z/OS Cryptographic Services ICSF Administrator's Guide


Summary of Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions

SA22-7521-17

For services that are passed a label, the key store policy will not affect the SAF check, so only Granular Keylabel Access Controls and CSNDSYX Access Controls will have an effect:

Table 33. Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions (label)

| Service and key identifier | No CSNDSYX Access Controls for algorithm | CSNDSYX Access Controls for algorithm | No Granular Keylabel Access Controls | Granular Keylabel Access Controls |
| --- | --- | --- | --- | --- |
| CSNDSYX: DATA key identifier | label SAF check is done against CSFKEYS | label SAF check is done against XCSFKEY | n/a | n/a |
| CSNDSYX: RSA key identifier and all other services passed a label | n/a | n/a | label SAF check is done against CSFKEYS for READ access | label SAF check is done against CSFKEYS for appropriate access |

For services that are passed a token:

Table 34. Key Store Policy (KSP) and Enhanced Keylabel Access Control interactions (token)

| Service and key identifier | No KSP | KSP: No CSNDSYX Access Controls for algorithm | KSP: CSNDSYX Access Controls for algorithm | KSP: No Granular Keylabel Access Controls | KSP: Granular Keylabel Access Controls |
| --- | --- | --- | --- | --- | --- |
| CSNDSYX: DATA key identifier | no SAF check is done | KSP SAF checks are done against CSFKEYS | KSP SAF checks are done against XCSFKEY | n/a | n/a |
| CSNDSYX: RSA key identifier and all other services passed a label | no SAF check is done | n/a | n/a | KSP SAF checks are done against CSFKEYS | KSP SAF checks are done against CSFKEYS |

Note:
The levels used by Granular Keylabel Access Controls will also be applied to KSP checks (that is, if the CKDS labels matching a token were checked with UPDATE access, CSF-CKDS-DEFAULT will also be checked with UPDATE access).





Copyright IBM Corporation 1990, 2014