We are getting a RCRY resource violation for resource class CRYPTOZ when using Cryptographic ICSF facilities, what rules need to be written to address the violation?

Document ID : KB000035347
Last Modified Date : 14/02/2018

Symptoms:

We are getting a RCRY resource violation for resource class CRYPTOZ when using Cryptographic ICSF facilities, what rules need to be written to address the violation?

The violation as it appears in the ACF2 ACFRPTRV (resource violation) report; the first four lines are the report column headers, the remaining lines are the violation record:

REQUESTED RESOURCE                                                       REC  LOOKUP KEY
UID                                          SOURCE    CPU    MODULE   DISP       DSP-MOD  KEY-MOD  SERV
      DATE           TIME        JNAME         LID            NAME                         PRE  RMC INT PST FIN
MLS         USER-SECLABEL  RSRC-SECLABEL   MODE       SRC       RRC      RSN

RCRY-CLEARKEY.SYSTOK-SESSION-ONLY                              *VIO  RCRY-CLEARKEY
SSSSSSSSKED                          STCINRDR SYS1 ACF9CFAT NO-REC         -            DIRECTRY READ
15.289 16/10 08.51            TCPKED      TCPKED      TCPKED TASK                 0     8     0     0   16

SAF RESOURCE CLASS: CRYPTOZ

RESOURCE NAME: CLEARKEY.SYSTOK-SESSION-ONLY

Environment: 

Using Cryptographic ICSF facilities.

 

Cause:

No RCRY resource rule covers the resource CLEARKEY.SYSTOK-SESSION-ONLY, so the request was denied and logged as a violation (the DISP column of the record shows NO-REC, that is, no rule record was found for the lookup key RCRY-CLEARKEY). Resources of the form CLEARKEY.token-name in the CRYPTOZ class control the ICSF policy for creating a clear key versus a secure key in a PKCS #11 token; the token here is SYSTOK-SESSION-ONLY, the ICSF omnipresent session-only token. A generic or a specific RCRY resource rule needs to be written for the CLEARKEY.token-name resource to address the violation.


Resolution/Workaround:

A generic or a specific rule can be used to control the CLEARKEY.token-name resource within the CRYPTOZ class, which controls the ICSF policy for creating a clear key versus a secure key. In the samples below, a PREVENT entry restricts the named user to secure keys only, while an ALLOW entry for the UPDATE service permits clear key creation. The UID strings in the PREVENT entries are placeholders; substitute the UID string for the user ID being restricted at your site.

Sample rules follow.

 

Specific rule restricting user ID ABCUSER to secure keys only and allowing all other user IDs to create clear keys:

ACF
SET RESOURCE(CRY)
RECKEY CLEARKEY ADD(SYSTOK-SESSION-ONLY UID(UID string for ABCUSER) PREVENT)
RECKEY CLEARKEY ADD(SYSTOK-SESSION-ONLY UID(*) SERVICE(UPDATE) ALLOW)

 

 

Sample generic (masked) rule restricting user ID ABCUSER to secure keys only and allowing all other user IDs to create clear keys. The masked $KEY ******** matches any first qualifier that fits the mask, not only CLEARKEY, and the entry - matches any token name, so the masked form applies the same clear-key policy to every token; use the specific rule above where the policy is meant for one token only:

ACF
SET RESOURCE(CRY)
RECKEY ******** ADD(- UID(UID string for ABCUSER) PREVENT)
RECKEY ******** ADD(- UID(*) SERVICE(UPDATE) ALLOW)
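The following script is an added worked example and is not part of this document or of CA ACF2; it reads a *VIO record in the ACFRPTRV layout shown in the Symptoms section, derives the rule $KEY (first qualifier) and rule entry (remaining qualifiers) from the requested resource, cross-checks them against the report's LOOKUP KEY, and emits the two RECKEY forms used in the specific and masked samples above. Assumptions: the record is parsed by splitting on whitespace in the column order of the report headers, the resource-type-to-SAF-class table holds only the CRY/CRYPTOZ pair named on this page (extend it from your own CLASMAP records), the placeholder UID string UIDSTRING-ABCUSER is invented, and the sample record is the one from this page embedded as a constant.

```python
"""Derive candidate ACF2 RECKEY commands from an ACFRPTRV *VIO resource record.

Added example; not CA ACF2 code. It only handles the layout shown in the
report excerpt above and only *VIO (violation) records.
"""
import re
from dataclasses import dataclass
from typing import List

# Resource type code -> SAF class. Only the pair documented on this page is
# listed; a real site would extend this from its CLASMAP records (assumption).
TYPE_TO_SAF_CLASS = {"CRY": "CRYPTOZ"}

# Constructed sample: the violation record from the report above, with the
# report's four header lines omitted.
SAMPLE_RECORD = """\
RCRY-CLEARKEY.SYSTOK-SESSION-ONLY                              *VIO  RCRY-CLEARKEY
SSSSSSSSKED                          STCINRDR SYS1 ACF9CFAT NO-REC         -            DIRECTRY READ
15.289 16/10 08.51            TCPKED      TCPKED      TCPKED TASK                 0     8     0     0   16
"""

# Line 1 of a record: R<type>-<resource> ... *VIO <lookup key>
RESOURCE_RE = re.compile(r"^R(?P<type>\S{3})-(?P<res>\S+)\s+\*VIO\s+(?P<lookup>\S+)")


@dataclass
class Violation:
    type_code: str    # ACF2 resource type, e.g. CRY
    saf_class: str    # SAF class, e.g. CRYPTOZ
    resource: str     # full resource name, e.g. CLEARKEY.SYSTOK-SESSION-ONLY
    rule_key: str     # $KEY of the rule: the first qualifier
    rule_entry: str   # remaining qualifiers, used in the RECKEY ADD entry
    uid: str          # UID string of the requester
    logonid: str      # LID column
    service: str      # SERV column: READ, UPDATE, ...
    disposition: str  # DISP column, e.g. NO-REC (no rule record found)


def parse_rcry_violation(record: str) -> Violation:
    """Parse one three-line *VIO record (blank lines ignored)."""
    lines = [ln for ln in record.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("expected the three-line ACFRPTRV record layout")
    m = RESOURCE_RE.match(lines[0])
    if not m:
        raise ValueError(f"not a *VIO resource record: {lines[0]!r}")
    type_code, resource, lookup = m.group("type"), m.group("res"), m.group("lookup")
    # $KEY is the first qualifier; everything after the first dot is the entry.
    key, dot, entry = resource.partition(".")
    if not dot:
        raise ValueError(f"resource has a single qualifier, cannot split: {resource}")
    # The report's LOOKUP KEY must agree with the derived $KEY.
    if lookup != f"R{type_code}-{key}":
        raise ValueError(f"lookup key {lookup} does not match derived key R{type_code}-{key}")
    # Line 2 columns: UID SOURCE CPU MODULE DISP DSP-MOD KEY-MOD SERV
    f2 = lines[1].split()
    if len(f2) != 8:
        raise ValueError(f"unexpected field count on line 2: {f2}")
    uid, disp, service = f2[0], f2[4], f2[7]
    # Line 3 columns: DATE (two forms) TIME JNAME LID NAME... counters
    f3 = lines[2].split()
    logonid = f3[4]
    return Violation(type_code, TYPE_TO_SAF_CLASS.get(type_code, "UNKNOWN"),
                     resource, key, entry, uid, logonid, service, disp)


def reckey_commands(v: Violation, secure_only_uid: str, masked: bool = False) -> List[str]:
    """Build ACF subcommands in the shape of the page's samples: the given UID
    string gets PREVENT (secure keys only); all other users get SERVICE(UPDATE)
    ALLOW (clear keys permitted). masked=True produces the generic form, with
    the $KEY masked by asterisks of the same length and the entry masked by -.
    """
    key = "*" * len(v.rule_key) if masked else v.rule_key
    entry = "-" if masked else v.rule_entry
    return [
        f"SET RESOURCE({v.type_code})",
        f"RECKEY {key} ADD({entry} UID({secure_only_uid}) PREVENT)",
        f"RECKEY {key} ADD({entry} UID(*) SERVICE(UPDATE) ALLOW)",
    ]


if __name__ == "__main__":
    viol = parse_rcry_violation(SAMPLE_RECORD)
    print(f"class {viol.saf_class}, resource {viol.resource}, "
          f"service {viol.service}, disp {viol.disposition}, lid {viol.logonid}")
    # UIDSTRING-ABCUSER is an invented placeholder for the site's real UID string.
    for cmd in reckey_commands(viol, "UIDSTRING-ABCUSER"):
        print(cmd)
    for cmd in reckey_commands(viol, "UIDSTRING-ABCUSER", masked=True)[1:]:
        print(cmd)
```

Run it against a saved ACFRPTRV record to get the SET RESOURCE and RECKEY lines for review before they are entered under ACF; the disposition and service columns tell you whether the denial came from a missing rule (NO-REC) and which service (READ here) the caller requested, which is worth confirming against the UID string before choosing which entry that user belongs in.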

 

Additional Information:

Details on CA ACF2 and the P11TOKEN command, which allows you to define and manage certain objects within a PKCS #11 token, can be found in the CA ACF2 for z/OS Administration Guide, Chapter 26: Digital Certificate Support, section 'P11TOKEN Subcommand'.

Details on the CRYPTOZ resources used for controlling clear key processing can be found in the IBM z/OS Cryptographic Services ICSF Writing PKCS #11 Applications Guide.