Setting up profiles in the CSFSERV general resource class

To set up profiles in the CSFSERV general resource class, take these steps.

Note: The CSFSERV class grants access to the service if there is no profile. You can create a global generic profile to restrict access.

Define appropriate profiles in the CSFSERV class:

    RDEFINE  CSFSERV profile-name  UACC(NONE)
             other-optional-operands

Where profile-name is the profile that is used to protect the resource. Table 1 lists the resources that are used by ICSF and PKDS #11 callable services. Table 2 shows the resource names that are used by ICSF TSO panels, utilities, and compatibility services for PCF macros.

To determine which services are used by PKCS #11 services, see 'Controlling access to tokens' in Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. Users must be SAF authorized to the CSFSERV profile for the services for PKCS #11 services to execute.

Table 1. Resource names for ICSF callable services
Resource name	Callable service names	Callable service description
CSFAPG	CSNBAPG CSNEAPG	Authentication Parameter Generate
CSFCKC	CSNBCKC CSNECKC	CVV Key Combine
CSFCKI	CSNBCKI CSNECKI	Clear Key Import
CSFCKM	CSNBCKM CSNECKM	Multiple Clear Key Import
CSFCPA	CSNBCPA CSNECPA	Clear PIN Generate Alternate
CSFCPE	CSNBCPE CSNECPE	Clear PIN Encrypt
CSFCRC	CSFCRC CSFCRC6	Coordinated KDS Administration
CSFCSG	CSNBCSG CSNECSG	VISA CVV Service Generate
CSFCSV	CSNBCSV CSNECSV	VISA CVV Service Verify
CSFCTT2	CSNBCTT2 CSNECTT2	Ciphertext Translate2
CSFCTT3	CSNBCTT3 CSNECTT3	Ciphertext Translate2 (with ALET)
CSFCVE	CSNBCVE CSNECVE	Cryptographic Variable Encipher
CSFCVT	CSNBCVT CSNECVT	Control Vector Translate
CSFDCM	CSNBDCM CSNEDCM	Derive ICC MK
CSFDCO	CSNBDCO CSNEDCO	Decode
CSFDEC	CSNBDEC CSNEDEC	Decipher
CSFDEC1	CSNBDEC1 CSNEDEC1	Decipher (with ALET)
CSFDKG	CSNBDKG CSNEDKG	Diversified Key Generate
CSFDKG2	CSNBDKG2 CSNEDKG2	Diversified Key Generate2
CSFDKM	CSNBDKM CSNEDKM	Data Key Import
CSFDKX	CSNBDKX CSNEDKX	Data Key Export
CSFDMP	CSNBDMP CSNEDMP	DK Migrate PIN
CSFDPC	CSNBDPC CSNEDPC	DK PIN Change
CSFDPCG	CSNBDPCG CSNEDPCG	DK PRW CMAC Generate
CSFDDPG	CSNBDDPG CSNEDDPG	DK Deterministic PIN Generate
CSFDPMT	CSNBDPMT CSNEDPMT	DK PAN Modify in Transaction
CSFDPNU	CSNBDPNU CSNEDPNU	DK PRW Card Number Update
CSFDPT	CSNBDPT CSNEDPT	DK PAN Translate
CSFDRP	CSNBDRP CSNEDRP	DK Regenerate PRW
CSFDPV	CSNBDPV CSNEDPV	DK PIN Verify
CSFDRPG	CSNBDRPG CSNEDRPG	DK Random PIN Generate
CSFDSG	CSNDDSG CSNFDSG CSFPPS2 CSFPPS26	Digital Signature Generate PKCS #11 Private key structure sign
CSFDSK	CSNBDSK CSNEDSK	Derive Session Key
CSFDSV	CSNDDSV CSNFDSV CSFPPV2 CSFPPV26	Digital Signature Verify PKCS #11 Public key structure verify
CSFEAC	CSNBEAC CSNEEAC	EMV Transaction Service
CSFECO	CSNBECO CSNEECO	Encode
CSFEDH	CSNDEDH CSNFEDH	ECC Diffie-Hellman
CSFENC	CSNBENC CSNEENC	Encipher
CSFENC1	CSNBENC1 CSNEENC1	Encipher (with ALET)
CSFEPG	CSNBEPG CSNEEPG	Encrypted PIN Generate
CSFESC	CSNBESC CSNEESC	EMV Scripting Service
CSFEVF	CSNBEVF CSNEEVF	EMV Verification Functions
CSFFPED	CSNBFPED CSNEFPED	FPE Decipher
CSFFPEE	CSNBFPEE CSNEFPEE	FPE Encipher
CSFFPET	CSNBFPET CSNEFPET	FPE Translate
CSFGIM	CSNBGIM CSNEGIM	Generate Issuer MK
CSFHMG	CSNBHMG CSNEHMG	HMAC Generate
CSFHMG1	CSNBHMG1 CSNEHMG1	HMAC Generate (with ALET)
CSFHMV	CSNBHMV CSNEHMV	HMAC Verify
CSFHMV1	CSNBHMV1 CSNEHMV1	HMAC Verify (with ALET)
CSFIQA	CSFIQA CSFIQA6	ICSF Query Algorithm
CSFIQF	CSFIQF CSFIQF6	ICSF Query Facility
CSFKDSL³	CSFKDSL CSFKDSL6	Key Data Set List
CSFKDMR³	CSFKDMR CSFKDMR6	Key Data Set Metadata Read
CSFKDMW³	CSFKDMW CSFKDMW6	Key Data Set Metadata Write
CSFKDU^{3, 4}	CSFKDU CSFKDU6	Key Dataset Update It is recommended that this profile is defined with UACC(NONE).
CSFKET	CSNBKET CSNEKET	Key Encryption Translate
CSFKEX	CSNBKEX CSNEKEX	Key Export
CSFKGN	CSNBKGN CSNEKGN	Key Generate
CSFKGN2	CSNBKGN2 CSNEKGN2	Key Generate2
CSFKIM	CSNBKIM CSNEKIM	Key Import
CSFKPI	CSNBKPI CSNEKPI	Key Part Import
CSFKPI2	CSNBKPI2 CSNEKPI2	Key Part Import2
CSFKRC	CSNBKRC CSNEKRC	Key Record Create
CSFKRC2	CSNBKRC2 CSNEKRC2	Key Record Create2
CSFKRD	CSNBKRD CSNEKRD	Key Record Delete
CSFKRR	CSNBKRR CSNEKRR	Key Record Read
CSFKRR2	CSNBKRR2 CSNEKRR2	Key Record Read2
CSFKRW	CSNBKRW CSNEKRW	Key Record Write
CSFKRW2	CSNBKRW2 CSNEKRW2	Key Record Write2
CSFKTR	CSNBKTR CSNEKTR	Key Translate
CSFKTR2	CSNBKTR2 CSNEKTR2	Key Translate2
CSFKYT	CSNBKYT CSNEKYT	Key Test
CSFKYT2	CSNBKYT2 CSNEKYT2	Key Test2
CSFKYTX	CSNBKYTX CSNEKYTX	Key Test Extended
CSFMDG	CSNBMDG CSNEMDG	MDC Generate
CSFMDG1	CSNBMDG1 CSNEMDG1	MDC Generate (with ALET)
CSFMGN	CSNBMGN CSNEMGN	MAC Generate
CSFMGN1	CSNBMGN1 CSNEMGN1	MAC Generate (with ALET)
CSFMGN2	CSNBMGN2 CSNEMGN2	MAC Generate2
CSFMGN3	CSNBMGN3 CSNEMGN3	MAC Generate2 (with ALET)
CSFMPS	CSFMPS CSFMPS6	ICSF Multi-Purpose Service
CSFMVR	CSNBMVR CSNEMVR	MAC Verify
CSFMVR1	CSNBMVR1 CSNEMVR1	MAC Verify (with ALET)
CSFMVR2	CSNBMVR2 CSNEMVR2	MAC Verify2
CSFMVR3	CSNBMVR3 CSNEMVR3	MAC Verify2 (with ALET)
CSFOWH¹	CSNBOWH CSNEOWH CSFPOWH CSFPOWH6	One-Way Hash Generate and PKCS #11 One-way hash, sign, or verify
CSFOWH1 ¹	CSNBOWH1 CSNEOWH1	One-Way Hash Generate (with ALET)
CSFPCI	CSFPCI CSFPCI6	PCI Interface Callable Service
CSFPCU	CSNBPCU CSNEPCU	PIN Change/Unblock
CSFPEX	CSNBPEX CSNEPEX	Prohibit Export
CSFPEXX	CSNBPEXX CSNEPEXX	Prohibit Export Extended
CSFPFO	CSNBPFO CSNEPFO	Recover PIN From Offset
CSFPGN	CSNBPGN CSNEPGN	Clear PIN Generate
CSFPKD	CSNDPKD CSNFPKD CSFPPD2 CSFPPD26	PKA Decrypt PKCS #11 Private key structure decrypt
CSFPKE	CSNDPKE CSNFPKE CSFPPE2 CSFPPE26	PKA Encrypt PKCS #11 Public key structure encrypt
CSFPKG	CSNDPKG CSNFPKG	PKA Key Generate
CSFPKI	CSNDPKI CSNFPKI	PKA Key Import
CSFPKRC	CSNDKRC CSNFKRC	PKDS Record Create
CSFPKRD	CSNDKRD CSNFKRD	PKDS Record Delete
CSFPKRR	CSNDKRR CSNFKRR	PKDS Record Read
CSFPKRW	CSNDKRW CSNFKRW	PKDS Record Write
CSFPKT	CSNDPKT CSNFPKT	PKA Key Translate
CSFPKTC	CSNDKTC CSNFKTC	PKA Key Token Change
CSFPKX	CSNDPKX CSNFPKX	PKA Public Key Extract
CSFPRR2	CSNDKRR2 CSNFKRR2	PKDS Key Record Read2
CSFPTR	CSNBPTR CSNEPTR	Encrypted PIN Translate
CSFPTRE	CSNBPTRE CSNEPTRE	Encrypted PIN Translate Enhanced
CSFPVR	CSNBPVR CSNEPVR	Encrypted PIN Verify
CSFRKA	CSNBRKA CSNERKA	Restrict Key Attribute
CSFRKD	CSNDRKD CSNFRKD	Retained Key Delete
CSFRKL	CSNDRKL CSNFRKL	Retained Key List
CSFRKX	CSNDRKX CSNFRKX	Remote Key Export
CSFRNG²	CSNBRNG CSNERNG CSFPPRF CSFPPRF6	Random Number Generate (returning an 8-byte random number) and PKCS #11 Pseudo-random function
CSFRNGL²	CSNBRNGL CSNERNGL	Random Number Generate (returning a random number of a length that is specified by the caller)
CSFRRT ^{3, 4}	CSFRRT CSFRRT6	Key Dataset Record Retrieve It is recommended that this profile is defined with UACC(NONE) and that no user is given access as it is for diagnostic purposes only.
CSFSAD	CSNBSAD CSNESAD	Symmetric Algorithm Decipher
CSFSAD1	CSNBSAD1 CSNESAD1	Symmetric Algorithm Decipher (with ALET)
CSFSAE	CSNBSAE CSNESAE	Symmetric Algorithm Encipher
CSFSAE1	CSNBSAE1 CSNESAE1	Symmetric Algorithm Encipher (with ALET)
CSFSBC	CSNDSBC CSNFSBC	SET Block Compose
CSFSBD	CSNDSBD CSNFSBD	SET Block Decompose
CSFSKI	CSNBSKI CSNESKI	Secure Key Import
CSFSKI2	CSNBSKI2 CSNESKI2	Secure Key Import2
CSFSKM	CSNBSKM CSNESKM	Multiple Secure Key Import
CSFSKY	CSNBSKY CSNESKY	Secure Messaging for Keys
CSFSPN	CSNBSPN CSNESPN	Secure Messaging for PINs
CSFSXD	CSNDSXD CSNFSXD	Symmetric Key Export with Data
CSFSYG	CSNDSYG CSNFSYG	Symmetric Key Generate
CSFSYI	CSNDSYI CSNFSYI	Symmetric Key Import
CSFSYI2	CSNDSYI2 CSNFSYI2	Symmetric Key Import2
CSFSYX	CSNDSYX CSNFSYX	Symmetric Key Export
CSFTBC	CSNDTBC CSNFTBC	Trusted Block Create
CSFTRV	CSNBTRV CSNETRV	Transaction Validation
CSFT31I	CSNBT31I CSNET31I	TR-31 Import
CSFT31X	CSNBT31X CSNET31X	TR-31 Export
CSFUKD	CSNBUKD CSNEUKD	Unique Key Derive
CSFWRP	CSFWRP CSFWRP6	Key Token Wrap
CSF1DVK	CSFPDVK CSFPDVK6	PKCS #11 Derive key
CSF1DMK	CSFPDMK CSFPDMK6	PKCS #11 Derive multiple keys
CSF1HMG	CSFPHMG CSFPHMG6	PKCS #11 Generate MAC
CSF1GKP	CSFPGKP CSFPGKP6	PKCS #11 Generate key pair
CSF1GSK	CSFPGSK CSFPGSK6	PKCS #11 Generate secret key
CSF1GAV	CSFPGAV CSFPGAV6	PKCS #11 Get attribute value
CSF1PKS	CSFPPKS CSFPPKS6	PKCS #11 Private key sign
CSF1PKV	CSFPPKV CSFPPKV6	PKCS #11 Public key verify
CSF1SKD	CSFPSKD CSFPSKD6	PKCS #11 Secret key decrypt
CSF1SKE	CSFPSKE CSFPSKE6	PKCS #11 Secret key encrypt
CSF1SAV	CSFPSAV CSFPSAV6	PKCS #11 Set attribute value
CSF1TRC	CSFPTRC CSFPTRC6	PKCS #11 Token record create
CSF1TRD	CSFPTRD CSFPTRD6	PKCS #11 Token record delete
CSF1TRL	CSFPTRL CSFPTRL6	PKCS #11 Token record list
CSF1UWK	CSFPUWK CSFPUWK6	PKCS #11 Unwrap key
CSF1HMV	CSFPHMV CSFPHMV6	PKCS #11 Verify MAC
CSF1WPK	CSFPWPK CSFPWPK6	PKCS #11 Wrap key

¹ If the CSF.CSFSERV.AUTH.CSFOWH.DISABLE resource is defined within the XFACILIT class, the SAF authorization check is disabled for this resource. Disabling the SAF check might improve the performance of your applications.

² If the CSF.CSFSERV.AUTH.CSFRNG.DISABLE resource is defined within the XFACILIT class, the SAF authorization check is disabled for this resource. Disabling the SAF check might improve the performance of your application.

³ These services do not perform SAF authorization checks against key labels or handles (SAF classes CSFKEYS and CRYPTOZ). Therefore, any user ID that is permitted to use these services is able to access any KDS record. The level of access (read or update) depends on the operation of the service.

⁴ Access to these services is denied if there is no covering profile in the CSFSERV class.

Table 2. Resource names for ICSF TSO panels, utilities, and compatibility services for PCF macros
Resource Name	Utility and Callable Service Description
CSFCMK	Change master key utility, including the panel for a local change master key, the Coordinated KDS Administration service, and CSFEUTIL.
CSFCONV	PCF CKDS to ICSF CKDS conversion utility
CSFCRC	Coordinated KDS Administration
CSFDKCS	Master key entry utility
CSFEDC	Compatibility service for the PCF CIPHER macro
CSFEMK	Compatibility service for the PCF EMK macro
CSFGKC	Compatibility service for the PCF GENKEY macro
CSFGKF	Generate key fingerprint. Required by KGUP if key lifecycle auditing is enabled.
CSFKGUP	Key generation utility program
CSFOPKL	Operational key load
CSFPCAD	Cryptographic processors management (activate/deactivate)
CSFPKDR	PKDS reencipher and PKDS refresh utilities
CSFPMCI	Pass phrase master key/KDS initialization utility
CSFREFR	Refresh CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS).
CSFRENC	Reencipher CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS).
CSFRSWS	Administrative control functions utility (ENABLE)
CSFRWP	CKDS Conversion2 - rewrap option.
CSFRTC	Compatibility service for the CUSP or PCF RETKEY macro
CSFSMK	Set master key utility
CSFSSWS	Administrative control functions utility (DISABLE)
CSFUDM	User Defined Extensions (UDX) management functions

Note:

As with any RACF general resource profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
If the security administrator has activated generic profile checking for the CSFSERV class, you can create generic profiles that use the generic characters * and %. This is the same as with any RACF general resource class.

For example, if generic profile checking is in effect, these profiles enable you to specify which users and jobs can use the Ciphertext Translate callable services. No other services can be used by any job on the system.

    RDEFINE  CSFSERV  CSFCTT*  UACC(NONE)
    RDEFINE  CSFSERV  CSFCTT%  UACC(NONE)
    RDEFINE  CSFSERV  *        UACC(NONE)

Give appropriate users (preferably groups) access to the profiles:

    PERMIT  profile-name  CLASS(CSFSERV) ID(groupid)  ACCESS(READ)

When the profiles are ready to be used, ask the security administrator to activate the CSFSERV class and refresh the in-storage RACF profiles:
```
SETROPTS RACLIST(CSFSERV) REFRESH
```
If you want to disable SAF authorization checking for the CSFRNG services to potentially improve application performance:
```
RDEF XFACILIT CSF.CSFSERV.AUTH.CSFRNG.DISABLE
SETROPTS RACLIST(XFACILIT) REFRESH
```
If you want to disable SAF authorization checking for the CSFOWH services to potentially improve application performance:
```
RDEF XFACILIT CSF.CSFSERV.AUTH.CSFOWH.DISABLE
SETROPTS RACLIST(XFACILIT) REFRESH
```