
Appendix H Setting ICSF Permissions in RACF for Cryptographic Hardware Support

To enable cryptographic hardware support, define the following CSFSERV profiles in RACF and grant READ access to them for all client and server IDs. You can run the first set of commands with the Tectia SSH Assistant ISPF application, job 1.5 CSFSERV.

SETROPTS CLASSACT(CSFSERV CSFKEYS XCSFKEY)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
RDEFINE CSFSERV CSFRNG UACC(NONE)
PERMIT CSFRNG CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFIQA UACC(NONE)
PERMIT CSFIQA CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFIQF UACC(NONE)
PERMIT CSFIQF CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1TRC UACC(NONE)
PERMIT CSF1TRC CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1TRD UACC(NONE)
PERMIT CSF1TRD CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1SKE UACC(NONE)
PERMIT CSF1SKE CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1SKD UACC(NONE)
PERMIT CSF1SKD CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFOWH UACC(NONE)
PERMIT CSFOWH CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFCKM UACC(NONE)
PERMIT CSFCKM CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFKPI2 UACC(NONE)
PERMIT CSFKPI2 CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFENC UACC(NONE)
PERMIT CSFENC CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFDEC UACC(NONE)
PERMIT CSFDEC CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFSAD UACC(NONE)
PERMIT CSFSAD CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFSAE UACC(NONE)
PERMIT CSFSAE CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFHMG UACC(NONE)
PERMIT CSFHMG CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1GAV UACC(NONE)
PERMIT CSF1GAV CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1DVK UACC(NONE)
PERMIT CSF1DVK CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1GKP UACC(NONE)
PERMIT CSF1GKP CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1PKS UACC(NONE)
PERMIT CSF1PKS CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1PKV UACC(NONE)
PERMIT CSF1PKV CLASS(CSFSERV) ID(*) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH
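The commands above grant READ to ID(*), that is, to every RACF user. As an added example (not from the Tectia documentation), the POSIX shell script below emits the same RDEFINE/PERMIT sequence for the appendix's CSFSERV profiles but scoped to named user IDs or a RACF group, so only the SSH server and client IDs that actually need ICSF services receive access. The IDs SSHSRV and SSHCLNT used in the usage line are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not part of the Tectia documentation. Generates RACF commands
# that define the CSFSERV profiles listed in the appendix and PERMIT READ to the
# user IDs or groups given as an argument, instead of the all-users ID(*).

# CSFSERV resources required by Tectia SSH for ICSF hardware crypto (from the appendix).
CSFSERV_PROFILES="CSFRNG CSFIQA CSFIQF CSF1TRC CSF1TRD CSF1SKE CSF1SKD CSFOWH
CSFCKM CSFKPI2 CSFENC CSFDEC CSFSAD CSFSAE CSFHMG CSF1GAV CSF1DVK CSF1GKP
CSF1PKS CSF1PKV"

# gen_csfserv_cmds "<ids>" prints the full command list to stdout.
# <ids> is a space-separated list of RACF user IDs and/or group names, which is
# exactly what the PERMIT ID() operand accepts.
gen_csfserv_cmds() {
    ids=$1
    printf 'SETROPTS CLASSACT(CSFSERV CSFKEYS XCSFKEY)\n'
    printf 'SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)\n'
    for p in $CSFSERV_PROFILES; do
        # UACC(NONE) keeps the default "no access"; only the listed IDs get READ.
        printf 'RDEFINE CSFSERV %s UACC(NONE)\n' "$p"
        printf 'PERMIT %s CLASS(CSFSERV) ID(%s) ACCESS(READ)\n' "$p" "$ids"
    done
    # Refresh the in-storage (RACLISTed) copy so the new PERMITs take effect.
    printf 'SETROPTS RACLIST(CSFSERV) REFRESH\n'
}

# count_permits "<ids>": number of PERMIT statements generated (one per profile).
count_permits() {
    gen_csfserv_cmds "$1" | grep -c '^PERMIT '
}

# has_wildcard_id "<ids>": succeeds if any generated PERMIT still uses ID(*).
has_wildcard_id() {
    gen_csfserv_cmds "$1" | grep -q 'ID(\*)'
}

# Usage with hypothetical server and client IDs; the output can be pasted into a
# TSO batch job or the ISPF application in place of the appendix's command list.
gen_csfserv_cmds "SSHSRV SSHCLNT"
```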

If possible, avoid defining the following SAF/RACF profile. Otherwise you must grant READ access to this profile for all client and server IDs:

CLASS(CRYPTOZ) CLEARKEY.SYSTOK-SESSION-ONLY

To enable use of the IBM Crypto Express Card (CEX), you also need to enable the following CSFSERV profiles for all client and server IDs in RACF:

# For Cipher offload to CEX
RDEFINE CSFSERV CSFCKM UACC(NONE)
PERMIT CSFCKM CLASS(CSFSERV) ID(*) ACCESS(READ)

RDEFINE CSFSERV CSFSAD UACC(NONE)
PERMIT CSFSAD CLASS(CSFSERV) ID(*) ACCESS(READ)

RDEFINE CSFSERV CSFSAE UACC(NONE)
PERMIT CSFSAE CLASS(CSFSERV) ID(*) ACCESS(READ)

# For MAC offload to CEX
RDEFINE CSFSERV CSFKPI2 UACC(NONE)
PERMIT CSFKPI2 CLASS(CSFSERV) ID(*) ACCESS(READ)

RDEFINE CSFSERV CSFHMG UACC(NONE)
PERMIT CSFHMG CLASS(CSFSERV) ID(*) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH
