How to setup ICSF and ACF2 profiles to make all TLSv1.2 cipher suites available
Article ID: 239968
Updated On:
Products
Issue/Introduction
How to setup ICSF with ACF2 to make all TLSv1.2 cipher suites available.
Environment
Release : 16.0
Component : ACF2 for z/OS
Resolution
Based on the IBM link: AT-TLS support for TLS v1.2 and related features, the following resource class CSFSERV resources:
Before you use Elliptic Curve Cryptography (ECC) ciphers, perform the following steps:
Start ICSF. If the CSFSERV class is defined, give the user ID that runs the AT-TLS application READ access to the following resources in that class:
CSF1TRC
CSF1PKV
CSF1PKS
CSF1GKP
CSF1GAV
CSF1DVK
CSF1TRD
Before you use AES GCM ciphers, perform the following steps:
Start ICSF. If the CSFSERV class is defined, give the user ID that runs the AT-TLS application READ access to the following resources in that class:
CSF1TRC
CSF1SKD
CSF1SKE
CSF1TRD
By default, ACF2 assigns the 3-character type code "SAF" to the CSFSERV resource class. It is recommended to modify the default type code of "SAF" to a more unique type code of "CSF" or another value. Sample commands to change the CSFSERV class type code to "CSF":
SET CONTROL(GSO)
INSERT CLASMAP.CSFSERV RESOURCE(CSFSERV) RSRCTYPE(CSF)
F ACF2,REFRESH(CLASMAP)
The CSFSERV resource class type code must be made resident by adding the type code to the GSO INFODIR record. Make resource rules with type code CSF resident:
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCSF) ADD
F ACF2,REFRESH(INFODIR)
Next write appropriate resource rules for TYPE(CSF) for the CSFSERV resources as described above for the type of ciphers that you intend to use. For example:
* Elliptic Curve Cryptography (ECC) ciphers
SET RESOURCE(CSF)
RECKEY CSF1TRC add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1PKV add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1PKS add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1GKP add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1GAV add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1DVK add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1TRD add( UID(***IT-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)
* AES GCM ciphers
SET RESOURCE(CSF)
RECKEY CSF1TRC add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1SKD add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1SKE add( UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CSF1TRD add( UID(***IT-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CSF)
CRYPTOZ is a resource class defined in support of PKCS #11. Access to PKCS #11 tokens in ICSF is controlled by the CRYPTOZ class, with different access levels as well as a differentiation between standard users and security officers. A user's access level to each of these resources (read, update, or delete) determines the user's access level to the token. For each token, there are resources in the CRYPTOZ class for controlling access to tokens:
USER.token-name controls the access of the User role to the token
SO.token-name controls the access of the Security Officer (SO) role to the token.
CLEARKEY.token-name controls the ICSF policy for creating a clear key versus a secure key.
* CRYPTOZ TYPE(CRY) is required to be resident
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCRY) ADD
F ACF2,REFRESH(INFODIR)
* CRYPTOZ token access
* Note update SERVICE as required
SET RESOURCE(CRY)
RECKEY USER add( token-name UID(***IT-) SERVICE(READ) ALLOW)
RECKEY SO add( token-name UID(***IT-) SERVICE(READ) ALLOW)
RECKEY CLEARKEY add( token-name UID(***IT-) SERVICE(READ) ALLOW)
F ACF2,REBUILD(CRY)
Feedback
