Starting and stopping ICSF

To start ICSF, issue the operator START command. You must issue the START command after each IPL. When you issue the START command, verification tests check that the master key in each coprocessor is the same as the master key that enciphered the cryptographic key data set (CKDS) and that the hash patterns in each coprocessor is the same as the hash pattern of the master key that enciphered the PKA key data set (PKDS).

There are four CCA master keys: DES, RSA, AES and ECC. The DES and RSA master keys are available on all coprocessors. The availability of the AES and ECC master keys depends on your server and the CCA licenced internal code loaded in the coprocessors.

The coprocessor activation procedure will use the master key verification patterns (MKVP) in the header record of the CKDS and PKDS to determine which coprocessors become active. If the MKVP of a master key is in the CKDS or PKDS, that master key must be loaded and the verification pattern of the current master key register must match the MKVP in the CKDS or PKDS. If all of the MKVPs in the CKDS and PKDS match the current master key registers, the coprocessor will become active. Otherwise, the status of the coprocessor is 'Master key incorrect'.

This applies to all master keys that the coprocessor supports. When there is a MKVP in the CKDS or PKDS and the coprocessor doesn't support that master key, it is ignored. When a MKVP is not in the CKDS or PKDS, the master key is ignored.

A migration health check is available to find any coprocessors that will not become active when starting HCR77A1. The ICSFMIG77A1_COPROCESSOR_ACTIVE migration check is available for HCR7770, HR7780, HCR7790, and HCR77A0.

For Enterprise PKCS #11 (EP11) coprocessor, ICSF uses the master key validation pattern (MKVP) in the header record of the TKDS to determine which EP11 coprocessors to make active. An EP11 coprocessor is active if the MKVP in the current master key register matched the MKVP in the header record of the TKDS or the TKDS has not been initialized.

On PCIXCC Systems, verification tests are also performed to ensure that the PCIXCC DES-MK is the same on all PCIXCC coprocessors, and that the PCIXCC RSA-MK is the same on all PCIXCC coprocessors.
If a DES-MK master key verification pattern does not match the verification pattern in the CKDS, then: ICSF starts and a message that indicates the verification failed for the indicated coprocessor appears on the console. The PCIXCCs will not be active.

If the RSA-MKs do not match, or if they match but the verification pattern does not match the verification pattern in the PKDS, a message indicates that the PKA verification pattern in the PKDS does not match the system PKA verification pattern. PKA callable services are not enabled.

If the RSA-MKs do match the verification pattern in the PKDS but the DES-MK is not valid, then PKA callable services are not enabled. Once the DES-MK become valid, the user will have to enable the PKA services or stop and restart ICSF.
On CEX2C Systems, verification tests are also performed to ensure that the DES-MK, AES-MK, and RSA-MK are the same on all CEX2C coprocessors.
If DES-MK or AES-MK master key verification patterns do not match the verification patterns in the CKDS, then: ICSF starts and a message that indicates the verification failed for the indicated coprocessor appears on the console. In order for the coprocessor to become active, either the DES-MK or the AES-MK (or both) verification patterns must match those in the CKDS. If neither match, the coprocessor will not be active.

If the RSA-MKs do not match, or if they match but the verification pattern does not match the verification pattern in the PKDS, a message indicates that the RSA verification pattern in the PKDS does not match the system RSA verification pattern. PKA callable services are not enabled.

If the RSA-MKs do match the verification pattern in the PKDS but both the DES-MK and AES-MK are not valid, then PKA callable services are not enabled. Once the DES-MK or AES-MK becomes valid, the user will have to enable the PKA services or stop and restart ICSF.
On systems that have CCA Cryptographic coprocessors that are CEX3C or later, verification tests are also performed to ensure that the DES-MK, AES-MK, RSA-MK, and ECC-MK are the same on all coprocessors.
If DES-MK or AES-MK master key verification patterns do not match the verification patterns in the CKDS, then: ICSF starts and a message that indicates the verification failed for the indicated coprocessor appears on the console.

If the RSA-MKs do not match or the ECC-MKs do not match, or if they match but do not match the verification pattern in the PKDS, a message indicates that the verification pattern in the PKDS does not match the system verification pattern.

In order for a coprocessor to become active, all master keys must match the MKVPs in the KDSs.

PKA callable services are enabled if the RSA-MK matches the verification pattern in the PKDS. PKA callable services are disabled if the RSA-MK does not match the verification pattern.

When ICSF successfully starts, a message that indicates that initialization is complete appears on the console.

This example shows the format of the START command to start ICSF, assuming that CSF is the name of the start procedure:

   START CSF

Note: To reuse ASIDs the REUSASID parameter can be added to the START comment:

START CSF,REUSASID=YES

You can start ICSF only as a started task.

To stop ICSF, issue the operator STOP command. After you issue the command, all ICSF processing stops. If ICSF stops successfully, a message that states that ICSF is stopped appears on the console.

This example shows the format of the STOP command to stop ICSF, assuming that CSF is the name of the started procedure:

   STOP CSF

Note:

If a problem is detected with a cryptographic coprocessor or with an accelerator during initialization, then a CSFM540I message is generated and the device is bypassed.
A Health Check, ICSF_COPROCESSOR_STATE_NEGCHANGE, monitors the state of the coprocessors and accelerators on a daily basis to detect a negative change in state.
If ICSF is unresponsive to the STOP command, be aware that you will not be able to use the CANCEL command to stop ICSF processing. Instead, use the force command:
```
FORCE csfproc,arm
```
The ICSF_MASTER_KEY_CONSISTENCY health check evaluates the master key states of the coprocessors to detect potential master key problems. For more information about this health check, see z/OS Cryptographic Services ICSF Administrator's Guide.