IBM Crypto Education Community

Join the IBM Crypto Education community to explore and understand IBM cryptography technology. This community is operated and maintained by the IBM Crypto Development team.

  • 1.  CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY

    Posted Wed June 19, 2024 09:42 PM

    Greetings all,

    We are implementing RACF protection for a new installation of Omegamon. 'Taken Action' functions get access violations on CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY. I have not worked with class CRYPTOZ. I have perused the documentation on this resource but don't fully grasp its purpose or the security implications of granting access. Should access to this resource be tightly restricted? What types of users might need access? Can I grant access to it without concern? Are there any exposures in doing so?

    On a side note, is there a way to search on a given topic in past threads in this group? I had planned to look for past discussions of this resource in hopes my questions would have already been answered but couldn't figure out how to do it.

    Regards, Bob



    ------------------------------
    Robert S. Hansel
    Lead RACF Specialist
    RSH Consulting, Inc.
    R.Hansel@rshconsulting.com
    www.rshconsulting.com
    ------------------------------


  • 2.  RE: CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY

    Posted Fri June 21, 2024 09:09 AM
    > Should access to this resource be tightly restricted?
     
    I don't think so, unless you have a specific need to limit use of clear key creation, which is not likely. The CLEARKEY.* resources are used to determine whether a specific ID is permitted to create clear keys. You can see the breakdown in Table 3. CLEARKEY.token-label resource access and key security policy in z/OS ICSF Writing PKCS #11 Applications.
     
    > What types of users might need access?
     
    Most commonly, users who need to create keys would be any that initiate or respond to TLS requests.
     
    > Can I grant access to it without concern? Are there any exposures in doing so?
     
    In general, it is probably safe to grant access to any given user. This profile was added to force the use of secure keys where required by compliance rules. Forcing secure key use is not great for TLS where each session handshake will create one or more ephemeral keys, which are clear because they exist for only one session.
     
    > Is there a way to search on a given topic in past threads in this group?
     
    If you search using the magnifying glass icon in the upper right, you should get all posts in all of IBM with the search term. You can then narrow it down using the dropdowns on the left side.


    ------------------------------
    Eric Rossman
    ------------------------------
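
    To make the permission in the reply above concrete, here is an added example of the RACF commands that define the resource, grant it, refresh the class and verify the result. It is not code from either post. The group name TLSSERV, the user ID OMEGUSR and the READ access level are assumptions: choose the access level from Table 3 (CLEARKEY.token-label resource access and key security policy) in z/OS ICSF Writing PKCS #11 Applications that matches the key security policy you want, and treat the ACCESS INTENT shown in the ICH408I violation message as the minimum the application is asking for. The commands are wrapped in a REXX exec so they can be run as a unit and commented.

```rexx
/* REXX - added example, not from the thread: set up                      */
/* CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY for IDs that create session keys. */
/* Assumed names: group TLSSERV, user OMEGUSR. READ is an illustrative    */
/* access level; pick yours from Table 3 in the ICSF PKCS #11 book.       */
address TSO

/* CRYPTOZ must be active and RACLISTed: ICSF checks in-storage profiles. */
"SETROPTS CLASSACT(CRYPTOZ) RACLIST(CRYPTOZ)"

/* UACC(NONE) so no ID gets the clear-key policy by default;             */
/* FAILURES(READ) logs every denied attempt so you can find the callers. */
"RDEFINE CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY UACC(NONE) AUDIT(FAILURES(READ))"

/* Grant through a group rather than per user ID, so the next TLS server */
/* (or OMEGAMON started task) needs only a CONNECT, not a new PERMIT.    */
"PERMIT CLEARKEY.SYSTOK-SESSION-ONLY CLASS(CRYPTOZ) ID(TLSSERV) ACCESS(READ)"
"CONNECT OMEGUSR GROUP(TLSSERV)"

/* Nothing takes effect until the in-storage copy of the class is refreshed. */
"SETROPTS RACLIST(CRYPTOZ) REFRESH"

/* Verify: profile, UACC, audit setting and the access list.             */
"RLIST CRYPTOZ CLEARKEY.SYSTOK-SESSION-ONLY AUTHUSER"
say "RLIST rc =" rc
exit rc
```

    After the refresh, retry the OMEGAMON action that failed: the ICH408I message for CL(CRYPTOZ) should stop appearing for the IDs in the group, and any ID still producing one with ACCESS INTENT above the level you granted is asking for a different key security policy and needs a separate decision rather than a blanket increase.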