Restricting asymmetric keys from being used in handshake operations

The ASYMUSAGE field in the ICSF segment of a CSFKEYS profile lets you prevent the asymmetric keys covered by that profile from being used in handshake operations. Each of the following callable services performs a handshake operation and identifies the asymmetric key used in it:

For each of these services, a profile in the CSFKEYS class controls access to the asymmetric key used to generate or verify a digital signature, or to encrypt or decrypt a clear key value. In addition to specifying which users may access the key, the CSFKEYS profile can specify, in its ICSF segment, how the key may be used. The ASYMUSAGE field of the ICSF segment specifies whether an asymmetric key covered by the profile can participate in handshake operations. Specifying the NOHANDSHAKE keyword in the ASYMUSAGE field prevents every key covered by the profile from being used in handshake operations. For example, the profile RSA.SAMMY.EXPORT in class CSFKEYS covers an RSA key pair intended for exporting and importing symmetric keys. The following RALTER command modifies the profile so that the RSA keys cannot be used in handshake operations, and the SETROPTS RACLIST command refreshes the profile in common storage:
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(NOHANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH

For the restriction on handshake operations to take effect, you must enable the PKA Key Management Extensions control by creating a CSF.PKAEXTNS.ENABLE profile in class XFACILIT. Enabling the PKA Key Management Extensions control in turn requires that the Key Store Policy be active for both the CKDS and the PKDS. Refer to Enabling PKA key management extensions for more information.

When the PKA Key Management Extensions control is enabled, the default is to allow keys to participate in handshake operations. You can also explicitly specify this using the HANDSHAKE keyword in the ASYMUSAGE field of profiles in the CSFKEYS class. For example:
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(HANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH

The ASYMUSAGE field can also contain the SECUREEXPORT or NOSECUREEXPORT keyword, which specifies whether keys covered by the profile can participate in secure import and export operations (as described in Restricting asymmetric keys from being used in secure import and export operations). Either of these keywords can be specified together with HANDSHAKE or NOHANDSHAKE on the same RDEFINE or RALTER command:
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(NOSECUREEXPORT HANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH
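As an added example (not part of the ICSF documentation and not IBM code), the following Python script models the enforcement rules above: it parses the ASYMUSAGE operand out of an RDEFINE or RALTER CSFKEYS command, rejects contradictory keyword pairs, and reports profiles whose NOHANDSHAKE setting is not actually enforced because the PKA Key Management Extensions control is not enabled. The RacfState snapshot and the regular expression are assumptions for illustration; they do not read real RACF output.

```python
import re
from dataclasses import dataclass, field

# Matches the ICSF(ASYMUSAGE(...)) operand of an RDEFINE/RALTER CSFKEYS command.
ASYMUSAGE_RE = re.compile(r"ICSF\s*\(\s*ASYMUSAGE\s*\(([^)]*)\)\s*\)", re.IGNORECASE)

def parse_asymusage(command: str) -> set[str]:
    """Return the ASYMUSAGE keywords in a command, rejecting contradictory pairs."""
    match = ASYMUSAGE_RE.search(command)
    if not match:
        return set()
    keywords = {k.upper() for k in match.group(1).split()}
    for yes, no in (("HANDSHAKE", "NOHANDSHAKE"), ("SECUREEXPORT", "NOSECUREEXPORT")):
        if yes in keywords and no in keywords:
            raise ValueError(f"conflicting ASYMUSAGE keywords: {yes} and {no}")
    return keywords

@dataclass
class RacfState:
    """Constructed snapshot (assumption) of the settings that govern enforcement."""
    pkaextns_enable_defined: bool   # CSF.PKAEXTNS.ENABLE profile exists in class XFACILIT
    ckds_policy_active: bool        # Key Store Policy active for the CKDS
    pkds_policy_active: bool        # Key Store Policy active for the PKDS
    csfkeys: dict[str, set[str]] = field(default_factory=dict)  # profile -> ASYMUSAGE keywords

def extensions_enabled(state: RacfState) -> bool:
    """PKA Key Management Extensions need the XFACILIT profile and both Key Store Policies."""
    return state.pkaextns_enable_defined and state.ckds_policy_active and state.pkds_policy_active

def handshake_allowed(state: RacfState, profile: str) -> bool:
    """True if keys covered by `profile` may take part in handshake operations."""
    if not extensions_enabled(state):
        return True   # NOHANDSHAKE has no effect until the control is enabled
    # With the control enabled the default is HANDSHAKE; only NOHANDSHAKE restricts.
    return "NOHANDSHAKE" not in state.csfkeys.get(profile, set())

def audit_unenforced(state: RacfState) -> list[str]:
    """List profiles that carry NOHANDSHAKE while the control is not enabled."""
    if extensions_enabled(state):
        return []
    return [name for name, kws in state.csfkeys.items() if "NOHANDSHAKE" in kws]

if __name__ == "__main__":
    # Constructed sample: the page's profile is restricted, but the control is not yet enabled.
    state = RacfState(pkaextns_enable_defined=False, ckds_policy_active=True, pkds_policy_active=True)
    state.csfkeys["RSA.SAMMY.EXPORT"] = parse_asymusage(
        "RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(NOHANDSHAKE))")
    print(audit_unenforced(state))   # ['RSA.SAMMY.EXPORT']
```

A finding from audit_unenforced means the RALTER was applied but keys under that profile can still be used in handshakes until the XFACILIT profile and both Key Store Policies are in place.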