RACF CSFSERV resource requirements

ICSF controls access to cryptographic services through the RACF CSFSERV resource class. An application using System SSL that requires cryptographic support from ICSF must be authorized for the appropriate resources in the class, either explicitly or through a generic resource profile. For more information, see z/OS Cryptographic Services ICSF Administrator's Guide.

When the System SSL DLLs are loaded, System SSL determines what hardware is available by using the ICSF Query Algorithm callable service (CSFIQA). For this reason, make sure that the RACF user ID that starts the application can access the CSFIQA resource of the CSFSERV class. If the user ID that starts the SSL application cannot access the CSFIQA resource of the CSFSERV class, System SSL cannot retrieve information by using the CSFIQA callable service, and the informational message ICH408I (which indicates insufficient authorization) may be issued to the console. Although System SSL processing continues, System SSL might not be aware of all the hardware that is currently available.
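The following added example (not IBM code) scans a console log extract for ICH408I messages against the CSFSERV class and lists the PERMIT commands an administrator would review to close the gap described above. The log text and the user IDs `SSLSRV` and `BATCH01` are constructed, and the parser assumes the usual multi-line ICH408I layout ending with an ACCESS INTENT line.

```python
import re

# Constructed console extract (not from a real system). ICH408I spans several
# lines: user, then resource and class, then an optional covering generic profile.
SAMPLE_LOG = """\
ICH408I USER(SSLSRV  ) GROUP(STCGRP  ) NAME(SSL SERVER          )
  CSFIQA CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(SSLSRV  ) GROUP(STCGRP  ) NAME(SSL SERVER          )
  CSF1TRC CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CSF1* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(BATCH01 ) GROUP(PROD    ) NAME(BATCH USER          )
  PAYROLL.DATA CL(DATASET ) VOL(PRD001)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

USER_RE = re.compile(r"ICH408I\s+USER\(\s*(\S+?)\s*\)")
RES_RE = re.compile(r"(\S+)\s+CL\(\s*(\S+?)\s*\)")
FROM_RE = re.compile(r"FROM\s+(\S+)\s+\(G\)")


def csfserv_denials(log_text):
    """Return sorted (user, resource, profile) tuples for CSFSERV denials."""
    found, cur = set(), None
    for line in log_text.splitlines():
        if (m := USER_RE.search(line)):
            cur = {"user": m.group(1)}            # a new message starts
        elif cur and "res" not in cur and (m := RES_RE.search(line)):
            cur["res"], cur["cls"] = m.groups()
            cur["profile"] = cur["res"]           # discrete unless FROM says otherwise
        elif cur and "res" in cur and (m := FROM_RE.search(line)):
            cur["profile"] = m.group(1)           # generic profile that covered the check
        elif cur and "ACCESS INTENT" in line:     # last line of the message
            if cur.get("cls") == "CSFSERV":
                found.add((cur["user"], cur["res"], cur["profile"]))
            cur = None
    return sorted(found)


def permit_commands(denials):
    """RACF commands for an administrator to review; ICSF checks READ access."""
    cmds = sorted({f"PERMIT {prof} CLASS(CSFSERV) ID({user}) ACCESS(READ)"
                   for user, _res, prof in denials})
    return cmds + ["SETROPTS RACLIST(CSFSERV) REFRESH"] if cmds else []
```

Compare each reported resource with the tables that follow before granting access, so that a user ID receives only the CSFSERV resources its System SSL functions require.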

The following tables summarize the CSFSERV resources required for each ICSF cryptographic function used by System SSL.

Table 1. CSFSERV resources required for hardware support through ICSF callable services

| Function | ICSF callable services | CSFSERV resources required |
|---|---|---|
| ECC Digital Signature Generation (private key in the PKDS) | CSNDDSG | CSFDSG |
| PKA (RSA) Decrypt | CSNDPKB, CSNDPKD | --, CSFPKD |
| PKA (RSA) Encrypt | CSNDPKB, CSNDPKE | --, CSFPKE |
| RSA Digital Signature Generation | CSNDPKB, CSNDPKI, CSNDDSG | --, CSFPKI, CSFDSG |
| RSA Digital Signature Verify | CSFDPKB, CSNDDSV | --, CSFDSV |
| RSASSA-PSS Digital Signature Generation (private key in PKDS) | CSNDDSG | CSFDSG |

Table 2. CSFSERV resources required for ICSF PKCS #11 callable services support

| Function | ICSF PKCS #11 callable services | CSFSERV resources required |
|---|---|---|
| AES-GCM Secret Key Decrypt | CSFPSKD, CSFPTRC, CSFPTRD | CSF1SKD, CSF1TRC, CSF1TRD |
| AES-GCM Secret Key Encrypt | CSFPSKE, CSFPTRC, CSFPTRD | CSF1SKE, CSF1TRC, CSF1TRD |
| ChaCha20 Secret Key Decrypt | CSFPSKD, CSFPTRC, CSFPTRD | CSF1SKD, CSF1TRC, CSF1TRD |
| ChaCha20 Secret Key Encrypt | CSFPSKE, CSFPTRC, CSFPTRD | CSF1SKE, CSF1TRC, CSF1TRD |
| Diffie-Hellman in FIPS mode | CSFPTRC, CSFPDVK, CSFPGKP, CSFPGSK, CSFPGAV, CSFPTRD | CSF1TRC, CSF1DVK, CSF1GKP, CSF1GSK, CSF1GAV, CSF1TRD |
| ECC Digital Signature Generation | CSFPTRC, CSFPPKS, CSFPTRD | CSF1TRC, CSF1PKS, CSF1TRD |
| ECC Digital Signature Verify | CSFPTRC, CSFPPKV, CSFPTRD | CSF1TRC, CSF1PKV, CSF1TRD |
| ECC Key Generation | CSFPGKP, CSFPGAV, CSFPTRD | CSF1GKP, CSF1GAV, CSF1TRD |
| ECDH Derive Key | CSFPTRC, CSFPDVK, CSFPGAV, CSFPTRD | CSF1TRC, CSF1DVK, CSF1GAV, CSF1TRD |
| PKA (RSA) Decrypt in FIPS mode | CSFPPD2 | CSFPKD |
| PKA (RSA) Encrypt in FIPS mode | CSFPPE2 | CSFPKE |
| Random Number Generation | CSFPPRF | CSFRNG |
| RSA Digital Signature Verify in FIPS mode | CSFPPV2 | CSFDSV |
| RSA PKCS #11 Secure Key Decrypt | CSFPPKS | CSF1PKS |
| RSASSA-PSS Digital Signature Generate | CSFPOWH, CSFPTRC, CSFPTRD | CSFOWH, CSF1TRC, CSF1TRD |
| RSASSA-PSS Digital Signature Verify | CSFPOWH, CSFPTRC, CSFPTRD | CSFOWH, CSF1TRC, CSF1TRD |
| Secure PKCS #12 Private Key Export | CSFPGSK, CSFPWPK, CSFPTRC, CSFPTRD | CSF1GSK, CSF1WPK, CSF1TRC, CSF1TRD |
| Secure PKCS #7 Make Enveloped Data Message | CSFPTRC, CSFPGSK, CSFPWPK, CSFPTRD | CSF1TRC, CSF1GSK, CSF1WPK, CSF1TRD |
| Secure PKCS #7 Read Enveloped Data Message | CSFPPKS | CSF1PKS |