Controlling how cryptographic keys can be used
In addition to using profiles in the CSFKEYS class (and, when Symmetric
Key Label Export is enabled, the XCSFKEY class) to identify which
users have permission to use certain cryptographic keys, you can also
enable the PKA Key Management Extensions control so that CSFKEYS and
XCSFKEY profiles can place restrictions on how those keys are used. For
example, you can:
- Restrict an asymmetric key from being used in secure export and import operations.
- Restrict an asymmetric key from being used in handshake operations.
- Restrict a symmetric key from being exported (transferred from encryption under a master key to encryption under an application-supplied RSA public key). Alternatively, you can allow the symmetric key to be exported, but only by certain public keys (as indicated by a list of key labels), or only by public keys bound to certain identities (as indicated by a list of certificates in either a PKCS #11 token, or a SAF key ring).
You place restrictions on cryptographic keys using the ICSF segment of the CSFKEYS or XCSFKEY class profiles that cover the keys. After you have modified the profiles with the restrictions you want to place on the keys, you can enable the PKA Key Management Extensions control by creating a CSF.PKAEXTNS.ENABLE profile in class XFACILIT. You can also enable PKA Key Management Extensions in warning mode by creating a CSF.PKAEXTNS.ENABLE.WARNONLY profile in class XFACILIT. In order to enable PKA Key Management Extensions, Key Store Policy must be active for both the CKDS and the PKDS. For more information, refer to Enabling PKA key management extensions.
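The following RACF command sequence is an added example of the procedure above; it is not taken from this page or from IBM's documentation. The key labels (APP1.*, PARTNER*.RSA.PUBLIC), the key ring name (APP1RING) and the certificate label are constructed for illustration. The ICSF segment keywords (ASYMUSAGE, SYMEXPORTABLE, SYMEXPORTKEYS, SYMEXPORTCERTS) and the CSF.PKAEXTNS.ENABLE profiles are the real RACF controls for this feature; the "ring/cert-label" entry format used in SYMEXPORTCERTS and the Key Store Policy profile names in step 2 are stated from memory and should be checked against the RACF Command Language Reference and the ICSF Administrator's Guide before use.

```tso
/* Step 1: put the usage restrictions in the ICSF segment of the      */
/* CSFKEYS profiles that cover the keys (labels are constructed).     */

/* An RSA key that may only sign and verify: it may not be used in    */
/* secure export/import operations or in handshake operations.        */
RDEFINE CSFKEYS APP1.RSA.SIGNING.KEY UACC(NONE) +
  ICSF(ASYMUSAGE(NOSECUREEXPORT NOHANDSHAKE))

/* An AES key that may be exported, but only under the RSA public     */
/* keys named in the list (BYLIST), identified by their PKDS labels.  */
RDEFINE CSFKEYS APP1.AES.DATA.KEY UACC(NONE) +
  ICSF(SYMEXPORTABLE(BYLIST) +
       SYMEXPORTKEYS(PARTNERA.RSA.PUBLIC PARTNERB.RSA.PUBLIC))

/* Same idea, but trusting an identity rather than a bare key label:  */
/* export is allowed only under public keys bound to the listed       */
/* certificate in SAF key ring APP1RING. Entry format "ring/label"    */
/* is assumed here; verify it against the RACF command reference.     */
RDEFINE CSFKEYS APP1.AES.PARTNER.KEY UACC(NONE) +
  ICSF(SYMEXPORTABLE(BYLIST) +
       SYMEXPORTCERTS(APP1RING/PARTNERA))

/* A symmetric key that must never leave master-key protection.       */
RDEFINE CSFKEYS APP1.AES.LOCAL.KEY UACC(NONE) +
  ICSF(SYMEXPORTABLE(BYNONE))

/* Give the application identity READ access so it can use the keys;  */
/* the ICSF segment decides HOW they may be used.                     */
PERMIT APP1.AES.DATA.KEY CLASS(CSFKEYS) ID(APP1USR) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH

/* Step 2: Key Store Policy must be active for both the CKDS and the  */
/* PKDS before the extensions can be enabled. These are the Key Store */
/* Policy control profiles as recalled from ICSF documentation, not   */
/* from this page; confirm the names for your release.                */
RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.LABEL.WARN
RDEFINE XFACILIT CSF.PKDS.TOKEN.CHECK.LABEL.WARN

/* Step 3: enable PKA Key Management Extensions in warning mode first */
/* so that violations are logged but not failed; review the warnings. */
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY
SETROPTS RACLIST(XFACILIT) REFRESH

/* Step 4: after the warning period, switch to enforcement.           */
RDELETE XFACILIT CSF.PKAEXTNS.ENABLE.WARNONLY
RDEFINE XFACILIT CSF.PKAEXTNS.ENABLE
SETROPTS RACLIST(XFACILIT) REFRESH

/* Step 5: verify what was defined.                                   */
RLIST CSFKEYS APP1.AES.DATA.KEY ICSF
RLIST XFACILIT CSF.PKAEXTNS.ENABLE
```

Defining the CSF.PKAEXTNS.ENABLE.WARNONLY profile before the enforcing CSF.PKAEXTNS.ENABLE profile is the safer order: any application whose keys are now restricted shows up in the warning messages instead of failing outright, and the ICSF segments can be corrected before enforcement is turned on.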