Radoslaw,

These ACPs (Access Control Points) are really security switches which are embedded in the microcode in the Crypto Express device. So only a process which can have a secure conversation with that device is able to alter the switches. That device is the TKE. RACF could not be used without a great deal of software and firmware redesign.

As for the default settings, this is a question for IBM. Perhaps someone like Garry Sullivan could answer such a question.

Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Radoslaw Skorupka
Sent: 29 June 2025 14:11
To: [email protected]
Subject: ICSF ACP and TKE

I just tried to use some ICSF service and got rc=4, rsn=05A, which means some Access Control Point is disabled. I checked documentation - it is "DD" - Disabled by Default. It can be enabled by the user, however TKE is the only way to change ACP enable/disable status.

On the other hand, TKE is an optional (paid) feature.

Important: enablement of the ACP is not subject to charge (AFAIK).

So, we have a scenario where some users purchase a CPC with CryptoExpress cards plus z/OS with ICSF as a standard component, but some functionalities are unavailable to them just because they are disabled. Theoretically the user could borrow some TKE for a while and enable it. :-)

Q1: Why are some ACPs disabled by default? What is the rationale behind it?

Q2: What is the purpose of such an (IMHO quite complex) method of enabling some features? Wouldn't it be enough to use Image Profile checkboxes on HMC/SE and/or RACF profiles?

Just curious.

--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
