Determining access to tokens not stored in the CKDS or PKDS

When the Key Token Authorization Checking control for a key store has been enabled and a token is passed to a callable service, ICSF will find the key label or labels associated with the passed token so that a SAF authority check can be performed. If, however, the token passed to the callable service is not in the key store, there will be no associated key label to find. By default, no authorization checking is performed on the use of the key, and the operation is allowed. If you enable the Default Key Label Checking control for the CKDS or PKDS, however, ICSF will use a default profile to determine user access to tokens that are not in the key store.

Separate controls are provided for enabling Default Key Label Checking for a CKDS and for a PKDS. The Default Key Label Checking control is effective only if the Key Token Authorization Checking control for the same key store is also enabled; defining the Default Key Label Checking resource on its own has no effect. Refer to Enabling access authority checking for key tokens for more information. To enable one of the Default Key Label Checking controls, create the appropriate profile in the XFACILIT class.

Table 1. Key Store Policy controls: The Default Key Label Checking controls

The existence of this resource profile in the XFACILIT class:    Does this:

CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
    Specifies that ICSF should use the default profile CSF-CKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the CKDS. This control is enabled only if the CSF.CKDS.TOKEN.CHECK.LABEL.WARN or CSF.CKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled.

CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL
    Specifies that ICSF should use the default profile CSF-PKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the PKDS. This control is enabled only if the CSF.PKDS.TOKEN.CHECK.LABEL.WARN or CSF.PKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled.

For example, to enable the Default Key Label Checking control for a CKDS, you would:

  1. Create the default profile CSF-CKDS-DEFAULT in the CSFKEYS class.
    RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE)
  2. Because the universal access authority (UACC) was defined as NONE in the preceding step, use of key tokens that do not reside in the key store is prohibited once the control is enabled, unless the user is explicitly permitted. If necessary, give appropriate users (preferably groups) access in the CSF-CKDS-DEFAULT profile and refresh the CSFKEYS class in storage:
    PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)
    SETROPTS RACLIST(CSFKEYS) REFRESH
  3. Create a profile for the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class, and refresh the XFACILIT class in storage.
    RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
    SETROPTS RACLIST(XFACILIT) REFRESH
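The following is an added worked example, not ICSF or RACF code and not part of this page. It models the decision described above for both key stores: which CSFKEYS profile ICSF consults for a token, and what happens when the Default Key Label Checking resource exists but the Key Token Authorization Checking control does not. The RACF database, the group KEYADMIN, the users ALICE and BOB and the label PAYROLL.AES.KEY are constructed for the example. The following are assumptions not stated on this page: WARN mode flags a missing access and allows the operation while FAIL mode denies it; a CSFKEYS check requires READ; when a token resolves to several labels, READ on any one of them suffices; and the RACF access list is simplified to the highest access held by the user id or any of its groups, falling back to UACC.

```python
"""Simplified model of the Key Store Policy decision for key tokens (added example)."""
from __future__ import annotations
from dataclasses import dataclass, field

ACCESS_RANK = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


@dataclass
class Decision:
    allowed: bool
    checked_profile: str | None   # CSFKEYS profile consulted, None if no check was made
    reason: str


@dataclass
class RacfDb:
    """Tiny stand-in for the RACF database (constructed for this example)."""
    xfacilit: set = field(default_factory=set)     # XFACILIT resource names
    csfkeys: dict = field(default_factory=dict)    # profile -> {"uacc", "permits"}
    groups: dict = field(default_factory=dict)     # user -> set of group ids

    def rdefine_xfacilit(self, resource):          # RDEFINE XFACILIT <resource>
        self.xfacilit.add(resource.upper())

    def rdefine_csfkeys(self, profile, uacc="NONE"):   # RDEFINE CSFKEYS <profile> UACC(<uacc>)
        self.csfkeys[profile.upper()] = {"uacc": uacc.upper(), "permits": {}}

    def permit(self, profile, ident, access):      # PERMIT <profile> CLASS(CSFKEYS) ID(..) ACCESS(..)
        self.csfkeys[profile.upper()]["permits"][ident.upper()] = access.upper()

    def connect(self, user, group):                # CONNECT <user> GROUP(<group>)
        self.groups.setdefault(user.upper(), set()).add(group.upper())

    def has_access(self, user, profile, needed="READ"):
        prof = self.csfkeys.get(profile.upper())
        if prof is None:
            return False   # no covering profile: treated as no access (assumption)
        ids = {user.upper()} | self.groups.get(user.upper(), set())
        granted = [prof["permits"][i] for i in ids if i in prof["permits"]]
        level = max(granted, key=ACCESS_RANK.__getitem__) if granted else prof["uacc"]
        return ACCESS_RANK[level] >= ACCESS_RANK[needed]


def token_check_mode(db, keystore):
    """Key Token Authorization Checking for a key store: 'FAIL', 'WARN', or None when off."""
    ks = keystore.upper()
    if f"CSF.{ks}.TOKEN.CHECK.LABEL.FAIL" in db.xfacilit:
        return "FAIL"
    if f"CSF.{ks}.TOKEN.CHECK.LABEL.WARN" in db.xfacilit:
        return "WARN"
    return None


def default_label_checking_active(db, keystore):
    """The DEFAULT.LABEL resource only takes effect when token checking is enabled."""
    ks = keystore.upper()
    return (f"CSF.{ks}.TOKEN.CHECK.DEFAULT.LABEL" in db.xfacilit
            and token_check_mode(db, ks) is not None)


def evaluate_token_use(db, keystore, user, labels):
    """Decide whether `user` may use a token that resolved to `labels`
    (an empty list means the token was not found in the key store)."""
    ks, user = keystore.upper(), user.upper()
    mode = token_check_mode(db, ks)
    if mode is None:
        return Decision(True, None, "Key Token Authorization Checking is not enabled")
    if labels:
        profiles = [lab.upper() for lab in labels]
    elif default_label_checking_active(db, ks):
        profiles = [f"CSF-{ks}-DEFAULT"]
    else:
        return Decision(True, None, "token not in key store and no Default Key Label Checking")
    for prof in profiles:
        if db.has_access(user, prof):
            return Decision(True, prof, f"{user} has READ on {prof}")
    prof = profiles[0]
    if mode == "FAIL":
        return Decision(False, prof, f"FAIL mode: {user} lacks READ on {prof}")
    return Decision(True, prof, f"WARN mode: {user} lacks READ on {prof}, allowed with warning")


def build_example_db():
    """Apply the page's CKDS steps (after enabling FAIL-mode token checking),
    plus a PKDS where only the DEFAULT.LABEL resource was created."""
    db = RacfDb()
    db.connect("ALICE", "KEYADMIN")
    db.rdefine_xfacilit("CSF.CKDS.TOKEN.CHECK.LABEL.FAIL")   # prerequisite control
    db.rdefine_csfkeys("CSF-CKDS-DEFAULT", uacc="NONE")      # step 1
    db.permit("CSF-CKDS-DEFAULT", "KEYADMIN", "READ")        # step 2
    db.rdefine_xfacilit("CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL")  # step 3
    db.rdefine_csfkeys("PAYROLL.AES.KEY", uacc="NONE")       # a stored key's own profile
    db.permit("PAYROLL.AES.KEY", "KEYADMIN", "READ")
    db.rdefine_csfkeys("CSF-PKDS-DEFAULT", uacc="NONE")      # PKDS: no WARN/FAIL control,
    db.rdefine_xfacilit("CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL")  # so this resource is inert
    return db


if __name__ == "__main__":
    db = build_example_db()
    for ks, who, labels in [("CKDS", "ALICE", []), ("CKDS", "BOB", []),
                            ("CKDS", "BOB", ["PAYROLL.AES.KEY"]), ("PKDS", "BOB", [])]:
        d = evaluate_token_use(db, ks, who, labels)
        print(f"{ks} {who:5} {labels or '(not in key store)'}: "
              f"{'ALLOW' if d.allowed else 'DENY'} via {d.checked_profile}: {d.reason}")
```

Running the block shows the two outcomes that matter operationally: on the CKDS, BOB is denied for a token that is not in the key store because CSF-CKDS-DEFAULT has UACC(NONE) and he is not permitted, while on the PKDS the same request is allowed with no check at all, because the Default Key Label Checking resource was created without a WARN or FAIL control. An RLIST XFACILIT CSF.PKDS.* check after configuration is the practical way to catch that gap on a real system.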