You can use a System Authorization Facility such as z/OS Security
Server RACF to control which applications can use specific keys and
services. This can help you ensure that keys and services are used
only by authorized users and jobs. You can also use SAF to audit the
use of keys, services, and utilities. To use SAF to control access
to keys, services, and utilities, you create and maintain general
resource profiles in the CSFKEYS, XCSFKEY, CSFSERV, and CRYPTOZ classes.
- The CSFSERV class controls access to CCA and PKCS #11 services
and ICSF TSO panel utilities.
- The CSFKEYS class controls access to CCA cryptographic keys. You
create profiles in this class (based on the label by which the key
is defined in the CKDS or PKDS) to set access authority for the keys.
- The XCSFKEY class controls authorization checks when the symmetric
key export services are called. See Increasing the level of authority required to export symmetric keys for
additional information.
- The CRYPTOZ class controls access to and defines policy for cryptographic
information within PKCS #11 tokens. PKCS #11 tokens are used exclusively
by ICSF's PKCS #11 callable services. They are abstract containers
that hold keys, certificates, and other related cryptographic information.
PKCS #11 tokens are usually explicitly created and assigned to specific
applications. The profiles in the CRYPTOZ class determine this assignment
and indicate what operations are permitted for a specific PKCS #11
token.
If you are not the security administrator, you may need to ask
assistance from that person. To use the auditing capabilities of SAF,
you may need to ask for reports from a SAF auditor. Your installation's
security plan should show who is responsible for maintaining these
SAF profiles and auditing their use.