Enable CSFSERV resources

If hardware encryption and Integrated Cryptographic Services Facility (ICSF) are installed, system SSL verifies that the user ID that is associated with the server is permitted to use CSFSERV resources. The RACF® administrator can permit the RACF user ID to use the CSFSERV resources:

PERMIT service-name CLASS(CSFSERV) ID(serverid) ACCESS(READ)

For information about the CSFSERV resources (service-names) that are accessed by System SSL, see z/OS Cryptographic Services System SSL Programming.

z/OS® FTP users can either permit every FTP client user ID to these general resource profiles, or they can mark these profiles as delegated and permit only the FTP daemon user ID to the profiles.

In the following example, resource CSFENC in class CSFSERV is delegated, and only the FTP daemon user ID (FTPD for this example) needs to be permitted. Make these changes before you start FTPD.

Permit the FTP daemon to the resource:
     PERMIT CSFENC CLASS(CSFSERV) ID(FTPD) ACCESS(READ)
Mark the resource profile as delegated:
     RALTER CSFSERV CSFENC APPLDATA('RACF-DELEGATED')
Refresh the CSFSERV class:
     SETROPTS RACLIST(CSFSERV) REFRESH

For more examples, see the EZARACF sample in SEZAINST. For more information about authorizing daemons to use delegated resources, see z/OS Security Server RACF Security Administrator's Guide.

The MAXLEN installation option for hardware cryptography determines the maximum length of data that can be encrypted and decrypted by using ICSF/MVS. Set this option to 65527 or greater; 65527 is the maximum TCP/IP packet size.

The System SSL GSKSRVR server provides the capability to determine whether cryptographic hardware is being used through its DISPLAY CRYPTO operator command (for example, f gsksrvr,d crypto). The System SSL GSKSRVR server is not automatically started. For more information about the SSL started task and setting up and using the GSKSRVR server, see z/OS Cryptographic Services System SSL Programming.

For more information about controlling who can use cryptographic keys and services, see z/OS Cryptographic Services ICSF Administrator's Guide.