Sample Scenario for Permitting Global Key Use and Restricting a Specific Key

This sample scenario shows how to control key protection using the RDEF and PE commands on IBM Security Server RACF. You can permit users to access most keys while restricting the use of a few keys.

The first RDEF statement permits all users to access any available key on any BES subsystem. The second RDEF statement indicates that you want to control access to the symmetric key named AES256_KEY on BES1. The PE statement indicates that only users SECADMIN and SYSADMIN are permitted to use this key on BES1. Because the first RDEF statement defines the default behavior for key protection, any user can use any available key on any active subsystem except for AES256_KEY on BES1.

RDEF CA@BES BES.KEYS.PERMIT
     OWNER(SECADMIN)
     DATA('CA Tape Encryption GLOBAL KEY PROTECTION OPTION')
RDEF CA@BES BES1.KEYSYMM.AES256_KEY
     OWNER(SECADMIN)
     DATA('CA Tape Encryption KEY PROTECTION PROFILE')
PE   BES1.KEYSYMM.AES256_KEY
     ACCESS(READ)
     GENERIC
     CLASS(CA@BES)
     ID(SECADMIN,SYSADMIN)

If you wanted to control access to AES256_KEY on other BES subsystems, you would have to create an RDEF statement and a PE statement for each subsystem (for example, BES2, BES3, and so on). The global BES.KEYS.PERMIT profile is defined only once and is not repeated per subsystem.
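As an added example (not from the product manual), the same pattern applied to a second subsystem and followed by RLIST commands that confirm the profiles exist and that the key profile's access list names only the intended users. BES2 is an assumed subsystem name, the SETROPTS refresh applies only if the CA@BES class is RACLISTed at your site, and line continuation characters required by your input method are omitted here as they are in the listing above.

```racf
/* Added example: restrict AES256_KEY on an assumed second subsystem, BES2 */
RDEF CA@BES BES2.KEYSYMM.AES256_KEY
     OWNER(SECADMIN)
     DATA('CA Tape Encryption KEY PROTECTION PROFILE')
PE   BES2.KEYSYMM.AES256_KEY
     ACCESS(READ)
     GENERIC
     CLASS(CA@BES)
     ID(SECADMIN,SYSADMIN)
/* Check: the global permit profile is present, and each key profile  */
/* shows UACC NONE with only SECADMIN and SYSADMIN in its access list  */
RLIST CA@BES BES.KEYS.PERMIT
RLIST CA@BES BES1.KEYSYMM.AES256_KEY AUTHUSER
RLIST CA@BES BES2.KEYSYMM.AES256_KEY AUTHUSER
/* Assumption: only needed when CA@BES is RACLISTed at your site */
SETROPTS RACLIST(CA@BES) REFRESH
```

If RLIST shows a user ID in the access list that is not expected to use the key, remove it with PE ... DELETE before the profile takes effect on that subsystem.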