IBM Crypto Education Community


ICSF - CKDS KEYS menu ( option 1 ; 2 ; 3) - NOT AUTHORIZED

  • 1.  ICSF - CKDS KEYS menu ( option 1 ; 2 ; 3) - NOT AUTHORIZED

    Posted Thu January 21, 2021 08:49 AM
    Dear ,

    After creating a DATA key, I'm trying to display the key from the CKDS KEYS menu, but I'm apparently facing a lack of authority to access
    the following options:


    And I'm getting this message:

    I should specify that I'm using the same protection services and keys as another system where I do not have this problem.

    Thanks in advance for the advice.

    Regards,

    ------------------------------
    Nordine
    ------------------------------


  • 2.  RE: ICSF - CKDS KEYS menu ( option 1 ; 2 ; 3) - NOT AUTHORIZED

    Posted Fri January 22, 2021 08:19 AM
    See the ICSF Administrator's Guide, Chapter 17, "Using the utility panels to manage keys in the CKDS". Here are the SAF resources needed to do things on the CKDS Key Utilities panel:

    The following resources and profiles are SAF checked by the CKDS KEYS utility. You must have SAF authority to the resource to perform the function. The CSFKEYS class can be checked for the label when these functions are executed.

    Listing labels (CSFSERV(CSFKDSL) and CSFSERV(CSFBRCK))
      You must have READ authority to the profiles.

    Displaying key attributes and record metadata (CSFSERV(CSFBRCK))
      You must have READ authority to the profile.

    Modifying metadata (CSFSERV(CSFBRCK))
      You must have UPDATE authority to the profile and READ authority to the CSFKEYS profile for the label.

    Deleting records (CSFSERV(CSFBRCK))
      You must have CONTROL authority to the profile and READ authority to the CSFKEYS profile for the label.

    Archiving/recalling records (CSFSERV(CSFBRCK))
      You must have UPDATE authority to the profile and READ authority to the CSFKEYS profile for the label.

    If you have ALTER authority to the CSFSERV(CSFBRCK) profile, the CSFKEYS SAF check is not performed.

    Generating an AES DATA key requires you to have SAF authority to the specified label in the CSFKEYS class and to these resources in the CSFSERV class:

    CSFKGN
      Generates keys.
    CSFKRC2
      Creates the CKDS record.
    CSFKRR2
      Checks whether specified record exists.
    CSFKRW2
      Overwrites the existing key token in the existing record.

    ------------------------------
    Bob Petti
    ------------------------------
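
One way to compare the failing system with the working one against the requirements listed in the reply above, as an added REXX example that is not part of the thread or of IBM's documentation. USERID and MY.DATA.KEY.LABEL are placeholders, and the PERMIT step assumes discrete CSFSERV profiles named after the resources.

```rexx
/* REXX - added example: report (and optionally grant) the SAF access */
/* that the CKDS KEYS panel checks for listing and displaying keys.   */
userid = 'USERID'              /* placeholder: user seeing NOT AUTHORIZED */
label  = 'MY.DATA.KEY.LABEL'   /* placeholder: CKDS label of the DATA key */
grant  = 0                     /* 0 = report only, 1 = also issue PERMITs */

Address TSO

/* Class status: check that CSFSERV and CSFKEYS are active and        */
/* RACLISTed the same way on both systems.                            */
"SETROPTS LIST"

/* Listing labels needs READ to CSFKDSL and CSFBRCK; displaying key   */
/* attributes needs READ to CSFBRCK. GENERIC shows the best-matching  */
/* generic profile when no discrete profile exists.                   */
resources = 'CSFKDSL CSFBRCK'
Do i = 1 To Words(resources)
  res = Word(resources, i)
  "RLIST CSFSERV" res "GENERIC AUTHUSER"
  If rc <> 0 Then Say 'RLIST for CSFSERV' res 'ended with RC' rc
End

/* The CSFKEYS class can also be checked for the label. */
"RLIST CSFKEYS" label "GENERIC AUTHUSER"
If rc <> 0 Then Say 'RLIST for CSFKEYS' label 'ended with RC' rc

/* Grant READ only. Modify/archive need UPDATE and delete needs       */
/* CONTROL on CSFBRCK, per the reply above; do not grant those unless */
/* the user really performs those functions.                          */
/* Assumption: discrete profiles. If RLIST showed a generic profile,  */
/* issue PERMIT against that profile name instead.                    */
If grant Then Do
  Do i = 1 To Words(resources)
    res = Word(resources, i)
    "PERMIT" res "CLASS(CSFSERV) ID("userid") ACCESS(READ)"
    If rc <> 0 Then Say 'PERMIT for' res 'ended with RC' rc
  End
  /* RACLISTed classes keep the old access lists until refreshed. */
  "SETROPTS RACLIST(CSFSERV) REFRESH"
End
Exit 0
```

Run it with `grant = 0` on both systems first and compare the access lists and class status before changing anything.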