Using the ASYMUSAGE field in the ICSF segment of CSFKEYS profiles
enables you to restrict asymmetric keys covered by the profile from
being used in handshake operations. The following callable services
each identify an asymmetric key to be used in a handshake operation:
- Digital Signature Generate (CSNDDSG and CSNFDSG)
- Digital Signature Verify (CSNDDSV and CSNFDSV)
- PKA Encrypt (CSNDPKE and CSNFPKE)
- PKA Decrypt (CSNDPKD and CSNFPKD)
For each of these services, a profile in the CSFKEYS class will
control access to the asymmetric key used to generate/verify a digital
signature, or encrypt/decrypt a clear key value. In addition to specifying
user access to the key, the CSFKEYS profile can also specify information
(in the ICSF segment of the profile) on how the key can be used. The
ASYMUSAGE field of the ICSF segment enables you to specify whether
an asymmetric key covered by the profile can participate in handshake
operations. By specifying the NOHANDSHAKE keyword in the ASYMUSAGE
field, you restrict any key covered by the profile from being used
in handshake operations. For example, the profile RSA.SAMMY.EXPORT
in class CSFKEYS covers an RSA key pair intended for exporting and
importing symmetric keys. The following RALTER command modifies the
profile to ensure that the RSA keys are not used in handshake operations.
The SETROPTS RACLIST command is used to refresh the profile in common
storage.
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(NOHANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH
For the restriction on handshake operations to take effect, you must
enable the PKA Key Management Extensions control by creating a
CSF.PKAEXTNS.ENABLE profile in class XFACILIT. Before the PKA Key
Management Extensions control can be enabled, the Key Store Policy for
both the CKDS and the PKDS must also be active. Refer to Enabling PKA key management extensions for more information.
When the PKA Key Management Extensions control is enabled, the
default is to allow keys to participate in handshake operations. You
can also explicitly specify this using the HANDSHAKE keyword in the
ASYMUSAGE field of profiles in the CSFKEYS class. For example:
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(HANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH
The ASYMUSAGE field can also contain the NOSECUREEXPORT or SECUREEXPORT
keyword to specify whether keys covered by the profile can participate
in secure import and export operations (as described in
Restricting asymmetric keys from being used in secure import and export operations). Either of these keywords can be specified together with the NOHANDSHAKE
or HANDSHAKE keyword on the same RDEFINE or RALTER command. For example:
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(NOSECUREEXPORT HANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH
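The following batch job is an added example, not part of the original page, that strings the steps above together in the order a security administrator would run them: enable the PKA Key Management Extensions control, define a new CSFKEYS profile with both an ASYMUSAGE handshake keyword and a secure-export keyword, grant access, refresh the RACLISTed classes, and then list the ICSF segment to confirm the result. It assumes the Key Store Policy for the CKDS and PKDS is already active (the page does not show those profiles), that the commands are run from a user ID with the required RACF authority, and that the job card, the profile name RSA.SAMMY.EXPORT (taken from the page) and the group name KEYMGRS are placeholders to be replaced for your installation.

```jcl
//ASYMUSG  JOB (ACCT),'ASYMUSAGE SETUP',CLASS=A,MSGCLASS=X
//* Placeholder job card: replace with your installation's values.
//* Runs RACF commands under TSO in batch (IKJEFT01).
//RACFCMD  EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  /* 1. Enable the PKA Key Management Extensions control.          */
  /*    Without this profile, ASYMUSAGE keywords are not enforced. */
  RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE UACC(NONE)
  SETROPTS RACLIST(XFACILIT) REFRESH

  /* 2. Define the CSFKEYS profile for the RSA export/import key   */
  /*    pair. NOHANDSHAKE blocks CSNDDSG/CSNDDSV/CSNDPKE/CSNDPKD   */
  /*    handshake use; SECUREEXPORT still allows secure import and */
  /*    export, which is the key pair's intended purpose.          */
  RDEFINE CSFKEYS RSA.SAMMY.EXPORT UACC(NONE) +
     ICSF(ASYMUSAGE(NOHANDSHAKE SECUREEXPORT))

  /* 3. Grant READ access only to the group that needs the key.    */
  /*    KEYMGRS is a placeholder group name.                       */
  PERMIT RSA.SAMMY.EXPORT CLASS(CSFKEYS) ID(KEYMGRS) ACCESS(READ)

  /* 4. Refresh the in-storage copy so the change takes effect.    */
  SETROPTS RACLIST(CSFKEYS) REFRESH

  /* 5. Verify: the ICSF segment should show NOHANDSHAKE and       */
  /*    SECUREEXPORT, and the access list should show KEYMGRS.     */
  RLIST CSFKEYS RSA.SAMMY.EXPORT ICSF AUTHUSER
/*
```

Step 5 is the check worth keeping in any change procedure: the RLIST output is the record that the restriction is actually in the refreshed profile, and the XFACILIT profile in step 1 is what turns the ASYMUSAGE keywords from documentation into an enforced control.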