Setup of CSFKEYS profile records and ACF2 Resource rules for ICSF


Article ID: 14183


Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

How are CSFKEYS profile records and ACF2 resource rules set up for ICSF?

Resolution

CSFKEYS and XCSFKEY profiles are used to specify the attributes for ICSF keys. ICSF also checks the user's authorization to access the keys saved in the ICSF data sets. These checks are also made in the CSFKEYS and XCSFKEY classes.

The ACF2 ICSF CSFKEYS and XCSFKEY Profile Records provide a way to specify the ICSF attributes for the keys that are controlled by the CSFKEYS and XCSFKEY profiles. ICSF performs EXTRACTs against the CSFKEYS and XCSFKEY classes.

ACF2 CSFKEYS and XCSFKEY Profile Record syntax:

 recid
 ASYMUSE(HANDSHAK|SECXPORT)
 RESOURCE(resource)
 SYMXCERT(qualifier/certlabel)
 SYMXKEYS(keylabel)
 SYMXPORT(BYLIST|BYANY|BYNONE)

The following example highlights how to set up a CSFKEYS record for a DES key labeled DES.XXX.KEY in the ICSF CKDS dataset that should never be exported.

 ACF
 SET PROFILE(CSFKEYS) DIVISION(ICSF)
 INSERT safe.key RESOURCE(DES.XXX.KEY) SYMXPORT(BYNONE)

Because ICSF performs EXTRACTs against the CSFKEYS and XCSFKEY classes, you must add the PCSF and PXCF classes to the current INFODIR:

 ACF
 SET CONTROL(GSO)
 CHANGE INFODIR TYPES(R-PCSF R-PXCF) ADD
 F ACF2,REFRESH(INFODIR)

ICSF will also check the authorization (RACROUTE FASTAUTH) of the user to access the keys saved in the ICSF data sets. These checks will also be in the CSFKEYS and XCSFKEY classes. Both classes are defined to CA ACF2 using the three-character class codes SAF and XCS, respectively. Because the CSFKEYS class is defined with the SAF code, you may wish to override the definition with a CLASMAP record:

 ACF
 SET CONTROL(GSO)
 INSERT CLASMAP.CSFKEYS RESOURCE(CSFKEYS) RSRCTYPE(CSF) ENTITYLN(73)
 F ACF2,REFRESH(CLASMAP)

If you do override the definition with a CLASMAP record, you should add the new class to the current INFODIR record. The three-character class code for XCSFKEY should also be added to the INFODIR record:

 ACF
 SET CONTROL(GSO)
 CHANGE INFODIR TYPES(R-RCSF R-RXCS) ADD
 F ACF2,REFRESH(INFODIR)

For changes to CSFKEYS or XCSFKEY rules to take effect:

 F ACF2,REBUILD(XCS)
 F ACF2,REBUILD(CSF)

For changes to CSFKEYS Profile records to take effect:

 F ACF2,REBUILD(CSFKEYS),CLASS(P)
 F ACF2,OMVS(CSFKEYS)

For details, see the CA ACF2 for z/OS Administration Guide sections CSFKEYS and XCSFKEY Profile Record and Integrated Cryptographic Service Facility.
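
A review check for a deck of the ACF commands shown above, as an added example that is not part of the original article or of the product: it verifies that every key label that must never be exported has a CSFKEYS profile record with SYMXPORT(BYNONE), rejects unrecognised SYMXPORT values, and confirms the profile rebuild command is present. The function name `lint_deck`, the key label DES.YYY.KEY and the sample deck are constructed for illustration.

```python
import re

# SYMXPORT values this check accepts (BYNONE is the value the page's example uses).
SYMXPORT_VALUES = {"BYLIST", "BYANY", "BYNONE"}
REBUILD = "F ACF2,REBUILD(CSFKEYS),CLASS(P)"
OPERAND = re.compile(r"([A-Z]+)\(([^)]*)\)")

def lint_deck(deck, never_export):
    """Check a deck of ACF commands; return a list of finding strings."""
    findings, protected = [], set()
    in_csfkeys = rebuild_pending = False
    for no, raw in enumerate(deck.splitlines(), 1):
        line = " ".join(raw.upper().split())  # normalise case and spacing
        if line.startswith("SET "):
            in_csfkeys = "PROFILE(CSFKEYS)" in line
        elif line.startswith("INSERT ") and in_csfkeys:
            rebuild_pending = True
            ops = dict(OPERAND.findall(line))
            label, mode = ops.get("RESOURCE"), ops.get("SYMXPORT")
            if not label:
                findings.append(f"line {no}: INSERT has no RESOURCE(keylabel)")
            if mode is not None and mode not in SYMXPORT_VALUES:
                findings.append(f"line {no}: unknown SYMXPORT value {mode}")
            if label and mode == "BYNONE":
                protected.add(label)
        elif line == REBUILD:
            rebuild_pending = False
    # Every label the site declares non-exportable needs a BYNONE record.
    for label in sorted(set(never_export) - protected):
        findings.append(f"{label}: no record with SYMXPORT(BYNONE)")
    if rebuild_pending:
        findings.append(f"profile records changed but deck lacks {REBUILD}")
    return findings

# Constructed sample deck: the second INSERT carries a mistyped operand value
# and the deck omits the rebuild command.
SAMPLE_DECK = """\
 ACF
 SET PROFILE(CSFKEYS) DIVISION(ICSF)
 INSERT safe.key RESOURCE(DES.XXX.KEY) SYMXPORT(BYNONE)
 INSERT other.key RESOURCE(DES.YYY.KEY) SYMXPORT(BYONE)
"""

if __name__ == "__main__":
    for finding in lint_deck(SAMPLE_DECK, {"DES.XXX.KEY", "DES.YYY.KEY"}):
        print(finding)
```
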