Getting a RCRY resource violation for resource class CRYPTOZ when using Cryptographic ICSF facilities, what rules need to be written to address the violation?
search cancel

Getting a RCRY resource violation for resource class CRYPTOZ when using Cryptographic ICSF facilities, what rules need to be written to address the violation?

book

Article ID: 35347

calendar_today

Updated On:

Products

ACF2 ACF2 - z/OS ACF2 - MISC

Issue/Introduction

Getting a RCRY resource violation for resource class CRYPTOZ when using Cryptographic ICSF facilities, what rules need to be written to address the violation?

The violation from the ACF2 ACFRPTRV report:

REQUESTED RESOURCE                                                       REC  LOOKUP KEY

UID                                          SOURCE    CPU    MODULE   DISP       DSP-MOD  KEY-MOD  SERV
      DATE           TIME        JNAME         LID            NAME                         PRE  RMC INT PST FIN
MLS         USER-SECLABEL  RSRC-SECLABEL   MODE       SRC       RRC      RSN                 

RCRY-CLEARKEY.SYSTOK-SESSION-ONLY                              *VIO  RCRY-CLEARKEY
uid                                 STCINRDR SYS1 ACF9CFAT NO-REC         -            DIRECTRY READ
15.289 16/10 08.51            xxxxx      xxxx      started TASK                 0     8     0     0   16                             

SAF RESOURCE CLASS CRYPTOZ 

RESOURCE NAME: CLEARKEY.SYSTOK-SESSION-ONLY 

 

Environment

Release: ACF2 16.0
Using Cryptographic ICSF facilities.

Cause

A generic or a specific RCRY resource rule needs to be written to control the CLEARKEY.token-name resource within the CRYPTOZ class which controls the ICSF policy for creating a clear key versus a secure key to address the resource violation.

Resolution

A generic or a specific rule can be used to control the CLEARKEY.token-name resource within the CRYPTOZ class which controls the ICSF policy for creating a clear key versus a secure key.  

Sample rules follow. 

Restrict user ID ABCUSER to secure keys only and allow all other user IDs to create clear keys: 

ACF 
SET RESOURCE(CRY) 
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT) 
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW) 

Sample generic(masked) rule restricting user ID ABCUSER and allow all other user IDs to create clear keys 

ACF 
SET RESOURCE(CRY) 
RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT) 
RECKEY ******** ADD( - UID(*) SERVICE(UPDATE) ALLOW)

Additional Information

Details on CA ACF2 and the P11TOKEN command that allows you to define and manage certain objects within a PKCS #11 token can be found in the ACF2 documentation section: 'P11TOKEN Subcommand'.

 Details on the CRYPTOZ resource used for controlling clear key processing can be found in the IBM z/OS Cryptographic Services ICSF Writing PKCS #11 Applications Guide.

Possible symptoms: