CCA Release 2.54
Initializing and Managing the Access-Control System
Before you can use a Coprocessor with newly loaded or initialized CCA support, you should initialize roles, profiles, and other data. You may also need to update some of these values from time to time. Access-control initialization and management are the processes you will use to accomplish this.
You can initialize and manage the access-control system in either of two ways:
- You can use the IBM-supplied utility program for your platform:
  - Cryptographic Node Management utility program [3] ("CNM") (not for OS/400)
  - OS/400 Cryptographic Coprocessor web-based configuration utility.
- You can write programs that use the access-control verbs described in this chapter.
The verbs allow you to write programs that do more than the utility program included with the CCA Support Program. If your needs are simple, however, the utility program may do everything you need.
Access-Control Management and Initialization Verbs
Two verbs provide all of the access-control management and initialization functions:
- CSUAACI: Perform access-control initialization functions
- CSUAACM: Perform access-control management functions.
With Access_Control_Initialization, you can perform functions such as:
- Loading roles and user profiles
- Changing the expiration date for a user profile
- Changing the authentication data in a user profile
- Resetting the authentication failure-count in a user profile.
With Access_Control_Maintenance, you can perform functions such as:
- Getting a list of the installed roles or user profiles
- Retrieving the non-secret data for a selected role or user profile
- Deleting a selected role or user profile from the Coprocessor
- Getting a list of the users who are logged on to the Coprocessor.
These two verbs are fully described on pages 2-21 and 2-24, respectively. See also "Access-Control Data Structures" on page B-28.
Permitting Changes to the Configuration
It is possible to set up the Coprocessor so that no one is authorized to perform any functions, including further initialization. It is also possible to set up the Coprocessor so that operational commands are available but initialization commands are not, meaning you could never change the configuration of the Coprocessor again. This lockout happens if you set up the Coprocessor with no roles having the authority to perform initialization functions.
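As an added example (not code from the manual or from the CCA Support Program), the following Python check models a planned set of roles and profiles and flags the lockout described above before anything is loaded. It assumes a simplified model in which a role is the set of verbs it authorizes and a profile maps to exactly one role by name; the sample plans are constructed.

```python
from dataclasses import dataclass

# The two verbs the manual names; a role is modelled as the verbs it authorizes.
INIT_VERB = "CSUAACI"   # Access_Control_Initialization
MAINT_VERB = "CSUAACM"  # Access_Control_Maintenance


@dataclass(frozen=True)
class Role:
    name: str
    verbs: frozenset    # verbs this role is authorized to run


@dataclass(frozen=True)
class Profile:
    user_id: str
    role: str           # name of the role the profile maps to (assumed model)


def lockout_problems(roles, profiles):
    """Return findings for a planned configuration; an empty list means at least
    one authenticated user keeps Access_Control_Initialization authority, so the
    configuration can still be changed after it is loaded."""
    by_name = {r.name: r for r in roles}
    problems = [f"profile {p.user_id} references unknown role {p.role}"
                for p in profiles if p.role not in by_name]
    init_roles = {r.name for r in roles if INIT_VERB in r.verbs}
    if not init_roles:
        # No role can run CSUAACI: the loaded configuration is frozen forever.
        problems.append("no role authorizes CSUAACI: configuration would be frozen")
    elif not any(p.role in init_roles for p in profiles):
        # Authority exists on paper but no user can log on to exercise it.
        problems.append("no profile maps to a role authorizing CSUAACI")
    return problems


# Constructed sample plans: one safe, one that would lock the node out.
OPERATOR_ONLY = Role("OPERATOR", frozenset({MAINT_VERB}))
ADMIN = Role("ADMIN", frozenset({INIT_VERB, MAINT_VERB}))
SAFE_PLAN = ([ADMIN, OPERATOR_ONLY], [Profile("SECOFR", "ADMIN"), Profile("OPER1", "OPERATOR")])
FROZEN_PLAN = ([OPERATOR_ONLY], [Profile("OPER1", "OPERATOR")])


def check_sample_plans():
    """Run both constructed plans and return their findings keyed by plan name."""
    return {"safe": lockout_problems(*SAFE_PLAN), "frozen": lockout_problems(*FROZEN_PLAN)}


if __name__ == "__main__":
    for name, findings in check_sample_plans().items():
        print(name, "->", findings or "OK")
```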
[3] The Cryptographic Node Management utility is described in the IBM 4758 PCI Cryptographic Coprocessor CCA Support Program Installation Manual.
Chapter 2. CCA Node-Management and Access-Control
2-5