ICSF controls access to cryptographic services through the RACF® CSFSERV resource class. An application using System SSL that requires cryptographic support from ICSF must be authorized for the appropriate resources in the class, either explicitly or through a generic resource profile. For more information, see z/OS Cryptographic Services ICSF Administrator's Guide.
When the System SSL DLLs are loaded, System SSL determines what hardware is available by using the ICSF Query Algorithm callable service (CSFIQA). For this reason, make sure that the RACF user ID that starts the application can access the CSFIQA resource of the CSFSERV class. If the user ID that starts the SSL application cannot access the CSFIQA resource of the CSFSERV class, System SSL cannot retrieve information by using the CSFIQA callable service, and the informational message ICH408I (which indicates insufficient authorization) may be issued to the console. Although System SSL processing continues, System SSL might not be aware of all the hardware that is currently available.
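
As an added example (not part of the original page or IBM's code), the following Python script scans console log text for ICH408I messages against the CSFSERV class, such as the CSFIQA denial described above, and drafts the RACF PERMIT commands for review. The sample log and the user IDs SSLAPP, WEBSRV and BATCH1 are constructed, and the multi-line ICH408I layout is assumed to be the usual RACF form.

```python
import re

# Constructed console excerpt (not from a real system); it assumes the usual
# multi-line ICH408I layout. SSLAPP, WEBSRV and BATCH1 are made-up user IDs.
SAMPLE_LOG = """\
ICH408I USER(SSLAPP  ) GROUP(STCGRP  ) NAME(SSL SERVER          )
  CSFIQA CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(WEBSRV  ) GROUP(STCGRP  ) NAME(HTTP SERVER         )
  CSF1TRC CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  FROM CSF* (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(BATCH1  ) GROUP(PROD    ) NAME(BATCH USER          )
  PAYROLL.DATA CL(DATASET )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
"""

def csfserv_denials(log):
    """Return sorted (user, resource, covering_profile) for CSFSERV denials."""
    found = set()
    for msg in log.split("ICH408I")[1:]:           # one chunk per message
        user = re.search(r"USER\(\s*(\S+?)\s*\)", msg)
        res = re.search(r"(\S+)\s+CL\(\s*(\S+?)\s*\)", msg)
        if not (user and res) or res.group(2) != "CSFSERV":
            continue                                # other class, or truncated
        # "FROM profile (G)" appears when a generic profile made the decision.
        gen = re.search(r"FROM\s+(\S+)\s+\(G\)", msg)
        profile = gen.group(1) if gen else res.group(1)
        found.add((user.group(1), res.group(1), profile))
    return sorted(found)

def permit_commands(denials):
    """Draft RACF commands for review, one PERMIT per (user, profile) pair.
    A grant on a generic profile covers every resource that profile matches."""
    pairs = sorted({(user, profile) for user, _, profile in denials})
    cmds = [f"PERMIT {p} CLASS(CSFSERV) ID({u}) ACCESS(READ)" for u, p in pairs]
    if cmds:
        cmds.append("SETROPTS RACLIST(CSFSERV) REFRESH")
    return cmds

if __name__ == "__main__":
    denials = csfserv_denials(SAMPLE_LOG)
    for user, resource, profile in denials:
        print(f"{user} denied {resource} (profile {profile})")
    print("\n".join(permit_commands(denials)))
```
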
The following tables summarize the CSFSERV resources required for each ICSF cryptographic function used by System SSL.

Function | ICSF callable services | z10 | z196/z114 and zEC12/zBC12 |
---|---|---|---|
PKA (RSA) Encrypt | CSNDPKB | -- | -- |
PKA (RSA) Decrypt | CSNDPKB | -- | -- |
RSA Digital Signature Generation | CSNDPKB | -- | -- |
RSA Digital Signature Verify | CSFDPKB | -- | -- |
ECC Digital Signature Generation (private key in the PKDS) | CSNDDSG | CSFDSG |

Function | ICSF PKCS #11 callable services | CSFSERV resources required |
---|---|---|
ECC Key Generation | CSFPGKP | CSF1GKP |
RSA/ECC Digital Signature Generation | CSFPTRC | CSF1TRC |
ECC Digital Signature Verify | CSFPTRC | CSF1TRC |
ECDH Derive Key | CSFPTRC | CSF1TRC |
Diffie-Hellman in FIPS mode | CSFPTRC | CSF1TRC |
AES-GCM Secret Key Decrypt | CSFPSKD | CSF1SKD |
AES-GCM Secret Key Encrypt | CSFPSKE | CSF1SKE |
Random Number Generation | CSFPPRF | CSFRNG |
Secure PKCS #7 Make Enveloped Data Message | CSFPTRC | CSF1TRC |
Secure PKCS #7 Read Enveloped Data Message | CSFPPKS | CSF1PKS |
Secure PKCS #12 Private Key Export | CSFPGSK | CSF1GSK |
RSA PKCS #11 Secure Key Decrypt | CSFPPKS | CSF1PKS |