Using the ASYMUSAGE field in the ICSF segment of CSFKEYS profiles enables you to restrict asymmetric keys covered by the profile from being used in secure import and export operations. In secure export operations, a symmetric key (AES or DES) is moved from encryption under a master key to encryption under an asymmetric key (RSA public key). In a secure import operation, the private key of an RSA key pair is used to move a symmetric key from encryption under the RSA public key to encryption under a master key. The following callable services all identify an asymmetric key (either the public or private key of an RSA key pair) to encrypt or decrypt a symmetric key. The callable services that perform secure import and export operations are:
For each of these services, a profile in the CSFKEYS class will control access to the asymmetric key. In addition to specifying user access to the key, the CSFKEYS profile can also specify information (in the ICSF segment of the profile) on how the key can be used. The ASYMUSAGE field of the ICSF segment enables you to specify whether an asymmetric key covered by the profile can participate in secure import or export operations. By specifying the NOSECUREEXPORT keyword in the ASYMUSAGE field, you restrict any asymmetric key covered by the profile from being used to encrypt or decrypt the symmetric key in these operations.
RALTER CSFKEYS RSA.SAMMY.DIGSIG ICSF(ASYMUSAGE(NOSECUREEXPORT))
SETROPTS RACLIST(CSFKEYS) REFRESH
In order for the secure import/export restriction to take effect, you will need to enable the PKA Key Management Extensions control by creating a CSF.PKAEXTNS.ENABLE profile in class XFACILIT. In order to enable the PKA Key Management Extensions control, the Key Store Policy for both the CKDS and the PKDS must also be active. Refer to Enabling PKA key management extensions for more information.
RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(SECUREEXPORT))
SETROPTS RACLIST(CSFKEYS) REFRESH
The ASYMUSAGE field can
also contain the NOHANDSHAKE or HANDSHAKE keywords to specify whether
keys covered by the profile can participate in handshake operations
(as described in Restricting asymmetric keys from being used in handshake operations). These keywords
can be specified along with the NOSECUREEXPORT or SECUREEXPORT keywords
when entering the RDEFINE or RALTER command.RALTER CSFKEYS RSA.SAMMY.EXPORT ICSF(ASYMUSAGE(SECUREEXPORT NOHANDSHAKE))
SETROPTS RACLIST(CSFKEYS) REFRESH