z/OS Cryptographic Services System SSL Programming


z/OS PKCS #11 tokens

SC14-7495-00

z/OS® PKCS #11 tokens are managed and protected by ICSF. ICSF uses the CRYPTOZ SAF class to determine whether the user running gskkyman is permitted to perform the requested operation against a z/OS PKCS #11 token. The resources in this class are:
  • USER.tokenname
  • SO.tokenname
The gskkyman utility provides limited functionality for PKCS #11 token certificates that have secure private keys. If a PKCS #11 certificate has a secure private key, the following functions are allowed:
  • Showing certificate and key information.
  • Setting the key as default.
  • Exporting a certificate to a file.
  • Deleting a certificate and key.
  • Changing the label.
If a PKCS #11 token certificate has a secure private key, the following functions are not allowed:
  • Copying certificate and key to another token.
  • Exporting certificate and key to a file.
  • Creating a signed certificate and key.
  • Creating a certificate renewal request.

A PKCS #11 token certificate with a clear private key is allowed full gskkyman functionality.

When displaying token key information for a PKCS #11 certificate's private key, the private key type indicates the private key is either clear or secure.

Table 1 shows the SAF access levels required to perform certain functions. The 3 SAF levels, in order of increasing access, are READ, UPDATE, and CONTROL. Each higher level retains all the permissions of the level below it and adds further capability. For more information, see the Token Access Levels table under Overview of z/OS support for PKCS #11 in z/OS Cryptographic Services ICSF Writing PKCS #11 Applications.

Table 1. SAF access levels

USER.token-name CRYPTOZ resource:

  Function                                                  SAF access level
  Create/delete/modify CA certificate and private key       Control
  Create/delete/modify user certificate and private key     Update
  Read certificate and private key                          Read
  Set default key                                           Update

SO.token-name CRYPTOZ resource:

  Function                                                  SAF access level
  Create or delete token                                    Update
  Read/create/delete/modify certificate (but not the
  private key)                                              Read
  Read/create/delete/modify private key                     Control
  Set default key                                           Read
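As an added example (not part of this IBM publication), the following REXX exec issues the RACF commands that implement Table 1 for one token. It assumes RACF is the SAF security manager; the token name SSLTOKEN and the user IDs TOKADMIN, APPOWNER and SSLSRV are constructed placeholders.

```rexx
/* REXX */
/* Constructed example: SSLTOKEN, TOKADMIN, APPOWNER and SSLSRV are    */
/* placeholders. Assumes RACF as the SAF security manager.            */
ADDRESS TSO

/* Activate the CRYPTOZ class and keep it in storage (RACLIST) so ICSF */
/* can check it. Omit this line if the class is already active.        */
"SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)"

/* Define both resources for the token with no default access, so a   */
/* user with no explicit PERMIT can do nothing with it.                */
"RDEFINE CRYPTOZ USER.SSLTOKEN UACC(NONE)"
"RDEFINE CRYPTOZ SO.SSLTOKEN   UACC(NONE)"

/* Token administrator (Table 1): UPDATE on SO.SSLTOKEN to create or   */
/* delete the token; CONTROL on USER.SSLTOKEN to create, delete or     */
/* modify a CA certificate and private key.                            */
"PERMIT SO.SSLTOKEN   CLASS(CRYPTOZ) ID(TOKADMIN) ACCESS(UPDATE)"
"PERMIT USER.SSLTOKEN CLASS(CRYPTOZ) ID(TOKADMIN) ACCESS(CONTROL)"

/* Application owner: UPDATE on USER.SSLTOKEN covers creating,         */
/* deleting or modifying user certificates and private keys and        */
/* setting the default key, but not CA certificates.                   */
"PERMIT USER.SSLTOKEN CLASS(CRYPTOZ) ID(APPOWNER) ACCESS(UPDATE)"

/* TLS server identity: READ on USER.SSLTOKEN is enough to read the    */
/* certificate and private key; it gets nothing on SO.SSLTOKEN.        */
"PERMIT USER.SSLTOKEN CLASS(CRYPTOZ) ID(SSLSRV) ACCESS(READ)"

/* Refresh the in-storage profiles so the new access takes effect.     */
"SETROPTS RACLIST(CRYPTOZ) REFRESH"

/* Verify: list each profile together with its access list.            */
"RLIST CRYPTOZ USER.SSLTOKEN AUTHUSER"
"RLIST CRYPTOZ SO.SSLTOKEN   AUTHUSER"
exit 0
```

Because each level includes the ones below it, TOKADMIN's CONTROL on USER.SSLTOKEN also grants the Update and Read functions listed for that resource.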

Copyright IBM Corporation 1990, 2014