I am getting a resource violation for resource CRYPTOZ. What are these validations for and what ACF2 rules can be coded to address the violations?

Article ID: 32457

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC

Issue/Introduction

Getting a resource violation for resource CRYPTOZ. What are these validations for and what rules can be coded to address the violations?

Environment

Release: ACF2 16.0
Component: Z/OS

Resolution

The CRYPTOZ resource CLEARKEY.token-label is used to set policy on the use of clear keys. When a PKCS #11 application asks ICSF to generate or derive a key, ICSF checks the caller's access to CLEARKEY.token-label in the CRYPTOZ class to decide whether the key may be created as a clear key or must be a secure key. In ACF2 the CRYPTOZ class is mapped to resource type CRY (the default mapping; confirm it against your site's GSO CLASMAP records), and either a specific or a generic (masked) resource rule can be coded to control the resource.

The following examples show how the security administrator can use the CLEARKEY.token-label resource to set that policy. In both examples the resource being validated is CLEARKEY.SYSTOK-SESSION-ONLY, where SYSTOK-SESSION-ONLY is the token label: the first qualifier (CLEARKEY) becomes the $KEY of the rule set and the remainder becomes the rule entry.

Sample rules follow.

1) Restrict user ID ABCUSER to secure keys only and allow all other user IDs to create clear keys:

    ACF
    SET RESOURCE(CRY)
    RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
    RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW)

The ACF RECKEY subcommand updates an existing rule set, or creates one if it does not exist. If no CLEARKEY rule set exists, the two RECKEY subcommands above produce the following rule. The PREVENT entry for ABCUSER carries no SERVICE keyword, so it applies regardless of the service requested, while every other UID is allowed UPDATE access, which is what permits clear key creation:

  $KEY(CLEARKEY) TYPE(CRY)                                  
  SYSTOK-SESSION-ONLY UID(UID STRING FOR ABCUSER) PREVENT  
  SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW          

2) Sample generic (masked) rule restricting user ID ABCUSER to secure keys only and allowing all other user IDs to create clear keys:

    ACF
    SET RESOURCE(CRY)
    RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT)
    RECKEY ******** ADD( - UID(*) SERVICE(UPDATE) ALLOW)

Again, the RECKEY subcommand updates the rule set if it exists or creates it if it does not. If no ******** rule set exists, the two RECKEY subcommands above produce the following rule. Note that both the $KEY (********) and the entry (-) are fully masked, so this rule set matches every CRYPTOZ resource name, not only CLEARKEY.token-label; the other CRYPTOZ resources (for example SO.token-label and USER.token-label, which control token access) would be governed by the same ALLOW and PREVENT entries unless a more specific rule set exists for them. Use the specific form in example 1 when those resources need to be controlled separately:

   $KEY(********) TYPE(CRY)              
    - UID(UID STRING FOR ABCUSER) PREVENT
    - UID(*) SERVICE(UPDATE) ALLOW        

Additional Information

CRYPTOZ validation is a FASTAUTH request. FASTAUTH requests are not allowed to read the ACF2 database, so the resource rules for this type must be resident in storage: the resource type code CRY must be listed in the GSO INFODIR record (as R-RCRY), and the rule directory must be rebuilt after the rules are written or changed. If the directory is not resident, or has not been rebuilt since the rule was added, the validation will continue to fail with a resource violation even though the rule exists.

After adding R-RCRY to the INFODIR record and writing the rules, issue the following MVS MODIFY commands:

- F ACF2,REFRESH(INFODIR)
- F ACF2,REBUILD(CRY)

Repeat F ACF2,REBUILD(CRY) every time a TYPE(CRY) rule set is changed so that the resident directory reflects the new rule.

- Details on the CRYPTOZ resource used for controlling clear key processing can be found in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications (IBM SC14-7510-01).
- Details on the ACF2 RECKEY subcommand can be found in the CA ACF2 for z/OS Administration Guide, Chapter 7: Maintaining Resource Rules, section 'RECKEY Subcommand'.