RACF to Top Secret Translation For TKE Host Transaction Program

Article ID: 135654

Products

Top Secret

Issue/Introduction

The following RACF commands, taken from the IBM z/OS ICSF Trusted Key Entry Workstation User's Guide, set up the TKE host transaction program to communicate with a new Trusted Key Entry (TKE) workstation. They need to be converted to their Top Secret equivalents.


2. Set up system security
You will associate a RACF profile or group with the TKE Host Transaction Program. The userid or group
associated with the TKE host transaction program must be authorized to all the APIs in the CSFSERV
class it will use.

z/OS: Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide
PERMIT CSFCRC CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKIM CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKRC CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKRD CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKRR CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKRW CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKYT CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFKYT2 CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFPCI CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFPKRC CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFPKRW CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
PERMIT CSFPKI CLASS(CSFSERV) ID(userid or group) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH

To protect module CSFTTKE from unauthorized users, you must protect it using RACF. For more
information, refer to z/OS Security Server RACF Security Administrator's Guide and z/OS Security Server
RACF System Programmer's Guide.

This example permits the user ID or group assigned to the CSFTTCP started task to the CSFTTKE
profile in the FACILITY class:
SETR CLASSACT(FACILITY)
SETR RACLIST(FACILITY)
RDEFINE FACILITY CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(FACILITY) ID(userid or group) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH


Figure 10: Assign a user ID to CSFTTKE in FACILITY class
The module (CSFTTKE) must also be protected, using the APPL class to control which users can use the application when they enter the system.
This example assigns a user ID or group to the CSFTTKE profile in the APPL class:
SETR CLASSACT(APPL)
SETR RACLIST(APPL)
RDEFINE APPL CSFTTKE UACC(NONE)
PERMIT CSFTTKE CLASS(APPL) ID(userid or group) ACCESS(READ)
SETROPTS RACLIST(APPL) REFRESH

Figure 11: Assign a User ID to CSFTTKE in APPL Class
Note: The user IDs or groups of user IDs must be permitted to use the TKE workstation.
If you do not have a generic user ID associated with all started procedures, you can associate a user ID with the CSFTTCP proc by issuing a RACF RDEFINE command.
For more information, see z/OS Security 
Server RACF Security Administrator's Guide.
Note: The RACF user ID associated with the CSFTTCP proc must have a valid OMVS segment.
This example assigns a user ID or group to the started task CSFTTCP:
SETR CLASSACT(STARTED)
SETR RACLIST(STARTED)
RDEFINE STARTED CSFTTCP.CSFTTCP STDATA(USER(userid))
SETROPTS RACLIST(STARTED) REFRESH 

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The RACF commands are repeated below, each block followed by the corresponding Top Secret commands under the heading "TSS Equivalent". The SETR and SETROPTS commands (CLASSACT, RACLIST, REFRESH) have no Top Secret counterpart and are simply omitted from the equivalents.


2. Set up system security

You will associate a RACF profile or group with the TKE Host Transaction Program. The userid or group

associated with the TKE host transaction program must be authorized to all the APIs in the CSFSERV

class it will use.


z/OS: Cryptographic Services ICSF Trusted Key Entry Workstation User's Guide

PERMIT CSFCRC CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKIM CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKRC CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKRD CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKRR CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKRW CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKYT CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFKYT2 CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFPCI CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFPKRC CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFPKRW CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

PERMIT CSFPKI CLASS(CSFSERV) ID(userid or group) ACCESS(READ)

SETROPTS RACLIST(CSFSERV) REFRESH


TSS Equivalent:

TSS ADD(dept) CSFSERV(CSF) (if not already done)

TSS PER(userid or profile) CSFSERV(CSFCRC) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKIM) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKRC) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKRD) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKRR) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKRW) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKYT) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFKYT2) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFPCI) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFPKRC) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFPKRW) ACC(READ)

TSS PER(userid or profile) CSFSERV(CSFPKI) ACC(READ)


If you prefer, you can permit the prefix CSF so that a single permit covers every CSFSERV resource whose name begins with CSF. Note that this is broader than the twelve permits above: it also grants READ to CSFSERV resources the TKE host transaction program does not call, so use it only where that wider access is acceptable.

TSS PER(userid or profile) CSFSERV(CSF) ACC(READ)


To protect module CSFTTKE from unauthorized users, you must protect it using RACF. For more

information, refer to z/OS Security Server RACF Security Administrator's Guide and z/OS Security Server

RACF System Programmer's Guide.

This example permits the user ID or group assigned to the CSFTTCP started task to the CSFTTKE profile in the FACILITY class:

SETR CLASSACT(FACILITY)

SETR RACLIST(FACILITY)

RDEFINE FACILITY CSFTTKE UACC(NONE)

PERMIT CSFTTKE CLASS(FACILITY) ID(userid or group) ACCESS(READ)

SETROPTS RACLIST(FACILITY) REFRESH


TSS Equivalent:

TSS ADD(dept) IBMFAC(CSFTTKE)    (if not already done)

TSS PER(userid or profile) IBMFAC(CSFTTKE) ACC(READ)


Figure 10: Assign a user ID to CSFTTKE in FACILITY class

The module (CSFTTKE) must also be protected, using the APPL class to control which users can use the application when they enter the system.

This example assigns a user ID or group to the CSFTTKE profile in the APPL class:

SETR CLASSACT(APPL)

SETR RACLIST(APPL)

RDEFINE APPL CSFTTKE UACC(NONE)

PERMIT CSFTTKE CLASS(APPL) ID(userid or group) ACCESS(READ)

SETROPTS RACLIST(APPL) REFRESH


TSS Equivalent:

TSS ADD(dept) APPL(CSFTTKE) (if not already done)

TSS PER(userid or profile) APPL(CSFTTKE) ACC(READ)


Figure 11: Assign a User ID to CSFTTKE in APPL Class

Note: The user IDs or groups of user IDs must be permitted to use the TKE workstation.

If you do not have a generic user ID associated with all started procedures, you can associate a user ID with the CSFTTCP proc by issuing a RACF RDEFINE command.

For more information, see z/OS Security Server RACF Security Administrator's Guide.

Note: The RACF user ID associated with the CSFTTCP proc must have a valid OMVS segment. The same requirement applies in Top Secret: the ACID named on the STC record needs an OMVS segment (UID, HOME and OMVSPGM) so that it can use z/OS UNIX services.

This example assigns a user ID or group to the started task CSFTTCP:

SETR CLASSACT(STARTED)
SETR RACLIST(STARTED)

RDEFINE STARTED CSFTTCP.CSFTTCP STDATA(USER(userid))

SETROPTS RACLIST(STARTED) REFRESH


TSS Equivalent:

TSS ADD(STC) PROCNAME(CSFTTCP) ACID(userid)
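The translation above is mechanical enough to script, which is useful when the same TKE setup has to be applied on several Top Secret LPARs. The following Python is an added example, not part of this article and not Broadcom code. It encodes the mapping the page shows (CSFSERV and APPL keep their class names, FACILITY becomes IBMFAC, a STARTED profile becomes an STC record, SETR/SETROPTS are dropped) and, for a class the RACF script never RDEFINEs, emits the single ownership record the page puts before the CSFSERV permits by taking the longest common prefix of the permitted names. The department ACID "dept", the "userid or group" placeholder and the sample RACF lines are taken from the page; everything else is this example's own.

```python
"""RACF -> Top Secret command translator for the TKE host program setup.

Added example, not from the article or from Broadcom.  CSFSERV and APPL
keep their class names, FACILITY becomes IBMFAC, a STARTED profile becomes
an STC record, and SETR/SETROPTS are dropped because Top Secret has no
CLASSACT/RACLIST step.  "dept" and "userid or group" are the page's own
placeholders.
"""
import os
import re

CLASS_MAP = {"CSFSERV": "CSFSERV", "FACILITY": "IBMFAC", "APPL": "APPL"}
# RACF permits a userid or group; Top Secret permits a user or profile ACID.
PLACEHOLDER_MAP = {"userid or group": "userid or profile"}
# KEYWORD(value) operands, allowing one nesting level for STDATA(USER(x)).
KEYWORD_RE = re.compile(r"\b([A-Za-z]+)\(([^()]*(?:\([^()]*\)[^()]*)*)\)")

# Constructed sample: the RACF commands from the page (SETR RACLIST lines omitted).
TKE_SERVICES = ["CSFCRC", "CSFKIM", "CSFKRC", "CSFKRD", "CSFKRR", "CSFKRW",
                "CSFKYT", "CSFKYT2", "CSFPCI", "CSFPKRC", "CSFPKRW", "CSFPKI"]
RACF_SAMPLE = [f"PERMIT {s} CLASS(CSFSERV) ID(userid or group) ACCESS(READ)"
               for s in TKE_SERVICES] + [
    "SETROPTS RACLIST(CSFSERV) REFRESH",
    "SETR CLASSACT(FACILITY)",
    "RDEFINE FACILITY CSFTTKE UACC(NONE)",
    "PERMIT CSFTTKE CLASS(FACILITY) ID(userid or group) ACCESS(READ)",
    "SETROPTS RACLIST(FACILITY) REFRESH",
    "SETR CLASSACT(APPL)",
    "RDEFINE APPL CSFTTKE UACC(NONE)",
    "PERMIT CSFTTKE CLASS(APPL) ID(userid or group) ACCESS(READ)",
    "SETROPTS RACLIST(APPL) REFRESH",
    "SETR CLASSACT(STARTED)",
    "RDEFINE STARTED CSFTTCP.CSFTTCP STDATA(USER(userid))",
    "SETROPTS RACLIST(STARTED) REFRESH",
]


def parse_racf(line):
    """Split one RACF command into (verb, positional operands, keyword operands)."""
    keywords = {m.group(1).upper(): m.group(2).strip()
                for m in KEYWORD_RE.finditer(line)}
    words = KEYWORD_RE.sub(" ", line).split()
    if not words:
        raise ValueError("empty RACF command")
    return words[0].upper(), [w.upper() for w in words[1:]], keywords


def translate(line, dept="dept"):
    """TSS equivalent of one RACF command, or None when it has no counterpart."""
    verb, pos, kw = parse_racf(line)
    if verb in ("SETR", "SETROPTS"):
        return None  # CLASSACT / RACLIST / REFRESH: RACF-only
    if verb == "PERMIT":
        who = PLACEHOLDER_MAP.get(kw["ID"], kw["ID"])
        tss_class = CLASS_MAP[kw["CLASS"].upper()]
        return f"TSS PER({who}) {tss_class}({pos[0]}) ACC({kw.get('ACCESS', 'READ')})"
    if verb == "RDEFINE":
        racf_class, resource = pos[0], pos[1]
        if racf_class == "STARTED":
            # STARTED profiles are procname.jobname; the STC record is keyed by proc name.
            user = re.fullmatch(r"USER\((.*)\)", kw["STDATA"]).group(1)
            return f"TSS ADD(STC) PROCNAME({resource.split('.')[0]}) ACID({user})"
        return f"TSS ADD({dept}) {CLASS_MAP[racf_class]}({resource})"
    raise ValueError(f"no translation rule for {verb}")


def translate_script(racf_lines, dept="dept"):
    """Translate a whole script.  For a class the script PERMITs but never
    RDEFINEs, own the longest common prefix of the permitted names once,
    before the first permit (the page's TSS ADD(dept) CSFSERV(CSF))."""
    parsed = [parse_racf(l) for l in racf_lines if l.strip()]
    defined = {pos[0] for verb, pos, _ in parsed if verb == "RDEFINE"}
    by_class = {}
    for verb, pos, kw in parsed:
        if verb == "PERMIT" and kw["CLASS"].upper() not in defined:
            by_class.setdefault(kw["CLASS"].upper(), []).append(pos[0])
    out, owned = [], set()
    for line in (l for l in racf_lines if l.strip()):
        verb, pos, kw = parse_racf(line)
        racf_class = kw.get("CLASS", "").upper()
        if verb == "PERMIT" and racf_class in by_class and racf_class not in owned:
            owned.add(racf_class)
            prefix = os.path.commonprefix(by_class[racf_class])
            for name in ([prefix] if prefix else sorted(set(by_class[racf_class]))):
                out.append(f"TSS ADD({dept}) {CLASS_MAP[racf_class]}({name})")
        tss = translate(line, dept)
        if tss:
            out.append(tss)
    return out


if __name__ == "__main__":
    print("\n".join(translate_script(RACF_SAMPLE)))
```

Running it on the page's commands prints the eighteen Top Secret commands of the Resolution section in order, with the CSFSERV ownership record first. Because the ownership record is derived from the common prefix, the prefix-owning shortcut is still a deliberate choice: review it before running the output on a system where CSF* resources other than the twelve TKE services are already owned elsewhere.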