Steps for initializing ICSF

You must initialize ICSF and the cryptographic coprocessors:

  1. Enter the START command and the startup procedure name. In this example, CSF is the name of the startup procedure.
       START CSF

    When you start ICSF, you specify the name of the ICSF startup procedure you created (see Steps to create the ICSF startup procedure). See Starting and stopping ICSF for more information about starting and stopping ICSF.

    Note: To reuse ASIDs, the REUSASID parameter can be added to the START command:
    START CSF,REUSASID=YES
  2. Access the ICSF panels to define a master key and initialize the CKDS and PKDS. For a description of how to use the ICSF panels to define a master key and initialize the CKDS and PKDS at first-time startup, see z/OS Cryptographic Services ICSF Administrator's Guide.

    If you intend to use secure key PKCS #11 services, you will also need to initialize the TKDS. This step is optional and may be deferred until a later time. Initializing the TKDS requires entering the master key using a TKE workstation. For more information, see z/OS Cryptographic Services ICSF TKE Workstation User's Guide.

    When defining a master key by specifying master key parts, make sure the key parts are recorded and saved in a secure location. When you are entering the key parts for the first time, be aware that you may need to reenter these same key values at a later date to restore master key values that have been cleared. If defining a master key using a pass phrase, realize that the same pass phrase will always produce the same master key values, and is therefore as critical and sensitive as the master key values themselves. Make sure you save the pass phrase so that you can later reenter it if needed. Because of the sensitive nature of the pass phrase, make sure you secure it in a safe place.

  3. When you start ICSF for the first time, you will see different messages depending on your system hardware. The following examples show the messages returned on an IBM zEnterprise EC12 machine with one CCA coprocessor and one EP11 cryptographic coprocessor that have CEX4 features.
    • First time startup messages before master keys have been loaded and the CKDS, PKDS, and TKDS have not been initialized:
      S CSF 
      CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
      CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
      CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
      CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
      CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
      CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
      CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
      CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL. 
      CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn.
      CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4 COPROCESSOR 4Pxx, SERIAL NUMBER nnnnnnnn.
      CSFM131E CRYPTOGRAPHY - SECURE KEY PKCS11 SERVICES ARE NOT AVAILABLE.           
      CSFM102I TOKEN DATA SET, CSF.TKDS IS NOT INITIALIZED FOR SECURE KEY PKCS11.
      CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.
      CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.          
      CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.         
      CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.                  
      CSFM001I ICSF INITIALIZATION COMPLETE                                           
    • First time startup messages before master keys have been loaded and sharing an initialized CKDS, PKDS, and TKDS:
      S CSF
      CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.
      CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.
      CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.
      CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.
      CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.
      CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.
      CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
      CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.
      CSFM124I MASTER KEY P11 ON CRYPTO EXPRESS4 COPROCESSOR 4Pxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.                               
      CSFM124I MASTER KEY DES ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.                                
      CSFM124I MASTER KEY AES ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.                                
      CSFM124I MASTER KEY RSA ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.                                
      CSFM124I MASTER KEY ECC ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.                                
                                                                  
      CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
      CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.                                                               
      CSFM001I ICSF INITIALIZATION COMPLETE 
    • Normal ICSF restart messages. Master key registers are valid and match the CKDS/PKDS/TKDS:
      S CSF 
      CSFM608I A CKDS KEY STORE POLICY IS NOT DEFINED.                
      CSFM608I A PKDS KEY STORE POLICY IS NOT DEFINED.                
      CSFM610I GRANULAR KEYLABEL ACCESS CONTROL IS DISABLED.      
      CSFM611I XCSFKEY EXPORT CONTROL FOR AES IS DISABLED.        
      CSFM611I XCSFKEY EXPORT CONTROL FOR DES IS DISABLED.        
      CSFM612I PKA KEY EXTENSIONS CONTROL IS DISABLED.            
      CSFM654I KEY ARCHIVING USE CONTROL IS DISABLED.
      CSFM015I FIPS 140 SELF CHECKS FOR PKCS11 SERVICES SUCCESSFUL.                                                              
      CSFM129I MASTER KEY P11 ON CRYPTO EXPRESS4 COPROCESSOR 4Pxx, SERIAL NUMBER nnnnnnnn, IS CORRECT.
      CSFM129I MASTER KEY DES ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, IS CORRECT.
      CSFM129I MASTER KEY AES ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, IS CORRECT.
      CSFM129I MASTER KEY RSA ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, IS CORRECT.
      CSFM129I MASTER KEY ECC ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, IS CORRECT.
      CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn.
      CSFM111I CRYPTOGRAPHIC FEATURE IS ACTIVE. CRYPTO EXPRESS4 COPROCESSOR 4Pxx, SERIAL NUMBER nnnnnnnn.
      CSFM132I SECURE KEY PKCS11 SERVICES AVAILABLE.
      CSFM400I CRYPTOGRAPHY - SERVICES ARE NOW AVAILABLE.         
      CSFM130I CRYPTOGRAPHY - RSA SERVICES ARE AVAILABLE.         
      CSFM130I CRYPTOGRAPHY - DES SERVICES ARE AVAILABLE.
      CSFM130I CRYPTOGRAPHY - ECC SERVICES ARE AVAILABLE.         
      CSFM127I CRYPTOGRAPHY - AES SERVICES ARE AVAILABLE. 
      CSFM508I CRYPTOGRAPHY - THERE ARE NO CRYPTOGRAPHIC ACCELERATORS ONLINE.
      CSFM126I CRYPTOGRAPHY - FULL CPU-BASED SERVICES ARE AVAILABLE.                                                               
      CSFM001I ICSF INITIALIZATION COMPLETE
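
CSFM001I ICSF INITIALIZATION COMPLETE ends all three sample outputs in step 3, so it does not by itself show that master keys are loaded. The following added example (not IBM code) classifies a startup log into those three states from the message IDs shown above; the function name, report keys, and state labels are assumptions made for illustration.

```python
import re

# Message IDs and wording come from the sample startup output on this page.
DATA_SET_MSGS = {"CSFM100E": "CKDS", "CSFM101E": "PKDS", "CSFM102I": "TKDS"}
MK_RE = re.compile(r"^(CSFM12[49]I) MASTER KEY (\w+) ON .*? COPROCESSOR (\w+),")

def classify_startup(lines):
    """Map ICSF startup messages to one of the three states shown in step 3."""
    report = {"uninitialized": [], "mk_not_initialized": [],
              "mk_correct": [], "complete": False, "state": "unknown"}
    for raw in lines:
        line = raw.strip()
        msg_id = line.split(" ", 1)[0]
        mk = MK_RE.match(line)
        if msg_id in DATA_SET_MSGS:
            report["uninitialized"].append(DATA_SET_MSGS[msg_id])
        elif mk:
            bucket = "mk_correct" if mk.group(1) == "CSFM129I" else "mk_not_initialized"
            report[bucket].append((mk.group(2), mk.group(3)))  # (key type, coprocessor)
        elif msg_id == "CSFM001I":
            report["complete"] = True
    # CSFM001I alone is not a health signal: it ends all three sample outputs.
    if report["uninitialized"]:
        report["state"] = "data sets not initialized"
    elif report["mk_not_initialized"]:
        report["state"] = "master keys not loaded"
    elif report["mk_correct"] and report["complete"]:
        report["state"] = "normal restart"
    return report

# Abridged from the page's samples; 4Cxx/4Pxx/nnnnnnnn are the page's placeholders.
FIRST_START = [
    "CSFM102I TOKEN DATA SET, CSF.TKDS IS NOT INITIALIZED FOR SECURE KEY PKCS11.",
    "CSFM100E CRYPTOGRAPHIC KEY DATA SET, CSF.CKDS IS NOT INITIALIZED.",
    "CSFM101E PKA KEY DATA SET, CSF.PKDS IS NOT INITIALIZED.",
    "CSFM001I ICSF INITIALIZATION COMPLETE",
]
SHARED_START = [
    "CSFM124I MASTER KEY P11 ON CRYPTO EXPRESS4 COPROCESSOR 4Pxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.",
    "CSFM124I MASTER KEY AES ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, NOT INITIALIZED.",
    "CSFM001I ICSF INITIALIZATION COMPLETE",
]
RESTART = [
    "CSFM129I MASTER KEY AES ON CRYPTO EXPRESS4 COPROCESSOR 4Cxx, SERIAL NUMBER nnnnnnnn, IS CORRECT.",
    "CSFM001I ICSF INITIALIZATION COMPLETE",
]
if __name__ == "__main__":
    for name, log in [("first", FIRST_START), ("shared", SHARED_START), ("restart", RESTART)]:
        print(name, "->", classify_startup(log)["state"])
```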

Notes:
  1. When you start ICSF for the first time to load the first master key and initialize one or more of the CKDS, PKDS, or TKDS, you provide the name of the empty VSAM data set you defined previously (see Steps to create the PKDS step 3) to use for the CKDS, PKDS, and TKDS.
  2. While ICSF processes the data set, it requires exclusive use so that no one can make changes while the data set is read. ICSF releases the data set when it completes startup processing.
  3. During CKDS, PKDS, and TKDS initialization or refresh, ICSF reads the CKDS, PKDS, or TKDS into extended private storage. Make sure that the region size is sufficient for reading in the entire data set. The parameter setting REGION=0M specifies the maximum available space.
  4. You can also write application programs to call services to perform cryptographic functions. See Exits for the services for details.