Converting a CKDS from fixed length to variable length record format

ICSF provides a CKDS conversion program, CSFCNV2, that converts a fixed length record format CKDS to a variable length record format. There will be no changes to the key token in the CKDS record. Only the format of the record will be changed.

Note: There are three formats of the CKDS: The CSFCNV2 utility converts a fixed-length format CKDS to a variable-length format. To convert a fixed-length or variable-length format CKDS to the KDSR format, see Migrating to the KDSR format key data set.

You can also use the CSFCNV2 utility to rewrap encrypted DES values in the CKDS. For more information on this capability of the CSFCNV2 utility, refer to z/OS Cryptographic Services ICSF Administrator's Guide.

There is no conversion from variable length to fixed length records.

You run the conversion utility program by submitting a batch job. On the EXEC statement, specify PGM=CSFCNV2.

This example is a JCL that runs the conversion program:
//CKDSCNV2 EXEC PGM=CSFCNV2,PARM='FORMAT,OLD.CKDS,NEW.CKDS'
Where:
OLD.CKDS
The fixed length record format CKDS to be converted. This is the source CKDS for the conversion.
NEW.CKDS
An empty disk copy of a variable length record format CKDS. This is the CKDS into which the conversion utility writes the converted records. The data set must be defined and empty before you run the conversion program.

Refer to the SYS1.SAMPLIB CSFCKD2 member sample described in Steps to create the CKDS for example JCL that defines a VSAM CKDS for variable length records.

The CSFV0560 message in the joblog will indicate the results of processing.
Return Code
Meaning
0
Process successful.
4
Minor error occurred.
8
RACF authorization check failed.
12
Process unsuccessful.
60 or 92
CKDS processing has failed. A return code 60 indicates the error was detected in the new KDS. A return code 92 indicates the error was detected with the old KDS.

When the program is invoked from another program, the invoking program receives the reason code in General Register 0 along with the return code in General Register 15. The following list describes the meaning of the reason codes. If a particular reason code is not listed, refer to the listing of ICSF and TSS return and reason codes in the z/OS Cryptographic Services ICSF Application Programmer's Guidez/OS Cryptographic Services ICSF Application Programmer's Guide.

Return code 0 has this reason code:
Reason Code
Meaning
36132
CKDS reencipher/Change MK processed only tokens encrypted under the DES master key.
Return code 4 has these reason codes:
Reason Code
Meaning
0
Parameters are incorrect.
4004
Rewrapping is not allowed for one or more keys.
36112
CKDS conversion completed successfully but some tokens could not be rewrapped because the control vector prohibited rewrapping from the enhanced wrapping method.
36164
Input CKDS is already in the variable-length record format. No conversion is necessary.
Return code 8 has this reason code:
Reason Code
Meaning
16000
Invoker has insufficient RACF access authority to perform function.
Return code 12 has these reason codes:
Reason Code
Meaning
0
ICSF has not been started
11060
The required cryptographic coprocessor was not active or the master key has not been set
36000
Unable to change master key. Check hardware status.
36008
Crypto master key register or registers in improper state.
36020
Input CKDS is empty or not initialized (authentication pattern in the control record is invalid).
36036
The new master key register for Coprocessor 1 (C1) is not full, but C0 is ready and the current master key is valid.
36040
The new master key register for C0 is not full, but C1 is ready and the current master key is valid.
36044
The master key authentication pattern for the CKDS does not match the authentication pattern of the coprocessors, which are not equal.
36048
The master key authentication pattern for the CKDS does not match the authentication pattern of either of the coprocessors, which are not equal.
36052
A valid new master key is present in C0, but its authentication pattern does not match that of C1 or the CKDS, which are equal.
36056
A valid new master key is present in C1, but its authentication pattern does not match that of C0 or the CKDS, which are equal.
36060
The new master key register or registers are not full.
36064
Both new master key registers are full but not equal.
36068
The input KDS is not enciphered under the current master key.
36076
The new master key register for C0 is not full, but the CPUs are online.
36080
The new master key register for C1 is not full, but the CPUs are online.
36084
The master key register cannot be changed since ICSF is running in compatibility mode.
36104
Option not available. There were no Cryptographic Coprocessors available to perform the service that was attempted.
36108
PKA callable services are enabled, and the PKDS is the active PKDS as specified in the options data set.
36120
The CKDS is unusable. The CKDS does not support record level authentication.
36124
The CKDS is unusable. The CKDS only supports encrypted AES keys and encrypted DES support is required.
36128
The CKDS is unusable. The CKDS does not support encrypted DES keys which is required.
36160
The attempt to reencipher the CKDS failed because there is an enhanced token in the CKDS.
36168
A CKDS has an invalid LRECL value for the requested function. For wrapping, the input and output CKDS LRECLs must be the same.
36172
The level of hardware required to perform the operation is not available.
Return code 60 or 92 has these reason codes:
Reason Code
Meaning
3078
The CKDS was created with an unsupported LRECL.
5896
The CKDS does not exist.
6008
A service routine has failed.
The service routines that may be called are:
CSFMGN
MAC generation
CSFMVR
MAC verification
CSFMKVR
Master key verification
6012
The single-record, read-write installation exit (CSFSRRW) returned a return code greater than 4.
6016
An I/O error occurred reading or writing the CKDS.
6020
The CSFSRRW installation exit abended and the installation options EXIT keyword specifies that the invoking service should end.
6024
The CSFSRRW installation exit abended and the installation options EXIT keyword specifies that ICSF should end.
6028
The CKDS access routine could not establish the ESTAE environment.
6040
The CSFSRRW installation exit could not be loaded and is required.
6044
Information necessary to set up CSFSRRW installation exit processing could not be obtained.
6048
The system keys cannot be found while attempting to write a complete CKDS data set.
6052
For a write CKDS record request, the current master key verification pattern (MKVP) does not match the CKDS header record MKVP.
6056
The output CKDS is not empty.
Note: It is possible that you will receive MVS reason codes rather than ICSF reason codes, for example, if the reason code indicates a dynamic allocation failure. For an explanation of Dynamic Allocation reason codes, see z/OS MVS Programming: Authorized Assembler Services Guide