Setting up profiles in the CSFSERV general resource class
- Define appropriate profiles in the CSFSERV class:
RDEFINE CSFSERV profile-name UACC(NONE) other-optional-operands
Where profile-name is the profile that is used to protect the resource. Table 1 lists the resources that are used by ICSF and PKCS #11 callable services. Table 2 shows the resource names that are used by ICSF TSO panels, utilities, and compatibility services for PCF macros. To determine which services are used by PKCS #11 services, see 'Controlling access to tokens' in Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. For PKCS #11 services to execute, users must be SAF authorized to the CSFSERV profiles of the services they use.
Table 1. Resource names for ICSF callable services (footnote numbers in parentheses follow the resource name)

| Resource name | Callable service names | Callable service description |
|---|---|---|
| CSFAPG | CSNBAPG, CSNEAPG | Authentication Parameter Generate |
| CSFCKC | CSNBCKC, CSNECKC | CVV Key Combine |
| CSFCKI | CSNBCKI, CSNECKI | Clear Key Import |
| CSFCKM | CSNBCKM, CSNECKM | Multiple Clear Key Import |
| CSFCPA | CSNBCPA, CSNECPA | Clear PIN Generate Alternate |
| CSFCPE | CSNBCPE, CSNECPE | Clear PIN Encrypt |
| CSFCRC | CSFCRC, CSFCRC6 | Coordinated KDS Administration |
| CSFCSG | CSNBCSG, CSNECSG | VISA CVV Service Generate |
| CSFCSV | CSNBCSV, CSNECSV | VISA CVV Service Verify |
| CSFCTT2 | CSNBCTT2, CSNECTT2 | Ciphertext Translate2 |
| CSFCTT3 | CSNBCTT3, CSNECTT3 | Ciphertext Translate2 (with ALET) |
| CSFCVE | CSNBCVE, CSNECVE | Cryptographic Variable Encipher |
| CSFCVT | CSNBCVT, CSNECVT | Control Vector Translate |
| CSFDCM | CSNBDCM, CSNEDCM | Derive ICC MK |
| CSFDCO | CSNBDCO, CSNEDCO | Decode |
| CSFDEC | CSNBDEC, CSNEDEC | Decipher |
| CSFDEC1 | CSNBDEC1, CSNEDEC1 | Decipher (with ALET) |
| CSFDKG | CSNBDKG, CSNEDKG | Diversified Key Generate |
| CSFDKG2 | CSNBDKG2, CSNEDKG2 | Diversified Key Generate2 |
| CSFDKM | CSNBDKM, CSNEDKM | Data Key Import |
| CSFDKX | CSNBDKX, CSNEDKX | Data Key Export |
| CSFDMP | CSNBDMP, CSNEDMP | DK Migrate PIN |
| CSFDPC | CSNBDPC, CSNEDPC | DK PIN Change |
| CSFDPCG | CSNBDPCG, CSNEDPCG | DK PRW CMAC Generate |
| CSFDDPG | CSNBDDPG, CSNEDDPG | DK Deterministic PIN Generate |
| CSFDPMT | CSNBDPMT, CSNEDPMT | DK PAN Modify in Transaction |
| CSFDPNU | CSNBDPNU, CSNEDPNU | DK PRW Card Number Update |
| CSFDPT | CSNBDPT, CSNEDPT | DK PAN Translate |
| CSFDRP | CSNBDRP, CSNEDRP | DK Regenerate PRW |
| CSFDPV | CSNBDPV, CSNEDPV | DK PIN Verify |
| CSFDRPG | CSNBDRPG, CSNEDRPG | DK Random PIN Generate |
| CSFDSG | CSNDDSG, CSNFDSG, CSFPPS2, CSFPPS26 | Digital Signature Generate; PKCS #11 Private key structure sign |
| CSFDSK | CSNBDSK, CSNEDSK | Derive Session Key |
| CSFDSV | CSNDDSV, CSNFDSV, CSFPPV2, CSFPPV26 | Digital Signature Verify; PKCS #11 Public key structure verify |
| CSFEAC | CSNBEAC, CSNEEAC | EMV Transaction Service |
| CSFECO | CSNBECO, CSNEECO | Encode |
| CSFEDH | CSNDEDH, CSNFEDH | ECC Diffie-Hellman |
| CSFENC | CSNBENC, CSNEENC | Encipher |
| CSFENC1 | CSNBENC1, CSNEENC1 | Encipher (with ALET) |
| CSFEPG | CSNBEPG, CSNEEPG | Encrypted PIN Generate |
| CSFESC | CSNBESC, CSNEESC | EMV Scripting Service |
| CSFEVF | CSNBEVF, CSNEEVF | EMV Verification Functions |
| CSFFPED | CSNBFPED, CSNEFPED | FPE Decipher |
| CSFFPEE | CSNBFPEE, CSNEFPEE | FPE Encipher |
| CSFFPET | CSNBFPET, CSNEFPET | FPE Translate |
| CSFGIM | CSNBGIM, CSNEGIM | Generate Issuer MK |
| CSFHMG | CSNBHMG, CSNEHMG | HMAC Generate |
| CSFHMG1 | CSNBHMG1, CSNEHMG1 | HMAC Generate (with ALET) |
| CSFHMV | CSNBHMV, CSNEHMV | HMAC Verify |
| CSFHMV1 | CSNBHMV1, CSNEHMV1 | HMAC Verify (with ALET) |
| CSFIQA | CSFIQA, CSFIQA6 | ICSF Query Algorithm |
| CSFIQF | CSFIQF, CSFIQF6 | ICSF Query Facility |
| CSFKDSL (3) | CSFKDSL, CSFKDSL6 | Key Data Set List |
| CSFKDMR (3) | CSFKDMR, CSFKDMR6 | Key Data Set Metadata Read |
| CSFKDMW (3) | CSFKDMW, CSFKDMW6 | Key Data Set Metadata Write |
| CSFKDU (3, 4) | CSFKDU, CSFKDU6 | Key Dataset Update. It is recommended that this profile is defined with UACC(NONE). |
| CSFKET | CSNBKET, CSNEKET | Key Encryption Translate |
| CSFKEX | CSNBKEX, CSNEKEX | Key Export |
| CSFKGN | CSNBKGN, CSNEKGN | Key Generate |
| CSFKGN2 | CSNBKGN2, CSNEKGN2 | Key Generate2 |
| CSFKIM | CSNBKIM, CSNEKIM | Key Import |
| CSFKPI | CSNBKPI, CSNEKPI | Key Part Import |
| CSFKPI2 | CSNBKPI2, CSNEKPI2 | Key Part Import2 |
| CSFKRC | CSNBKRC, CSNEKRC | Key Record Create |
| CSFKRC2 | CSNBKRC2, CSNEKRC2 | Key Record Create2 |
| CSFKRD | CSNBKRD, CSNEKRD | Key Record Delete |
| CSFKRR | CSNBKRR, CSNEKRR | Key Record Read |
| CSFKRR2 | CSNBKRR2, CSNEKRR2 | Key Record Read2 |
| CSFKRW | CSNBKRW, CSNEKRW | Key Record Write |
| CSFKRW2 | CSNBKRW2, CSNEKRW2 | Key Record Write2 |
| CSFKTR | CSNBKTR, CSNEKTR | Key Translate |
| CSFKTR2 | CSNBKTR2, CSNEKTR2 | Key Translate2 |
| CSFKYT | CSNBKYT, CSNEKYT | Key Test |
| CSFKYT2 | CSNBKYT2, CSNEKYT2 | Key Test2 |
| CSFKYTX | CSNBKYTX, CSNEKYTX | Key Test Extended |
| CSFMDG | CSNBMDG, CSNEMDG | MDC Generate |
| CSFMDG1 | CSNBMDG1, CSNEMDG1 | MDC Generate (with ALET) |
| CSFMGN | CSNBMGN, CSNEMGN | MAC Generate |
| CSFMGN1 | CSNBMGN1, CSNEMGN1 | MAC Generate (with ALET) |
| CSFMGN2 | CSNBMGN2, CSNEMGN2 | MAC Generate2 |
| CSFMGN3 | CSNBMGN3, CSNEMGN3 | MAC Generate2 (with ALET) |
| CSFMPS | CSFMPS, CSFMPS6 | ICSF Multi-Purpose Service |
| CSFMVR | CSNBMVR, CSNEMVR | MAC Verify |
| CSFMVR1 | CSNBMVR1, CSNEMVR1 | MAC Verify (with ALET) |
| CSFMVR2 | CSNBMVR2, CSNEMVR2 | MAC Verify2 |
| CSFMVR3 | CSNBMVR3, CSNEMVR3 | MAC Verify2 (with ALET) |
| CSFOWH (1) | CSNBOWH, CSNEOWH, CSFPOWH, CSFPOWH6 | One-Way Hash Generate and PKCS #11 One-way hash, sign, or verify |
| CSFOWH1 (1) | CSNBOWH1, CSNEOWH1 | One-Way Hash Generate (with ALET) |
| CSFPCI | CSFPCI, CSFPCI6 | PCI Interface Callable Service |
| CSFPCU | CSNBPCU, CSNEPCU | PIN Change/Unblock |
| CSFPEX | CSNBPEX, CSNEPEX | Prohibit Export |
| CSFPEXX | CSNBPEXX, CSNEPEXX | Prohibit Export Extended |
| CSFPFO | CSNBPFO, CSNEPFO | Recover PIN From Offset |
| CSFPGN | CSNBPGN, CSNEPGN | Clear PIN Generate |
| CSFPKD | CSNDPKD, CSNFPKD, CSFPPD2, CSFPPD26 | PKA Decrypt; PKCS #11 Private key structure decrypt |
| CSFPKE | CSNDPKE, CSNFPKE, CSFPPE2, CSFPPE26 | PKA Encrypt; PKCS #11 Public key structure encrypt |
| CSFPKG | CSNDPKG, CSNFPKG | PKA Key Generate |
| CSFPKI | CSNDPKI, CSNFPKI | PKA Key Import |
| CSFPKRC | CSNDKRC, CSNFKRC | PKDS Record Create |
| CSFPKRD | CSNDKRD, CSNFKRD | PKDS Record Delete |
| CSFPKRR | CSNDKRR, CSNFKRR | PKDS Record Read |
| CSFPKRW | CSNDKRW, CSNFKRW | PKDS Record Write |
| CSFPKT | CSNDPKT, CSNFPKT | PKA Key Translate |
| CSFPKTC | CSNDKTC, CSNFKTC | PKA Key Token Change |
| CSFPKX | CSNDPKX, CSNFPKX | PKA Public Key Extract |
| CSFPRR2 | CSNDKRR2, CSNFKRR2 | PKDS Key Record Read2 |
| CSFPTR | CSNBPTR, CSNEPTR | Encrypted PIN Translate |
| CSFPTRE | CSNBPTRE, CSNEPTRE | Encrypted PIN Translate Enhanced |
| CSFPVR | CSNBPVR, CSNEPVR | Encrypted PIN Verify |
| CSFRKA | CSNBRKA, CSNERKA | Restrict Key Attribute |
| CSFRKD | CSNDRKD, CSNFRKD | Retained Key Delete |
| CSFRKL | CSNDRKL, CSNFRKL | Retained Key List |
| CSFRKX | CSNDRKX, CSNFRKX | Remote Key Export |
| CSFRNG (2) | CSNBRNG, CSNERNG, CSFPPRF, CSFPPRF6 | Random Number Generate (returning an 8-byte random number) and PKCS #11 Pseudo-random function |
| CSFRNGL (2) | CSNBRNGL, CSNERNGL | Random Number Generate (returning a random number of a length that is specified by the caller) |
| CSFRRT (3, 4) | CSFRRT, CSFRRT6 | Key Dataset Record Retrieve. It is recommended that this profile is defined with UACC(NONE) and that no user is given access, as it is for diagnostic purposes only. |
| CSFSAD | CSNBSAD, CSNESAD | Symmetric Algorithm Decipher |
| CSFSAD1 | CSNBSAD1, CSNESAD1 | Symmetric Algorithm Decipher (with ALET) |
| CSFSAE | CSNBSAE, CSNESAE | Symmetric Algorithm Encipher |
| CSFSAE1 | CSNBSAE1, CSNESAE1 | Symmetric Algorithm Encipher (with ALET) |
| CSFSBC | CSNDSBC, CSNFSBC | SET Block Compose |
| CSFSBD | CSNDSBD, CSNFSBD | SET Block Decompose |
| CSFSKI | CSNBSKI, CSNESKI | Secure Key Import |
| CSFSKI2 | CSNBSKI2, CSNESKI2 | Secure Key Import2 |
| CSFSKM | CSNBSKM, CSNESKM | Multiple Secure Key Import |
| CSFSKY | CSNBSKY, CSNESKY | Secure Messaging for Keys |
| CSFSPN | CSNBSPN, CSNESPN | Secure Messaging for PINs |
| CSFSXD | CSNDSXD, CSNFSXD | Symmetric Key Export with Data |
| CSFSYG | CSNDSYG, CSNFSYG | Symmetric Key Generate |
| CSFSYI | CSNDSYI, CSNFSYI | Symmetric Key Import |
| CSFSYI2 | CSNDSYI2, CSNFSYI2 | Symmetric Key Import2 |
| CSFSYX | CSNDSYX, CSNFSYX | Symmetric Key Export |
| CSFTBC | CSNDTBC, CSNFTBC | Trusted Block Create |
| CSFTRV | CSNBTRV, CSNETRV | Transaction Validation |
| CSFT31I | CSNBT31I, CSNET31I | TR-31 Import |
| CSFT31X | CSNBT31X, CSNET31X | TR-31 Export |
| CSFUKD | CSNBUKD, CSNEUKD | Unique Key Derive |
| CSFWRP | CSFWRP, CSFWRP6 | Key Token Wrap |
| CSF1DVK | CSFPDVK, CSFPDVK6 | PKCS #11 Derive key |
| CSF1DMK | CSFPDMK, CSFPDMK6 | PKCS #11 Derive multiple keys |
| CSF1HMG | CSFPHMG, CSFPHMG6 | PKCS #11 Generate MAC |
| CSF1GKP | CSFPGKP, CSFPGKP6 | PKCS #11 Generate key pair |
| CSF1GSK | CSFPGSK, CSFPGSK6 | PKCS #11 Generate secret key |
| CSF1GAV | CSFPGAV, CSFPGAV6 | PKCS #11 Get attribute value |
| CSF1PKS | CSFPPKS, CSFPPKS6 | PKCS #11 Private key sign |
| CSF1PKV | CSFPPKV, CSFPPKV6 | PKCS #11 Public key verify |
| CSF1SKD | CSFPSKD, CSFPSKD6 | PKCS #11 Secret key decrypt |
| CSF1SKE | CSFPSKE, CSFPSKE6 | PKCS #11 Secret key encrypt |
| CSF1SAV | CSFPSAV, CSFPSAV6 | PKCS #11 Set attribute value |
| CSF1TRC | CSFPTRC, CSFPTRC6 | PKCS #11 Token record create |
| CSF1TRD | CSFPTRD, CSFPTRD6 | PKCS #11 Token record delete |
| CSF1TRL | CSFPTRL, CSFPTRL6 | PKCS #11 Token record list |
| CSF1UWK | CSFPUWK, CSFPUWK6 | PKCS #11 Unwrap key |
| CSF1HMV | CSFPHMV, CSFPHMV6 | PKCS #11 Verify MAC |
| CSF1WPK | CSFPWPK, CSFPWPK6 | PKCS #11 Wrap key |

Footnotes to Table 1:
(1) If the CSF.CSFSERV.AUTH.CSFOWH.DISABLE resource is defined within the XFACILIT class, the SAF authorization check is disabled for this resource. Disabling the SAF check might improve the performance of your applications.
(2) If the CSF.CSFSERV.AUTH.CSFRNG.DISABLE resource is defined within the XFACILIT class, the SAF authorization check is disabled for this resource. Disabling the SAF check might improve the performance of your applications.
(3) These services do not perform SAF authorization checks against key labels or handles (SAF classes CSFKEYS and CRYPTOZ). Therefore, any user ID that is permitted to use these services is able to access any KDS record. The level of access (read or update) depends on the operation of the service.
(4) Access to these services is denied if there is no covering profile in the CSFSERV class.
Table 2. Resource names for ICSF TSO panels, utilities, and compatibility services for PCF macros

| Resource name | Utility and callable service description |
|---|---|
| CSFCMK | Change master key utility, including the panel for a local change master key, the Coordinated KDS Administration service, and CSFEUTIL. |
| CSFCONV | PCF CKDS to ICSF CKDS conversion utility |
| CSFCRC | Coordinated KDS Administration |
| CSFDKCS | Master key entry utility |
| CSFEDC | Compatibility service for the PCF CIPHER macro |
| CSFEMK | Compatibility service for the PCF EMK macro |
| CSFGKC | Compatibility service for the PCF GENKEY macro |
| CSFGKF | Generate key fingerprint. Required by KGUP if key lifecycle auditing is enabled. |
| CSFKGUP | Key generation utility program |
| CSFOPKL | Operational key load |
| CSFPCAD | Cryptographic processors management (activate/deactivate) |
| CSFPKDR | PKDS reencipher and PKDS refresh utilities |
| CSFPMCI | Pass phrase master key/KDS initialization utility |
| CSFREFR | Refresh CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS). |
| CSFRENC | Reencipher CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS). |
| CSFRSWS | Administrative control functions utility (ENABLE) |
| CSFRWP | CKDS Conversion2 - rewrap option. |
| CSFRTC | Compatibility service for the CUSP or PCF RETKEY macro |
| CSFSMK | Set master key utility |
| CSFSSWS | Administrative control functions utility (DISABLE) |
| CSFUDM | User Defined Extensions (UDX) management functions |

Note:
- As with any RACF general resource profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
- If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
- You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
- If the security administrator has activated generic profile checking for the CSFSERV class, you can create generic profiles that use the generic characters * and %. This is the same as with any RACF general resource class.
For example, if generic profile checking is in effect, these profiles enable you to specify which users and jobs can use the Ciphertext Translate callable services. No other services can be used by any job on the system.
RDEFINE CSFSERV CSFCTT* UACC(NONE)
RDEFINE CSFSERV CSFCTT% UACC(NONE)
RDEFINE CSFSERV * UACC(NONE)
- Give appropriate users (preferably groups) access to the profiles:
PERMIT profile-name CLASS(CSFSERV) ID(groupid) ACCESS(READ)
- When the profiles are ready to be used, ask the security administrator to activate the CSFSERV class and refresh the in-storage RACF profiles:
SETROPTS RACLIST(CSFSERV) REFRESH
- If you want to disable SAF authorization checking for the CSFRNG services to potentially improve application performance:
RDEF XFACILIT CSF.CSFSERV.AUTH.CSFRNG.DISABLE
SETROPTS RACLIST(XFACILIT) REFRESH
- If you want to disable SAF authorization checking for the CSFOWH services to potentially improve application performance:
RDEF XFACILIT CSF.CSFSERV.AUTH.CSFOWH.DISABLE
SETROPTS RACLIST(XFACILIT) REFRESH
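As an added example (not IBM code and not from this page), the following Python models the access decisions the steps above produce: generic-profile coverage for the CSFCTT*, CSFCTT% and * example, the footnote 4 rule that CSFKDU and CSFRRT are denied when no CSFSERV profile covers them, and the XFACILIT switches that turn the SAF check off for CSFOWH and CSFRNG. The matching and ordering rules are a simplified model of RACF generic matching (assumed, valid for CSFSERV names without periods), an uncovered resource is assumed to be treated as unprotected for all other services, and the group name CRYPTAPP is constructed.

```python
import re

# Footnote 4 services: denied outright when no CSFSERV profile covers them.
DENY_IF_UNCOVERED = {"CSFKDU", "CSFRRT"}
# Footnotes 1 and 2: XFACILIT resources that switch the SAF check off.
DISABLE_SWITCH = {"CSFOWH": "CSF.CSFSERV.AUTH.CSFOWH.DISABLE",
                  "CSFRNG": "CSF.CSFSERV.AUTH.CSFRNG.DISABLE"}

def profile_matches(profile, resource):
    """Simplified RACF generic matching for CSFSERV names (no periods):
    '%' matches exactly one character, '*' matches zero or more."""
    pattern = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c)
                      for c in profile)
    return re.fullmatch(pattern, resource) is not None

def best_profile(profiles, resource):
    """Most specific covering profile: comparing position by position, a literal
    character beats '%', which beats '*' (assumed model of RACF's ordering)."""
    rank = {"%": 1, "*": 2}
    matches = [p for p in profiles if profile_matches(p, resource)]
    return min(matches, key=lambda p: [rank.get(c, 0) for c in p]) if matches else None

def check_access(resource, profiles, group, xfacilit=()):
    """Return (allowed, reason) for one CSFSERV resource and one permitted ID.
    profiles maps profile name -> {"uacc": access, "permits": {id: access}}.
    An uncovered resource is treated as unprotected, except footnote 4 services."""
    if DISABLE_SWITCH.get(resource) in xfacilit:
        return True, "SAF check disabled via XFACILIT"
    covering = best_profile(profiles, resource)
    if covering is None:
        if resource in DENY_IF_UNCOVERED:
            return False, "no covering profile (footnote 4 service)"
        return True, "no covering profile (resource unprotected)"
    prof = profiles[covering]
    level = prof["permits"].get(group, prof["uacc"])   # explicit permit, else UACC
    return level != "NONE", f"{covering} grants {level}"

# Constructed scenario: the page's generic profiles, with a hypothetical group
# CRYPTAPP permitted READ on the Ciphertext Translate profiles only.
PROFILES = {
    "CSFCTT*": {"uacc": "NONE", "permits": {"CRYPTAPP": "READ"}},
    "CSFCTT%": {"uacc": "NONE", "permits": {"CRYPTAPP": "READ"}},
    "*": {"uacc": "NONE", "permits": {}},
}

if __name__ == "__main__":
    for res, grp in [("CSFCTT2", "CRYPTAPP"), ("CSFENC", "CRYPTAPP"), ("CSFRRT", "CRYPTAPP")]:
        print(res, grp, check_access(res, PROFILES, grp))
```

Running it shows that the catch-all * profile with UACC(NONE) also closes the footnote 4 services, which would otherwise be denied only because no profile covers them.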