Release: 16.0
OS: z/OS 2.3
Component: CA ACF2 for z/OS
IBM has support in place to enable the PKA Key Management Extensions control in class XFACILIT. See the IBM link below for more information in this area.
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.csfb300/pkaxtn.htm
ACF2 support was added with the z/OS 1.10 support, but a coding error meant that only CSFKEYS address spaces running NON-CNCL would work. PTF SO09195 corrected that error, so address spaces running without NON-CNCL also get the correct response.
PKA Key Management Extensions control lets the user turn individual controls on or off. In RACF that is done with an RDEFINE. In ACF2, a RACROUTE EXTRACT call is made under the type code of the resource class, looking for an existence rule that matches the profile record RACF would have. For example:
$KEY(CSF.KDS.KEY.ARCHIVE.USE) TYPE(XFC)
No rule lines are needed, just the rule itself: its existence enables the functionality, and the subsequent access checks are then made. See the IBM link below for more information in this area.
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb300/actksp.htm
This particular system got the violation because the CSFKEYS address spaces were running with NON-CNCL and the rule enabling the functionality was in place, but no subsequent rules were in place to control who is authorized to that function, so all users failed. A rule needs to be written, based on the ACFRPTRV report, for the users that should be allowed. Other users will then get the expected violation.
$KEY(ECF-PKDS-DEFAULT) TYPE(SAF)
UID(uid string of user to be allowed) SERVICE(READ) ALLOW
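The two rules above entered as one TSO ACF command session, given here as an added example that is not from the original article or from CA/IBM documentation. The $KEY values and TYPE codes are the ones quoted above; UID(PAYROLL) is an assumed UID string standing in for the users found in the ACFRPTRV report, and the example assumes the usual ACF behaviour that COMPILE * reads rule text until a null line and that STORE saves the compiled rule.

```text
ACF
SET RESOURCE(XFC)
COMPILE * STORE
 $KEY(CSF.KDS.KEY.ARCHIVE.USE) TYPE(XFC)

SET RESOURCE(SAF)
COMPILE * STORE
 $KEY(ECF-PKDS-DEFAULT) TYPE(SAF)
 UID(PAYROLL) SERVICE(READ) ALLOW

END
```

The first rule set carries no UID lines on purpose: its existence is what switches the control on. The second rule set is the one that was missing on the system described above; add one UID line per user or group that should be allowed, taking the UID strings from the ACFRPTRV violation records, and leave everyone else to fail as expected. If XFC or SAF is a resident type listed in GSO INFODIR, rebuild that directory from the console (F ACF2,REBUILD(XFC) and F ACF2,REBUILD(SAF)) so the new rules take effect, then rerun ACFRPTRV to confirm that only the users you did not list still show violations.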