To set up profiles in the CSFKEYS general resource class, take
these steps:
- Define appropriate profiles in the CSFKEYS class:
RDEFINE CSFKEYS label UACC(NONE)
other-optional-operands
where label is
the label by which the key is defined in the CKDS or PKDS.
Note that if an application uses a token instead of a key label, no
authorization checking is done on the use of the key.
Notes:
- If you have ICSF/MVS Version 1 Release 1 profiles that specify key-type.label,
you need to change them to specify only label.
- As with any RACF profile, if you want to change the profile later,
use the RALTER command. To change the access list, use the PERMIT
command as described in the next step.
- If you have already started ICSF, you need to refresh the in-storage
profiles. See Step 3.
- You can specify other operands, such as auditing (AUDIT operand),
on the RDEFINE or RALTER commands.
- If the RACF security administrator has activated generic profile
checking for the CSFKEYS class, you can create generic profiles using
the generic characters * and %. This is the same as any RACF general
resource class.
- Give appropriate users (preferably groups) access to the profiles:
PERMIT profile-name CLASS(CSFKEYS)
ID(groupid) ACCESS(READ)
- When the profiles are ready to be used, ask the RACF
security administrator to activate the CSFKEYS class and refresh the
in-storage RACF profiles:
SETROPTS CLASSACT(CSFKEYS)
SETROPTS RACLIST(CSFKEYS) REFRESH
|