Steps to customize SYS1.PARMLIB

The installation options data set you will create is generally stored in SYS1.PARMLIB. If your administrator does not have access to SYS1.PARMLIB, you need to use another data set instead.

Update the data set you are using as follows:

  1. Add CEE.SCEERUN and CSF.SCSFMOD0 to the LNKLST concatenation. This adds the ICSF library to the z/OS library search. This is an example of an ICSF entry to the LNKLST concatenation.
    CSF.SCSFMOD0
  2. APF authorize CSF.SCSFMOD0, if LNKAUTH=APFTAB. This is an example of an ICSF entry for APF authorization.
    APF ADD DSNAME(CSF.SCSFMOD0)  VOLUME(******)
  3. In the IKJTSOxx parameter, add CSFDAUTH and CSFDPKDS as a value in the AUTHPGM parameter list and in the AUTHTSF parameter list. This is an example of an ICSF entry in the IKJTSOxx member.
    AUTHPGM NAMES(        /* AUTHORIZED PROGRAMS             */  +
     ....
     ....
    CSFDAUTH              /* ICSF                            */  +
    CSFDPKDS              /* ICSF                            */  +
    
     ....
    
    AUTHTSF NAMES(        /* PROGRAMS TO BE AUTHORIZED WHEN  */  +
                          /* WHEN CALLED THROUGH THE TSO     */  +
                          /* SERVICE FACILITY                */  +
     ....
     ....
    CSFDAUTH              /* ICSF                            */  +
    CSFDPKDS              /* ICSF                            */ 
  4. If your application programmers intend to use PKCS #11 token key objects for AES Galois/Counter Mode (GCM) encryption or GMAC generation, and have ICSF generate the initialization vectors, then you need to set ECVTSPLX or CVTSNAME to a unique value.

    This needs to be done, because, for AES GCM encryption or GMAC generation, the security of the algorithm is dependent on never repeating a key, initialization vector combination for two or more distinct sets of data. In PKCS #11, applications can request that ICSF generate a new (unique) initialization vector each time AES GCM or GMAC is initiated. In fact, this is the only permitted way to perform AES GCM or GMAC when PKCS #11 is operating in FIPS mode. When ICSF generates initialization vectors, it uses the ECVTSPLX (sysplex mode) or CVTSNAME (non-sysplex mode) field as the cryptographic module name. The name ensures uniqueness if such keys are distributed to multiple systems, but only if each system is set with a unique name.

    When setting ECVTSPLX or CVTSNAME to unique values, be aware that ICSF uses only the first (left most) 4 characters of these fields. For this reason, these 4 characters must be set to uniquely identify the system.

    For example, suppose AES key value 123 is created on the current single-image system (known as System A) and is distributed to another system residing in a Sysplex (known as Sysplex B). Both systems will be performing GCM encryption where ICSF generates the initialization vectors. To ensure that unique initialization vectors are generated, set CVTSNAME=SYSA on System A and ECVTSPLX=PLXB on Sysplex B.

    CVTSNAME is normally set from the SYSNAME=value statement in the IEASYSxx member of "SYS1.PARMLIB". For more information, see z/OS MVS Initialization and Tuning Reference, SA23-1380z/OS MVS Initialization and Tuning Reference.

    ECVTSPLX is normally set from the COUPLE SYSPLEX(value) in the COUPLExx member of "SYS1.PARMLIB". For more information, see z/OS MVS Setting Up a Sysplex.

Note:
  1. If you will be using TKE on this host, you should also add CSFTTKE as a value in the AUTHCMD parameter list.
  2. To change the active IKJTSOxx member of SYS.PARMLIB without an IPL, use the PARMLIB UPDATE command.
z/OS MVS Initialization and Tuning Guide and z/OS MVS Initialization and Tuning Reference provide more information.