ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to setup ICSF  and ACF2 profiles to make all TLSv1.2 cipher suites available

book

Article ID: 239968

calendar_today

Updated On:

Products

ACF2

Issue/Introduction

How to setup ICSF with ACF2 to make all TLSv1.2 cipher suites available.

 

 

 

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

Based on the IBM link: AT-TLS support for TLS v1.2 and related features, the following resource class CSFSERVE resources:

Before you use Elliptic Curve Cryptography (ECC) ciphers, perform the following steps:
Start ICSF. If the CSFSERV class is defined, give the user ID that runs the AT-TLS application READ access to the following resources in that class:

CSF1TRC
CSF1PKV
CSF1PKS
CSF1GKP
CSF1GAV
CSF1DVK
CSF1TRD

Before you use AES GCM ciphers, perform the following steps:
Start ICSF. If the CSFSERV class is defined, give the user ID that runs the AT-TLS application READ access to the following resources in that class:

CSF1TRC
CSF1SKD
CSF1SKE
CSF1TRD

By default, ACF2 assigns the 3-character type code "SAF" to the CSFSERV resource class. It is recommended to modify the default type code of "SAF" to a more unique type code of "CSF" or another value. Sample commands to change the CSFSERV class type code to "CSF":

SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF)
F ACF2,REFRESH(CLASMAP)   

The CSFSERVE resource class type code must be made resident by adding the type code to the GSO INFODIR record. Make resource rules with type code CSF resident:

SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCSF) ADD
F ACF2,REFRESH(INFODIR)

Next write appropriate resource rules for TYPE(CSF) for the CSFSERV resources as described above for the type of ciphers that you intend to use. For example:

* Elliptic Curve Cryptography (ECC) ciphers
SET RESOURCE(CSF)
RECKEY CSF1TRC add( UID(***IT-) SERVICE(READ) ALLOW) 
RECKEY CSF1PKV add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1PKS add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1GKP add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1GAV add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1DVK add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1TRD add( UID(***IT-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)

* AES GCM ciphers
SET RESOURCE(CSF)
RECKEY CSF1TRC add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1SKD add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1SKE add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1TRD add( UID(***IT-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)

CRYPTOZ is a resource class defined in support of PKCS #11. Access to PKCS #11 tokens in ICSF is controlled by the CRYPTOZ class, with different access levels as well as a differentiation between standard users and security officers. A user's access level to each of these resources (read, update, or delete) determines the user's access level to the token. For each token, there are resources in the CRYPTOZ class for controlling access to tokens:

USER.token-name controls the access of the User role to the token
SO.token-name controls the access of the Security Officer (SO) role to the token.
CLEARKEY.token-name controls the ICSF policy for creating a clear key versus a secure key.

* CRYPTOZ TYPE(CRY) is required to be resident
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCRY) ADD
F ACF2,REFRESH(INFODIR)
* CRYPTOZ token access
* Note update SERVICE as required
SET RESOURCE(CRY)
RECKEY USER add( token-name UID(***IT-) SERVICE(READ) ALLOW)
RECKEY SO add( token-name UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CLEARKEY add( token-name UID(***IT-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CRY)