After applying ACF2 PTF SO09195, thousands of violations started for SAF-ECF-PKDS-DEFAULT
Article ID: 143224

Products: ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Thousands of resource violations started for SAF-ECF-PKDS-DEFAULT after applying ACF2 PTF SO09195. Why is this occurring? 

Environment

Release : 16.0

Component : CA ACF2 for z/OS

Cause

IBM provides support for enabling the PKA Key Management Extensions controls through profiles in the XFACILIT class. See the IBM documentation "Controlling how cryptographic keys can be used" for more information on this area.

ACF2 support for these controls was added as part of z/OS 1.10 support, but a coding error meant that only CSFKEYS address spaces running NON-CNCL received the correct response. PTF SO09195 corrects that error, so any address space running without NON-CNCL now also receives the correct response.

Resolution

The PKA Key Management Extensions controls allow the installation to toggle individual controls on or off. In RACF this is done with an RDEFINE of the corresponding profile. In ACF2, a RACROUTE EXTRACT call is made under the type code of the resource class, looking for an existence rule whose $KEY matches the profile name that would be defined in RACF.

For example:

$KEY(CSF.KDS.KEY.ARCHIVE.USE) TYPE(XFC)

The violations appear because the CSFKEYS address spaces are running with NON-CNCL and the existence rules that enable the functionality are in place, but no subsequent rules exist to say who is authorized to use that function, so every user fails the check. A rule needs to be written, based on the ACFRPTRV resource violation report, for the users that should be allowed. All other users should continue to get the expected violation.

$KEY(ECF-PKDS-DEFAULT) TYPE(SAF)
 UID(uid string of user to be allowed.) SERVICE(READ) ALLOW
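As an added illustration (not part of the original article), the following ACF command sequence stores both the existence rule that enables the control and the SAF rule that authorizes specific users, with an explicit default-deny entry so that everyone else keeps getting the expected violation. The UID string KEYADM is an assumed placeholder for the installation's own UID pattern taken from the ACFRPTRV report; the example assumes ACF2 accepts the existence rule with no rule entries, so check the compile output.

```text
ACF
* Existence rule: its presence turns the PKA Key Management
* Extensions control on; no entries are required for that purpose.
SET RESOURCE(XFC)
COMPILE * STORE
$KEY(CSF.KDS.KEY.ARCHIVE.USE) TYPE(XFC)

* Authorization rule for the SAF check that was generating violations.
* KEYADM is a placeholder UID string taken from the ACFRPTRV report.
SET RESOURCE(SAF)
COMPILE * STORE
$KEY(ECF-PKDS-DEFAULT) TYPE(SAF)
 UID(KEYADM) SERVICE(READ) ALLOW
 UID(-) PREVENT

END
```

Rerun ACFRPTRV after the rules are stored: the remaining violations should only be from users not covered by the ALLOW entry.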