Resource violations for CRYPTOZ require rules for resource validations.

Article ID: 32457

Updated On: 10-17-2023

Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

When resource violations for resource CRYPTOZ are seen, what are the underlying validations and required access rules?


Environment

Release: ACF2 16.0
Component: Z/OS

Resolution

The new CRYPTOZ resource, CLEARKEY.token-label, is used to set policy on the use of clear keys. A generic (masked) or a specific rule can be used to control the CLEARKEY.token-label resource within the CRYPTOZ class, which governs the ICSF policy for creating a clear key versus a secure key.

The following examples show how the security administrator can use the CRYPTOZ resource CLEARKEY.token-label to set policy on the use of clear keys. Sample rules follow.

1) Restrict user ID ABCUSER to secure keys only and allow all other user
    IDs to create clear keys:

    ACF
    SET RESOURCE(CRY)
    RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
    RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(READ,UPDATE) ALLOW)

The ACF RECKEY subcommand updates an existing rule, or creates the rule if it does not exist. If no CLEARKEY rule exists yet, the two RECKEY subcommands above produce the following rule:

  $KEY(CLEARKEY) TYPE(CRY)                                  
  SYSTOK-SESSION-ONLY UID(UID STRING FOR ABCUSER) PREVENT  
  SYSTOK-SESSION-ONLY UID(*) SERVICE(READ,UPDATE) ALLOW          

2) Sample generic (masked) rule restricting user ID ABCUSER and allowing all other user IDs to create clear keys:

    ACF
    SET RESOURCE(CRY)
    RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT)
    RECKEY ******** ADD( - UID(*) SERVICE(READ,UPDATE) ALLOW)

The ACF RECKEY subcommand updates an existing rule, or creates the rule if it does not exist. If no rule with key ******** exists yet, the two RECKEY subcommands above produce the following rule:

  $KEY(********) TYPE(CRY)
  - UID(UID STRING FOR ABCUSER) PREVENT
  - UID(*) SERVICE(READ,UPDATE) ALLOW
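To make the difference between the specific rule in example 1 and the masked rule in example 2 concrete, here is an added illustrative evaluator (not part of this article and not ACF2 code) that parses the two resultant rule sets shown above and decides ALLOW or PREVENT for a given resource name, UID string and service. It deliberately models only a few ACF2 behaviours, all stated as assumptions in the comments: a trailing "-" or trailing run of "*" in a mask matches the rest of the name, any other "*" is one character, dashes inside a token label are literal, rule entries are matched most specific first, and an entry with no SERVICE keyword applies to every service. The UID strings DEPTAABCUSER and DEPTAXYZUSER are constructed stand-ins for the page's "UID string for ABCUSER" placeholder, and the resource name OTHERRES.X is a made-up second CRYPTOZ resource used to show that the masked $KEY(********) rule set reaches every resource name of TYPE(CRY), whereas $KEY(CLEARKEY) reaches only CLEARKEY.token-label.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed inputs: the two resultant rule sets from this article, with the
# page's placeholder "UID STRING FOR ABCUSER" replaced by a made-up UID string.
ABCUSER_UID = "DEPTAABCUSER"   # hypothetical UID string for ABCUSER
OTHER_UID = "DEPTAXYZUSER"     # hypothetical UID string for some other user

SPECIFIC_RULE = f"""
$KEY(CLEARKEY) TYPE(CRY)
SYSTOK-SESSION-ONLY UID({ABCUSER_UID}) PREVENT
SYSTOK-SESSION-ONLY UID(*) SERVICE(READ,UPDATE) ALLOW
"""

MASKED_RULE = f"""
$KEY(********) TYPE(CRY)
- UID({ABCUSER_UID}) PREVENT
- UID(*) SERVICE(READ,UPDATE) ALLOW
"""


@dataclass
class Entry:
    resource_mask: str        # remainder of the resource name after the $KEY
    uid_mask: str
    services: FrozenSet[str]  # empty = entry applies to every service (assumption)
    action: str               # "ALLOW" or "PREVENT"


@dataclass
class RuleSet:
    key_mask: str
    rule_type: str
    entries: List[Entry]


def mask_to_regex(mask: str) -> str:
    """Simplified ACF2 masking (assumption): a trailing '-' or a trailing run of
    '*' matches any remainder; any other '*' is exactly one character; everything
    else, including dashes inside a token label, is literal."""
    parts = []
    for i, ch in enumerate(mask):
        trailing = set(mask[i:]) <= {"*"} or (ch == "-" and i == len(mask) - 1)
        if ch in "*-" and trailing:
            parts.append(".*")
            break
        parts.append("." if ch == "*" else re.escape(ch))
    return "^" + "".join(parts) + "$"


def specificity(entry: Entry) -> int:
    """Approximate literal-character count, used to model ACF2 placing the most
    specific entry first."""
    return sum(c not in "*-" for c in entry.resource_mask + entry.uid_mask)


def parse_rule(text: str) -> RuleSet:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    header = re.match(r"\$KEY\((\S+)\)\s+TYPE\((\w+)\)", lines[0])
    if not header:
        raise ValueError("missing $KEY/TYPE header: " + lines[0])
    entries = []
    for line in lines[1:]:
        tokens = line.split()
        uid = re.search(r"UID\(([^)]*)\)", line)
        svc = re.search(r"SERVICE\(([^)]*)\)", line)
        services = frozenset(s.strip() for s in svc.group(1).split(",")) if svc else frozenset()
        action = "PREVENT" if "PREVENT" in tokens else "ALLOW"
        entries.append(Entry(tokens[0], uid.group(1) if uid else "-", services, action))
    entries.sort(key=specificity, reverse=True)
    return RuleSet(header.group(1), header.group(2), entries)


def check_access(rule: RuleSet, resource: str, uid: str, service: str) -> Optional[str]:
    """Return the action of the first (most specific) matching entry, or None when
    this rule set does not cover the request at all. resource is the full CRYPTOZ
    name, e.g. 'CLEARKEY.SYSTOK-SESSION-ONLY'; the part before the first '.' is
    matched against $KEY and the remainder against each entry's resource mask."""
    key, _, remainder = resource.partition(".")
    if not re.match(mask_to_regex(rule.key_mask), key):
        return None
    for e in rule.entries:
        if (re.match(mask_to_regex(e.resource_mask), remainder)
                and re.match(mask_to_regex(e.uid_mask), uid)
                and (not e.services or service in e.services)):
            return e.action
    return None


if __name__ == "__main__":
    clearkey = "CLEARKEY.SYSTOK-SESSION-ONLY"
    for name, rule in (("specific", parse_rule(SPECIFIC_RULE)),
                       ("masked", parse_rule(MASKED_RULE))):
        print(name, "ABCUSER on CLEARKEY:", check_access(rule, clearkey, ABCUSER_UID, "READ"))
        print(name, "other user on CLEARKEY:", check_access(rule, clearkey, OTHER_UID, "READ"))
        # a different CRYPTOZ resource name: only the masked rule set reaches it
        print(name, "ABCUSER on OTHERRES.X:", check_access(rule, "OTHERRES.X", ABCUSER_UID, "READ"))
```

Running the block prints PREVENT for ABCUSER and ALLOW for the other user under both rule sets on CLEARKEY.SYSTOK-SESSION-ONLY; for OTHERRES.X the specific rule set returns None (it simply does not apply), while the masked rule set still returns PREVENT for ABCUSER. That is the practical difference to keep in mind when choosing example 2: $KEY(********) with a "-" entry is a catch-all for the whole TYPE(CRY) class, not just the clear-key policy resource.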

Additional Information

For a fastauth request, the INFODIR entry for this resource needs to be resident, because fastauth requests are not allowed to read the ACF2 database.

Resource rules of TYPE(CRY) should therefore be made resident, since this is a fastauth call:

    ACF
    SET CONTROL(GSO)
    CHANGE INFODIR TYPES(R-RCRY) ADD
    END

Issue the Modify commands:

- F ACF2,REFRESH(INFODIR) 

- F ACF2,REBUILD(CRY)

- Details on the CRYPTOZ resource used for controlling clear key processing can be found in the PDF z/OS Cryptographic Services ICSF Writing PKCS #11 Applications (IBM SC14-7510-01).

- Details on the ACF2 RECKEY Subcommand can be found in the ACF2 documentation section 'RECKEY Subcommand'.