Tasks for the security administrator

The security administrator should create a RACF® profile to protect the token data set (TKDS). Protecting this data set is important because keys in the token data set are not encrypted: anyone who can read the data set directly can read the key material, bypassing the token access controls in the CRYPTOZ class entirely. Access should therefore be limited to the ICSF started task and the administrators who maintain the data set; applications never need access to it, because they reach tokens only through the PKCS #11 callable services.

The security administrator needs to grant the appropriate access authority to users for accessing tokens and objects, by defining profiles in the CRYPTOZ class. For more information, see Controlling token access and key policy.

The security administrator controls access to the PKCS #11 callable services by defining profiles in the CSFSERV class. For information about defining profiles in the CSFSERV class, see z/OS Cryptographic Services ICSF Administrator's Guide. For a list of the resource names for token services, see Table 2.

If PKCS #11 services must run in compliance with the FIPS 140-2 standard, the security administrator must ensure that the digital signature of the load module containing the z/OS PKCS #11 services (CSFINPV2) is verified when ICSF starts; FIPS 140-2 requires this integrity check of the cryptographic module before use. Refer to Requiring signature verification for ICSF module CSFINPV2 and z/OS Security Server RACF Security Administrator's Guide for more information.
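The administrator tasks above (protecting the TKDS, defining CRYPTOZ and CSFSERV profiles, and requiring signature verification of CSFINPV2), carried out as RACF commands in a batch TSO job. This is an added example and not part of the ICSF documentation. The data set name CSF.TKDS, the ICSF started task user ID CSFSTC, the groups PKCSSO and PAYAPPS, and the token label PAYROLL.TOKEN are hypothetical; the UPDATE access assumed for the started task and the library name assumed for CSFINPV2 should be checked against the referenced guides for your release. The CSFSERV resource names are the token service names listed in Table 2.

```jcl
//RACFPKCS JOB (ACCT),'PKCS11 RACF SETUP',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------*
//* Added example, not IBM-supplied JCL. All user IDs, groups, the    *
//* TKDS name and the token label are hypothetical.                   *
//*                                                                   *
//* 1. TKDS: keys in it are not encrypted, so UACC(NONE), audit every *
//*    access, and permit only the ICSF started task (UPDATE is       *
//*    assumed sufficient; verify in the ICSF guides). Application    *
//*    users get no access at all; they use ICSF services instead.    *
//* 2. CRYPTOZ: SO.<label> controls the security officer role and     *
//*    USER.<label> the user role for one token. UPDATE grants the    *
//*    read/write form of each role; the full READ/UPDATE/CONTROL     *
//*    table is in "Controlling token access and key policy".         *
//* 3. CSFSERV: READ is the level ICSF checks. Token create/delete    *
//*    (CSF1TRC, CSF1TRD) stay with the security officers; the        *
//*    application group gets only the services it actually calls.    *
//* 4. FIPS 140-2: PROGRAM class profile that requires a verified     *
//*    signature on CSFINPV2 and fails the load when verification     *
//*    cannot succeed. The code-signing key ring and FACILITY class   *
//*    prerequisites come from the RACF Security Administrator's      *
//*    Guide and are not shown here. Program control (SETROPTS        *
//*    WHEN(PROGRAM)) is assumed to be active already.                *
//* 5. Refresh the in-storage profiles so the changes take effect.    *
//*-------------------------------------------------------------------*
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'CSF.TKDS' UACC(NONE) OWNER(SYS1) AUDIT(ALL(READ))
  PERMIT 'CSF.TKDS' CLASS(DATASET) ID(CSFSTC) ACCESS(UPDATE)

  SETROPTS CLASSACT(CRYPTOZ CSFSERV) RACLIST(CRYPTOZ CSFSERV)
  RDEFINE CRYPTOZ SO.PAYROLL.TOKEN   UACC(NONE) AUDIT(FAILURES(READ))
  RDEFINE CRYPTOZ USER.PAYROLL.TOKEN UACC(NONE) AUDIT(FAILURES(READ))
  PERMIT SO.PAYROLL.TOKEN   CLASS(CRYPTOZ) ID(PKCSSO)  ACCESS(UPDATE)
  PERMIT USER.PAYROLL.TOKEN CLASS(CRYPTOZ) ID(PAYAPPS) ACCESS(UPDATE)

  RDEFINE CSFSERV (CSF1TRC CSF1TRD CSF1TRL CSF1GSK CSF1SKE CSF1SKD) -
          UACC(NONE) AUDIT(FAILURES(READ))
  PERMIT CSF1TRC CLASS(CSFSERV) ID(PKCSSO) ACCESS(READ)
  PERMIT CSF1TRD CLASS(CSFSERV) ID(PKCSSO) ACCESS(READ)
  PERMIT CSF1TRL CLASS(CSFSERV) ID(PKCSSO PAYAPPS) ACCESS(READ)
  PERMIT CSF1GSK CLASS(CSFSERV) ID(PAYAPPS) ACCESS(READ)
  PERMIT CSF1SKE CLASS(CSFSERV) ID(PAYAPPS) ACCESS(READ)
  PERMIT CSF1SKD CLASS(CSFSERV) ID(PAYAPPS) ACCESS(READ)

  RDEFINE PROGRAM CSFINPV2 ADDMEM('SYS1.SIEALNKE'//NOPADCHK) -
          UACC(READ) SIGVER(SIGREQUIRED(YES) FAILLOAD(ANYBAD) -
          SIGAUDIT(ANYBAD))

  SETROPTS RACLIST(CRYPTOZ CSFSERV) REFRESH
  SETROPTS WHEN(PROGRAM) REFRESH
/*
```

At run time a PKCS #11 caller must pass both checks: CSFSERV decides whether the caller may invoke the service at all, and CRYPTOZ decides what the caller may do to the named token and its objects. Neither check consults the TKDS data set profile, which is why that profile can and should exclude everyone except the ICSF started task; a user who could read the data set would not need either class to obtain the keys.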

To use Secure Key PKCS #11, an active Enterprise PKCS #11 coprocessor is required. For the steps necessary to activate the Enterprise PKCS #11 coprocessors, see 'Managing Crypto Express4 Features on an IBM zEnterprise BC12 and EC12' in z/OS Cryptographic Services ICSF Administrator's Guide.