IP Services: Allow users of AT-TLS access to CSFIQA and CSFRNG resources of the CSFSERV class if ICSF will be used with AT-TLS

Description

Starting in z/OS V2R1, System SSL attempts to use ICSF services if ICSF is active during AT-TLS group initialization. If ICSF is active and the CSFSERV class is active, the userid associated with the TCP/IP stack should have READ access to the CSFIQA and CSFRNG resources of the CSFSERV class. This access lets System SSL determine what hardware is available through ICSF and use ICSF to generate random numbers during initialization. Application userids using AT-TLS groups should also be given READ access to the CSFRNG resource of the CSFSERV class.

Table 1 provides more details about this migration action. Use this information to plan your changes to the system.

Table 1. Information about this migration action
Element or feature: Communications Server
When change was introduced: z/OS V2R1.
Applies to migration from: z/OS V1R13.
Timing: Before the first IPL of z/OS V2R2.
Is the migration action required? Yes.
Target system hardware requirements: None.
Target system software requirements: None.
Other system (coexistence or fallback) requirements: None.
Restrictions: None.
System impacts: None.
Related IBM Health Checker for z/OS check: None.

Steps to take

Follow these steps:
  1. If the CSFSERV class is active, give the userid associated with the TCP/IP stack, and any application userid using the TTLSGroup, READ access to the CSFRNG resource within the CSFSERV class.
  2. If the CSFSERV class is active, give the userid associated with the TCP/IP stack READ access to the CSFIQA resource within the CSFSERV class.
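
The two steps above can be scripted as a REXX exec that issues the RACF commands under TSO. This is an added example, not IBM-supplied code. It assumes RACF is the security product and that discrete CSFRNG and CSFIQA profiles already exist in the CSFSERV class; the user IDs TCPIPID, APPUSR1 and APPUSR2 are placeholders.

```rexx
/* REXX - added example, not IBM-supplied code                        */
/* Assumptions: RACF is the security product; discrete profiles       */
/* CSFRNG and CSFIQA already exist in class CSFSERV; the issuer is    */
/* authorized to change them; all user IDs below are placeholders.    */
stackid = 'TCPIPID'            /* placeholder: TCP/IP stack user ID   */
appids  = 'APPUSR1 APPUSR2'    /* placeholder: AT-TLS application IDs */
errors  = 0

Address TSO

/* Step 1: CSFRNG READ for the stack ID and every application ID      */
ids = stackid appids
Do i = 1 To Words(ids)
  id = Word(ids, i)
  "PERMIT CSFRNG CLASS(CSFSERV) ID("id") ACCESS(READ)"
  If rc <> 0 Then Do
    Say 'PERMIT CSFRNG failed for' id 'rc='rc
    errors = errors + 1
  End
End

/* Step 2: CSFIQA READ for the stack ID only. Application IDs are     */
/* not given CSFIQA, which keeps their access to the minimum.         */
"PERMIT CSFIQA CLASS(CSFSERV) ID("stackid") ACCESS(READ)"
If rc <> 0 Then Do
  Say 'PERMIT CSFIQA failed for' stackid 'rc='rc
  errors = errors + 1
End

/* Activate the changes if the class profiles are held in storage     */
"SETROPTS RACLIST(CSFSERV) REFRESH"
If rc <> 0 Then Say 'SETROPTS REFRESH rc='rc '(is CSFSERV RACLISTed?)'

/* Verify: show the access list of each profile for review            */
"RLIST CSFSERV CSFRNG AUTHUSER"
"RLIST CSFSERV CSFIQA AUTHUSER"

If errors > 0 Then Say errors 'PERMIT command(s) failed; review output.'
Exit errors
```

Check the RLIST output to confirm that the access lists contain only the user IDs you intended and that CSFIQA was not granted to application user IDs.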

Reference information

For more information, see "Chapter 3. Using Cryptographic Features with System SSL" in z/OS Cryptographic Services System SSL Programming.