System SSL: Ensure all RACF user IDs that start SSL applications in non-FIPS mode can access the CSFRNG resource of the CSFSERV class

Description

Before z/OS V2.1, System SSL always used its own random number generation support available in software. As of z/OS V2R1, System SSL exploits ICSF random number generation support if ICSF is available. To use ICSF when the random number generation service is protected by a RACF resource profile (CSFRNG), the user ID under which the application is executing must have at least READ access to the resource profile. If the application is not FIPS enabled, processing can fall back to the software implementation and the application continues (as a result, you might receive RACF unauthorized messages). If the application is FIPS enabled, it fails.

If the user ID that starts the SSL application cannot access the CSFRNG resource of the CSFSERV class, System SSL will not be able to use the PKCS #11 Pseudo-random function callable service, and the informational message ICH408I (which indicates insufficient authorization) may be issued to the console. Although System SSL processing will continue, your application will be using System SSL's random number generation and will not be exploiting the random number generation capability provided by ICSF software or the Crypto Express3 Coprocessor card or the Crypto Express4 Coprocessor card.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Cryptographic Services.
When change was introduced: z/OS V2R1.
Applies to migration from: z/OS V1R13.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes, if the following conditions are true:
  • Your installation uses ICSF.
  • The CSFSERV general resource class is active.
  • A profile covering the CSFRNG resource of the CSFSERV class is defined and does not grant READ access to all users.
Target system hardware requirements: ICSF might use one of several techniques to derive the random content. For both FIPS certified and non-FIPS certified random content, the availability of CCA and/or PKCS #11 coprocessors enables ICSF to derive the random content without imposing significant CPU overhead on the system. Either type of coprocessor can be exploited for non-FIPS certified content, but only a PKCS #11 coprocessor can be used to avoid CPU cycles for FIPS certified random content. Installations might want to plan for CCA and/or PKCS #11 coprocessor availability to avoid excessive CPU consumption on random number generation.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: Informational message ICH408I, which indicates insufficient authorization, might be issued to the console.
Related IBM Health Checker for z/OS check: None.

Steps to take

If your installation uses ICSF, you should ensure that any RACF user ID that will start SSL applications can access the CSFRNG callable service. This includes the SSL started task (GSKSRVR), and the gskkyman and gsktrace utilities.

  1. Determine if the CSFSERV class is active. If active, this class restricts access to the ICSF programming interface. If it is not active, access to the ICSF programming interface (and specifically the CSFRNG callable service) is unrestricted. No configuration is necessary.
    To determine which RACF classes are currently active, enter the SETROPTS command with the LIST parameter specified:
    SETROPTS LIST
  2. If the SETROPTS LIST command shows that the CSFSERV class is active, identify the profile that covers the CSFRNG resource. This could be a discrete profile named CSFRNG or, if generic profile checking is activated, a generic profile.
    To determine if a profile has been defined to protect the CSFRNG resource, enter the following RLIST command:
    RLIST CSFSERV CSFRNG
    When you enter this command, RACF lists information for the discrete resource profile CSFRNG. If there is no matching discrete profile, RACF will list the generic profile that most closely matches the resource name.
  3. If the RLIST command output revealed that there is a discrete or generic profile defined that covers the CSFRNG resource, examine the command output to ensure that all RACF user IDs that may start System SSL applications have at least READ access to the CSFRNG resource. If necessary, use the PERMIT command to give the appropriate users or groups access. For example, if a discrete profile CSFRNG exists, the following command would give user BAILEY access.
    PERMIT CSFRNG CLASS(CSFSERV) ID(BAILEY) ACCESS(READ)
    If you do make any changes, refresh the in-storage RACF profiles for the CSFSERV class:
    SETROPTS RACLIST(CSFSERV) REFRESH
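The three steps above can be checked from a script rather than by reading the command output by hand. The following is an added example, not part of the IBM documentation: two shell functions that parse SETROPTS LIST output for an active CSFSERV class and RLIST CSFSERV CSFRNG AUTHUSER output for user IDs whose access is below READ. It assumes that on z/OS UNIX the command output would be obtained with tsocmd, only considers the explicit user access list plus UACC (group-inherited access is not resolved), and runs here against constructed sample output.

```shell
#!/bin/sh
# Added example, not from the IBM page: offline checks for the CSFRNG condition above.
# On z/OS UNIX the inputs would come from the TSO commands in the steps (assumed
# invocation: tsocmd "SETROPTS LIST" and tsocmd "RLIST CSFSERV CSFRNG AUTHUSER");
# here both outputs are constructed samples so the parsing runs anywhere.

# Step 1: is CSFSERV listed under ACTIVE CLASSES in SETROPTS LIST output (stdin)?
# RACF wraps the list onto indented continuation lines that end at the next "KEYWORD =".
csfserv_active() {
  awk '/ACTIVE CLASSES *=/ { inblk = 1 }
       inblk && !/ACTIVE CLASSES/ && /=/ { inblk = 0 }
       inblk { for (i = 1; i <= NF; i++) if ($i == "CSFSERV") found = 1 }
       END { exit found ? 0 : 1 }'
}
# Steps 2-3: with RLIST ... AUTHUSER output on stdin, print each ID from $1 whose
# effective access is below READ. Only the explicit USER list and UACC are
# considered; access inherited via group connections is not resolved (assumption).
users_lacking_read() {
  awk -v want="$1" '
    function rank(a) { return index("NONE READ UPDATE CONTROL ALTER", a) }
    /^LEVEL +OWNER +UNIVERSAL ACCESS/ { getline; getline; uacc = $3 }  # skip dashes, read UACC
    /^USER +ACCESS +ACCESS COUNT/ { getline; inlist = 1; next }        # skip dashes
    inlist && NF == 0 { inlist = 0 }
    inlist && NF >= 2 { acc[$1] = $2 }
    END {
      n = split(want, ids, " ")
      for (i = 1; i <= n; i++) {
        a = (ids[i] in acc) ? acc[ids[i]] : uacc
        if (rank(a) < rank("READ")) print ids[i]
      }
    }'
}
# Constructed sample outputs (not captured from a real system).
SETROPTS_SAMPLE='ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL
ACTIVE CLASSES = DATASET USER GROUP FACILITY CSFKEYS
                 CSFSERV STARTED SURROGAT
GENERIC PROFILE CLASSES = DATASET FACILITY CSFSERV'
RLIST_SAMPLE='LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    SYS1            NONE              READ      NO

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
BAILEY     READ      000000
GSKSRVR    READ      000000
TCPIP      NONE      000000
'
if printf '%s\n' "$SETROPTS_SAMPLE" | csfserv_active; then
  echo "CSFSERV active; IDs needing PERMIT CSFRNG CLASS(CSFSERV) ACCESS(READ):"
  printf '%s\n' "$RLIST_SAMPLE" | users_lacking_read "GSKSRVR BAILEY TCPIP WEBSRV"
fi
```

With the sample data the script reports TCPIP (explicit NONE) and WEBSRV (not in the access list, so it falls back to UACC NONE); after a PERMIT, remember the SETROPTS RACLIST(CSFSERV) REFRESH from step 3.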

Reference information

For more information, see the following references: