CSFSERV Services required by ISKLM using ICSF

Resolving The Problem

Please take a look at the following link which names all the profiles or services (including CSFPKE) of the CSFSERV class and explains how to set up a profile in the CSFSERV class.

https://www.ibm.com/support/knowledgecenter/SSLTBW_2.3.0/com.ibm.zos.v2r3.csfb300/ctlserv.htm

According to the document the customer can activate generic profile checking for the CSFSERV class. They then can create generic profiles using the generic characters * and %.

This is the same as with any RACF general resource class.

In the following example, you can define a generic profile (CSF*), give read access to this profile to the ISKLMSRV userid, and then activate the CSFSERV class and refresh the RACF profiles to make the changes effective:

 /* Activate generic profile definition*/

SETROPTS GENERIC(CSFSERV)

/* define generic profile in the CSFSERV class * /

RDEFINE CSFSERV CSF* UACC(NONE)

/* Give appropriate users (preferably groups) access to the profiles*/

PERMIT  CSF* CLASS(CSFSERV) ID(ISKLMSRV)  ACCESS(READ)

/* Finish setup and refresh the classes */

SETROPTS  CLASSACT(CSFSERV)

SETROPTS RACLIST(CSFSERV)

SETROPTS RACLIST(CSFSERV) REFRESH

If you don't wish to activate generic profile checking for the CSFSERV class, then you need to go through the list of the profiles of the CSFSERV class (which is mentioned in the above link) and define the appropriate profiles with the access you wish to grant to your user IDs. Since each working site is different, it is impossible to determine exactly which profile will be pulled in by ISKLM, making CSF* the ideal choice.

Based on the ICH408I message shown above, an example of specific CSFSERV profile defining and permitting would be:

RDEFINE CSFSERV CSFPKE UACC(NONE)

PERMIT CSFPKE CLASS(CSFSERV) ID(ISKLMSRV) ACCESS(READ)