Getting a resource violation for resource CRYPTOZ. What are these validations for and what rules can be coded to address the violations?
The new CRYPTOZ resource, CLEARKEY.token-label, is used to set policy on the use of clear keys. A generic or a specific rule can be used to control the CLEARKEY.token-label resource within the CRYPTOZ class, which controls the ICSF policy for creating a clear key versus a secure key.
The following examples show how the security administrator can use the CRYPTOZ resource CLEARKEY.token-label to set policy on the use of clear keys.
Sample rules follow.
1) Restrict user ID ABCUSER to secure keys only and allow all other user IDs to create clear keys:
ACF
SET RESOURCE(CRY)
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW)
The ACF RECKEY subcommand will update an existing rule or create the rule if it does not exist. If the "CLEARKEY" rule does not exist, the resultant rule from the above two RECKEY subcommands will be as follows.
$KEY(CLEARKEY) TYPE(CRY)
SYSTOK-SESSION-ONLY UID(UID STRING FOR ABCUSER) PREVENT
SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW
2) Sample generic (masked) rule restricting user ID ABCUSER and allowing all other user IDs to create clear keys:
ACF
SET RESOURCE(CRY)
RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT)
RECKEY ******** ADD( - UID(*) SERVICE(UPDATE) ALLOW)
The ACF RECKEY subcommand will update an existing rule or create the rule if it does not exist. If the "********" rule does not exist, the resultant rule from the above two RECKEY subcommands will be as follows.
$KEY(********) TYPE(CRY)
- UID(UID STRING FOR ABCUSER) PREVENT
- UID(*) SERVICE(UPDATE) ALLOW
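To see what examples 1 and 2 actually decide for a given user, the following added evaluator (not part of this article and not CA ACF2 code) models both rule sets and the CLEARKEY.SYSTOK-SESSION-ONLY check ICSF makes. It assumes a simplified version of ACF2 masking and entry selection: '*' matches one character, '-' matches the rest of the string, a mask shorter than the value is padded with '*', the most specific matching entry (most literal characters) decides, and no matching entry means PREVENT. The UID strings and the stand-in for "UID string for ABCUSER" are constructed.

```python
"""Toy evaluator for the CLEARKEY resource rules in examples 1 and 2.

Added example; not part of the article and not CA ACF2 code. Matching
semantics are a simplification (see module comments below); the UID
strings are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    resource_mask: str            # rest of the resource name, e.g. "SYSTOK-SESSION-ONLY" or "-"
    uid_mask: str                 # UID() mask, e.g. "*" or a full UID string
    decision: str                 # "ALLOW" or "PREVENT"
    service: Optional[str] = None  # SERVICE(...) value; None means any service


@dataclass
class Rule:
    key: str                      # $KEY value: "CLEARKEY" or "********"
    type_: str                    # TYPE value: "CRY"
    entries: list = field(default_factory=list)


def mask_match(mask: str, value: str) -> bool:
    """Assumed masking: '*' = one character, '-' = rest of string,
    short masks are padded with '*'. Note that the literal dashes in
    SYSTOK-SESSION-ONLY are treated as wildcards under this assumption."""
    if mask == "-":
        return True
    if len(mask) < len(value):
        mask = mask + "*" * (len(value) - len(mask))
    if len(mask) > len(value):   # surplus mask characters must be wildcards
        extra, mask = mask[len(value):], mask[:len(value)]
        if extra.strip("*-"):
            return False
    for m, v in zip(mask, value):
        if m == "-":
            return True
        if m != "*" and m != v:
            return False
    return True


def specificity(entry: Entry) -> int:
    """Number of literal (non-wildcard) characters; more literal = more specific."""
    return sum(c not in "*-" for c in entry.resource_mask + entry.uid_mask)


def evaluate(rules, rtype, resource, uid, service):
    """Return 'ALLOW' or 'PREVENT' for one resource check.

    resource is the full CRYPTOZ name, e.g. 'CLEARKEY.SYSTOK-SESSION-ONLY':
    the first qualifier is matched against $KEY, the remainder against the
    entry's resource mask. Assumed: most specific matching entry wins,
    no match means PREVENT.
    """
    key, _, rest = resource.partition(".")
    candidates = []
    for rule in rules:
        if rule.type_ != rtype or not mask_match(rule.key, key):
            continue
        for e in rule.entries:
            if (mask_match(e.resource_mask, rest)
                    and mask_match(e.uid_mask, uid)
                    and e.service in (None, service)):
                candidates.append(e)
    if not candidates:
        return "PREVENT"
    return max(candidates, key=specificity).decision


ABCUSER_UID = "SYSPROGABCUSER"   # constructed stand-in for "UID string for ABCUSER"

# Example 1: specific $KEY(CLEARKEY) with the token label as resource name
SPECIFIC_RULE = Rule("CLEARKEY", "CRY", [
    Entry("SYSTOK-SESSION-ONLY", ABCUSER_UID, "PREVENT"),
    Entry("SYSTOK-SESSION-ONLY", "*", "ALLOW", service="UPDATE"),
])

# Example 2: generic $KEY(********) with the '-' resource mask
GENERIC_RULE = Rule("********", "CRY", [
    Entry("-", ABCUSER_UID, "PREVENT"),
    Entry("-", "*", "ALLOW", service="UPDATE"),
])


def clearkey_decision(rule, uid, service="UPDATE"):
    """Decision for the clear-key policy check on the session-only token."""
    return evaluate([rule], "CRY", "CLEARKEY.SYSTOK-SESSION-ONLY", uid, service)


if __name__ == "__main__":
    for name, rule in (("specific", SPECIFIC_RULE), ("generic", GENERIC_RULE)):
        print(name, "ABCUSER ->", clearkey_decision(rule, ABCUSER_UID))
        print(name, "OTHER   ->", clearkey_decision(rule, "SYSPROGXYZUSER"))
```

Under these assumptions both rule sets give the same result: ABCUSER is prevented (the entry with the explicit UID string is more specific than UID(*)), every other UID is allowed for SERVICE(UPDATE), and a request for any other service falls through to PREVENT because the ALLOW entry is limited to UPDATE.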
For a fastauth request, the infodir entry for this resource needs to be resident since those requests are not allowed to read the ACF2 database.
Resource rule TYPE(CRY) should be made resident since this is a fastauth call.
Modify commands:
- F ACF2,REFRESH(INFODIR)
- F ACF2,REBUILD(CRY)
- Details on the CRYPTOZ resource used for controlling clear key processing can be found in the z/OS Cryptographic Services ICSF Writing PKCS #11 Applications (IBM SC14-7510-01).
- Details on the ACF2 RECKEY subcommand can be found in the CA ACF2 for z/OS Administration Guide in Chapter 7: Maintaining Resource Rules, section 'RECKEY Subcommand'.