When resource violations for resource CRYPTOZ are seen, what are the underlying validations and required access rules?
The new CRYPTOZ resource, CLEARKEY.token-label, is used to set policy on the use of clear keys. A generic or a specific rule can be used to control the CLEARKEY.token-label resource within the CRYPTOZ class, which controls the ICSF policy for creating a clear key versus a secure key.
The following examples show how the security administrator can use the CRYPTOZ resource CLEARKEY.token-label to set policy on the use of clear keys.
Sample rules follow.
1) Restrict user ID ABCUSER to secure keys only and allow all other user IDs to create clear keys:
ACF
SET RESOURCE(CRY)
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(READ,UPDATE) ALLOW)
The ACF RECKEY Subcommand will update an existing rule or create a rule if the rule does not exist. If the "CLEARKEY" rule does not exist, the resultant rule from the above two RECKEY Subcommands will be as follows.
$KEY(CLEARKEY) TYPE(CRY)
SYSTOK-SESSION-ONLY UID(UID STRING FOR ABCUSER) PREVENT
SYSTOK-SESSION-ONLY UID(*) SERVICE(READ,UPDATE) ALLOW
2) Sample generic (masked) rule restricting user ID ABCUSER and allowing all other user IDs to create clear keys:
ACF
SET RESOURCE(CRY)
RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT)
RECKEY ******** ADD( - UID(*) SERVICE(READ,UPDATE) ALLOW)
The ACF RECKEY Subcommand will update an existing rule or create a rule if the rule does not exist. If the generic "********" rule does not exist, the resultant rule from the above two RECKEY Subcommands will be as follows.
$KEY(********) TYPE(CRY)
- UID(UID STRING FOR ABCUSER) PREVENT
- UID(*) SERVICE(READ,UPDATE) ALLOW
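To check what the two compiled rules above actually decide for a given user and service before refreshing them, here is an added Python model (not part of the article or of ACF2 itself). It assumes a simplified version of ACF2 rule evaluation: "-" matches any qualifier, "*" masks a run of characters, the most specific matching entry wins, and no matching entry means PREVENT; the UID string "DEPT1ABCUSER" is a constructed stand-in for the article's "UID string for ABCUSER" placeholder.

```python
import re

# Constructed sample: the compiled rules from the article, with the UID placeholder
# replaced by a hypothetical UID string "DEPT1ABCUSER" for user ABCUSER.
RULE_SPECIFIC = """$KEY(CLEARKEY) TYPE(CRY)
SYSTOK-SESSION-ONLY UID(DEPT1ABCUSER) PREVENT
SYSTOK-SESSION-ONLY UID(*) SERVICE(READ,UPDATE) ALLOW"""
RULE_GENERIC = """$KEY(********) TYPE(CRY)
- UID(DEPT1ABCUSER) PREVENT
- UID(*) SERVICE(READ,UPDATE) ALLOW"""

ENTRY_RE = re.compile(r"^(\S+)\s+UID\(([^)]*)\)(?:\s+SERVICE\(([^)]*)\))?\s+(ALLOW|PREVENT)$")

def parse_rule(text):
    """Parse a compiled rule into (key, type, [(qualifier, uid_mask, services, verdict)])."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r"\$KEY\((\S+)\)\s+TYPE\((\w+)\)$", lines[0])
    if not m:
        raise ValueError("missing $KEY line")
    entries = []
    for line in lines[1:]:
        em = ENTRY_RE.match(line)
        if not em:
            raise ValueError(f"unparsable rule entry: {line}")
        q, uid, svc, verdict = em.groups()
        entries.append((q, uid, set(svc.split(",")) if svc else set(), verdict))
    return m.group(1), m.group(2), entries

def mask_match(mask, value):
    """Simplified ACF2 masking: '-' matches anything, '*' matches any run of characters."""
    if mask == "-":
        return True
    return re.fullmatch(re.escape(mask).replace(r"\*", ".*"), value) is not None

def specificity(mask):
    return 0 if mask == "-" else len(mask.replace("*", ""))

def decide(rule_text, resource, uid, service):
    """Return ALLOW or PREVENT for a resource such as CLEARKEY.SYSTOK-SESSION-ONLY."""
    key, _, entries = parse_rule(rule_text)
    first, _, rest = resource.partition(".")
    if not mask_match(key, first):
        return "PREVENT"                       # this rule does not cover the resource
    matches = [e for e in entries if mask_match(e[0], rest) and mask_match(e[1], uid)
               and (not e[2] or service in e[2])]   # empty SERVICE set = any service
    if not matches:
        return "PREVENT"                       # no matching entry: denied by default
    # Most specific matching entry wins (assumed model of ACF2's specific-first ordering)
    best = max(matches, key=lambda e: (specificity(e[1]), specificity(e[0])))
    return best[3]
```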
For a fastauth request, the INFODIR entry for this resource type needs to be resident, since fastauth requests are not allowed to read the ACF2 database. Because this is a fastauth call, resource rule TYPE(CRY) should therefore be made resident:
ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RCRY) ADD
END
Issue the Modify commands:
- F ACF2,REFRESH(INFODIR)
- F ACF2,REBUILD(CRY)
Additional information:
- Details on the CRYPTOZ resource used for controlling clear key processing can be found in the PDF z/OS Cryptographic Services ICSF Writing PKCS #11 Applications (IBM SC14-7510-01).
- Details on the ACF2 RECKEY Subcommand can be found in the ACF2 documentation section 'RECKEY Subcommand'.