Tokens are containers that hold digital certificates and keys. z/OS® supports both clear and secure keys in the PKCS #11 tokens that are provided and managed by ICSF. You can use RACF® in the following ways to define and manage certain certificate objects in a token (certificates, public keys, and private keys).

• You can use the following RACDCERT command functions:
  • ADDTOKEN: Defines a new empty token.
  • DELTOKEN: Deletes an existing token and all its contents.
  • LISTTOKEN: Displays information about the objects that are contained in the token.
  • BIND: Connects a RACF certificate, its public key, and (in some cases) its private key, to an existing token.
  • UNBIND: Removes a certificate and its keys from an existing token.
  • IMPORT: Adds a certificate to RACF from an existing token.
  See z/OS Security Server RACF Command Language Reference for syntax and usage information about these functions of the RACDCERT command.
• You can authorize applications to use the R_datalib (IRRSDL00 or IRRSDL64) callable service to read and extract token information. For details, see "RACF Authorization" for R_datalib (IRRSDL00 or IRRSDL64) in z/OS Security Server RACF Callable Services.
• You can use resources in the CRYPTOZ class to control access to tokens. See "Controlling access to tokens" in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Because tokens are managed by ICSF, not RACF, other applications can use ICSF functions to change tokens without updating the certificate information in the RACF database. Similarly, RACF changes to digital certificates already bound to a token are not reflected in the token information that is maintained by ICSF. Therefore, the following restrictions apply: