Setting up profiles in the CSFSERV general resource class

To set up profiles in the CSFSERV general resource class, take these steps.
Note: If no CSFSERV profile covers a service, access to that service is granted (except for the services marked with footnote 4 in Table 1, which are denied when no covering profile exists). To deny access by default, create a global generic profile that covers every service and then permit specific services explicitly.
  1. Define appropriate profiles in the CSFSERV class:
        RDEFINE  CSFSERV profile-name  UACC(NONE)
                 other-optional-operands
    Where profile-name is the name of the profile that protects the resource. Table 1 lists the resource names that are used by ICSF and PKCS #11 callable services. Table 2 lists the resource names that are used by ICSF TSO panels, utilities, and compatibility services for PCF macros.

    To determine which services are used by PKCS #11 services, see 'Controlling access to tokens' in Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. For PKCS #11 services to execute, users must be SAF-authorized to the CSFSERV profiles of the services that they use.

    Table 1. Resource names for ICSF callable services
    Resource name  Callable service names               Callable service description
    CSFAPG         CSNBAPG, CSNEAPG                     Authentication Parameter Generate
    CSFCKC         CSNBCKC, CSNECKC                     CVV Key Combine
    CSFCKI         CSNBCKI, CSNECKI                     Clear Key Import
    CSFCKM         CSNBCKM, CSNECKM                     Multiple Clear Key Import
    CSFCPA         CSNBCPA, CSNECPA                     Clear PIN Generate Alternate
    CSFCPE         CSNBCPE, CSNECPE                     Clear PIN Encrypt
    CSFCRC         CSFCRC, CSFCRC6                      Coordinated KDS Administration
    CSFCSG         CSNBCSG, CSNECSG                     VISA CVV Service Generate
    CSFCSV         CSNBCSV, CSNECSV                     VISA CVV Service Verify
    CSFCTT2        CSNBCTT2, CSNECTT2                   Ciphertext Translate2
    CSFCTT3        CSNBCTT3, CSNECTT3                   Ciphertext Translate2 (with ALET)
    CSFCVE         CSNBCVE, CSNECVE                     Cryptographic Variable Encipher
    CSFCVT         CSNBCVT, CSNECVT                     Control Vector Translate
    CSFDCM         CSNBDCM, CSNEDCM                     Derive ICC MK
    CSFDCO         CSNBDCO, CSNEDCO                     Decode
    CSFDEC         CSNBDEC, CSNEDEC                     Decipher
    CSFDEC1        CSNBDEC1, CSNEDEC1                   Decipher (with ALET)
    CSFDKG         CSNBDKG, CSNEDKG                     Diversified Key Generate
    CSFDKG2        CSNBDKG2, CSNEDKG2                   Diversified Key Generate2
    CSFDKM         CSNBDKM, CSNEDKM                     Data Key Import
    CSFDKX         CSNBDKX, CSNEDKX                     Data Key Export
    CSFDMP         CSNBDMP, CSNEDMP                     DK Migrate PIN
    CSFDPC         CSNBDPC, CSNEDPC                     DK PIN Change
    CSFDPCG        CSNBDPCG, CSNEDPCG                   DK PRW CMAC Generate
    CSFDDPG        CSNBDDPG, CSNEDDPG                   DK Deterministic PIN Generate
    CSFDPMT        CSNBDPMT, CSNEDPMT                   DK PAN Modify in Transaction
    CSFDPNU        CSNBDPNU, CSNEDPNU                   DK PRW Card Number Update
    CSFDPT         CSNBDPT, CSNEDPT                     DK PAN Translate
    CSFDRP         CSNBDRP, CSNEDRP                     DK Regenerate PRW
    CSFDPV         CSNBDPV, CSNEDPV                     DK PIN Verify
    CSFDRPG        CSNBDRPG, CSNEDRPG                   DK Random PIN Generate
    CSFDSG         CSNDDSG, CSNFDSG, CSFPPS2, CSFPPS26  Digital Signature Generate; PKCS #11 Private key structure sign
    CSFDSK         CSNBDSK, CSNEDSK                     Derive Session Key
    CSFDSV         CSNDDSV, CSNFDSV, CSFPPV2, CSFPPV26  Digital Signature Verify; PKCS #11 Public key structure verify
    CSFEAC         CSNBEAC, CSNEEAC                     EMV Transaction Service
    CSFECO         CSNBECO, CSNEECO                     Encode
    CSFEDH         CSNDEDH, CSNFEDH                     ECC Diffie-Hellman
    CSFENC         CSNBENC, CSNEENC                     Encipher
    CSFENC1        CSNBENC1, CSNEENC1                   Encipher (with ALET)
    CSFEPG         CSNBEPG, CSNEEPG                     Encrypted PIN Generate
    CSFESC         CSNBESC, CSNEESC                     EMV Scripting Service
    CSFEVF         CSNBEVF, CSNEEVF                     EMV Verification Functions
    CSFFPED        CSNBFPED, CSNEFPED                   FPE Decipher
    CSFFPEE        CSNBFPEE, CSNEFPEE                   FPE Encipher
    CSFFPET        CSNBFPET, CSNEFPET                   FPE Translate
    CSFGIM         CSNBGIM, CSNEGIM                     Generate Issuer MK
    CSFHMG         CSNBHMG, CSNEHMG                     HMAC Generate
    CSFHMG1        CSNBHMG1, CSNEHMG1                   HMAC Generate (with ALET)
    CSFHMV         CSNBHMV, CSNEHMV                     HMAC Verify
    CSFHMV1        CSNBHMV1, CSNEHMV1                   HMAC Verify (with ALET)
    CSFIQA         CSFIQA, CSFIQA6                      ICSF Query Algorithm
    CSFIQF         CSFIQF, CSFIQF6                      ICSF Query Facility
    CSFKDSL (3)    CSFKDSL, CSFKDSL6                    Key Data Set List
    CSFKDMR (3)    CSFKDMR, CSFKDMR6                    Key Data Set Metadata Read
    CSFKDMW (3)    CSFKDMW, CSFKDMW6                    Key Data Set Metadata Write
    CSFKDU (3, 4)  CSFKDU, CSFKDU6                      Key Dataset Update. It is recommended that this profile is defined with UACC(NONE).
    CSFKET         CSNBKET, CSNEKET                     Key Encryption Translate
    CSFKEX         CSNBKEX, CSNEKEX                     Key Export
    CSFKGN         CSNBKGN, CSNEKGN                     Key Generate
    CSFKGN2        CSNBKGN2, CSNEKGN2                   Key Generate2
    CSFKIM         CSNBKIM, CSNEKIM                     Key Import
    CSFKPI         CSNBKPI, CSNEKPI                     Key Part Import
    CSFKPI2        CSNBKPI2, CSNEKPI2                   Key Part Import2
    CSFKRC         CSNBKRC, CSNEKRC                     Key Record Create
    CSFKRC2        CSNBKRC2, CSNEKRC2                   Key Record Create2
    CSFKRD         CSNBKRD, CSNEKRD                     Key Record Delete
    CSFKRR         CSNBKRR, CSNEKRR                     Key Record Read
    CSFKRR2        CSNBKRR2, CSNEKRR2                   Key Record Read2
    CSFKRW         CSNBKRW, CSNEKRW                     Key Record Write
    CSFKRW2        CSNBKRW2, CSNEKRW2                   Key Record Write2
    CSFKTR         CSNBKTR, CSNEKTR                     Key Translate
    CSFKTR2        CSNBKTR2, CSNEKTR2                   Key Translate2
    CSFKYT         CSNBKYT, CSNEKYT                     Key Test
    CSFKYT2        CSNBKYT2, CSNEKYT2                   Key Test2
    CSFKYTX        CSNBKYTX, CSNEKYTX                   Key Test Extended
    CSFMDG         CSNBMDG, CSNEMDG                     MDC Generate
    CSFMDG1        CSNBMDG1, CSNEMDG1                   MDC Generate (with ALET)
    CSFMGN         CSNBMGN, CSNEMGN                     MAC Generate
    CSFMGN1        CSNBMGN1, CSNEMGN1                   MAC Generate (with ALET)
    CSFMGN2        CSNBMGN2, CSNEMGN2                   MAC Generate2
    CSFMGN3        CSNBMGN3, CSNEMGN3                   MAC Generate2 (with ALET)
    CSFMPS         CSFMPS, CSFMPS6                      ICSF Multi-Purpose Service
    CSFMVR         CSNBMVR, CSNEMVR                     MAC Verify
    CSFMVR1        CSNBMVR1, CSNEMVR1                   MAC Verify (with ALET)
    CSFMVR2        CSNBMVR2, CSNEMVR2                   MAC Verify2
    CSFMVR3        CSNBMVR3, CSNEMVR3                   MAC Verify2 (with ALET)
    CSFOWH (1)     CSNBOWH, CSNEOWH, CSFPOWH, CSFPOWH6  One-Way Hash Generate and PKCS #11 One-way hash, sign, or verify
    CSFOWH1 (1)    CSNBOWH1, CSNEOWH1                   One-Way Hash Generate (with ALET)
    CSFPCI         CSFPCI, CSFPCI6                      PCI Interface Callable Service
    CSFPCU         CSNBPCU, CSNEPCU                     PIN Change/Unblock
    CSFPEX         CSNBPEX, CSNEPEX                     Prohibit Export
    CSFPEXX        CSNBPEXX, CSNEPEXX                   Prohibit Export Extended
    CSFPFO         CSNBPFO, CSNEPFO                     Recover PIN From Offset
    CSFPGN         CSNBPGN, CSNEPGN                     Clear PIN Generate
    CSFPKD         CSNDPKD, CSNFPKD, CSFPPD2, CSFPPD26  PKA Decrypt; PKCS #11 Private key structure decrypt
    CSFPKE         CSNDPKE, CSNFPKE, CSFPPE2, CSFPPE26  PKA Encrypt; PKCS #11 Public key structure encrypt
    CSFPKG         CSNDPKG, CSNFPKG                     PKA Key Generate
    CSFPKI         CSNDPKI, CSNFPKI                     PKA Key Import
    CSFPKRC        CSNDKRC, CSNFKRC                     PKDS Record Create
    CSFPKRD        CSNDKRD, CSNFKRD                     PKDS Record Delete
    CSFPKRR        CSNDKRR, CSNFKRR                     PKDS Record Read
    CSFPKRW        CSNDKRW, CSNFKRW                     PKDS Record Write
    CSFPKT         CSNDPKT, CSNFPKT                     PKA Key Translate
    CSFPKTC        CSNDKTC, CSNFKTC                     PKA Key Token Change
    CSFPKX         CSNDPKX, CSNFPKX                     PKA Public Key Extract
    CSFPRR2        CSNDKRR2, CSNFKRR2                   PKDS Key Record Read2
    CSFPTR         CSNBPTR, CSNEPTR                     Encrypted PIN Translate
    CSFPTRE        CSNBPTRE, CSNEPTRE                   Encrypted PIN Translate Enhanced
    CSFPVR         CSNBPVR, CSNEPVR                     Encrypted PIN Verify
    CSFRKA         CSNBRKA, CSNERKA                     Restrict Key Attribute
    CSFRKD         CSNDRKD, CSNFRKD                     Retained Key Delete
    CSFRKL         CSNDRKL, CSNFRKL                     Retained Key List
    CSFRKX         CSNDRKX, CSNFRKX                     Remote Key Export
    CSFRNG (2)     CSNBRNG, CSNERNG, CSFPPRF, CSFPPRF6  Random Number Generate (returning an 8-byte random number) and PKCS #11 Pseudo-random function
    CSFRNGL (2)    CSNBRNGL, CSNERNGL                   Random Number Generate (returning a random number of a length that is specified by the caller)
    CSFRRT (3, 4)  CSFRRT, CSFRRT6                      Key Dataset Record Retrieve. It is recommended that this profile is defined with UACC(NONE) and that no user is given access, as it is for diagnostic purposes only.
    CSFSAD         CSNBSAD, CSNESAD                     Symmetric Algorithm Decipher
    CSFSAD1        CSNBSAD1, CSNESAD1                   Symmetric Algorithm Decipher (with ALET)
    CSFSAE         CSNBSAE, CSNESAE                     Symmetric Algorithm Encipher
    CSFSAE1        CSNBSAE1, CSNESAE1                   Symmetric Algorithm Encipher (with ALET)
    CSFSBC         CSNDSBC, CSNFSBC                     SET Block Compose
    CSFSBD         CSNDSBD, CSNFSBD                     SET Block Decompose
    CSFSKI         CSNBSKI, CSNESKI                     Secure Key Import
    CSFSKI2        CSNBSKI2, CSNESKI2                   Secure Key Import2
    CSFSKM         CSNBSKM, CSNESKM                     Multiple Secure Key Import
    CSFSKY         CSNBSKY, CSNESKY                     Secure Messaging for Keys
    CSFSPN         CSNBSPN, CSNESPN                     Secure Messaging for PINs
    CSFSXD         CSNDSXD, CSNFSXD                     Symmetric Key Export with Data
    CSFSYG         CSNDSYG, CSNFSYG                     Symmetric Key Generate
    CSFSYI         CSNDSYI, CSNFSYI                     Symmetric Key Import
    CSFSYI2        CSNDSYI2, CSNFSYI2                   Symmetric Key Import2
    CSFSYX         CSNDSYX, CSNFSYX                     Symmetric Key Export
    CSFTBC         CSNDTBC, CSNFTBC                     Trusted Block Create
    CSFTRV         CSNBTRV, CSNETRV                     Transaction Validation
    CSFT31I        CSNBT31I, CSNET31I                   TR-31 Import
    CSFT31X        CSNBT31X, CSNET31X                   TR-31 Export
    CSFUKD         CSNBUKD, CSNEUKD                     Unique Key Derive
    CSFWRP         CSFWRP, CSFWRP6                      Key Token Wrap
    CSF1DVK        CSFPDVK, CSFPDVK6                    PKCS #11 Derive key
    CSF1DMK        CSFPDMK, CSFPDMK6                    PKCS #11 Derive multiple keys
    CSF1HMG        CSFPHMG, CSFPHMG6                    PKCS #11 Generate MAC
    CSF1GKP        CSFPGKP, CSFPGKP6                    PKCS #11 Generate key pair
    CSF1GSK        CSFPGSK, CSFPGSK6                    PKCS #11 Generate secret key
    CSF1GAV        CSFPGAV, CSFPGAV6                    PKCS #11 Get attribute value
    CSF1PKS        CSFPPKS, CSFPPKS6                    PKCS #11 Private key sign
    CSF1PKV        CSFPPKV, CSFPPKV6                    PKCS #11 Public key verify
    CSF1SKD        CSFPSKD, CSFPSKD6                    PKCS #11 Secret key decrypt
    CSF1SKE        CSFPSKE, CSFPSKE6                    PKCS #11 Secret key encrypt
    CSF1SAV        CSFPSAV, CSFPSAV6                    PKCS #11 Set attribute value
    CSF1TRC        CSFPTRC, CSFPTRC6                    PKCS #11 Token record create
    CSF1TRD        CSFPTRD, CSFPTRD6                    PKCS #11 Token record delete
    CSF1TRL        CSFPTRL, CSFPTRL6                    PKCS #11 Token record list
    CSF1UWK        CSFPUWK, CSFPUWK6                    PKCS #11 Unwrap key
    CSF1HMV        CSFPHMV, CSFPHMV6                    PKCS #11 Verify MAC
    CSF1WPK        CSFPWPK, CSFPWPK6                    PKCS #11 Wrap key

    (1) If the CSF.CSFSERV.AUTH.CSFOWH.DISABLE resource is defined in the XFACILIT class, the SAF authorization check is disabled for this resource. Disabling the SAF check might improve the performance of your applications.

    (2) If the CSF.CSFSERV.AUTH.CSFRNG.DISABLE resource is defined in the XFACILIT class, the SAF authorization check is disabled for this resource. Disabling the SAF check might improve the performance of your applications.

    (3) These services do not perform SAF authorization checks against key labels or handles (SAF classes CSFKEYS and CRYPTOZ). Therefore, any user ID that is permitted to use these services is able to access any KDS record. The level of access (read or update) depends on the operation of the service.

    (4) Access to these services is denied if there is no covering profile in the CSFSERV class.

    Table 2. Resource names for ICSF TSO panels, utilities, and compatibility services for PCF macros
    Resource name  Utility and callable service description
    CSFCMK         Change master key utility, including the panel for a local change master key, the Coordinated KDS Administration service, and CSFEUTIL.
    CSFCONV        PCF CKDS to ICSF CKDS conversion utility
    CSFCRC         Coordinated KDS Administration
    CSFDKCS        Master key entry utility
    CSFEDC         Compatibility service for the PCF CIPHER macro
    CSFEMK         Compatibility service for the PCF EMK macro
    CSFGKC         Compatibility service for the PCF GENKEY macro
    CSFGKF         Generate key fingerprint. Required by KGUP if key lifecycle auditing is enabled.
    CSFKGUP        Key generation utility program
    CSFOPKL        Operational key load
    CSFPCAD        Cryptographic processors management (activate/deactivate)
    CSFPKDR        PKDS reencipher and PKDS refresh utilities
    CSFPMCI        Pass phrase master key/KDS initialization utility
    CSFREFR        Refresh CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS).
    CSFRENC        Reencipher CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS).
    CSFRSWS        Administrative control functions utility (ENABLE)
    CSFRWP         CKDS Conversion2 - rewrap option.
    CSFRTC         Compatibility service for the CUSP or PCF RETKEY macro
    CSFSMK         Set master key utility
    CSFSSWS        Administrative control functions utility (DISABLE)
    CSFUDM         User Defined Extensions (UDX) management functions
    Note:
    1. As with any RACF general resource profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
    2. If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
    3. You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
    4. If the security administrator has activated generic profile checking for the CSFSERV class, you can create generic profiles that use the generic characters * and %, as with any RACF general resource class.
    For example, if generic profile checking is in effect, these profiles let you specify (through PERMIT) which users and jobs can use the Ciphertext Translate callable services, while the generic * profile with UACC(NONE) prevents any job on the system from using any other service:
        RDEFINE  CSFSERV  CSFCTT*  UACC(NONE)
        RDEFINE  CSFSERV  CSFCTT%  UACC(NONE)
        RDEFINE  CSFSERV  *        UACC(NONE)
  2. Give appropriate users (preferably groups) access to the profiles:
        PERMIT  profile-name  CLASS(CSFSERV) ID(groupid)  ACCESS(READ)
  3. When the profiles are ready to be used, ask the security administrator to activate the CSFSERV class and refresh the in-storage RACF profiles:
        SETROPTS RACLIST(CSFSERV) REFRESH
  4. If you want to disable SAF authorization checking for the CSFRNG services to potentially improve application performance:
        RDEF XFACILIT CSF.CSFSERV.AUTH.CSFRNG.DISABLE
        SETROPTS RACLIST(XFACILIT) REFRESH
  5. If you want to disable SAF authorization checking for the CSFOWH services to potentially improve application performance:
        RDEF XFACILIT CSF.CSFSERV.AUTH.CSFOWH.DISABLE
        SETROPTS RACLIST(XFACILIT) REFRESH
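The steps above combined into one TSO CLIST for a hypothetical installation, as an added example that is not from the IBM documentation: it closes the class with a generic * profile, opens only the services an application needs, and keeps the footnote 3 and 4 services restricted and audited. The group names PAYAPP and CRYPADM and the choice of services are assumptions.

```clist
/* Added example, not from the IBM documentation. Group names PAYAPP  */
/* and CRYPADM and the service selection are assumptions.             */

/* Step 1: generic catch-all profile, so that a service without a     */
/* more specific profile is denied instead of allowed by default.     */
SETROPTS GENERIC(CSFSERV)
RDEFINE  CSFSERV  *        UACC(NONE)

/* Step 1: discrete profiles for the symmetric data services that the */
/* application needs (Encipher, Decipher, Key Record Read).           */
RDEFINE  CSFSERV  CSFENC   UACC(NONE)
RDEFINE  CSFSERV  CSFDEC   UACC(NONE)
RDEFINE  CSFSERV  CSFKRR   UACC(NONE)

/* Step 1: KDS metadata services (footnote 3) bypass the CSFKEYS and  */
/* CRYPTOZ label checks, so every successful use is audited.          */
RDEFINE  CSFSERV  CSFKDSL  UACC(NONE) AUDIT(ALL(READ))
RDEFINE  CSFSERV  CSFKDMR  UACC(NONE) AUDIT(ALL(READ))
RDEFINE  CSFSERV  CSFKDMW  UACC(NONE) AUDIT(ALL(READ))
RDEFINE  CSFSERV  CSFKDU   UACC(NONE) AUDIT(ALL(READ))

/* Step 1: diagnostic record retrieve (footnotes 3 and 4): defined so */
/* that it is covered, audited, and deliberately permitted to nobody. */
RDEFINE  CSFSERV  CSFRRT   UACC(NONE) AUDIT(ALL(READ))

/* Step 2: grant access to groups rather than to individual user IDs. */
PERMIT   CSFENC   CLASS(CSFSERV) ID(PAYAPP)  ACCESS(READ)
PERMIT   CSFDEC   CLASS(CSFSERV) ID(PAYAPP)  ACCESS(READ)
PERMIT   CSFKRR   CLASS(CSFSERV) ID(PAYAPP)  ACCESS(READ)
PERMIT   CSFKDSL  CLASS(CSFSERV) ID(CRYPADM) ACCESS(READ)
PERMIT   CSFKDMR  CLASS(CSFSERV) ID(CRYPADM) ACCESS(READ)
PERMIT   CSFKDMW  CLASS(CSFSERV) ID(CRYPADM) ACCESS(READ)
PERMIT   CSFKDU   CLASS(CSFSERV) ID(CRYPADM) ACCESS(READ)

/* Step 3: activate the class, then refresh the in-storage profiles.  */
SETROPTS CLASSACT(CSFSERV) RACLIST(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH
```

Steps 4 and 5 (the XFACILIT DISABLE resources) are intentionally not issued here: leaving the SAF check in place for CSFRNG and CSFOWH keeps those calls subject to the CSFSERV profiles and their auditing.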