To start ICSF, issue the operator START command. You must issue the START command after each IPL. When you issue the START command, verification tests check that the master key in each coprocessor is the same as the master key that enciphered the cryptographic key data set (CKDS) and that the hash pattern in each coprocessor is the same as the hash pattern of the master key that enciphered the PKA key data set (PKDS).
There are four CCA master keys: DES, RSA, AES and ECC. The DES and RSA master keys are available on all coprocessors. The availability of the AES and ECC master keys depends on your server and the CCA licensed internal code loaded in the coprocessors.
The coprocessor activation procedure will use the master key verification patterns (MKVP) in the header record of the CKDS and PKDS to determine which coprocessors become active. If the MKVP of a master key is in the CKDS or PKDS, that master key must be loaded and the verification pattern of the current master key register must match the MKVP in the CKDS or PKDS. If all of the MKVPs in the CKDS and PKDS match the current master key registers, the coprocessor will become active. Otherwise, the status of the coprocessor is 'Master key incorrect'.
This applies to all master keys that the coprocessor supports. When there is an MKVP in the CKDS or PKDS and the coprocessor doesn't support that master key, it is ignored. When an MKVP is not in the CKDS or PKDS, the master key is ignored.
A migration health check is available to find any coprocessors that will not become active when starting HCR77A1. The ICSFMIG77A1_COPROCESSOR_ACTIVE migration check is available for HCR7770, HCR7780, HCR7790, and HCR77A0.
For Enterprise PKCS #11 (EP11) coprocessors, ICSF uses the master key validation pattern (MKVP) in the header record of the TKDS to determine which EP11 coprocessors to make active. An EP11 coprocessor is active if the MKVP in the current master key register matches the MKVP in the header record of the TKDS or the TKDS has not been initialized.
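The activation rule in the two preceding paragraphs, modeled as an added Python example (not ICSF or IBM code). The coprocessor names and MKVP values are constructed placeholders, and the CKDS and PKDS header patterns are merged into one mapping for brevity.

```python
# Illustrative model of the activation rule described above; not ICSF code.
# All names and MKVP values below are constructed placeholders.
from dataclasses import dataclass, field

MASTER_KEYS = ("DES", "AES", "RSA", "ECC")

@dataclass
class Coprocessor:
    name: str
    supported: set  # master key types this coprocessor supports
    current_mkvp: dict = field(default_factory=dict)  # key type -> MKVP of current register

def activation_status(cop, kds_mkvps):
    """Return (status, mismatched key types) for one coprocessor.

    kds_mkvps maps key type -> MKVP stored in the CKDS/PKDS header record;
    a key type with no stored MKVP is absent or None.
    """
    mismatches = []
    for key in MASTER_KEYS:
        expected = kds_mkvps.get(key)
        if expected is None:
            continue  # no MKVP in the KDS: this master key is ignored
        if key not in cop.supported:
            continue  # coprocessor does not support this key: ignored
        # The key must be loaded and its current-register pattern must match.
        if cop.current_mkvp.get(key) != expected:
            mismatches.append(key)
    status = "Active" if not mismatches else "Master key incorrect"
    return status, mismatches

# Constructed sample: header MKVPs as recorded in the CKDS/PKDS (no ECC MKVP).
KDS = {"DES": "D1D1", "AES": "A2A2", "RSA": "B3B3"}

COPS = [
    # ECC is loaded but has no MKVP in the KDS, so it is ignored.
    Coprocessor("C00", {"DES", "RSA", "AES", "ECC"},
                {"DES": "D1D1", "AES": "A2A2", "RSA": "B3B3", "ECC": "E4E4"}),
    # AES is not supported on this coprocessor, so the AES MKVP is ignored.
    Coprocessor("C01", {"DES", "RSA"}, {"DES": "D1D1", "RSA": "B3B3"}),
    # AES is supported but not loaded: the coprocessor does not activate.
    Coprocessor("C02", {"DES", "RSA", "AES"}, {"DES": "D1D1", "RSA": "B3B3"}),
    # AES is loaded with a different key: the coprocessor does not activate.
    Coprocessor("C03", {"DES", "RSA", "AES"},
                {"DES": "D1D1", "AES": "FFFF", "RSA": "B3B3"}),
]

def report(cops=COPS, kds=KDS):
    return {c.name: activation_status(c, kds) for c in cops}

if __name__ == "__main__":
    for name, (status, bad) in report().items():
        print(name, status, ",".join(bad) or "-")
```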
If a DES-MK master key verification pattern does not match the verification pattern in the CKDS, then: ICSF starts and a message that indicates the verification failed for the indicated coprocessor appears on the console. The PCIXCCs will not be active.
If the RSA-MKs do not match, or if they match but the verification pattern does not match the verification pattern in the PKDS, a message indicates that the PKA verification pattern in the PKDS does not match the system PKA verification pattern. PKA callable services are not enabled.
If the RSA-MKs do match the verification pattern in the PKDS but the DES-MK is not valid, then PKA callable services are not enabled. Once the DES-MK becomes valid, the user will have to enable the PKA services or stop and restart ICSF.
If DES-MK or AES-MK master key verification patterns do not match the verification patterns in the CKDS, then: ICSF starts and a message that indicates the verification failed for the indicated coprocessor appears on the console. In order for the coprocessor to become active, either the DES-MK or the AES-MK (or both) verification patterns must match those in the CKDS. If neither matches, the coprocessor will not be active.
If the RSA-MKs do not match, or if they match but the verification pattern does not match the verification pattern in the PKDS, a message indicates that the RSA verification pattern in the PKDS does not match the system RSA verification pattern. PKA callable services are not enabled.
If the RSA-MKs do match the verification pattern in the PKDS but both the DES-MK and AES-MK are not valid, then PKA callable services are not enabled. Once the DES-MK or AES-MK becomes valid, the user will have to enable the PKA services or stop and restart ICSF.
If DES-MK or AES-MK master key verification patterns do not match the verification patterns in the CKDS, then: ICSF starts and a message that indicates the verification failed for the indicated coprocessor appears on the console.
If the RSA-MKs do not match or the ECC-MKs do not match, or if they match but do not match the verification pattern in the PKDS, a message indicates that the verification pattern in the PKDS does not match the system verification pattern.
In order for a coprocessor to become active, all master keys must match the MKVPs in the KDSs.
PKA callable services are enabled if the RSA-MK matches the verification pattern in the PKDS. PKA callable services are disabled if the RSA-MK does not match the verification pattern.
When ICSF successfully starts, a message that indicates that initialization is complete appears on the console.
START CSF
START CSF,REUSASID=YES
You can start ICSF only as a started task.
To stop ICSF, issue the operator STOP command. After you issue the command, all ICSF processing stops. If ICSF stops successfully, a message that states that ICSF is stopped appears on the console.
STOP CSF
FORCE csfproc,arm