Restricting asymmetric keys from being used in secure import and export operations

Using the ASYMUSAGE field in the ICSF segment of CSFKEYS profiles enables you to restrict asymmetric keys covered by the profile from being used in secure import and export operations. In secure export operations, a symmetric key (AES or DES) is moved from encryption under a master key to encryption under an asymmetric key (RSA public key). In a secure import operation, the private key of an RSA key pair is used to move a symmetric key from encryption under the RSA public key to encryption under a master key. The following callable services all identify an asymmetric key (either the public or private key of an RSA key pair) to encrypt or decrypt a symmetric key. The callable services that perform secure import and export operations are:

Symmetric Key Generate (CSNDSYG and CSNFSYG)
Symmetric Key Export (CSNDSYX, CSNFSYX, CSNDSXD)
Symmetric Key Import (CSNDSYI and CSNFSYI) and Symmetric Key Import2 (CSNDSYI2 and CSNFSYI2)

For each of these services, a profile in the CSFKEYS class will control access to the asymmetric key. In addition to specifying user access to the key, the CSFKEYS profile can also specify information (in the ICSF segment of the profile) on how the key can be used. The ASYMUSAGE field of the ICSF segment enables you to specify whether an asymmetric key covered by the profile can participate in secure import or export operations. By specifying the NOSECUREEXPORT keyword in the ASYMUSAGE field, you restrict any asymmetric key covered by the profile from being used to encrypt or decrypt the symmetric key in these operations.

For example, the profile RSA.SAMMY.DIGSIG in class CSFKEYS covers an RSA key pair that should be used only for generating and verifying digital signatures and performing TLS/SSL handshakes. The following RALTER command modifies the profile to ensure that the public key of the RSA key pair is never used to export keys. The SETROPTS RACLIST command is used to refresh the profile in common storage.

RALTER CSFKEYS RSA.SAMMY.DIGSIG ICSF(ASYMUSAGE(NOSECUREEXPORT))
SETROPTS RACLIST(CSFKEYS) REFRESH

In order for the secure import/export restriction to take effect, you will need to enable the PKA Key Management Extensions control by creating a CSF.PKAEXTNS.ENABLE profile in class XFACILIT. In order to enable the PKA Key Management Extensions control, the Key Store Policy for both the CKDS and the PKDS must also be active. Refer to Enabling PKA key management extensions for more information.

When the PKA Key Management Extensions control is enabled, the default is to allow keys to participate in secure import and export operations. You can also explicitly specify this using the SECUREEXPORT keyword in the ASYMUSAGE field of a CSFKEYS profile. For example:

RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(SECUREEXPORT))
SETROPTS RACLIST(CSFKEYS) REFRESH

The ASYMUSAGE field can also contain the NOHANDSHAKE or HANDSHAKE keywords to specify whether keys covered by the profile can participate in handshake operations (as described in Restricting asymmetric keys from being used in handshake operations). These keywords can be specified along with the NOSECUREEXPORT or SECUREEXPORT keywords when entering the RDEFINE or RALTER command.

RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(SECUREEXPORT NOHANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH