It is important to note that CSFSERV calls for authorization differ
based upon the ICSF option CHECKAUTH at startup.  If you run
CHECKAUTH(NO) you will NOT see all users of ICSF services.  There is a
small performance implication for running CHECKAUTH(YES)... but you
have to weigh it against what you want control over.

Additionally, you can gain most of the performance by running
protected key (depending on your z model and operating system level)
which will give you most of the performance enjoyed by CPACF.

I agree that just marking a CEX2 or CEX3 processor as offline does not
keep the user of the system from being able to use it.  The only way
to keep it from use is to not make it eligible for use via HMC.  Which
is mostly true.  If you have a TKE ... it is possible to further
restrict individual services from being used on a processor.  I can't
remember if it is lpar related or port related.  I only ever
investigated the possibility once about 6 years ago and that knowledge
has since been moved to "non accessible brain storage".

Rob Schramm
Senior Systems Consultant
Imperium Group




On Tue, Apr 3, 2012 at 11:02 AM, R.S. <[email protected]> wrote:
> On 2012-04-03 08:54, Francis van Zutphen wrote:
> > You can easily control which services are used and which are not.
> > ICSF calls RACF, see CSF* classes.
> > BTW: Why are you afraid? What's the risk you want to avoid? Just
> > curious.
> > --
> > Hello Radoslaw,
> > I had already set on the RACF audit bit for the CSF* classes and have
> > successfully executed some ICSF APIs and received audit records in
> > the CSFSERV class...this works fine.
> > However I am also conducting tests with CA-XCOM (FTP) and switched on
> > the ICSF interface in the XCOM config file, see XCOM documentation
> > attachment, however this time I do not get any hits in the CSFSERV
> > class. I expect to see some hits on the RACF profiles that cover ICSF
> > CSNBSYE/CSNBSYD (CPACF) callable services.
>
> Well. Two things to check:
> 1. Is the software using CPACF or CEX? That's a significant difference.
> Crypto cards (CEX2C, CEX3C) are designed for "high security" - secure
> key cryptography. The cards are *SLOW*, especially for enc/decryption of
> small blocks of data. However you can also have CPACF which is fast (up
> to 1000 times faster AFAIK), but it is clear key cryptography (or latest
> enhancement - "masked" key).
>
> To use CPACF you can use (possibly different) ICSF services or even
> assembler (without ICSF at all).
>
> I would create CL(CSFSERV) ** profile with AUDIT(ALL(READ)) and watch
> the SMF80.
>
> Radoslaw Skorupka
> Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
