Giving the channel initiator the correct access rights on z/OS

The channel initiator (CHINIT) needs access to the key repository and to certain security profiles.


Granting the CHINIT access to read the key repository

If the key repository is owned by the CHINIT user ID, this user ID needs read access to the IRR.DIGTCERT.LISTRING profile in the FACILITY class, and update access otherwise. Grant access by using the PERMIT command with ACCESS(UPDATE) or ACCESS(READ) as appropriate:

PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID(userid) ACCESS(UPDATE)

where userid is the user ID of the channel initiator address space.


Granting the CHINIT read access to the appropriate CSF* profiles

For hardware support provided through the Integrated Cryptographic Service Facility (ICSF) to be used, ensure your CHINIT user ID has read access to the appropriate CSF* profiles in the CSFSERV class by using the following command:

PERMIT csf-resource CLASS(CSFSERV) ID(userid) ACCESS(READ)

where csf-resource is the name of the CSF* profile and userid is the user ID of the channel initiator address space.

Repeat this command for each of the following CSF* profiles:

  • CSFDSG
  • CSFDSV
  • CSFPKD
  • CSFPKE
  • CSFPKI

Your CHINIT user ID might also need read access to other CSF* profiles. For example, if you are using the ECDHE_RSA_AES_256_GCM_SHA384 CipherSpec, your CHINIT user ID also needs read access to the following CSF* profiles:

  • CSF1DVK
  • CSF1GAV
  • CSF1GKP
  • CSF1SKE
  • CSF1TRC
  • CSF1TRD

For more information, see RACF CSFSERV resource requirements.

If your certificate keys are stored in ICSF and your installation has established access control over keys stored in ICSF, ensure your CHINIT user ID has read access to the profile in the CSFKEYS class by using the following command:

PERMIT IRR.DIGTCERT.userid.* CLASS(CSFKEYS) ID(userid) ACCESS(READ)

where userid is the user ID of the channel initiator address space.
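The following script is an added example, not part of the IBM MQ documentation: it emits the full set of PERMIT commands described above for one channel initiator user ID, choosing READ or UPDATE on IRR.DIGTCERT.LISTRING from whether the CHINIT user ID owns the key repository and adding the ECDHE CSF* profiles only when that CipherSpec is in use. The user ID MQCHIN, the function name chinit_permits and the "owner"/"notowner" argument convention are assumptions; the script only prints commands for review and issues nothing.

```shell
#!/bin/sh
# Added example (not from the IBM MQ documentation): print the RACF PERMIT
# commands this page lists for a channel initiator user ID.
# Arguments (assumed convention): $1 = CHINIT user ID; $2 = "owner" when the
# key repository is owned by that user ID, anything else when it is not;
# $3 = optional CipherSpec name.

# CSFSERV profiles every CHINIT using ICSF for TLS needs READ on (from the page).
CSFSERV_BASE="CSFDSG CSFDSV CSFPKD CSFPKE CSFPKI"
# Extra CSFSERV profiles for ECDHE_RSA_AES_256_GCM_SHA384 (from the page).
CSFSERV_ECDHE="CSF1DVK CSF1GAV CSF1GKP CSF1SKE CSF1TRC CSF1TRD"

chinit_permits() {
    userid=$1
    ownership=${2:-notowner}
    cipherspec=${3:-}

    # Key repository: READ suffices when the CHINIT user ID owns the key ring,
    # otherwise UPDATE is required. Grant the lower level whenever possible.
    if [ "$ownership" = "owner" ]; then
        access=READ
    else
        access=UPDATE
    fi
    echo "PERMIT IRR.DIGTCERT.LISTRING CLASS(FACILITY) ID($userid) ACCESS($access)"

    # ICSF services: one PERMIT per CSF* profile, READ only.
    profiles=$CSFSERV_BASE
    if [ "$cipherspec" = "ECDHE_RSA_AES_256_GCM_SHA384" ]; then
        profiles="$profiles $CSFSERV_ECDHE"
    fi
    for p in $profiles; do
        echo "PERMIT $p CLASS(CSFSERV) ID($userid) ACCESS(READ)"
    done

    # Keys stored in ICSF under CSFKEYS access control: READ on the CHINIT's
    # own certificate keys only, not on every profile in the class.
    echo "PERMIT IRR.DIGTCERT.$userid.* CLASS(CSFKEYS) ID($userid) ACCESS(READ)"
}

# Sample run with a constructed user ID (MQCHIN is not a real installation value).
chinit_permits MQCHIN owner ECDHE_RSA_AES_256_GCM_SHA384
```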


Use the Integrated Cryptographic Service Facility (ICSF)

The channel initiator can use ICSF to generate a random number when seeding the password protection algorithm to obfuscate passwords flowing over client channels if TLS is not being used.

For further information, see Use the Integrated Cryptographic Service Facility (ICSF).
