A Key Store Policy defines rules for how encrypted key tokens stored
in a CKDS or PKDS can be accessed and used. A Key Store Policy is
collectively defined by a number of separate controls that each specify
a particular rule. Most of the Key Store Policy controls work in conjunction
with profiles in the CSFKEYS class, and enable you to:
- Specify how ICSF should respond when a key token is passed to a callable service instead of a key label (which is needed to perform a SAF authorization check).
- Determine if applications should be prevented from creating a new key record (with a new key label) for a token that is already stored in the CKDS or PKDS (in a key record with a different key label).
- Specify if READ access authority is sufficient to create, write to, or delete a key label, or if a higher level of access authority should be required for these actions.
- Specify if READ access authority to an AES or DES key is sufficient to export the key (move it from encryption under a master key to encryption under an RSA key), or if UPDATE authority should be required for this action.
- Place restrictions on how keys can be used. You can:
  - restrict a particular AES or DES key from being exported, or allow it to be exported only by certain RSA keys (or only by RSA keys bound to identities in certain key certificates).
  - restrict certain RSA keys from being used in secure export and import operations, or from being used in handshake operations.
Each Key Store Policy control is a resource in the XFACILIT class,
and can be enabled by creating a profile for the resource using the
RDEFINE command. Similarly, you can disable a control by deleting
its profile using the RDELETE command.
Certain controls, when enabled, will activate Key
Store Policy for either the CKDS or PKDS. When Key Store Policy is activated, ICSF will identify the key label(s)
associated with each key token in the key store. This information
is needed, for example, in order to carry out SAF authorization checks
against RACF profiles (which are based on key labels) when a key token
is passed to a callable service, or to ensure an application doesn't
store a duplicate token (a token that is already stored, but associated
with a different key label) in the key store. In addition to the controls
that activate Key Store Policy, other controls that do not themselves
activate Key Store Policy may still require, or to a lesser degree
rely upon, an active Key Store Policy and its key token/label associations.
The following table outlines the Key Store Policy controls that are
available. This table also highlights the controls that activate Key
Store Policy for a CKDS or PKDS, as well as the dependencies the other
controls have on Key Store Policy being active. Be aware that Key
Store Policy is activated separately for a CKDS and a PKDS.
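The activation and dependency rules above are easy to get wrong when enabling controls one RDEFINE at a time (for example, defining a Default Key Label Checking control without its Key Token Authorization Checking prerequisite, or a PKA Key Management Extensions control with Key Store Policy active for only one key store). The following checker, an added example and not IBM code, encodes the rules from Table 5 and reports, for a proposed set of XFACILIT resource names, which key stores would have an active Key Store Policy, which controls would be invalid, and which controls would silently lose token-to-label mapping.

```python
# Added example (not IBM's code): checks a proposed set of XFACILIT
# Key Store Policy controls against the dependency rules in Table 5.
# Control names are the resource names from the table.

# Controls whose profile activates Key Store Policy for a key store.
ACTIVATES = {
    "CKDS": {"CSF.CKDS.TOKEN.CHECK.LABEL.WARN",
             "CSF.CKDS.TOKEN.CHECK.LABEL.FAIL",
             "CSF.CKDS.TOKEN.NODUPLICATES"},
    "PKDS": {"CSF.PKDS.TOKEN.CHECK.LABEL.WARN",
             "CSF.PKDS.TOKEN.CHECK.LABEL.FAIL",
             "CSF.PKDS.TOKEN.NODUPLICATES"},
}
# Default Key Label Checking can only be enabled alongside Token Checking.
PREREQ_ANY = {
    "CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL": ACTIVATES["CKDS"] - {"CSF.CKDS.TOKEN.NODUPLICATES"},
    "CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL": ACTIVATES["PKDS"] - {"CSF.PKDS.TOKEN.NODUPLICATES"},
}
# PKA Key Management Extensions need Key Store Policy active for both stores.
NEEDS_BOTH = {"CSF.PKAEXTNS.ENABLE.WARNONLY", "CSF.PKAEXTNS.ENABLE"}
# Controls that work without Key Store Policy but rely on it to map a
# passed token to a label for the SAF check (key stores they depend on).
RELIES_ON = {
    "CSF.CSFKEYS.AUTHORITY.LEVELS.WARN": ("CKDS", "PKDS"),
    "CSF.CSFKEYS.AUTHORITY.LEVELS.FAIL": ("CKDS", "PKDS"),
    "CSF.XCSFKEY.ENABLE.AES": ("CKDS",),
    "CSF.XCSFKEY.ENABLE.DES": ("CKDS",),
}
KNOWN = set().union(*ACTIVATES.values(), PREREQ_ANY, NEEDS_BOTH, RELIES_ON)


def evaluate(enabled):
    """Return (active, errors, warnings) for a set of enabled control names."""
    enabled = set(enabled)
    active = {store: bool(enabled & ctls) for store, ctls in ACTIVATES.items()}
    errors, warnings = [], []
    for ctl in sorted(enabled - KNOWN):
        errors.append(f"{ctl}: not a Key Store Policy control")
    for ctl, prereq in PREREQ_ANY.items():
        if ctl in enabled and not enabled & prereq:
            errors.append(f"{ctl}: requires one of {sorted(prereq)}")
    for ctl in sorted(NEEDS_BOTH & enabled):
        if not (active["CKDS"] and active["PKDS"]):
            errors.append(f"{ctl}: requires Key Store Policy active for CKDS and PKDS")
    for ctl, stores in RELIES_ON.items():
        for store in stores:
            if ctl in enabled and not active[store]:
                warnings.append(f"{ctl}: tokens passed instead of labels cannot "
                                f"be checked against {store} without an active policy")
    return active, errors, warnings
```

Run `evaluate` over the resource names you intend to RDEFINE before issuing the commands; an empty error list means the set is consistent with the table's stated dependencies.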
Table 5. Key Store Policy controls

| The following Key Store Policy controls: | Consist of the following XFACILIT class resources: | Description: |
|---|---|---|
| Key Token Authorization Checking controls. Verifies, when an application passes a callable service a key token instead of a key label, that the user has authority to the key token in the CKDS or PKDS. It does this by identifying the key label associated with the passed token. | CSF.CKDS.TOKEN.CHECK.LABEL.WARN | Activates Key Store Policy for CKDS. Enables Key Token Authorization Checking for the CKDS in warning mode. In this mode, a failing authorization check will result in a warning, but the operation will be allowed to continue. |
| | CSF.CKDS.TOKEN.CHECK.LABEL.FAIL | Activates Key Store Policy for CKDS. Enables Key Token Authorization Checking for the CKDS in fail mode. In this mode, ICSF does not allow the operation to continue when the authorization check fails. The service returns with an error. |
| | CSF.PKDS.TOKEN.CHECK.LABEL.WARN | Activates Key Store Policy for PKDS. Enables Key Token Authorization Checking for the PKDS in warning mode. In this mode, a failing authorization check will result in a warning, but the operation will be allowed to continue. |
| | CSF.PKDS.TOKEN.CHECK.LABEL.FAIL | Activates Key Store Policy for PKDS. Enables Key Token Authorization Checking for the PKDS in fail mode. In this mode, ICSF does not allow the operation to continue when the authorization check fails. The service returns with an error. |
| Default Key Label Checking controls. Specifies that ICSF should use a default profile to determine application access to tokens that are not stored in the CKDS or PKDS. Can be enabled only if the Key Token Authorization Checking control for the appropriate key store is also enabled. | CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL | Requires an active Key Store Policy for CKDS. Specifically, this control can be enabled only if the CSF.CKDS.TOKEN.CHECK.LABEL.WARN or CSF.CKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled. Specifies that ICSF should use the default profile CSF-CKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the CKDS. |
| | CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL | Requires an active Key Store Policy for PKDS. Specifically, this control can be enabled only if the CSF.PKDS.TOKEN.CHECK.LABEL.WARN or CSF.PKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled. Specifies that ICSF should use the default profile CSF-PKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the PKDS. |
| Duplicate Key Token Checking controls. Prevents applications from storing duplicate tokens in the CKDS or PKDS. | CSF.CKDS.TOKEN.NODUPLICATES | Activates Key Store Policy for CKDS. Enables Duplicate Key Token Checking for the CKDS. ICSF will prevent an application from creating a new key record (with a new key label) for a token that is already stored in the CKDS. |
| | CSF.PKDS.TOKEN.NODUPLICATES | Activates Key Store Policy for PKDS. Enables Duplicate Key Token Checking for the PKDS. ICSF will prevent an application from creating a new key record (with a new key label) for a token that is already stored in the PKDS. |
| Granular Key Label Access controls. Increases the level of access authority required to create, write to, or delete a key label. | CSF.CSFKEYS.AUTHORITY.LEVELS.WARN | Enables Granular Key Label Access in warning mode. In this mode, a warning will be issued if the user does not have UPDATE authority (if creating a label), or CONTROL authority (if writing to or deleting a label). As long as the user has READ authority, however, ICSF will allow the operation to continue. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to a callable service instead of a key label, ICSF will, in order to initiate a SAF authorization check, rely on an active Key Store Policy for the appropriate key store. |
| | CSF.CSFKEYS.AUTHORITY.LEVELS.FAIL | Enables Granular Key Label Access in fail mode. In this mode, ICSF will not allow a key label to be modified if the user does not have UPDATE authority (if creating a label), or CONTROL authority (if writing to or deleting a label). The service returns with an error. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to a callable service instead of a key label, ICSF will, in order to initiate a SAF authorization check, rely on an active Key Store Policy for the appropriate key store. |
| Symmetric Key Label Export controls. Specifies that profiles in the XCSFKEY class (instead of profiles in the CSFKEYS class) should be used to determine access to AES or DES keys that an application is attempting to export using the Symmetric Key Export (CSNDSYX or CSNFSYX) callable service. This allows you to control access to AES and DES keys for the purpose of key export separately from the access allowed to the keys for other purposes. | CSF.XCSFKEY.ENABLE.AES | Enables Symmetric Key Label Export for AES keys. Specifies that profiles in the XCSFKEY class should determine access to an AES key when an application is attempting to export it using the Symmetric Key Export (CSNDSYX or CSNFSYX) callable service. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to the callable service instead of a key label, ICSF will, in order to initiate the SAF authorization check, rely on an active Key Store Policy for CKDS. |
| | CSF.XCSFKEY.ENABLE.DES | Enables Symmetric Key Label Export for DES keys. Specifies that profiles in the XCSFKEY class should determine access to a DES key when an application is attempting to export it using the Symmetric Key Export (CSNDSYX or CSNFSYX) callable service. Does not require an active Key Store Policy for CKDS or PKDS. However, if a key token is passed to the callable service instead of a key label, ICSF will, in order to initiate the SAF authorization check, rely on an active Key Store Policy for CKDS. |
| PKA Key Management Extensions control. Specifies that the ICSF segment of profiles in the CSFKEYS class (and the XCSFKEY class when a Symmetric Key Label Export control is enabled) will be checked to determine additional restrictions on how keys covered by the profile can be used. | CSF.PKAEXTNS.ENABLE.WARNONLY | Requires an active Key Store Policy for CKDS and PKDS. Enables PKA Key Management Extensions in warning mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked to: (1) determine if a symmetric key can be exported, and, if so, which asymmetric keys can be used in the operation to re-encrypt the symmetric key; (2) determine if an asymmetric key can be used in secure export and import operations, or in handshake operations. However, because this is warning mode, ICSF will allow the operation to continue even if the ICSF segment indicates that the operation is not allowed. |
| | CSF.PKAEXTNS.ENABLE | Requires an active Key Store Policy for CKDS and PKDS. Enables PKA Key Management Extensions in fail mode. The ICSF segment of CSFKEYS or XCSFKEY profiles will be checked to: (1) determine if a symmetric key can be exported, and, if so, which asymmetric keys can be used in the operation to re-encrypt the symmetric key; (2) determine if an asymmetric key can be used in secure export and import operations, or in handshake operations. If the ICSF segment indicates that the operation is not allowed, the service returns with an error. |

For more information on the: