z/OS Cryptographic Services ICSF Administrator's Guide


Setting up profiles in the CSFSERV general resource class

SA22-7521-17

To set up profiles in the CSFSERV general resource class, take these steps:

  1. Define appropriate profiles in the CSFSERV class:
        RDEFINE  CSFSERV profile-name  UACC(NONE)
                 other-optional-operands

    Where profile-name is the profile used to protect the resource. Table 3 lists the resources used by ICSF callable services. Table 4 shows the resource names used by ICSF TSO panels, utilities, and compatibility services for PCF macros.

    Table 3. Resource names for ICSF Callable Services
    Resource Name  Callable Service Name(s)             Callable Service Description
    -------------  -----------------------------------  ----------------------------
    CSFAEGN        CSNAEGN, CSNGEGN                     ANSI X9.17 EDC Generate
    CSFAKEX        CSNAKEX, CSNGKEX                     ANSI X9.17 Key Export
    CSFAKIM        CSNAKIM, CSNGKIM                     ANSI X9.17 Key Import
    CSFAKTR        CSNAKTR, CSNGKTR                     ANSI X9.17 Key Translate
    CSFATKN        CSNATKN, CSNGTKN                     ANSI X9.17 Transport Key Partial Notarize
    CSFCKC         CSNBCKC, CSNECKC                     CVV Key Combine
    CSFCKI         CSNBCKI, CSNECKI                     Clear Key Import
    CSFCKM         CSNBCKM, CSNECKM                     Multiple Clear Key Import
    CSFCPA         CSNBCPA, CSNECPA                     Clear PIN Generate Alternate
    CSFCPE         CSNBCPE, CSNECPE                     Clear PIN Encrypt
    CSFCRC         CSFCRC, CSFCRC6                      Coordinated KDS Administration
    CSFCSG         CSNBCSG, CSNECSG                     VISA CVV Service Generate
    CSFCSV         CSNBCSV, CSNECSV                     VISA CVV Service Verify
    CSFCTT         CSNBCTT, CSNECTT                     Ciphertext Translate
    CSFCTT1        CSNBCTT1, CSNECTT1                   Ciphertext Translate (with ALET)
    CSFCVE         CSNBCVE, CSNECVE                     Cryptographic Variable Encipher
    CSFCVT         CSNBCVT, CSNECVT                     Control Vector Translate
    CSFDCO         CSNBDCO, CSNEDCO                     Decode
    CSFDEC         CSNBDEC, CSNEDEC                     Decipher
    CSFDEC1        CSNBDEC1, CSNEDEC1                   Decipher (with ALET)
    CSFDKG         CSNBDKG, CSNEDKG                     Diversified Key Generate
    CSFDKM         CSNBDKM, CSNEDKM                     Data Key Import
    CSFDKX         CSNBDKX, CSNEDKX                     Data Key Export
    CSFDSG         CSNDDSG, CSNFDSG                     Digital Signature Generate
    CSFDSV         CSNDDSV, CSNFDSV                     Digital Signature Verify
    CSFECO         CSNBECO, CSNEECO                     Encode
    CSFEDH         CSNDEDH, CSNFEDH                     ECC Diffie-Hellman
    CSFENC         CSNBENC, CSNEENC                     Encipher
    CSFENC1        CSNBENC1, CSNEENC1                   Encipher (with ALET)
    CSFEPG         CSNBEPG, CSNEEPG                     Encrypted PIN Generate
    CSFHMG         CSNBHMG, CSNEHMG                     HMAC Generate
    CSFHMG1        CSNBHMG1, CSNEHMG1                   HMAC Generate (with ALET)
    CSFHMV         CSNBHMV, CSNEHMV                     HMAC Verify
    CSFHMV1        CSNBHMV1, CSNEHMV1                   HMAC Verify (with ALET)
    CSFIQA         CSFIQA, CSFIQA6                      ICSF Query Algorithm
    CSFIQF         CSFIQF, CSFIQF6                      ICSF Query Facility
    CSFKEX         CSNBKEX, CSNEKEX                     Key Export
    CSFKGN         CSNBKGN, CSNEKGN                     Key Generate
    CSFKGN2        CSNBKGN2, CSNEKGN2                   Key Generate2
    CSFKIM         CSNBKIM, CSNEKIM                     Key Import
    CSFKPI         CSNBKPI, CSNEKPI                     Key Part Import
    CSFKPI2        CSNBKPI2, CSNEKPI2                   Key Part Import2
    CSFKRC         CSNBKRC, CSNEKRC                     Key Record Create
    CSFKRC2        CSNBKRC2, CSNEKRC2                   Key Record Create2
    CSFKRD         CSNBKRD, CSNEKRD                     Key Record Delete
    CSFKRR         CSNBKRR, CSNEKRR                     Key Record Read
    CSFKRR2        CSNBKRR2, CSNEKRR2                   Key Record Read2
    CSFKRW         CSNBKRW, CSNEKRW                     Key Record Write
    CSFKRW2        CSNBKRW2, CSNEKRW2                   Key Record Write2
    CSFKTR         CSNBKTR, CSNEKTR                     Key Translate
    CSFKTR2        CSNBKTR2, CSNEKTR2                   Key Translate2
    CSFKYT         CSNBKYT, CSNEKYT                     Key Test
    CSFKYT2        CSNBKYT2, CSNEKYT2                   Key Test2
    CSFKYTX        CSNBKYTX, CSNEKYTX                   Key Test Extended
    CSFMDG         CSNBMDG, CSNEMDG                     MDC Generate
    CSFMDG1        CSNBMDG1, CSNEMDG1                   MDC Generate (with ALET)
    CSFMGN         CSNBMGN, CSNEMGN                     MAC Generate
    CSFMGN1        CSNBMGN1, CSNEMGN1                   MAC Generate (with ALET)
    CSFMVR         CSNBMVR, CSNEMVR                     MAC Verify
    CSFMVR1        CSNBMVR1, CSNEMVR1                   MAC Verify (with ALET)
    CSFOWH         CSNBOWH, CSNEOWH, CSFPOWH, CSFPOWH6  One-Way Hash Generate and PKCS #11 One-way hash, sign, or verify
    CSFOWH1        CSNBOWH1, CSNEOWH1                   One-Way Hash Generate (with ALET)
    CSFPCI         CSFPCI, CSFPCI6                      PCI Interface Callable Service
    CSFPCU         CSNBPCU, CSNEPCU                     PIN Change/Unblock
    CSFPEX         CSNBPEX, CSNEPEX                     Prohibit Export
    CSFPEXX        CSNBPEXX, CSNEPEXX                   Prohibit Export Extended
    CSFPGN         CSNBPGN, CSNEPGN                     Clear PIN Generate
    CSFPKD         CSNDPKD, CSNFPKD                     PKA Decrypt
    CSFPKE         CSNDPKE, CSNFPKE                     PKA Encrypt
    CSFPKG         CSNDPKG, CSNFPKG                     PKA Key Generate
    CSFPKI         CSNDPKI, CSNFPKI                     PKA Key Import
    CSFPKRC        CSNDKRC, CSNFKRC                     PKDS Record Create
    CSFPKRD        CSNDKRD, CSNFKRD                     PKDS Record Delete
    CSFPKRR        CSNDKRR, CSNFKRR                     PKDS Record Read
    CSFPKRW        CSNDKRW, CSNFKRW                     PKDS Record Write
    CSFPKSC        CSFPKSC                              PKSC Interface Callable Service
    CSFPKT         CSNDPKT, CSNFPKT                     PKA Key Translate
    CSFPKTC        CSNDKTC, CSNFKTC                     PKA Key Token Change
    CSFPKX         CSNDPKX, CSNFPKX                     PKA Public Key Extract
    CSFPTR         CSNBPTR, CSNEPTR                     Encrypted PIN Translate
    CSFPVR         CSNBPVR, CSNEPVR                     Encrypted PIN Verify
    CSFRKA         CSNBRKA, CSNERKA                     Restrict Key Attribute
    CSFRKD         CSNDRKD, CSNFRKD                     Retained Key Delete
    CSFRKL         CSNDRKL, CSNFRKL                     Retained Key List
    CSFRKX         CSNDRKX, CSNFRKX                     Remote Key Export
    CSFRNG         CSNBRNG, CSNERNG, CSFPPRF, CSFPPRF6  Random Number Generate (returning an 8-byte random number) and PKCS #11 Pseudo-random function
    CSFRNGL        CSNBRNGL, CSNERNGL                   Random Number Generate (returning a random number of a length specified by the caller)
    CSFSAD         CSNBSAD, CSNESAD                     Symmetric Algorithm Decipher
    CSFSAD1        CSNBSAD1, CSNESAD1                   Symmetric Algorithm Decipher (with ALET)
    CSFSAE         CSNBSAE, CSNESAE                     Symmetric Algorithm Encipher
    CSFSAE1        CSNBSAE1, CSNESAE1                   Symmetric Algorithm Encipher (with ALET)
    CSFSBC         CSNDSBC, CSNFSBC                     SET Block Compose
    CSFSBD         CSNDSBD, CSNFSBD                     SET Block Decompose
    CSFSKI         CSNBSKI, CSNESKI                     Secure Key Import
    CSFSKI2        CSNBSKI2, CSNESKI2                   Secure Key Import2
    CSFSKM         CSNBSKM, CSNESKM                     Multiple Secure Key Import
    CSFSKY         CSNBSKY, CSNESKY                     Secure Messaging for Keys
    CSFSPN         CSNBSPN, CSNESPN                     Secure Messaging for PINs
    CSFSYG         CSNDSYG, CSNFSYG                     Symmetric Key Generate
    CSFSYI         CSNDSYI, CSNFSYI                     Symmetric Key Import
    CSFSYI2        CSNDSYI2, CSNFSYI2                   Symmetric Key Import2
    CSFSYX         CSNDSYX, CSNFSYX                     Symmetric Key Export
    CSFTBC         CSNDTBC, CSNFTBC                     Trusted Block Create
    CSFTCK         CSNBTCK, CSNETCK                     Transform CDMF Key
    CSFTRV         CSNBTRV, CSNETRV                     Transaction Validation
    CSFT31I        CSNBT31I, CSNET31I                   TR-31 Import
    CSFT31X        CSNBT31X, CSNET31X                   TR-31 Export
    CSFUDK         CSFUDK, CSFUDK6                      User Derived Key
    CSF1DVK        CSFPDVK, CSFPDVK6                    PKCS #11 Derive key
    CSF1DMK        CSFPDMK, CSFPDMK6                    PKCS #11 Derive multiple keys
    CSF1HMG        CSFPHMG, CSFPHMG6                    PKCS #11 Generate HMAC
    CSF1GKP        CSFPGKP, CSFPGKP6                    PKCS #11 Generate key pair
    CSF1GSK        CSFPGSK, CSFPGSK6                    PKCS #11 Generate secret key
    CSF1GAV        CSFPGAV, CSFPGAV6                    PKCS #11 Get attribute value
    CSF1PKS        CSFPPKS, CSFPPKS6                    PKCS #11 Private key sign
    CSF1PKV        CSFPPKV, CSFPPKV6                    PKCS #11 Public key verify
    CSF1SKD        CSFPSKD, CSFPSKD6                    PKCS #11 Secret key decrypt
    CSF1SKE        CSFPSKE, CSFPSKE6                    PKCS #11 Secret key encrypt
    CSF1SAV        CSFPSAV, CSFPSAV6                    PKCS #11 Set attribute value
    CSF1TRC        CSFPTRC, CSFPTRC6                    PKCS #11 Token record create
    CSF1TRD        CSFPTRD, CSFPTRD6                    PKCS #11 Token record delete
    CSF1TRL        CSFPTRL, CSFPTRL6                    PKCS #11 Token record list
    CSF1UWK        CSFPUWK, CSFPUWK6                    PKCS #11 Unwrap key
    CSF1HMV        CSFPHMV, CSFPHMV6                    PKCS #11 Verify HMAC
    CSF1WPK        CSFPWPK, CSFPWPK6                    PKCS #11 Wrap key

    Table 4. Resource names for ICSF TSO panels, utilities, and compatibility services for PCF macros
    Resource Name  Utility and Callable Service Description
    -------------  ----------------------------------------
    CSFCMK         Change master key utility
    CSFCONV        PCF CKDS to ICSF CKDS conversion utility
    CSFDKCS        Clear master key entry utility (PCICC, PCIXCC, CEX2C, or CEX3C)
    CSFDKEF        Clear master key entry utility (CCF)
    CSFEDC         Compatibility service for the PCF CIPHER macro
    CSFEMK         Compatibility service for the PCF EMK macro
    CSFGKC         Compatibility service for the PCF GENKEY macro
    CSFINIT        CKDS initialization utility (CCF)
    CSFKGUP        Key generation utility program
    CSFOPKL        Operational key load
    CSFPCAD        PCICC, PCIXCC, CEX2C, and CEX3C management utility (activate/deactivate)
    CSFPKDR        PKDS reencipher and PKDS refresh utilities
    CSFPMCI        Pass phrase master key/KDS initialization utility
    CSFREFR        Refresh CKDS utility
    CSFRENC        Reencipher CKDS utility
    CSFRSWS        Administrative control functions utility (ENABLE)
    CSFRWP         CKDS Conversion2 - rewrap option.
    CSFRTC         Compatibility service for the CUSP or PCF RETKEY macro
    CSFSMK         Set master key utility
    CSFSSWS        Administrative control functions utility (DISABLE)
    CSFUDM         User Defined Extensions (UDX) management functions

    Notes:
    1. As with any RACF general resource profile, if you want to change the profile later, use the RALTER command. To change the access list, use the PERMIT command as described in the next step.
    2. If you have already started ICSF, you need to refresh the in-storage profiles. See Step 3.
    3. You can specify other operands, such as auditing (AUDIT operand), on the RDEFINE or RALTER commands.
    4. If the RACF security administrator has activated generic profile checking for the CSFSERV class, you can create generic profiles using the generic characters * and %. This is the same as with any RACF general resource class.

    For example, if generic profile checking is in effect, these profiles enable you to specify which users and jobs can use the ciphertext translate callable services. No other services can be used by any job on the system.

        RDEFINE  CSFSERV  CSFCTT   UACC(NONE)
    
        RDEFINE  CSFSERV  CSFCTT1  UACC(NONE)
    
        RDEFINE  CSFSERV  *        UACC(NONE)
                 
  2. Give appropriate users (preferably groups) access to the profiles:
        PERMIT  profile-name  CLASS(CSFSERV)
                ID(groupid)  ACCESS(READ)
  3. When the profiles are ready to be used, ask the RACF security administrator to activate the CSFSERV class and refresh the in-storage RACF profiles:
        SETROPTS  CLASSACT(CSFSERV)
    
        SETROPTS RACLIST(CSFSERV) REFRESH
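
The check below is an added example, not part of the IBM guide: a small Python linter that reads a RACF command deck and flags CSFSERV profiles whose UACC is not NONE, PERMIT commands that name a profile the deck never defines, and profile changes that are not followed by SETROPTS RACLIST(CSFSERV) REFRESH. The sample deck, the group name XLATEGRP, and the use of a trailing '-' for line continuation (as in a batch TSO deck) are assumptions made for illustration.

```python
import re

# Constructed sample deck (not from the guide); XLATEGRP is a hypothetical group.
SAMPLE_DECK = """\
RDEFINE CSFSERV CSFCTT  UACC(NONE)
RDEFINE CSFSERV CSFCTT1 UACC(READ)
RDEFINE CSFSERV *       UACC(NONE)
PERMIT CSFCTT CLASS(CSFSERV) -
       ID(XLATEGRP) ACCESS(READ)
PERMIT CSFENC CLASS(CSFSERV) ID(XLATEGRP) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
"""

def join_continuations(text):
    """Merge lines ending in '-' (assumed TSO continuation) with the next line."""
    commands, pending = [], ""
    for line in map(str.strip, text.splitlines()):
        if line.endswith("-"):
            pending += line[:-1] + " "
        else:
            commands.append(pending + line)
            pending = ""
    return [c for c in commands if c]

def operand(cmd, name):
    """Return the upper-cased value of NAME(value), or None if absent."""
    m = re.search(rf"\b{name}\(([^)]*)\)", cmd, re.IGNORECASE)
    return m.group(1).strip().upper() if m else None

def lint_csfserv(text):
    """Return findings for the CSFSERV commands in a RACF command deck."""
    findings, defined, changed, refreshed = [], set(), False, False
    for cmd in join_continuations(text):
        words = cmd.upper().split()
        if words[:2] == ["RDEFINE", "CSFSERV"] and len(words) > 2:
            defined.add(words[2])
            changed, refreshed = True, False
            uacc = operand(cmd, "UACC")
            if uacc != "NONE":
                findings.append(f"{words[2]}: UACC is {uacc or 'not specified'}, expected NONE")
        elif words[0] == "PERMIT" and len(words) > 1 and operand(cmd, "CLASS") == "CSFSERV":
            changed, refreshed = True, False
            if words[1] not in defined:
                findings.append(f"{words[1]}: PERMIT names a profile this deck never defines")
        elif words[0] == "SETROPTS" and "REFRESH" in words and operand(cmd, "RACLIST") == "CSFSERV":
            refreshed = True
    if changed and not refreshed:
        findings.append("profiles changed but no SETROPTS RACLIST(CSFSERV) REFRESH follows")
    return findings
```

An empty list from lint_csfserv means the deck passed all three checks; a profile reported as "never defined" may still exist in the RACF database from an earlier run.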





Copyright IBM Corporation 1990, 2014