ICSF provides a CKDS conversion program, CSFCNV2, that converts
a fixed length record format CKDS to a variable length record format.
There will be no changes to the key token in the CKDS record. Only
the format of the record will be changed.
Note: There are three formats of the CKDS:
- The original fixed-length record format.
- The variable-length record format (introduced in HCR7780).
- The KDSR variable-length record format (introduced in HCR77A1).
The CSFCNV2 utility converts a fixed-length format CKDS to a
variable-length format. To convert a fixed-length or variable-length
format CKDS to the KDSR format, see
Migrating to the KDSR format key data set.
You can also use the
CSFCNV2 utility to rewrap encrypted DES values in the CKDS. For more
information on this capability of the CSFCNV2 utility, refer to z/OS Cryptographic Services ICSF Administrator's Guide.
There is no conversion from variable length to fixed length records.
You run the conversion utility program by submitting a batch job.
On the EXEC statement, specify PGM=CSFCNV2.
This example JCL runs the conversion program:
//CKDSCNV2 EXEC PGM=CSFCNV2,PARM='FORMAT,OLD.CKDS,NEW.CKDS'
Where:
- OLD.CKDS: The fixed length record format CKDS to be converted. This is the source CKDS for the conversion.
- NEW.CKDS: An empty disk copy of a variable length record format CKDS. This is the CKDS into which the conversion utility writes the converted records. The data set must be defined and empty before you run the conversion program.
Refer to the SYS1.SAMPLIB CSFCKD2 member sample described in Steps to create the CKDS for example JCL that defines a VSAM
CKDS for variable length records.
The CSFV0560 message in the joblog will indicate the results of
processing.
Return code and meaning:
- 0: Process successful.
- 4: Minor error occurred.
- 8: RACF authorization check failed.
- 12: Process unsuccessful.
- 60 or 92: CKDS processing has failed. A return code 60 indicates the error was detected in the new KDS. A return code 92 indicates the error was detected with the old KDS.
When the program is invoked from another program, the invoking
program receives the reason code in General Register 0 along with
the return code in General Register 15. The following list describes
the meaning of the reason codes. If a particular reason code is not
listed, refer to the listing of ICSF and TSS return and reason codes
in the z/OS Cryptographic Services ICSF Application Programmer's Guide.
Return code 0 has this reason code:
- 36132: CKDS reencipher/Change MK processed only tokens encrypted under the DES master key.
Return code 4 has these reason codes:
- 0: Parameters are incorrect.
- 4004: Rewrapping is not allowed for one or more keys.
- 36112: CKDS conversion completed successfully but some tokens could not be rewrapped because the control vector prohibited rewrapping from the enhanced wrapping method.
- 36164: Input CKDS is already in the variable-length record format. No conversion is necessary.
Return code 8 has this reason code:
- 16000: Invoker has insufficient RACF access authority to perform function.
Return code 12 has these reason codes:
- 0: ICSF has not been started.
- 11060: The required cryptographic coprocessor was not active or the master key has not been set.
- 36000: Unable to change master key. Check hardware status.
- 36008: Crypto master key register or registers in improper state.
- 36020: Input CKDS is empty or not initialized (authentication pattern in the control record is invalid).
- 36036: The new master key register for Coprocessor 1 (C1) is not full, but C0 is ready and the current master key is valid.
- 36040: The new master key register for C0 is not full, but C1 is ready and the current master key is valid.
- 36044: The master key authentication pattern for the CKDS does not match the authentication pattern of the coprocessors, which are not equal.
- 36048: The master key authentication pattern for the CKDS does not match the authentication pattern of either of the coprocessors, which are not equal.
- 36052: A valid new master key is present in C0, but its authentication pattern does not match that of C1 or the CKDS, which are equal.
- 36056: A valid new master key is present in C1, but its authentication pattern does not match that of C0 or the CKDS, which are equal.
- 36060: The new master key register or registers are not full.
- 36064: Both new master key registers are full but not equal.
- 36068: The input KDS is not enciphered under the current master key.
- 36076: The new master key register for C0 is not full, but the CPUs are online.
- 36080: The new master key register for C1 is not full, but the CPUs are online.
- 36084: The master key register cannot be changed since ICSF is running in compatibility mode.
- 36104: Option not available. There were no Cryptographic Coprocessors available to perform the service that was attempted.
- 36108: PKA callable services are enabled, and the PKDS is the active PKDS as specified in the options data set.
- 36120: The CKDS is unusable. The CKDS does not support record level authentication.
- 36124: The CKDS is unusable. The CKDS only supports encrypted AES keys and encrypted DES support is required.
- 36128: The CKDS is unusable. The CKDS does not support encrypted DES keys which is required.
- 36160: The attempt to reencipher the CKDS failed because there is an enhanced token in the CKDS.
- 36168: A CKDS has an invalid LRECL value for the requested function. For wrapping, the input and output CKDS LRECLs must be the same.
- 36172: The level of hardware required to perform the operation is not available.
Return code 60 or 92 has these reason codes:
- 3078: The CKDS was created with an unsupported LRECL.
- 5896: The CKDS does not exist.
- 6008: A service routine has failed. The service routines that may be called are:
  - CSFMGN: MAC generation
  - CSFMVR: MAC verification
  - CSFMKVR: Master key verification
- 6012: The single-record, read-write installation exit (CSFSRRW) returned a return code greater than 4.
- 6016: An I/O error occurred reading or writing the CKDS.
- 6020: The CSFSRRW installation exit abended and the installation options EXIT keyword specifies that the invoking service should end.
- 6024: The CSFSRRW installation exit abended and the installation options EXIT keyword specifies that ICSF should end.
- 6028: The CKDS access routine could not establish the ESTAE environment.
- 6040: The CSFSRRW installation exit could not be loaded and is required.
- 6044: Information necessary to set up CSFSRRW installation exit processing could not be obtained.
- 6048: The system keys cannot be found while attempting to write a complete CKDS data set.
- 6052: For a write CKDS record request, the current master key verification pattern (MKVP) does not match the CKDS header record MKVP.
- 6056: The output CKDS is not empty.