Usage Note 63436: SAS AES encryption is affected when ICSF components are secured by RACF under z/OS
 |  |  |  |
SAS components that use Advanced Encryption Standard (AES) require Integrated Cryptographic Services Facility (ICSF) under z/OS.
You can use z/OS security software such as Remote Access Control Facility (RACF) to control which applications can use specific ICSF keys and services. This can help ensure that keys and services are used by only authorized users and jobs. Some ICSF components that can be protected are the CSFKEYS resource and the CSFSERV resource. If ICSF components are secured by RACF and SAS users do not have Read access to these protected RACF classes, SAS components using AES encryption might fail with messages similar to the following written to the z/OS System Console:
CSF-PKDS-DEFAULT CL(CSFKEYS)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
CL(CSFSERV)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
When you encounter this issue, you might also see a message similar to the following in the SAS server logs:
To work around this issue, grant Read permission for the ICSF RACF protected classes to SAS users who use AES encryption.
Operating System and Release Information
| Product Family | Product | System | SAS Release | |
| Reported | Fixed* | |||
| SAS System | SAS/SECURE | z/OS | ||
| z/OS 64-bit | ||||
| Type: | Usage Note |
| Priority: |
| Date Modified: | 2019-01-02 11:07:04 |
| Date Created: | 2018-12-28 16:57:13 |