Enabling Top Secret Access Authority Checking For Key Tokens in ICSF

Article ID: 37379


Products

Top Secret

Issue/Introduction

The z/OS Cryptographic Services ICSF Administrator's Guide (SA22-7521-17), section 'Enabling access authority checking for key tokens', at the following link:

https://www-01.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfb300/actksp.htm?lang=en

gives the following sample RACF commands:

1. For example, say you want to enable Key Token Authorization Checking for both a CKDS and a PKDS. You're not certain all the users currently accessing key tokens in these key stores will have the necessary access authority, and do not want to disrupt current work patterns at your installation. For this reason, you decide to allow a warning period during which you can identify users who will need permission to access certain key tokens. The following commands will enable Key Token Authorization Checking for the CKDS and the PKDS in warning mode.

RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.WARN
RDEFINE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.WARN
SETROPTS RACLIST(XFACILIT) REFRESH

2. During the warning period, you can, by examining the SMF type 82 subtype 25 records logged in the SMF data set, identify the users who need permission to access keys. You can then create or modify the necessary profiles in the CSFKEYS class. When you are ready to move to a stricter implementation of this policy, you enable the controls for fail mode and disable the ones for warning mode.

RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.FAIL
RDEFINE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.FAIL
RDELETE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.WARN
RDELETE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.WARN
SETROPTS RACLIST(XFACILIT) REFRESH

3. For example, to enable the Default Key Label Checking control for a CKDS, you would:

Create the default profile CSF-CKDS-DEFAULT in the CSFKEYS class.

RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE)

4. By defining the universal access authority (UACC) as NONE in the preceding step, the use of key tokens that do not reside in the key store has been prohibited. If necessary, however, you can give appropriate users (preferably groups) access in the CSF-CKDS-DEFAULT profile and refresh the CSFKEYS class in storage: 

PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH

5. Create a profile for the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class, and refresh the XFACILIT class in storage:

RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
SETROPTS RACLIST(XFACILIT) REFRESH

What are the Top Secret equivalents? 


Resolution

1. For example, say you want to enable Key Token Authorization Checking for both a CKDS and a PKDS. You're not certain all the users currently accessing key tokens in these key stores will have the necessary access authority, and do not want to disrupt current work patterns at your installation. For this reason, you decide to allow a warning period during which you can identify users who will need permission to access certain key tokens. The following commands will enable Key Token Authorization Checking for the CKDS and the PKDS in warning mode.

RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.WARN
RDEFINE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.WARN
SETROPTS RACLIST(XFACILIT) REFRESH

TSS equivalent:
TSS ADD(owningacid) XFACILIT(CSF.CKDS.TOKEN.CHECK) 
TSS ADD(owningacid) XFACILIT(CSF.PKDS.TOKEN.CHECK)

Notes: The XFACILIT resource class allows up to 26 characters. XFACILIT(CSF.CKDS.TOKEN.CHECK) specifies a prefix, so CSF.CKDS.TOKEN.CHECK.LABEL.WARN is protected under that definition. The same applies to all TSS ADD commands in this document.

There is no equivalent for SETROPTS, and none is needed with CA Top Secret because the refresh is done automatically. SETROPTS commands are ignored in the rest of this document.

2. During the warning period, you can, by examining the SMF type 82 subtype 25 records logged in the SMF data set, identify the users who need permission to access keys. You can then create or modify the necessary profiles in the CSFKEYS class. When you are ready to move to a stricter implementation of this policy, you enable the controls for fail mode and disable the ones for warning mode.

RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.FAIL
RDEFINE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.FAIL
RDELETE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.WARN
RDELETE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.WARN
SETROPTS RACLIST(XFACILIT) REFRESH

TSS equivalent:

TSS ADD(owningacid) XFACILIT(CSF.CKDS.TOKEN.CHECK)  <- Already done above, can be skipped
TSS ADD(owningacid) XFACILIT(CSF.PKDS.TOKEN.CHECK)  <- Already done above, can be skipped
TSS PER(ALL) XFACILIT(CSF.CKDS.TOKEN.CHECK.LABEL.WARN) ACC(READ)
TSS PER(ALL) XFACILIT(CSF.PKDS.TOKEN.CHECK.LABEL.WARN) ACC(READ)

Notes:

The RDELETE commands unprotect CSF.CKDS.TOKEN.CHECK.LABEL.WARN and CSF.PKDS.TOKEN.CHECK.LABEL.WARN.

Because we issued TSS ADD(owningacid) XFACILIT(CSF.CKDS.TOKEN.CHECK) and TSS ADD(owningacid) XFACILIT(CSF.PKDS.TOKEN.CHECK), CSF.CKDS.TOKEN.CHECK.LABEL.WARN and CSF.PKDS.TOKEN.CHECK.LABEL.WARN are also protected by those prefixes.

So to unprotect them, we permit the ALL record to CSF.CKDS.TOKEN.CHECK.LABEL.WARN and CSF.PKDS.TOKEN.CHECK.LABEL.WARN.

3. For example, to enable the Default Key Label Checking control for a CKDS, you would:

Create the default profile CSF-CKDS-DEFAULT in the CSFKEYS class.

RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE)

TSS equivalent:

TSS ADD(owningacid) CSFKEYS(CSF)

Notes: CSFKEYS(CSF) is a prefix, so anything that starts with CSF, including 'CSF-CKDS-DEFAULT', is protected by CA Top Secret.

4. By defining the universal access authority (UACC) as NONE in the preceding step, the use of key tokens that do not reside in the key store has been prohibited. If necessary, however, you can give appropriate users (preferably groups) access in the CSF-CKDS-DEFAULT profile and refresh the CSFKEYS class in storage:

PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH

TSS equivalent:

TSS PER(profile_acid) CSFKEYS(CSF+CKDS+DEFAULT) ACC(READ)

Notes:

The '-' in CSF-CKDS-DEFAULT is replaced with '+' because '-' is a masking character in CA Top Secret. '+' is a masking character that acts as a wildcard for exactly one character, so CSF+CKDS+DEFAULT matches the CSF-CKDS-DEFAULT resource name.
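To make the prefix rule from the notes on steps 1 and 2 and the masking rule from step 4 checkable, here is an added Python model that replays the TSS commands above; it is not code from the article or from CA Top Secret, it models only prefix ownership and the '+' mask, and KEYUSERS and USER01 are constructed acids.

```python
# Added example (not the article's or CA Top Secret's own code): a small model of
# the two Top Secret rules the article relies on. Assumed rules: a TSS ADD name
# protects every resource it is a PREFIX of, and in a TSS PER mask '+' matches
# exactly one character; other masking characters are not modelled.
def mask_matches(mask: str, name: str) -> bool:
    """Simplified TSS masking: '+' matches one character, the rest literally."""
    if len(mask) != len(name):
        return False
    return all(m == "+" or m == n for m, n in zip(mask, name))

class TopSecretModel:
    def __init__(self):
        self.owned = {}    # (class, prefix) -> owning acid
        self.permits = []  # (acid, class, mask, access)

    def add(self, acid, rclass, prefix):
        """TSS ADD(acid) class(prefix): acid owns all resources under prefix."""
        self.owned[(rclass, prefix)] = acid

    def per(self, acid, rclass, mask, access="READ"):
        """TSS PER(acid) class(mask) ACC(access); acid 'ALL' means every user."""
        self.permits.append((acid, rclass, mask, access))

    def is_protected(self, rclass, resource):
        return any(c == rclass and resource.startswith(p) for c, p in self.owned)

    def can_read(self, acid, rclass, resource):
        if not self.is_protected(rclass, resource):
            return True  # an unowned resource is not checked at all
        return any(a in (acid, "ALL") and c == rclass and mask_matches(m, resource)
                   for a, c, m, _ in self.permits)

def walk_through_article():
    """Replay the article's steps; KEYUSERS and USER01 are constructed acids."""
    warn, fail = "CSF.CKDS.TOKEN.CHECK.LABEL.WARN", "CSF.CKDS.TOKEN.CHECK.LABEL.FAIL"
    tss = TopSecretModel()
    tss.add("owningacid", "XFACILIT", "CSF.CKDS.TOKEN.CHECK")   # step 1
    tss.add("owningacid", "XFACILIT", "CSF.PKDS.TOKEN.CHECK")
    warn_on = tss.is_protected("XFACILIT", warn)
    tss.per("ALL", "XFACILIT", warn)                             # step 2
    tss.per("ALL", "XFACILIT", "CSF.PKDS.TOKEN.CHECK.LABEL.WARN")
    tss.add("owningacid", "CSFKEYS", "CSF")                      # step 3
    tss.per("KEYUSERS", "CSFKEYS", "CSF+CKDS+DEFAULT")           # step 4
    return {
        "warn_protected_after_step1": warn_on,
        "warn_open_to_all_after_step2": tss.can_read("USER01", "XFACILIT", warn),
        "fail_still_enforced": not tss.can_read("USER01", "XFACILIT", fail),
        "group_reads_default_label": tss.can_read("KEYUSERS", "CSFKEYS", "CSF-CKDS-DEFAULT"),
        "other_user_denied": not tss.can_read("USER01", "CSFKEYS", "CSF-CKDS-DEFAULT"),
    }
```

The returned flags show why the PER(ALL) on the WARN resources is the Top Secret way of "unprotecting" them while the FAIL resources stay enforced, and why a '+' mask is needed to permit the CSF-CKDS-DEFAULT profile.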

5. Create a profile for the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class, and refresh the XFACILIT class in storage.

RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
SETROPTS RACLIST(XFACILIT) REFRESH

TSS equivalent:

TSS ADD(owningacid) XFACILIT(CSF.CKDS.TOKEN.CHECK)  <- Already done above, can be skipped