When PKA Key Management Extensions are enabled, ICSF writes to
subtype 27 to record operational and error information related to
PKA Key Management Extensions. A subtype 27 record is written:
- When a CSF.PKAEXTNS.ENABLE or CSF.PKAEXTNS.ENABLE.WARNONLY profile
  in the XFACILIT class uses the APPLDATA field to specify a trusted
  certificate repository. An SMF record is cut to indicate whether the
  trusted certificate repository was successfully changed, or whether
  there was an error. The APPLDATA field and the repository it
  specifies are checked at startup and whenever the XFACILIT class is
  RACLISTed. ICSF writes a subtype 27 record if the certificate
  repository is changed, or if there is an error. In this case,
  subtype 27 indicates whether:
  - the trusted certificate repository was changed
  - the specified trusted certificate repository is empty
  - an error was detected while extracting the APPLDATA
  - the specified repository was not found
  - one or more certificates could not be parsed
- When an application calls a service attempting to use a key in
  a way that is not allowed by the ICSF segment specifications within
  the CSFKEYS or XCSFKEY profile that covers the key. The SMF record
  is written at the completion of the callable service, which,
  depending on whether PKA Key Management Extensions had been enabled
  in warning or fail mode, may or may not allow the requested
  operation on the key. Subtype 27 contains this information. In this
  case, subtype 27 indicates whether:
  - an asymmetric key may not be used for the requested function
  - a symmetric key cannot be exported by the provided asymmetric key
SMF records for this subtype will also contain server user and
end user audit sections.