I'm making a call to CSNDSYX to encrypt a DES key under an RSA key.
I've created an RSA token for a public 256-byte RSA key.
I have a DES token for a DATA key that I'm trying to encrypt.
I didn't use labels for either of the keys during my initial testing of this call when it returned 8/BF8. I then saved the RSA token into the PKDS dataset using a label. And then I used that label in this call in a follow-up test. It also returned 8/BF8. The DES token remains a token and not a label.
The call returns 8/BF8...
ICSF key store policy checking is active. The specified token does not exist in the key data set (CKDS or PKDS as appropriate). The CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource in the CSFKEYS class is either not defined or the caller is not authorized to the CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT resource. The resource is not in WARNING mode, so the request is not allowed to continue.
An SMF type 80 record with event qualifier ACCESS is logged indicating the request failed.
The policy is defined by the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL or the CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class.
And an excerpt from the ADMIN guide says this...
Table 27. Key Store Policy controls: The Default Key Label Checking controls

The existence of this resource profile in the XFACILIT class:    Does this:

CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
    Specifies that ICSF should use the default profile CSF-CKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the CKDS. This control is enabled only if the CSF.CKDS.TOKEN.CHECK.LABEL.WARN or CSF.CKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled.

CSF.PKDS.TOKEN.CHECK.DEFAULT.LABEL
    Specifies that ICSF should use the default profile CSF-PKDS-DEFAULT in the CSFKEYS class to determine user access to tokens that are not stored in the PKDS. This control is enabled only if the CSF.PKDS.TOKEN.CHECK.LABEL.WARN or CSF.PKDS.TOKEN.CHECK.LABEL.FAIL control is also enabled.
For example, to enable the Default Key Label Checking control for a CKDS, you would:
1. Create the default profile CSF-CKDS-DEFAULT in the CSFKEYS class.
RDEFINE CSFKEYS CSF-CKDS-DEFAULT UACC(NONE)
2. By defining the universal access authority (UACC) as NONE in the preceding step, the use of key tokens that do not reside in the key store has been prohibited. If necessary, however, you can give appropriate users (preferably groups) access in the CSF-CKDS-DEFAULT profile and refresh the CSFKEYS class in storage:
PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID(group-id) ACCESS(READ)
SETROPTS RACLIST(CSFKEYS) REFRESH
3. Create a profile for the CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL resource in the XFACILIT class, and refresh the XFACILIT class in storage.
RDEFINE XFACILIT CSF.CKDS.TOKEN.CHECK.DEFAULT.LABEL
SETROPTS RACLIST(XFACILIT) REFRESH
Note: If SAF profile prefixing is enabled, the CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT CSFKEYS profiles must be defined with the appropriate prefix prepended to the profile name.
The systems folks tell me that there are no RACF messages showing as a result.
There isn't an SMF 80 record they can find.
Without finding either of those, they are at a loss as to how to resolve our problem.
This is the first time we are using the CSNDSYX call.
What other hints can I give the systems folks to look for in order to solve our problem? If you think a different approach to my code would help, I'm also all ears.
I would appreciate the help/pointers.
Thanks.
------------------------------
Mark Vollmer
Developer, but does everything.
CV Systems, LLC
------------------------------
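The ADMIN guide excerpt quoted in the post gives the three RDEFINE/PERMIT/SETROPTS steps for the CKDS side only. The REXX exec below is an added example, not code from the original post or from the IBM manuals it quotes. It turns those steps into the RACF queries a systems programmer would run first (is the token-check control actually defined, does the default profile exist, who is on its access list, are the classes RACLISTed so that REFRESH takes effect) and then applies the PERMIT/REFRESH step. It covers both key data sets because the CSNDSYX call in the post passes one key by label (PKDS side) and one DES token by value (CKDS side), and the 8/BF8 text says the check can be against either CSF-CKDS-DEFAULT or CSF-PKDS-DEFAULT. It assumes RACF is the SAF product, that SAF profile prefixing is not enabled (otherwise the prefix from the Note applies), and a hypothetical group CSFAPPS containing the caller's user ID; the exec runs under TSO (ADDRESS TSO is the default host command environment there).

```rexx
/* REXX - Key Store Policy default-profile check for ICSF reason code BF8.     */
/* Added example; not from the original post or the ICSF Administrator's Guide. */
/* Assumptions: RACF, no SAF profile prefixing, hypothetical group CSFAPPS.      */
/* Run in TSO; set apply = 1 only once the queries below explain the failure.    */

apply = 0                      /* 0 = query only, 1 = also PERMIT and REFRESH */
group = "CSFAPPS"              /* hypothetical group holding the caller's ID  */

say "--- 1. Which token-check controls exist in XFACILIT?"
/* DEFAULT.LABEL is inert unless LABEL.WARN or LABEL.FAIL is also defined,    */
/* and the BF8 text says the failing resource is NOT in WARNING mode, so      */
/* expect to see a .FAIL profile here for the key data set that rejects you.  */
call racf "SEARCH CLASS(XFACILIT) FILTER(CSF.CKDS.TOKEN.CHECK.**)"
call racf "SEARCH CLASS(XFACILIT) FILTER(CSF.PKDS.TOKEN.CHECK.**)"

say "--- 2. Do the default CSFKEYS profiles exist, and who may use them?"
/* AUTHUSER shows the standard access list; the caller (or a group it is in) */
/* needs READ. 'NOTHING FOUND' (rc 4) means the profile was never defined,    */
/* which the BF8 text lists as one of the two causes.                         */
call racf "RLIST CSFKEYS CSF-CKDS-DEFAULT AUTHUSER"
call racf "RLIST CSFKEYS CSF-PKDS-DEFAULT AUTHUSER"

say "--- 3. Are CSFKEYS and XFACILIT RACLISTed?"
/* The guide's SETROPTS RACLIST(...) REFRESH step presupposes the class is   */
/* RACLISTed; if it is not, the REFRESH fails and a new PERMIT is not seen.   */
call racf "SETROPTS LIST"

if apply then do
  say "--- 4. Grant READ on both default profiles and refresh the class."
  /* A DES DATA token passed by value is governed by CSF-CKDS-DEFAULT;        */
  /* an RSA token passed by value is governed by CSF-PKDS-DEFAULT.            */
  call racf "PERMIT CSF-CKDS-DEFAULT CLASS(CSFKEYS) ID("group") ACCESS(READ)"
  call racf "PERMIT CSF-PKDS-DEFAULT CLASS(CSFKEYS) ID("group") ACCESS(READ)"
  call racf "SETROPTS RACLIST(CSFKEYS) REFRESH"
end
exit 0

/* Issue one RACF command under TSO and report its return code.               */
/* rc 0 = found/applied, rc 4 = nothing found (profile or entries missing).   */
racf: procedure
  parse arg cmd
  say ">" cmd
  cmd                          /* hand the string to the TSO environment     */
  say "  rc =" rc
  return rc
```

Reading the output against the 8/BF8 text: a CSF.*.TOKEN.CHECK.LABEL.FAIL profile present in step 1 with no CSF-*-DEFAULT profile in step 2 (or one whose access list lacks the caller) is exactly the combination the reason code describes, and step 4 is the guide's own remedy. The absence of an SMF 80 record on the systems side is worth re-checking against the ID the job actually runs under, since the PERMIT must name that ID or one of its groups.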