
ICSF: Limit archived keys to decrypt operations only

Description: A new SAF resource in the XFACILIT class, CSF.KDS.KEY.ARCHIVE.DATA.DECRYPT, allows ICSF administrators to restrict the use of archived keys to data decryption operations only. The intent is to let an archived key decrypt existing ciphertext, so that the data can be reencrypted with a new key, while preventing that same archived key from generating new ciphertext. If the SAF resource does not exist, the behavior of archived keys is governed by the CSF.KDS.KEY.ARCHIVE.USE resource.

When change was introduced: Cryptographic Support for z/OS V2R5 (FMID HCR77D2).
