Determining what CSFSERV services are needed for IBM Security Key Lifecycle Manager
ICH408I USER(ISKLM ) GROUP(SYSTEMS ) NAME(SYSTEM JOBS(STC)CSFPKE CL(CSFSERV )
Diagnosing the problem
Which profiles under class CSFSERV do I need to grant READ access to ISKLM? Via ICH408I messages, I see that I need to at least grant READ access to CSFPKE. What else?
ICH408I USER(ISKLM ) GROUP(SYSTEMS ) NAME(SYSTEM JOBS(STC)
CSFPKE CL(CSFSERV )
Resolving the problem
Please take a look at the following link which names all the profiles or services (including CSFPKE) of the CSFSERV class and explains how to set up a profile in the CSFSERV class.
According to the document the customer can activate generic profile checking for the CSFSERV class. They then can create generic profiles using the generic characters * and %.
This is the same as with any RACF general resource class.
In the following example, you can define a generic profile (CSF*), give read access to this profile to the ISKLMSRV userid, and then activate the CSFSERV class and refresh the RACF profiles to make the changes effective:
/* Activate generic profile definition*/
/* define generic profile in the CSFSERV class * /
RDEFINE CSFSERV CSF* UACC(NONE)
/* Give appropriate users (preferably groups) access to the profiles*/
PERMIT CSF* CLASS(CSFSERV) ID(ISKLMSRV) ACCESS(READ)
/* Finish setup and refresh the classes */
SETROPTS RACLIST(CSFSERV) REFRESH
If you don't wish to activate generic profile checking for the CSFSERV class, then you need to go through the list of the profiles of the CSFSERV class (which is mentioned in the above link) and define the appropriate profiles with the access you wish to grant to your user IDs. Since each working site is different, it is impossible to determine exactly which profile will be pulled in by ISKLM, making CSF* the ideal choice.
Based on the ICH408I message shown above, an example of specific CSFSERV profile defining and permitting would be:
RDEFINE CSFSERV CSFPKE UACC(NONE)
PERMIT CSFPKE CLASS(CSFSERV) ID(ISKLMSRV) ACCESS(READ)