This topic only applies if you have a TKE workstation. For non-TKE users, all access control points are enabled with the exception of the access control points listed below. These are disabled for all users and require a TKE workstation to enable.

• ANSI X9.8 PIN - Enforce PIN block restrictions
• ANSI X9.8 PIN - Allow modification of PAN
• ANSI X9.8 PIN - Allow only ANSI PIN blocks
• ANSI X9.8 PIN - Use stored decimalization tables only
• DKYGENKY-DALL
• DSG ZERO-PAD unrestricted hash length
• PTR enhanced PIN security

Access control points for ISPF, API, and UDX services on the coprocessor can be enabled/disabled using the TKE workstation. All access control points will be enabled when the TKE workstation is installed. If you don't enable or disable any access control points, all new access control points will be enabled when a new release of ICSF is installed and the services will be available. However, if any access control points have been enabled or disabled, all new access control points will be disabled when a new release of ICSF is installed. These new access control points must be enabled to before the services are available. UDX support is dependent on access control points. If your installation wants to use UDX callable services, the corresponding access control point must be enabled.

To enable/disable access control points on a PCICC/PCIXCC/CEX2C, TKE V5.0 or higher is required.

To enable/disable access control points on a CEX2C/CEX3C on z10, TKE V6.0 or higher is required.

To enable/disable access control points on a CEX3C on z196, TKE V7.0 or higher is required.

To list the access control points that are enabled, see Displaying PCICC coprocessor roles and Displaying PCIXCC, CEX2C, and CEX3C coprocessor roles.

For more information, see z/OS Cryptographic Services ICSF TKE Workstation User’s Guide.