Getting an RCRY resource violation for resource class CRYPTOZ when using Cryptographic ICSF facilities; what rules need to be written to address the violation?
The violation from the ACF2 ACFRPTRV report:
REQUESTED RESOURCE REC LOOKUP KEY
UID SOURCE CPU MODULE DISP DSP-MOD KEY-MOD SERV
DATE TIME JNAME LID NAME PRE RMC INT PST FIN
MLS USER-SECLABEL RSRC-SECLABEL MODE SRC RRC RSN
RCRY-CLEARKEY.SYSTOK-SESSION-ONLY *VIO RCRY-CLEARKEY
uid STCINRDR SYS1 ACF9CFAT NO-REC - DIRECTRY READ
15.289 16/10 08.51 xxxxx xxxx started TASK 0 8 0 0 16
SAF RESOURCE CLASS CRYPTOZ
RESOURCE NAME: CLEARKEY.SYSTOK-SESSION-ONLY
Release: ACF2 16.0
Using Cryptographic ICSF facilities.
A generic or a specific RCRY resource rule needs to be written to control the CLEARKEY.token-name resource within the CRYPTOZ class, which controls the ICSF policy for creating a clear key versus a secure key. Writing that rule addresses the resource violation.
Sample rules follow.
Restrict user ID ABCUSER to secure keys only and allow all other user IDs to create clear keys:
ACF
SET RESOURCE(CRY)
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW)
Sample generic (masked) rule restricting user ID ABCUSER to secure keys and allowing all other user IDs to create clear keys:
ACF
SET RESOURCE(CRY)
RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT)
RECKEY ******** ADD( - UID(*) SERVICE(UPDATE) ALLOW)
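As an added illustration (not part of the original article or of CA ACF2 itself), the following Python shows how the fields of the ACFRPTRV record above map onto the sample rules: the `R<type>-` prefix on the *VIO line gives the ACF2 resource type (RCRY becomes SET RESOURCE(CRY)), the first qualifier of the resource name is the rule key (CLEARKEY), and the remainder (SYSTOK-SESSION-ONLY) or a `-` mask becomes the rule entry. The report excerpt is constructed from the record shown on this page, and the `uid_string` argument is a placeholder for the real ACF2 UID string.

```python
import re

# Constructed excerpt of the ACFRPTRV violation record shown in this article.
SAMPLE_VIOLATION = """\
RCRY-CLEARKEY.SYSTOK-SESSION-ONLY *VIO RCRY-CLEARKEY
uid STCINRDR SYS1 ACF9CFAT NO-REC - DIRECTRY READ
SAF RESOURCE CLASS CRYPTOZ
RESOURCE NAME: CLEARKEY.SYSTOK-SESSION-ONLY
"""


def parse_violation(report_text):
    """Extract the SAF class, resource name and ACF2 type code from a violation record."""
    cls = re.search(r"^SAF RESOURCE CLASS\s+(\S+)", report_text, re.M)
    name = re.search(r"^RESOURCE NAME:\s+(\S+)", report_text, re.M)
    # 'RCRY-CLEARKEY...' on the *VIO line: the three letters after 'R' are the ACF2 type (CRY).
    typ = re.search(r"^R([A-Z0-9]{3})-\S+\s+\*VIO", report_text, re.M)
    if not (cls and name and typ):
        raise ValueError("not a recognisable ACF2 resource violation record")
    return {"class": cls.group(1), "resource": name.group(1), "type": typ.group(1)}


def build_rules(violation, uid_string, masked=False):
    """Return the ACF subcommands that resolve the violation the way the article's samples do:
    PREVENT clear-key creation for one UID string, ALLOW (SERVICE(UPDATE)) for everyone else.
    With masked=True the key is fully masked and '-' stands for the rest of the resource name."""
    key, _, rest = violation["resource"].partition(".")
    rule_key, entry = ("*" * 8, "-") if masked else (key, rest)
    return [
        "ACF",
        f"SET RESOURCE({violation['type']})",
        f"RECKEY {rule_key} ADD({entry} UID({uid_string}) PREVENT)",
        f"RECKEY {rule_key} ADD({entry} UID(*) SERVICE(UPDATE) ALLOW)",
    ]


if __name__ == "__main__":
    v = parse_violation(SAMPLE_VIOLATION)
    for line in build_rules(v, "UID-STRING-FOR-ABCUSER"):
        print(line)
```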
Details on CA ACF2 and the P11TOKEN command that allows you to define and manage certain objects within a PKCS #11 token can be found in the ACF2 documentation section: 'P11TOKEN Subcommand'.
Details on the CRYPTOZ resource used for controlling clear key processing can be found in the IBM z/OS Cryptographic Services ICSF Writing PKCS #11 Applications Guide.