In addition to using profiles in the CSFKEYS class (and, when Symmetric
Key Label Export is enabled, the XCSFKEY class) to identify which
users are permitted to use certain cryptographic keys, you can also
enable the PKA Key Management Extensions control so that CSFKEYS and
XCSFKEY profiles can place restrictions on how those keys are used. For
example, you can:
- Restrict an asymmetric key from being used in secure export and
import operations.
- Restrict an asymmetric key from being used in handshake operations.
- Restrict a symmetric key from being exported (transferred from
encryption under a master key to encryption under an application-supplied
RSA public key). Alternatively, you can allow the symmetric key to
be exported, but only by certain public keys (as indicated by a list
of key labels), or only by public keys bound to certain identities
(as indicated by a list of certificates in either a PKCS #11 token,
or a SAF key ring).
Setting restrictions such as these can help ensure that keys
are used only for intended purposes, regardless of who has access
to the keys. For example, if you have an RSA key pair intended only
for generating and verifying digital signatures, you can set a restriction
to ensure that the public key of this key pair is never used to export
a symmetric key.
You place restrictions on cryptographic keys using the ICSF segment
of the CSFKEYS or XCSFKEY class profiles that cover the keys. After
you have modified the profiles with the restrictions you want to place
on the keys, you can enable the PKA Key Management Extensions control
by creating a CSF.PKAEXTNS.ENABLE profile in class XFACILIT. You can
also enable PKA Key Management Extensions in warning mode by creating
a CSF.PKAEXTNS.ENABLE.WARNONLY profile in class XFACILIT. To enable
PKA Key Management Extensions, Key Store Policy must be active for
both the CKDS and the PKDS. For more information, refer to Enabling
PKA key management extensions.
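The following RACF command sequence is an added example, not taken from this page or from the ICSF or RACF documentation; it shows the procedure above end to end: restricting an asymmetric key to signature use, restricting a symmetric key to export under listed public keys only, and then enabling the control. The key labels (SIGN.RSA.2048, DATA.AES.256.01, HSM.ONLY.AES.01, PARTNER.RSA.PUB.01, PARTNER.RSA.PUB.02) are constructed placeholders, and the Key Store Policy profiles shown are the ICSF label-check controls as I know them from RACF/ICSF rather than something this page names. Lines beginning with `#` are explanatory annotations and are not part of RACF command syntax; omit them when entering the commands in TSO.

```racf
# Hypothetical RSA key pair intended only for digital signatures:
# forbid secure export/import operations, leave handshake use allowed
RALTER CSFKEYS SIGN.RSA.2048 ICSF(ASYMUSAGE(NOSECUREEXPORT HANDSHAKE))

# Hypothetical AES data key: may be exported under an RSA public key
# only when that public key is one of the listed PKDS labels
RALTER CSFKEYS DATA.AES.256.01 ICSF(SYMEXPORTABLE(BYLIST) SYMEXPORTKEYS(PARTNER.RSA.PUB.01 PARTNER.RSA.PUB.02))

# Hypothetical AES key that must never leave master-key encryption
RALTER CSFKEYS HSM.ONLY.AES.01 ICSF(SYMEXPORTABLE(BYNONE))

# Prerequisite: Key Store Policy active for both the CKDS and the PKDS
RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.FAIL UACC(NONE)
RDEFINE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.FAIL UACC(NONE)

# Stage 1: warning mode, so violations are logged but not rejected
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY UACC(NONE)
SETROPTS RACLIST(CSFKEYS XFACILIT) REFRESH

# Stage 2 (after reviewing the warnings): switch to enforcement
RDELETE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE UACC(NONE)
SETROPTS RACLIST(XFACILIT) REFRESH
```

The two-stage order is a deliberate choice: because the restrictions are evaluated regardless of who holds READ access to the key, enabling the WARNONLY profile first lets you confirm that no legitimate job (for example a key-exchange application that genuinely needs to export DATA.AES.256.01) is caught by a too-narrow SYMEXPORTKEYS list before the ENABLE profile starts failing those requests. The restrictions live in the ICSF segment of the CSFKEYS profile, so they stay with the key rather than with the user, which is the property the page relies on.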