You can use z/OS Security Server RACF to control which applications can use specific keys and services. This can help you ensure that keys and services are used only by authorized users and jobs. You can also use RACF to audit the use of keys and services. In addition, you can establish a Key Store Policy that defines rules for the use of encrypted key tokens that are stored in a CKDS or PKDS. To use RACF to control access to keys and services, you create and maintain general resource profiles in the CSFKEYS class, the CSFSERV class, and the XFACILIT class.

• The CSFKEYS class controls access to cryptographic keys. You create profiles in this class (based on the label by which the key is defined in the CKDS or PKDS) to set access authority for the keys. For the exclusive purpose of requiring UPDATE instead of READ authority when transferring a secure AES or DES key from encryption under the master key to encryption under an RSA key, you can define profiles in the XCSFKEY class. Profiles in the XCSFKEY class are used in authorization checks only when the Symmetric Key Export service (CSNDSYX or CSNFSYX) is called. For all other callable services, the CSFKEYS class is used.
• The CSFSERV class controls access to ICSF services and ICSF TSO panel utilities.
• One or more resource profiles in the XFACILIT class define your Key Store Policy. A Key Store Policy consists of a number of controls that collectively determine how encrypted key tokens defined in a CKDS or PKDS can be accessed and used.

If you are not the RACF security administrator, you may need to ask assistance from that person. To use the auditing capabilities of RACF, you may need to ask for reports from a RACF auditor. Your installation's security plan should show who is responsible for maintaining these RACF profiles and auditing their use.