I am getting a resource violation for resource CRYPTOZ. What are these validations for and what rules can be coded to address the violations?

Document ID : KB000032457
Last Modified Date : 14/02/2018

Question:

I am getting a resource violation for resource CRYPTOZ. What are these validations for and what rules can be coded to address the violations?

Answer:

The new CRYPTOZ resource, CLEARKEY.token-label, is used to set policy on the use of clear keys. A generic or a specific rule can be written for the CLEARKEY.token-label resource within the CRYPTOZ class; this rule controls the ICSF policy for creating a clear key versus a secure key.

The following examples show how the security administrator can use the CRYPTOZ resource, CLEARKEY.token-label, to set policy on the use of clear keys.

Sample rules follow.

1) Restrict user ID ABCUSER to secure keys only and allow all other user IDs to create clear keys:

    ACF
    SET RESOURCE(CRY)
    RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
    RECKEY CLEARKEY ADD( SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW)

The ACF RECKEY subcommand updates an existing rule, or creates the rule if it does not exist. If the CLEARKEY rule does not already exist, the two RECKEY subcommands above produce the following rule:

    $KEY(CLEARKEY) TYPE(CRY)
    SYSTOK-SESSION-ONLY UID(UID STRING FOR ABCUSER) PREVENT
    SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW

2) Sample generic (masked) rule restricting user ID ABCUSER to secure keys and allowing all other user IDs to create clear keys:

    ACF
    SET RESOURCE(CRY)
    RECKEY ******** ADD( - UID(UID string for ABCUSER) PREVENT)
    RECKEY ******** ADD( - UID(*) SERVICE(UPDATE) ALLOW)

The ACF RECKEY subcommand updates an existing rule, or creates the rule if it does not exist. If the masked "********" rule does not already exist, the two RECKEY subcommands above produce the following rule:

    $KEY(********) TYPE(CRY)
    - UID(UID STRING FOR ABCUSER) PREVENT
    - UID(*) SERVICE(UPDATE) ALLOW
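As an added illustration, not taken from the original article, the same pattern can be applied to a site-defined PKCS #11 token rather than the built-in SYSTOK-SESSION-ONLY token. The token label APPTOKEN below is a constructed placeholder, and the UID string is shown as a placeholder just as in the article's own examples. Because the token label is the second qualifier of the CLEARKEY.token-label resource, it appears as the first word of each rule entry, so one CLEARKEY rule set can hold entries for SYSTOK-SESSION-ONLY and for site tokens side by side. The LIST subcommand displays the stored rule set so the administrator can confirm both token labels are covered:

```acf2
ACF
SET RESOURCE(CRY)
RECKEY CLEARKEY ADD( APPTOKEN UID(UID string for ABCUSER) PREVENT)
RECKEY CLEARKEY ADD( APPTOKEN UID(*) SERVICE(UPDATE) ALLOW)
LIST CLEARKEY

$KEY(CLEARKEY) TYPE(CRY)
* APPTOKEN is a constructed placeholder token label (added example, not from the article)
APPTOKEN UID(UID STRING FOR ABCUSER) PREVENT
APPTOKEN UID(*) SERVICE(UPDATE) ALLOW
SYSTOK-SESSION-ONLY UID(UID STRING FOR ABCUSER) PREVENT
SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW
```

With this rule set, ABCUSER is prevented from clear-key creation in both the session-only token and APPTOKEN, so ICSF falls back to secure keys for that user, while every other user ID with UPDATE service is allowed to create clear keys. The second half of the block is the rule set as LIST would present it after the two RECKEY subcommands have been added to the rule from example 1.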


Additional Information:

Details on the CRYPTOZ resource used for controlling clear key processing can be found in the z/OS Cryptographic Services ICSF Writing PKCS #11 Applications (IBM SC14-7510-01). 

Details on the ACF2 RECKEY subcommand can be found in the CA ACF2 for z/OS Administration Guide, Chapter 7: Maintaining Resource Rules, section 'RECKEY Subcommand'.