Integrated Cryptographic Service Facility (ICSF)


z/OS System SSL will use ICSF when available. The ICSF started task must be running and ICSF configuration must be complete.

The user profile with which the System SSL application executes must have access to the following ICSF resources in the CSFSERV class:

  • CSFCKI, clear key import
  • CSFCKM, multiple clear key import
  • CSFDEC, symmetric key decrypt
  • CSFDSG, digital signature generate
  • CSFDSV, digital signature verify
  • CSFENC, symmetric key encrypt
  • CSFPKB, PKA key build
  • CSFPKD, PKA decrypt
  • CSFPKE, PKA encrypt
  • CSFPKI, PKA key import

In addition to the resources above, it may also be necessary to grant the user access to the CSFIQA resource, which permits queries on the cryptographic hardware available on a particular system. If the user does not have READ access to that resource, System SSL processing can continue, but may do so with reduced functionality (for example, TLS 1.2 ciphers may not be accessible). An ICH408I message will also appear in the system log for each query that fails.

To use ICSF's random number generator, which is used to seed key generation, the CSFRNG resource must be defined to the CSFSERV class and the user must have READ access to it. If this resource is not available, or the user cannot access it, a less secure generator may be used.

Refer to the IBM z/OS ICSF Administrator's Guide for managing access to ICSF resources.
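
The following Python script is an added example, not part of IBM's documentation. It scans system log text for the ICH408I messages mentioned above, collects CSFSERV denials per user, and proposes RACF PERMIT commands only for resources this page names, leaving any other denied resource for manual review. The log lines and user IDs are constructed; it assumes READ is the level needed for every listed resource and that CSFSERV is RACLISTed.

```python
import re
from collections import defaultdict

# CSFSERV resources named on this page: the required list plus CSFIQA and CSFRNG.
PAGE_RESOURCES = {"CSFCKI", "CSFCKM", "CSFDEC", "CSFDSG", "CSFDSV", "CSFENC",
                  "CSFPKB", "CSFPKD", "CSFPKE", "CSFPKI", "CSFIQA", "CSFRNG"}

USER_RE = re.compile(r"ICH408I\s+USER\(([^\s)]+)\s*\)")
RESOURCE_RE = re.compile(r"(\S+)\s+CL\(([^\s)]+)\s*\)")

# Constructed sample: three ICH408I messages as they might appear in the log.
SAMPLE_LOG = """\
ICH408I USER(SSLSRV  ) GROUP(SYS1    ) NAME(SSL SERVER          )
  CSFIQA CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(SSLSRV  ) GROUP(SYS1    ) NAME(SSL SERVER          )
  CSFKGN CL(CSFSERV )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
ICH408I USER(BATCH1  ) GROUP(PROD    ) NAME(BATCH JOB           )
  PROD.PAYROLL CL(DATASET )
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
""".splitlines()

def denied_csfserv(lines):
    """Map user ID -> set of CSFSERV resources denied in ICH408I messages."""
    denied, user = defaultdict(set), None
    for line in lines:
        if m := USER_RE.search(line):
            user = m.group(1)            # first line of a message names the user
        elif user and (m := RESOURCE_RE.search(line)):
            if m.group(2) == "CSFSERV":  # ignore denials in other classes
                denied[user].add(m.group(1))
            user = None                  # resource line consumed for this message
    return dict(denied)

def remediation(denied):
    """Return (RACF commands for page-listed resources, other denials to review)."""
    permits, review = [], []
    for user, resources in sorted(denied.items()):
        for res in sorted(resources):
            if res in PAGE_RESOURCES:
                permits.append(f"PERMIT {res} CLASS(CSFSERV) ID({user}) ACCESS(READ)")
            else:
                review.append((user, res))   # not on this page's list: do not auto-grant
    if permits:  # assumption: CSFSERV is RACLISTed, so a refresh is needed
        permits.append("SETROPTS RACLIST(CSFSERV) REFRESH")
    return permits, review
```
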