificate with the label "Mister Ink" will be present in the key ring, he does not specify the user ID portion of the string in the SYMEXPORTCERTS list. Note, however, that the security administrator still needs to include the forward slash ( / ) delimiter even though a user ID was not provided. Also note that the NOSYMEXPORTKEYS keyword is used to remove the SYMEXPORTKEYS list that had been previously defined.

The security administrator modifies the CSF.PKAEXTNS.ENABLE profile in the XFACILIT class to identify the SAF key ring as the certificate repository.

RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE APPLDATA(TRUSTD.KEY.EXPORTERS)
SETROPTS RACLIST(XFACILIT) REFRESH

For more information on the ICSF fields and keywords, refer to Restricting asymmetric keys from being used in secure import and export operations, Restricting asymmetric keys from being used in handshake operations, and Placing restrictions on exporting symmetric keys.