z/OS Cryptographic Services System SSL Programming


Using cryptographic features with System SSL

z/OS Cryptographic Services System SSL Programming
SC14-7495-00

System SSL uses cryptographic features available on z/OS® to offer a comprehensive range of cryptographic support. In addition to software cryptographic processing performed by System SSL, services offered by the Integrated Cryptographic Service Facility (ICSF) and the CP Assist for Cryptographic Function (CPACF) are employed to enhance System SSL with hardware cryptographic support for commonly used algorithms. ICSF also provides support for Elliptic Curve Cryptography (ECC).

In order for System SSL to use cryptographic support provided through ICSF, the ICSF started task must be running and the application user ID must be authorized for the appropriate resources in the RACF® CSFSERV class (when the class is active), either explicitly or through a generic resource profile. See RACF CSFSERV resource requirements for further details. In addition to the CSFSERV class, the application user ID needs READ access to:
  • RACF CSFKEYS class when SAF key rings are being used and the application's certificate keys are stored in ICSF's PKDS. This access is not required if the CSFKEYS class is not active or the RACF resource is not defined.
  • RACF resource USER.token-name within the CRYPTOZ class when either SAF key rings or PKCS #11 tokens are being used and the application's certificate keys are stored as secure keys in an ICSF PKCS #11 token. The CRYPTOZ class must be active and the RACF resource must exist, otherwise access is not granted.
For more information about access to CSFKEYS, see the RACDCERT command in z/OS Security Server RACF Command Language Reference. For more information about the CRYPTOZ class, see z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.
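
The grants described above, sketched as an added REXX exec that issues the RACF commands under TSO; it is not part of the original IBM text. The user ID, CSFSERV profile, PKDS key label, and token name are placeholders assumed for illustration, and the exec assumes the CSFSERV and CSFKEYS profiles already exist.

```rexx
/* REXX: added example, run under TSO by a RACF administrator.        */
/* The four values below are placeholders, not values from the page.  */
appid   = 'SSLAPP'            /* application user ID                   */
service = 'CSFSERV.PROFILE'   /* CSFSERV resource or generic profile   */
keylbl  = 'PKDS.KEY.LABEL'    /* PKDS label of the certificate key     */
token   = 'TOKEN.NAME'        /* ICSF PKCS #11 token name              */
address tso

/* 1. CSFSERV: needed for any ICSF service when the class is active.  */
"PERMIT" service "CLASS(CSFSERV) ID("appid") ACCESS(READ)"
"SETROPTS RACLIST(CSFSERV) REFRESH"

/* 2. CSFKEYS: SAF key ring with the private key held in the PKDS.    */
/*    Not checked if the class is inactive or no profile covers the   */
/*    key, so confirm a covering profile exists if you rely on it.    */
"PERMIT" keylbl "CLASS(CSFKEYS) ID("appid") ACCESS(READ)"
"SETROPTS RACLIST(CSFKEYS) REFRESH"

/* 3. CRYPTOZ: secure keys in an ICSF PKCS #11 token. Access is       */
/*    denied unless the class is active and USER.token-name exists,   */
/*    so define the resource and activate the class explicitly.       */
/*    RDEFINE reports an error if the profile is already defined.     */
"RDEFINE CRYPTOZ USER."token "UACC(NONE)"
"PERMIT USER."token "CLASS(CRYPTOZ) ID("appid") ACCESS(READ)"
"SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)"
"SETROPTS RACLIST(CRYPTOZ) REFRESH"

/* 4. Review the resulting access lists: only the application ID      */
/*    should hold READ beyond the administrators who need it.         */
"RLIST CSFSERV" service "AUTHUSER"
"RLIST CSFKEYS" keylbl "AUTHUSER"
"RLIST CRYPTOZ USER."token "AUTHUSER"
exit 0
```

Apply only the steps that match how the application's certificate keys are stored; step 1 applies whenever the CSFSERV class is active.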





Copyright IBM Corporation 1990, 2014