CSFSERV Services required by ISKLM using ICSF

Technote (troubleshooting)


Problem(Abstract)

Determining what CSFSERV services are needed for IBM Security Key Lifecycle Manager

Symptom

ICH408I USER(ISKLM ) GROUP(SYSTEMS ) NAME(SYSTEM JOBS(STC)CSFPKE CL(CSFSERV )


Environment

z/OS

Diagnosing the problem

Which profiles under class CSFSERV do I need to grant READ access to ISKLM? Via ICH408I messages, I see that I need to at least grant READ access to CSFPKE. What else?

ICH408I USER(ISKLM ) GROUP(SYSTEMS ) NAME(SYSTEM JOBS(STC)
CSFPKE CL(CSFSERV )


Resolving the problem

Please take a look at the following link which names all the profiles or services (including CSFPKE) of the CSFSERV class and explains how to set up a profile in the CSFSERV class.

http://pic.dhe.ibm.com/infocenter/zos/v2r1/topic/com.ibm.zos.v2r1.csfb300/ctlserv.htm

According to the document the customer can activate generic profile checking for the CSFSERV class. They then can create generic profiles using the generic characters * and %.

This is the same as with any RACF general resource class.

In the following example, you can define a generic profile (CSF*), give read access to this profile to the ISKLMSRV userid, and then activate the CSFSERV class and refresh the RACF profiles to make the changes effective:

 /* Activate generic profile definition*/

SETROPTS GENERIC(CSFSERV)

/* define generic profile in the CSFSERV class * /

RDEFINE CSFSERV CSF* UACC(NONE)

/* Give appropriate users (preferably groups) access to the profiles*/

PERMIT  CSF* CLASS(CSFSERV) ID(ISKLMSRV)  ACCESS(READ)

/* Finish setup and refresh the classes */

SETROPTS  CLASSACT(CSFSERV)

SETROPTS RACLIST(CSFSERV)

SETROPTS RACLIST(CSFSERV) REFRESH

If you don't wish to activate generic profile checking for the CSFSERV class, then you need to go through the list of the profiles of the CSFSERV class (which is mentioned in the above link) and define the appropriate profiles with the access you wish to grant to your user IDs. Since each working site is different, it is impossible to determine exactly which profile will be pulled in by ISKLM, making CSF* the ideal choice.

Based on the ICH408I message shown above, an example of specific CSFSERV profile defining and permitting would be:

RDEFINE CSFSERV CSFPKE UACC(NONE)

PERMIT CSFPKE CLASS(CSFSERV) ID(ISKLMSRV) ACCESS(READ)

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

IBM Security Key Lifecycle Manager for z/OS

Software version:

1.1.0

Operating system(s):

z/OS

Software edition:

Enterprise

Reference #:

1502640

Modified date:

2014-05-13

Translate my page

Machine Translation

Content navigation