z/OS Security Server RACF Callable Services


RACF authorization

z/OS Security Server RACF Callable Services
SA23-2293-00

The RACF® authorization mechanism for this callable service varies depending on the type of function requested (end user versus administrative) and the requested provider (SAF versus PKI Services).

For the end user functions, this interface is protected by FACILITY class profiles (resources) of the form IRR.RPKISERV.(function)[.ca-domain], where (function) is one of the end user function names described under Function_code below. If the CA_domain parameter supplied on the R_PKIServ call is not null (has a length greater than 0), the profile is qualified with the CA domain name. If the CA_domain parameter supplied on the R_PKIServ call is null, the qualifier is not used. For example, if the function name is GENCERT and the CA_domain parameter is “Customers”, the FACILITY class resource is IRR.RPKISERV.GENCERT.CUSTOMER. However, if the CA_domain parameter is null, the FACILITY class resource is IRR.RPKISERV.GENCERT.

The user ID (from the ACEE associated with the address space) for the application is used to determine access:
  NONE
      Access is denied.
  READ
      Access is permitted based on subsequent access checks against the caller's user ID. To determine the caller, the current TCB is checked for an ACEE. If one is found, the authority of that user is checked. If there is no ACEE associated with the current TCB, the ACEE associated with the address space is used to locate the user ID.
  UPDATE
      Access is permitted based on subsequent access checks against the application's user ID.
  ALTER or CONTROL (or user ID is RACF SPECIAL)
      Access is permitted with no subsequent access checks made.

For SAF GENCERT and EXPORT requests where the application has READ and UPDATE access, subsequent access checks are performed against the IRR.DIGTCERT.(function) FACILITY profiles. These are identical to the checks made by the RACDCERT TSO command. See z/OS Security Server RACF Command Language Reference and z/OS Security Server RACF Security Administrator's Guide for more information.

For PKI Services GENCERT, REQCERT, EXPORT, VERIFY, REVOKE, GENRENEW, REQRENEW, RESPOND, SCEPREQ and QRECOVER requests where the application has READ and UPDATE access, subsequent access checks are performed against the IRR.DIGTCERT.(function) FACILITY profiles as follows:

  • GENCERT — This function is used to request an auto-approved certificate. The access check user ID needs CONTROL access to IRR.DIGTCERT.GENCERT. It also needs access to IRR.DIGTCERT.ADD: UPDATE access if any HostIdMapping information is specified in the certificate request parameter list, or if the Userid field in that parameter list indicates that the certificate is being requested for a user other than the caller; otherwise READ access.
  • REQCERT — This function is used to request a certificate that must be approved by an administrator before it is created. The access check user ID needs READ access to IRR.DIGTCERT.REQCERT.
  • EXPORT — This function is used to retrieve (export) a certificate that was requested previously, or the PKI Services RA/CA certificate. The access check user ID needs access to IRR.DIGTCERT.EXPORT: UPDATE access if no pass phrase is specified on the call; READ access if a pass phrase is specified or the Cert ID is "PKICACERT".
  • VERIFY — This function is used to confirm that a given user certificate was issued by this CA and if so, return the certificate fields. The access check user ID needs to have READ access to IRR.DIGTCERT.VERIFY. It is assumed that the calling application has already verified that the end user possesses the private key that correlates to the input certificate.
  • REVOKE — This function is used to revoke a certificate that was previously issued. The access check user ID needs to have READ access to IRR.DIGTCERT.REVOKE. It is assumed that the calling application has already verified the target certificate using the VERIFY function.
  • GENRENEW — This function is used to generate a renewal certificate. The request submitted is automatically approved. The access check user ID needs to have READ access to IRR.DIGTCERT.GENRENEW and CONTROL access to IRR.DIGTCERT.GENCERT. It is assumed that the calling application has already verified the input certificate using the VERIFY function.
  • REQRENEW — This function is used to request certificate renewal. The request submitted needs to be approved by the administrator before the certificate is renewed. The access check user ID needs to have READ access to IRR.DIGTCERT.REQRENEW. It is assumed that the calling application has already verified the input certificate using the VERIFY function.
  • RESPOND — This function is used to get an Online Certificate Status Protocol (OCSP) response from the PKI Services responder. The access check user ID needs to have READ access to IRR.RPKISERV.RESPOND and IRR.DIGTCERT.RESPOND.
  • SCEPREQ — This function is used to request a certificate using SCEP. The access check user ID needs READ access to IRR.DIGTCERT.SCEPREQ.
  • QRECOVER — This function is used to get a list of certificates whose key pairs were generated by PKI Services under a particular email address and pass phrase. The access check user ID needs READ access to IRR.DIGTCERT.QRECOVER.

For the administrative functions, this interface is protected by a single FACILITY class profile (resource), IRR.RPKISERV.PKIADMIN[.ca-domain]. If the CA_domain parameter supplied on the R_PKIServ call is not null (has a length greater than 0), the profile is qualified with the CA domain name. If the CA_domain parameter supplied on the R_PKIServ call is null, the qualifier is not used. For example, if the CA_domain parameter is “Customers”, the FACILITY class resource is IRR.RPKISERV.PKIADMIN.CUSTOMER. However, if the CA_domain parameter is null, the FACILITY class resource is IRR.RPKISERV.PKIADMIN.

If the caller is not RACF SPECIAL, the caller will need READ access to perform read operations (QUERYREQS, QUERYCERTS, REQDETAILS, and CERTDETAILS) and UPDATE access for the action operations (PREREGISTER, MODIFYREQS, and MODIFYCERTS). To determine the caller, the current TCB is checked for an ACEE. If one is found, the authority of that user is checked. If there is no ACEE associated with the current TCB, the ACEE associated with the address space is used to locate the user ID.
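The following Python is an added illustration, constructed for this page and not IBM code or any part of R_PKIServ itself. It encodes the rules described above so that a reviewer can answer, for a given call, which FACILITY resource gates it (with the CA-domain qualifier), what the application's access level on that resource means, which user ID the follow-on checks run against, which IRR.DIGTCERT.* access each PKI Services end user function requires, and the READ/UPDATE split for the administrative functions. The function names (gating_resource, initial_decision, caller_userid, subsequent_checks, admin_required_access, shortfalls) and the for_other_user, host_id_mapping, pass_phrase and cert_id parameters are inventions of the model. Two assumptions: the CA-domain qualifier is appended exactly as supplied (the page's own example renders “Customers” as CUSTOMER, so supply the qualifier in the form your installation's profiles use), and only the PKI Services provider's follow-on checks are modelled, not the RACDCERT-equivalent checks of the SAF provider.

```python
# Model of the R_PKIServ authorization rules on this page (constructed
# illustration, not IBM code): which FACILITY profile gates a call, whose user
# ID the follow-on checks run against, and which IRR.DIGTCERT.* access it needs.
from typing import Dict, Optional

# RACF access levels in increasing order of authority; holding a higher level
# satisfies a requirement for a lower one.
ACCESS_ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

END_USER_FUNCTIONS = {"GENCERT", "REQCERT", "EXPORT", "VERIFY", "REVOKE",
                      "GENRENEW", "REQRENEW", "RESPOND", "SCEPREQ", "QRECOVER"}
ADMIN_READ_OPS = {"QUERYREQS", "QUERYCERTS", "REQDETAILS", "CERTDETAILS"}
ADMIN_UPDATE_OPS = {"PREREGISTER", "MODIFYREQS", "MODIFYCERTS"}


def gating_resource(function: str, ca_domain: Optional[str] = None) -> str:
    """FACILITY resource that protects the call.  A null or zero-length
    CA_domain adds no qualifier.  Assumption: a non-empty one is appended as
    supplied, so pass it in the form your installation's profiles use."""
    f = function.upper()
    if f in END_USER_FUNCTIONS:
        resource = f"IRR.RPKISERV.{f}"
    elif f in ADMIN_READ_OPS | ADMIN_UPDATE_OPS:
        resource = "IRR.RPKISERV.PKIADMIN"
    else:
        raise ValueError(f"unknown R_PKIServ function: {function}")
    return f"{resource}.{ca_domain}" if ca_domain else resource


def initial_decision(app_access: str, app_is_special: bool = False) -> str:
    """Meaning of the application's access to the gating resource for an end
    user function: DENY, CHECK_CALLER (follow-on checks use the caller's user
    ID), CHECK_APP (they use the application's) or ALLOW (no follow-on checks)."""
    outcome = {"NONE": "DENY", "READ": "CHECK_CALLER", "UPDATE": "CHECK_APP",
               "CONTROL": "ALLOW", "ALTER": "ALLOW"}
    return "ALLOW" if app_is_special else outcome[app_access.upper()]


def caller_userid(tcb_acee_userid: Optional[str], address_space_userid: str) -> str:
    """User ID the caller-based checks use: the ACEE on the current TCB when
    there is one, otherwise the ACEE associated with the address space."""
    return tcb_acee_userid or address_space_userid


def subsequent_checks(function: str, *, for_other_user: bool = False,
                      host_id_mapping: bool = False, pass_phrase: bool = False,
                      cert_id: Optional[str] = None) -> Dict[str, str]:
    """Profiles and minimum access the checked user ID needs for a PKI
    Services request (the SAF provider instead mirrors RACDCERT's checks)."""
    f = function.upper()
    if f == "GENCERT":
        # ADD needs UPDATE when HostIdMapping data is present or the request
        # names a user other than the caller, READ otherwise.
        add = "UPDATE" if (host_id_mapping or for_other_user) else "READ"
        return {"IRR.DIGTCERT.GENCERT": "CONTROL", "IRR.DIGTCERT.ADD": add}
    if f == "EXPORT":
        # READ suffices with a pass phrase or for the CA's own certificate.
        level = "READ" if (pass_phrase or cert_id == "PKICACERT") else "UPDATE"
        return {"IRR.DIGTCERT.EXPORT": level}
    if f == "GENRENEW":
        return {"IRR.DIGTCERT.GENRENEW": "READ", "IRR.DIGTCERT.GENCERT": "CONTROL"}
    if f == "RESPOND":
        return {"IRR.RPKISERV.RESPOND": "READ", "IRR.DIGTCERT.RESPOND": "READ"}
    if f in END_USER_FUNCTIONS:
        return {f"IRR.DIGTCERT.{f}": "READ"}
    raise ValueError(f"not an end user function: {function}")


def admin_required_access(operation: str, caller_is_special: bool = False) -> Optional[str]:
    """Access the caller needs on IRR.RPKISERV.PKIADMIN[.domain]; None means
    no access check applies because the caller is RACF SPECIAL."""
    op = operation.upper()
    if op not in ADMIN_READ_OPS | ADMIN_UPDATE_OPS:
        raise ValueError(f"not an administrative function: {operation}")
    if caller_is_special:
        return None
    return "READ" if op in ADMIN_READ_OPS else "UPDATE"


def shortfalls(held: Dict[str, str], required: Dict[str, str]) -> Dict[str, str]:
    """Profiles where the held access (NONE if absent) is below what is
    required; an empty result means the follow-on checks all pass."""
    return {profile: need for profile, need in required.items()
            if ACCESS_ORDER[held.get(profile, "NONE").upper()] < ACCESS_ORDER[need]}
```

A practical use is a least-privilege review: take the access levels an application ID and its end users actually hold (for example from RLIST FACILITY output with AUTHUSER) and run them through shortfalls() against subsequent_checks() for the functions the application really issues. An application that only needs caller-based checks should hold READ on IRR.RPKISERV.(function), not UPDATE, CONTROL or ALTER, since each step up removes a check that would otherwise be made against the end user.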





Copyright IBM Corporation 1990, 2014