The z/OS 1.10 release of ICSF introduced a new set of resource controls. How do you write a resource rule for resource CSF-CKDS-DEFAULT in the CSFKEYS resource class when the qualifiers are separated by dash '-' rather than '.'?

Document ID : KB000054193
Last Modified Date : 14/02/2018

Description

For resource CSF-CKDS-DEFAULT, dash '-' is not a delimiter for a resource qualifier in a resource name. Therefore CSF-CKDS-DEFAULT is an unqualified resource name and an extended resource rule key cannot be used, so the entire resource name would be coded in the $KEY, for example: $KEY(CSF-CKDS-DEFAULT).

Solution

ICSF services look for a CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource in the CSFKEYS class to determine application access. This control is active only when key store policy checking is active.

To set up RACF profiles and give appropriate users access to the CSF-CKDS-DEFAULT profile in the CSFKEYS class:

RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE) WA
PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)

There is no ACF2 equivalent for RDEFINE because ACF2 protects resources by default.

Since CSF-CKDS-DEFAULT is an unqualified resource name, an ACF2 extended resource rule cannot be used, so the entire resource name would be coded in the $KEY. The ACF2 equivalent to the RACF PERMIT would be as follows:

$KEY(CSF-CKDS-DEFAULT) TYPE(SAF)
 UID(uid string) SERVICE(READ) ALLOW

Note: The resource class CSFKEYS defaults to a TYPE code of SAF. An ACF2 GSO CLASMAP record can be created to map the resource class CSFKEYS to a more unique TYPE code.
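The following command sequence is an added illustration, not part of the original article, showing the CLASMAP mapping described in the note together with the resulting rule set. The TYPE code CSF and the GSO record name CLASMAP.CSFKEYS are assumptions chosen for this example; "uid string" is a placeholder for the site's own UID mask. The F ACF2 commands are operator commands and must be issued from the console or by a user with the appropriate operator authority.

```text
ACF
SET CONTROL(GSO)
* Assumed record name CLASMAP.CSFKEYS: map class CSFKEYS to its own
* TYPE code (assumed CSF) so its rules are not kept under TYPE(SAF)
INSERT CLASMAP.CSFKEYS RESOURCE(CSFKEYS) RSRCTYPE(CSF)

SET RESOURCE(CSF)
COMPILE * STORE
* CSF-CKDS-DEFAULT has no '.' so it is an unqualified name:
* the whole name goes in $KEY and no $PREFIX/extended key is used
$KEY(CSF-CKDS-DEFAULT) TYPE(CSF)
* Placeholder UID mask; grant READ only, matching the RACF PERMIT
 UID(uid string) SERVICE(READ) ALLOW

F ACF2,REFRESH(CLASMAP)
F ACF2,REBUILD(CSF)
```

The REFRESH makes the new CLASMAP record active and the REBUILD rebuilds the resource directory for the assumed TYPE code so the stored rule takes effect. Because ACF2 denies access to a resource that has no matching rule entry, no PREVENT line is needed for other users.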

Details on ACF2 qualified and unqualified resource rules can be found in the ACF2 Administrator Guide in Chapter 7: Maintaining Resource Rules, section "Control Statement Descriptions".

Details on the resource class CSFKEYS and the resource CSF-CKDS-DEFAULT can be found in the IBM z/OS Cryptographic Services Integrated Cryptographic Service Facility Administrator's Guide.