OCSF: Migrate the directory structure

Description: If you previously configured Open Cryptographic Services Facility (OCSF), you need to verify that the OCSF directories have been migrated to the target system. When your system is up and running, customize OCSF by running the customization script and then the IVP.
Note: If you want to take advantage of the new Software Cryptographic Service Provider 2 (SWCSP2), you should bypass this migration action. When your system is up and running, install OCSF by running the install script and then the IVP.

Steps to take: Migrate the OCSF /var directory structure to the target system. If you installed z/OS with CBPDO or by cloning an already-installed z/OS system, you can either copy the /var/ocsf directory from your old system or rerun the installation script. If you installed z/OS with ServerPac, the OCSF installation script has been run and you have no migration actions for that target system (although you still have to migrate the directory structure to any cloned systems, as already described).

If you installed z/OS V1R11 with CBPDO or by cloning an already-installed V1R11 system, you can either copy the /var/ocsf directory from your old system or rerun the installation script. If you installed z/OS V1R11 with ServerPac or SystemPac, the OCSF installation script has been run and you have no migration actions for that target system (although you still have to migrate the directory structure to any cloned systems, as already described).

If you copy /var/ocsf, verify that the OCSF /var directory structure has been migrated to the target system as described in Migrate /etc and /var system control files. The OCSF registry (the /var/ocsf files) contains the directory path names to the code libraries. If the registry files are copied, the CSSM DLL and the add-ins must be in the same location on the target system as on the prior release. The normal locations are /usr/lpp/ocsf/lib for the CSSM and supporting DLLs and /usr/lpp/ocsf/addins for the add-in libraries.

If you copied /var/ocsf, do the following:

  1. Verify that the following four files exist in that directory:
    • CDSA_Registry.dir with permissions (-rw-r--r--)
    • CDSA_Registry.pag with permissions (-rw-r--r--)
    • CDSA_Sections.dir with permissions (-rw-r--r--)
    • CDSA_Sections.pag with permissions (-rw-r--r--)
  2. Verify that the required RACF® FACILITY class profiles are defined and set up:
    • CDS.CSSM — authorizes the daemon to call OCSF services
    • CDS.CSSM.CRYPTO — authorizes the daemon to call a cryptographic service provider (CSP)
    • CDS.CSSM.DATALIB — authorizes the daemon to call a data storage library (DL) service provider
  3. Ensure that the necessary libraries are program controlled:
    • XL C/C++ runtime libraries
    • Language Environment® libraries
    • SYS1.LINKLIB
    • SYS1.SIEALNKE
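
Step 1 above can be scripted from the OMVS shell. The following is an added example, not part of the original page or of the OCSF product: it checks that each of the four registry files exists and has exactly the mode -rw-r--r--, which matters because the registry holds the path names of the code libraries. The function name, script name, and output format are assumptions of this example; steps 2 and 3 (RACF profiles and program control) are not covered by it.

```shell
#!/bin/sh
# Added example: checks the four OCSF registry files listed in step 1.
# check_ocsf_registry and its output format are hypothetical names for this
# example, not OCSF tooling.

EXPECTED_MODE='-rw-r--r--'
REGISTRY_FILES='CDSA_Registry.dir CDSA_Registry.pag CDSA_Sections.dir CDSA_Sections.pag'

# check_ocsf_registry [DIR]
# Prints one line per file. Returns 0 only if every file exists as a regular
# file with mode -rw-r--r--; returns 1 otherwise. DIR defaults to /var/ocsf.
check_ocsf_registry() {
    dir=${1:-/var/ocsf}
    rc=0
    for name in $REGISTRY_FILES; do
        path=$dir/$name
        if [ ! -f "$path" ]; then
            echo "MISSING   $path"
            rc=1
            continue
        fi
        # The first 10 characters of ls -l output are the file type and the
        # permission bits; cutting there drops any ACL or extended-attribute
        # marker that some systems print after them.
        mode=$(ls -ld "$path" | cut -c1-10)
        if [ "$mode" = "$EXPECTED_MODE" ]; then
            echo "OK        $path ($mode)"
        else
            echo "BAD MODE  $path ($mode, expected $EXPECTED_MODE)"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when a directory is given on the command line,
# for example: sh check_ocsf.sh /var/ocsf
if [ $# -gt 0 ]; then
    check_ocsf_registry "$1"
fi
```

A non-zero exit status means at least one file is missing or has a mode other than the one listed in step 1.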

If you did not copy /var/ocsf, rerun the installation script:

  1. Set up the RACF FACILITY class profiles required by OCSF and authorize the appropriate user IDs to those profiles:
    • CDS.CSSM — authorizes the daemon to call OCSF services
    • CDS.CSSM.CRYPTO — authorizes the daemon to call a cryptographic service provider (CSP)
    • CDS.CSSM.DATALIB — authorizes the daemon to call a data storage library (DL) service provider
  2. Ensure that the following libraries are defined as program controlled:
    • XL C/C++ runtime libraries
    • Language Environment libraries
    • SYS1.LINKLIB
    • SYS1.SIEALNKE
  3. Run the ocsf_install_crypto script from the OMVS shell. This must be run from the target system.
    1. Verify and update $LIBPATH.
    2. Change directory to the location of the script (/usr/lpp/ocsf/bin).
    3. Run the script.

Whether you reinstalled or migrated, it is strongly recommended that you rerun IVP ocsf_baseivp from the OMVS shell. This IVP verifies that OCSF is installed and configured correctly. To run the IVP:

  1. Mount /usr/lpp/ocsf/ivp.
  2. Read the README file and follow the instructions.
  3. Run the IVP.

If you were using other IBM or non-IBM services to supplement the functions in OCSF, such as the Open Cryptographic Enhanced Plug-ins (OCEP) component of base element Integrated Security Services, or the PKI Services component of base element Cryptographic Services, you must ensure that these are migrated or reinstalled.

Reference information: Integrated Security Services Open Cryptographic Enhanced Plug-ins Application Programming.