z/OS Cryptographic Services ICSF Application Programmer's Guide


Authorization

SA22-7522-16

The token authorization required and the amount of attribute information returned depend on the values of the object's attributes.

The authority to retrieve the non-sensitive attributes is as follows:

  • For a public object - any authority to the token (USER (READ) or SO (READ))
  • For a private object - USER (READ) or SO (CONTROL)

If the caller is not authorized to retrieve the non-sensitive attributes, the service fails.

If the caller is authorized to retrieve the non-sensitive attributes and the object does not possess any sensitive attributes, the service returns all the object's attributes.

If the caller is authorized to retrieve the non-sensitive attributes and the object does possess sensitive attributes, processing is as defined in this table:

Table 301. Get attribute value processing for objects possessing sensitive attributes

| Object  | PKCS #11 role authority     | CKA_SENSITIVE | CKA_EXTRACTABLE | Attributes returned         |
|---------|-----------------------------|---------------|-----------------|-----------------------------|
| Public  | USER (READ) or SO (READ)    | True          | True or False   | Non-sensitive only          |
| Private | USER (READ) or SO (CONTROL) | True          | True or False   | Non-sensitive only          |
| Public  | USER (READ) or SO (READ)    | False         | False           | Non-sensitive only          |
| Private | USER (READ) or SO (CONTROL) | False         | False           | Non-sensitive only          |
| Public  | USER (READ) or SO (READ)    | False         | True            | Sensitive and non-sensitive |
| Private | SO (CONTROL)                | False         | True            | Non-sensitive only          |
| Private | USER (READ)                 | False         | True            | Sensitive and non-sensitive |

Note:
  • Session and token objects require the same authority.
  • The sensitive attributes are as follows:
    • CKA_VALUE for a secret key, Elliptic Curve private key, DSA private key, or Diffie-Hellman private key object.
    • CKA_PRIVATE_EXPONENT, CKA_PRIME_1, CKA_PRIME_2, CKA_EXPONENT_1, CKA_EXPONENT_2, and CKA_COEFFICIENT for a private key object.
  • See z/OS Cryptographic Services ICSF Writing PKCS #11 Applications for more information on the SO and User PKCS #11 roles.
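
The authorization rules and table above, written out as a small decision model. This is an added example, not ICSF code or an ICSF API: the function name, the key-kind labels, the ordering of access levels as minimums, and the fail-closed handling of missing flags are assumptions of the model. It can be used to review which token objects would hand clear key material to which role.

```python
# Added illustrative model of the rules on this page; not ICSF code.
# RACF access levels are ordered; treating the authorities named in the
# text as minimum levels is an assumption of this model.
LEVEL = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3}

PRIVATE_KEY_PARTS = {"CKA_PRIVATE_EXPONENT", "CKA_PRIME_1", "CKA_PRIME_2",
                     "CKA_EXPONENT_1", "CKA_EXPONENT_2", "CKA_COEFFICIENT"}

# Sensitive attributes from the note; the key-kind labels are hypothetical.
SENSITIVE_BY_KIND = {
    "secret_key": {"CKA_VALUE"},
    "ec_private_key": {"CKA_VALUE"},
    "dsa_private_key": {"CKA_VALUE"},
    "dh_private_key": {"CKA_VALUE"},
    "private_key": PRIVATE_KEY_PARTS,
}

class NotAuthorized(Exception):
    """Caller may not retrieve even the non-sensitive attributes."""

def get_attribute_values(attrs, kind, so="NONE", user="NONE"):
    """Return the attributes the caller would receive for one object."""
    private = attrs.get("CKA_PRIVATE", False)  # PKCS #11: True = private object
    user_ok = LEVEL[user] >= LEVEL["READ"]
    so_ok = LEVEL[so] >= LEVEL["CONTROL" if private else "READ"]
    if not (user_ok or so_ok):
        raise NotAuthorized(kind)
    sensitive = SENSITIVE_BY_KIND.get(kind, set()) & attrs.keys()
    if not sensitive:
        return dict(attrs)  # nothing sensitive: all attributes are returned
    # Missing flags are treated fail-closed (assumption of this model).
    clear_ok = (not attrs.get("CKA_SENSITIVE", True)
                and attrs.get("CKA_EXTRACTABLE", False))
    if private:
        clear_ok = clear_ok and user_ok  # SO (CONTROL) alone gets no key material
    if clear_ok:
        return dict(attrs)
    return {k: v for k, v in attrs.items() if k not in sensitive}

# Constructed sample object: a private, extractable, non-sensitive secret key.
SAMPLE_KEY = {"CKA_LABEL": "demo", "CKA_PRIVATE": True, "CKA_SENSITIVE": False,
              "CKA_EXTRACTABLE": True, "CKA_VALUE": b"\x00" * 16}

if __name__ == "__main__":
    for so, user in [("CONTROL", "NONE"), ("NONE", "READ")]:
        got = get_attribute_values(SAMPLE_KEY, "secret_key", so=so, user=user)
        print(f"SO({so}) USER({user}): CKA_VALUE returned = {'CKA_VALUE' in got}")
```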





Copyright IBM Corporation 1990, 2014