For each token, there are two resources in the CRYPTOZ class:
Controls the access of the User role to the token.
Controls the access of the SO role to the token.
A user's access level to each of these resources (read, update, or control) determines the user's access level to the token.
For information on the CRYPTOZ class, see the IBM guide Cryptographic Services Integrated Cryptographic Services Facility Writing PKCS #11 Applications SA23-2231.
Example: Controlling access to z/OS PKCS#11 tokens
In this example, a company uses z/OS PKCS #11 tokens as the key stores for their FTP and Web servers. The company naming convention is that all tokens have the owning ACID as the high-level qualifier. The owning ACID the FTP is the daemon FTPSERV and Web server is the daemon WEBSERV. User01 is the administrator for the servers.
The security administrator (SECADMIN) creates the protection profiles for the tokens. His goal is to give user01 the Security Officer role for these profiles, and to give the daemon ACIDs the User role.
The security administrator:
TSS ADD(SECDEPT) CRYPTOZ(SO.FTPSRV.*) TSS ADD(SECDEPT) CRYPTOZ(SO.WEBSRV.*)
TSS ADD(SECDEPT) CRYPTOZ(USER.FTPSRV.*) TSS ADD(SECDEPT) CRYPTOZ(USER.WEBSRV.*)
TSS PERMIT(user01) CRYPTOZ(SO.FTPSRV.*) ACCESS(CONTROL) TSS PERMIT(user01) CRYPTOZ(SO.WEBSRV.*) ACCESS(CONTROL)
TSS PERMIT(FTPSRV) CRYPTOZ(USER.FTPSRV.*) ACCESS(UPDATE) TSS PERMIT(WEBSRV) CRYPTOZ(USER.WEBSRV.*) ACCESS(UPDATE)
When complete:
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|