You can run the conversion program only after you initialize the
master key and CKDS for ICSF. The
CKDS you specify at ICSF startup
must be initialized to contain NOCV-enablement keys. For information
about defining keys on ICSF, see z/OS Cryptographic Services ICSF Administrator's Guide.
If the PCF master key and the
ICSF master
key are not the same, you must define the PCF master key in the input
ICSF CKDS.
Define the PCF master key as an importer key-encrypting key in the
input
ICSF CKDS.
You define the key by entering the key through the key entry hardware,
or by importing the key using the
ICSF key
generator utility program. For information about direct key entry
through the key entry hardware and the key generator utility program,
see
z/OS Cryptographic Services ICSF Administrator's Guide.
Note: Be careful defining the PCF master key in the input ICSF CKDS,
because there is no programmed way to determine its validity.
You run the conversion program by submitting a batch job. On the
EXEC statement, specify PGM=CSFCONV. If the PCF master key and ICSF master
key are not the same in the PARM= field on the EXEC statement, specify
the label of the PCF master key entry in the input ICSF CKDS.
If you do not specify the parameter, the conversion program assumes
that the PCF master key and ICSF master
key are the same.
This
example is a JCL that runs the conversion program:
//CKDSCONV EXEC PGM=CSFCONV,PARM='CUSPMKEY'
//CSFVSRC DD DSN=PROD.CUSP.CKDS,DISP=SHR
//CSFVINP DD DSN=TEST.CSF.CKDS,DISP=SHR
//CSFVOVR DD DSN=OVERRIDE.DATA,DISP=OLD
//CSFVNEW DD DSN=MERGED.CSF.CKDS,DISP=OLD
//CSFVRPT DD SYSOUT=A
//
In the example, CUSPMKEY is the label of the entry in the input ICSF CKDS
for the PCF master key in importer key-encrypting key form. All the
data sets necessary to run the conversion program are specified using
DD statements.
The conversion program uses these data sets:
- CSFVSRC
- The PCF CKDS containing
entries that you want to convert into ICSF format
and place in the output ICSF CKDS.
This is the source CKDS for the conversion. For a description of the
PCF CKDS record format, see OS/VS1 and OS/VS2 MVS Programmed
Cryptographic Facility.
- CSFVINP
- A disk copy of the input ICSF CKDS.
The input CKDS should already contain the header record and the ICSF system
keys and can contain other ICSF key
entries. If the CKDS does not contain NOCV-enablement keys, the output ICSF CKDS
will not contain NOCV-enablement keys. For more information about
NOCV-enablement keys, see z/OS Cryptographic Services ICSF Administrator's Guide.
Note: The input ICSF CKDS
does not have to be the CKDS you specify when you start ICSF.
- CSFVOVR
- The override file with
information specifying how you want the conversion program to process
PCF key entries. If no override data is required, this data set is
optional. However, you must code a dummy DD statement in the JCL.
This JCL is an example of a dummy DD statement for an override
file:
//CSFVOVR DD DUMMY,DCB=(RECFM=FB,LRECL=90,BLKSIZE=3600)
See Using the conversion program override file for a description of when and
how to use the override file.
- CSFVNEW
- An empty disk copy of an ICSF CKDS.
This is the ICSF CKDS
into which the conversion program places key entries. The conversion
program places key entries from the input ICSF CKDS
and the PCF CKDS into the output ICSF CKDS.
The data set must be defined and empty before you run the conversion
program.
- CSFVRPT
- The activity report that
the conversion program creates. The report describes any override
records and gives a summary of CKDS entries that were affected by
the conversion program.
Attention: If a conversion program run ends prematurely,
the results of the job are unpredictable. You should not read a CKDS
involved in the conversion into storage for use. For a description
of the conversion program return codes, see the explanation of message
CSFV0026 in
z/OS Cryptographic Services ICSF Messages.
When you run the conversion program, the program produces
information about the conversion in an activity report. The activity
report lists each override entry, the action each override entry applies
to the input PCF CKDS, and any error messages. The activity report
also lists the data sets that were used in the conversion and a summary
of processing. The summary of processing contains totals that apply
to CKDS entries in the conversion program job.