Appendix H Setting ICSF Permissions in RACF for Cryptographic Hardware Support

To enable cryptographic hardware support, define the following CSFSERV profiles in RACF and grant READ access to them for all client and server IDs. ID(*) grants READ to every RACF-defined user; if you want to restrict access, replace it with a RACF group that contains only the Tectia client and server user IDs. You can run the first set of commands with the Tectia SSH Assistant ISPF application, job 1.5 CSFSERV.

SETROPTS CLASSACT(CSFSERV CSFKEYS XCSFKEY)
SETROPTS RACLIST(CSFSERV) GENERIC(CSFSERV)
# Random number generation and ICSF capability queries
RDEFINE CSFSERV CSFRNG UACC(NONE)
PERMIT CSFRNG CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFIQA UACC(NONE)
PERMIT CSFIQA CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFIQF UACC(NONE)
PERMIT CSFIQF CLASS(CSFSERV) ID(*) ACCESS(READ)
# PKCS#11 token record create/delete and secret key encrypt/decrypt
RDEFINE CSFSERV CSF1TRC UACC(NONE)
PERMIT CSF1TRC CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1TRD UACC(NONE)
PERMIT CSF1TRD CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1SKE UACC(NONE)
PERMIT CSF1SKE CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1SKD UACC(NONE)
PERMIT CSF1SKD CLASS(CSFSERV) ID(*) ACCESS(READ)
# One-way hash, clear key import, key part import and symmetric encipher/decipher
RDEFINE CSFSERV CSFOWH UACC(NONE)
PERMIT CSFOWH CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFCKM UACC(NONE)
PERMIT CSFCKM CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFKPI2 UACC(NONE)
PERMIT CSFKPI2 CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFENC UACC(NONE)
PERMIT CSFENC CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFDEC UACC(NONE)
PERMIT CSFDEC CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFSAD UACC(NONE)
PERMIT CSFSAD CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSFSAE UACC(NONE)
PERMIT CSFSAE CLASS(CSFSERV) ID(*) ACCESS(READ)
# HMAC generation
RDEFINE CSFSERV CSFHMG UACC(NONE)
PERMIT CSFHMG CLASS(CSFSERV) ID(*) ACCESS(READ)
# PKCS#11 attribute query, key derivation, key pair generation, sign and verify
RDEFINE CSFSERV CSF1GAV UACC(NONE)
PERMIT CSF1GAV CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1DVK UACC(NONE)
PERMIT CSF1DVK CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1GKP UACC(NONE)
PERMIT CSF1GKP CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1PKS UACC(NONE)
PERMIT CSF1PKS CLASS(CSFSERV) ID(*) ACCESS(READ)
RDEFINE CSFSERV CSF1PKV UACC(NONE)
PERMIT CSF1PKV CLASS(CSFSERV) ID(*) ACCESS(READ)
SETROPTS RACLIST(CSFSERV) REFRESH

If possible, avoid defining the following SAF/RACF profile. When it exists, ICSF requires READ access to it before a user can perform clear-key PKCS#11 operations in the SYSTOK-SESSION-ONLY session token; when no such profile exists, the check is not made. If your installation does define it, you must grant READ access to it for all client and server IDs:

CLASS(CRYPTOZ) CLEARKEY.SYSTOK-SESSION-ONLY

To enable offload to an IBM Crypto Express card (CEX), you also need the following CSFSERV profiles, with READ access for all client and server IDs in RACF. They are a subset of the first set: if you have already run the commands above, RDEFINE reports each profile as already defined and the PERMIT commands are harmless repeats.

# For Cipher offload to CEX
RDEFINE CSFSERV CSFCKM  UACC(NONE)
PERMIT CSFCKM CLASS(CSFSERV) ID(*) ACCESS(READ)

RDEFINE CSFSERV CSFSAD  UACC(NONE)
PERMIT CSFSAD CLASS(CSFSERV) ID(*) ACCESS(READ)

RDEFINE CSFSERV CSFSAE  UACC(NONE)
PERMIT CSFSAE CLASS(CSFSERV) ID(*) ACCESS(READ)

# For MAC offload to CEX
RDEFINE CSFSERV CSFKPI2  UACC(NONE)
PERMIT CSFKPI2 CLASS(CSFSERV) ID(*) ACCESS(READ)

RDEFINE CSFSERV CSFHMG  UACC(NONE)
PERMIT CSFHMG CLASS(CSFSERV) ID(*) ACCESS(READ)
SETROPTS CLASSACT(CSFSERV)
SETROPTS RACLIST(CSFSERV) REFRESH
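As an added verification step that is not part of the Tectia documentation, the following batch job lists the profiles defined above together with their access lists, so you can confirm that the class is active and RACLISTed and that every Tectia client and server ID actually holds READ access. The JOB card accounting, class and message class values are placeholders for your installation's standards.

```jcl
//RLSTCSF  JOB (ACCT),'VERIFY CSFSERV',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example, not from the Tectia documentation. JOB card values
//* (ACCT, CLASS, MSGCLASS) are placeholders for your site's standards.
//*
//* Runs RACF commands under the TSO terminal monitor program in batch.
//TSO      EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS LIST
  RLIST CSFSERV (CSFRNG CSFIQA CSFIQF CSFOWH CSFCKM CSFKPI2 -
        CSFENC CSFDEC CSFSAD CSFSAE CSFHMG) AUTHUSER
  RLIST CSFSERV (CSF1TRC CSF1TRD CSF1SKE CSF1SKD CSF1GAV CSF1DVK -
        CSF1GKP CSF1PKS CSF1PKV) AUTHUSER
  RLIST CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY AUTHUSER
/*
```

In the SETROPTS LIST output, CSFSERV should appear under ACTIVE CLASSES, GENERIC PROFILE CLASSES and SETR RACLIST CLASSES; each RLIST entry should show a UNIVERSAL ACCESS of NONE and an access list granting READ to * (or to the group you used in place of ID(*)). A "not found" result for the CRYPTOZ profile is the recommended state, since ICSF then skips the clear-key check. SETROPTS LIST and the AUTHUSER access-list display require RACF SPECIAL or AUDITOR authority, or ownership of the profiles.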
