Setting up profiles in the CSFSERV general resource class

To set up profiles in the CSFSERV general resource class, take these steps.
Note: The CSFSERV class grants access to the service if there is no profile. You can create a global generic profile to restrict access.
  1. Define appropriate profiles in the CSFSERV class:
        RDEFINE  CSFSERV profile-name  UACC(NONE)
                 other-optional-operands
    Where profile-name is the profile that is used to protect the resource. 'Resource names for CCA and ICSF entry points' lists the resources that are used by ICSF and PKCS #11 callable services. Table 1 shows the resource names that are used by ICSF TSO panels, utilities, and compatibility services for PCF macros.

    To determine which services are used by PKCS #11 services, see 'Controlling access to tokens' in Chapter 1 of z/OS Cryptographic Services ICSF Writing PKCS #11 Applications. Users must be SAF authorized to the CSFSERV profiles for those services before the PKCS #11 services can execute.

    Notes:
    • If the CSF.CSFSERV.AUTH.CSFOWH.DISABLE resource is defined within the XFACILIT class, the SAF authorization check is disabled for CSNBOWH and CSNBOWH1 (One Way Hash). Disabling the SAF check might improve the performance of your applications.
    • If the CSF.CSFSERV.AUTH.CSFRNG.DISABLE resource is defined within the XFACILIT class, the SAF authorization check is disabled for CSNBRNG (Random Number Generate) and CSNBRNGL (Random Number Generate Long). Disabling the SAF check might improve the performance of your application.
    • These services do not perform SAF authorization checks against key labels or handles (SAF classes CSFKEYS and CRYPTOZ). Therefore, any user ID that is permitted to use these services is able to access any KDS record. The level of access (read or update) depends on the operation of the service:
      • CSFKDSL (Key Data Set List)
      • CSFKDMR (Key Data Set Metadata Read)
      • CSFKDMW (Key Data Set Metadata Write)
      • CSFKDU (Key Dataset Update)
      • CSFRRT (Key Dataset Record Retrieve)
      It is recommended that this profile is defined with UACC(NONE) and that no user is given access as it is for diagnostic purposes only.
    • Access to these services is denied if there is no covering profile in the CSFSERV class:
      • CSFKDU (Key Dataset Update)
      • CSFRRT (Key Dataset Record Retrieve)
      It is recommended that this profile is defined with UACC(NONE) and that no user is given access as it is for diagnostic purposes only.
    Table 1. Resource names for ICSF TSO panels, utilities, and compatibility services for PCF macros
    Resource Name  Utility and Callable Service Description
    CSFBRCK        CKDS KEYS.
    CSFBRPK        PKDS KEYS.
    CSFBRTK        PKCS11 TOKEN.
    CSFCMK         Change master key utility, including the panel for a local change master key, the Coordinated KDS Administration service, and CSFEUTIL.
    CSFCONV        PCF CKDS to ICSF CKDS conversion utility.
    CSFCRC         Coordinated KDS Administration.
    CSFDKCS        Master key entry utility.
    CSFEDC         Compatibility service for the PCF CIPHER macro.
    CSFEMK         Compatibility service for the PCF EMK macro.
    CSFGKC         Compatibility service for the PCF GENKEY macro.
    CSFGKF         Generate key fingerprint. Required by KGUP if key lifecycle auditing is enabled.
    CSFKGUP        Key generation utility program.
    CSFOPKL        Operational key load.
    CSFPCAD        Cryptographic processors management (activate/deactivate).
    CSFPMCI        Pass phrase master key/KDS initialization utility.
    CSFREFR        Refresh CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS).
    CSFRENC        Reencipher CKDS or PKDS utility, including the panels for a local refresh, the Coordinated KDS Administration service, and CSFEUTIL (CKDS) and CSFPUTIL (PKDS).
    CSFRSWS        Administrative control functions utility (ENABLE).
    CSFRWP         CKDS Conversion2 - rewrap option.
    CSFRTC         Compatibility service for the CUSP or PCF RETKEY macro.
    CSFSMK         Set master key utility.
    CSFSSWS        Administrative control functions utility (DISABLE).
    CSFUDM         User Defined Extensions (UDX) management functions.
    Note:
    1. As with any RACF general resource profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
    2. If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
    3. You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
    4. If the security administrator has activated generic profile checking for the CSFSERV class, you can create generic profiles that use the generic characters * and %. This is the same as with any RACF general resource class.
    For example, if generic profile checking is in effect, these profiles enable you to specify which users and jobs can use the Ciphertext Translate callable services. No other services can be used by any job on the system.
        RDEFINE  CSFSERV  CSFCTT*  UACC(NONE)
        RDEFINE  CSFSERV  CSFCTT%  UACC(NONE)
        RDEFINE  CSFSERV  *        UACC(NONE)             
  2. Give appropriate users (preferably groups) access to the profiles:
        PERMIT  profile-name  CLASS(CSFSERV) ID(groupid)  ACCESS(READ)
  3. When the profiles are ready to be used, ask the security administrator to activate the CSFSERV class and refresh the in-storage RACF profiles:
    SETROPTS RACLIST(CSFSERV) REFRESH
  4. If you want to disable SAF authorization checking for the CSFRNG services to potentially improve application performance:
    RDEF XFACILIT CSF.CSFSERV.AUTH.CSFRNG.DISABLE
    SETROPTS RACLIST(XFACILIT) REFRESH
  5. If you want to disable SAF authorization checking for the CSFOWH services to potentially improve application performance:
    RDEF XFACILIT CSF.CSFSERV.AUTH.CSFOWH.DISABLE
    SETROPTS RACLIST(XFACILIT) REFRESH
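
The access decision described in this topic (no covering profile grants access, except for CSFKDU and CSFRRT; otherwise the covering profile's access list and UACC decide), as an added Python model for reviewing a planned set of CSFSERV profiles. It is not IBM code. The generic-matching and most-specific-profile rules are simplified assumptions, and CRYPTGRP, USER1, CSFCTT2 and CSFENC are constructed sample values.

```python
from dataclasses import dataclass, field

# Per this topic: these two services are denied when no CSFSERV profile covers them.
DENY_IF_UNCOVERED = {"CSFKDU", "CSFRRT"}

@dataclass
class Profile:
    name: str                                    # may contain generic characters * and %
    uacc: str = "NONE"
    permits: dict = field(default_factory=dict)  # ID -> access level (PERMIT entries)

def matches(pattern, resource):
    # Assumed generic rules: % is exactly one character, a trailing * is zero or more.
    head, trailing = (pattern[:-1], True) if pattern.endswith("*") else (pattern, False)
    if len(resource) < len(head) or (not trailing and len(resource) != len(head)):
        return False
    return all(p in ("%", c) for p, c in zip(head, resource))

def specificity(pattern):
    # Assumed ordering: discrete first, then longest literal prefix, then % over *.
    literal = min((pattern.find(ch) for ch in "%*" if ch in pattern), default=len(pattern))
    return (literal == len(pattern), literal, pattern.count("%"))

def decide(profiles, resource, ids=()):
    """Return (decision, covering profile name) for one CSFSERV resource."""
    covering = [p for p in profiles if matches(p.name, resource)]
    if not covering:
        # No profile: the class grants access, except for the two services above.
        return ("DENY" if resource in DENY_IF_UNCOVERED else "ALLOW", None)
    best = max(covering, key=lambda p: specificity(p.name))
    # The first ID with an access-list entry wins (simplification); otherwise UACC applies.
    level = next((best.permits[i] for i in ids if i in best.permits), best.uacc)
    return ("DENY" if level == "NONE" else "ALLOW", best.name)

def open_services(profiles, resources):
    """Resources that a caller with no access-list entry can still use."""
    return [r for r in resources if decide(profiles, r)[0] == "ALLOW"]

# Constructed sample: the three profiles from the example, with a PERMIT on only one.
PAGE_EXAMPLE = [
    Profile("CSFCTT*", permits={"CRYPTGRP": "READ"}),
    Profile("CSFCTT%"),
    Profile("*"),
]

if __name__ == "__main__":
    for res in ("CSFCTT", "CSFCTT2", "CSFENC", "CSFKDU"):
        print(res, decide(PAGE_EXAMPLE, res, ["USER1", "CRYPTGRP"]))
    print("open with no profiles:", open_services([], ["CSFENC", "CSFKDU", "CSFRRT"]))
```

Under the assumed ordering, CSFCTT2 is covered by CSFCTT% rather than CSFCTT*, so a PERMIT issued only against CSFCTT* does not reach it.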